Configuring extended ACLs

To be more precise when matching a certain network traffic, extended access lists are used. With extended access lists, you can match more information, such as:

  • source and destination IP address
  • type of TCP/IP protocol (TCP, UDP, IP…)
  • source and destination port numbers

Two steps are required to configure extended access lists:

1. configure extended access lists using the following command:


2. apply an access list to an interface using the following command:

(config) ip access-group ACL_NUMBER in | out
Extended access list numbers are in the ranges 100 to 199 and 2000 to 2699. You should always place extended ACLs as close to the source as possible.


To better understand the usefulness of extended access lists, consider the following example.

[Figure: extended ACL example 3]
We want Users from the network to be able to access the server S2 (IP address and prevent them from accessing server S1 (IP address First, we need to configure an access list to permit Users the access to server S2:

[Figure: extended ACL command 1]

Next, we need to deny Users the right to access S1 by using the deny statement:

[Figure: extended ACL command 2]

Finally, we need to apply the access list to the interface on R1:

[Figure: extended ACL command 3]

Here is another example of using extended access lists. In this example we will use extended ACLs to filter traffic by the port used.

[Figure: extended ACL example 4]
Again, we have the Users network ( On the right side, we have a server that serves as a web server, listening on port 80. We need to permit Users to access web sites on S1, but we also need to deny other types of access, for example Telnet access.

First, we need to allow traffic from Users network to the web server port of 80. We can do that by using the following command:

[Figure: extended ACL example port 1]

By using the TCP keyword, we can filter packets by source and destination ports. In the example above, we have permitted traffic originating from the network to the host on port 80. The last part of the statement, eq 80, specifies the destination port of 80.

Now we need to disable telnet traffic from the network to To do that, we need to create a deny statement:

[Figure: extended ACL example port 2]

Next, we need to apply our access list to the interface:

[Figure: applying extended ACL]

Since at the end of each access list there is an explicit deny all statement, the second ACL statement wasn't really necessary. After applying an access list, all traffic not explicitly permitted will be denied.
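To make the matching rules of both examples above concrete (source/destination, protocol, `eq` port, first match wins, implicit deny at the end), here is an added Python simulator of extended ACL evaluation. It is not code from the original page; the ACL entries, the Users network 10.0.0.0/24 and the server address 192.168.1.10 are constructed sample values, and the parser only handles contiguous wildcard masks, `host` and `any`.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class AclEntry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # destination port from "eq PORT", None = any port

def _parse_addr(tokens, i):
    """Parse 'any', 'host A' or 'A WILDCARD' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # Cisco wildcard mask is the inverted subnet mask: 0.0.0.255 -> /24 (contiguous masks only)
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    prefix = 32 - wildcard.bit_length()
    return ipaddress.IPv4Network((tokens[i], prefix), strict=False), i + 2

def parse_acl(lines):
    """Parse 'access-list NUM action proto SRC DST [eq PORT]' lines in order."""
    entries = []
    for line in lines:
        t = line.split()
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        entries.append(AclEntry(action, proto, src, dst, dport))
    return entries

def evaluate(entries, proto, src_ip, dst_ip, dst_port=None):
    """Return the action of the first matching entry; no match hits the implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dport is not None and e.dport != dst_port:
            continue
        return e.action
    return "deny (implicit)"

# Constructed sample ACL: Users (10.0.0.0/24) may reach the web server on port 80, Telnet is denied
ACL_101 = [
    "access-list 101 permit tcp 10.0.0.0 0.0.0.255 host 192.168.1.10 eq 80",
    "access-list 101 deny tcp 10.0.0.0 0.0.0.255 host 192.168.1.10 eq 23",
]
ENTRIES = parse_acl(ACL_101)
```

Running `evaluate(ENTRIES, "tcp", "10.0.0.5", "192.168.1.10", 443)` returns the implicit deny, which is why the explicit Telnet deny line is redundant.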