Configuring extended ACLs

Extended access lists are used when you need to match traffic more precisely than a standard access list (which matches only on the source address) allows. With an extended access list you can match on:

  • source and destination IP address
  • the IP protocol (IP, TCP, UDP, ICMP…)
  • source and destination port numbers (for TCP and UDP)

Two steps are required to configure an extended access list:

1. create the access list entries in global configuration mode, one per line, using the following command (entries are evaluated top to bottom and the first matching entry wins):

(config) access-list NUMBER permit|deny PROTOCOL SOURCE_ADDRESS SOURCE_WILDCARD [SOURCE_PORT_INFORMATION] DESTINATION_ADDRESS DESTINATION_WILDCARD [DESTINATION_PORT_INFORMATION]

2. apply the access list to an interface, in interface configuration mode, in the inbound or outbound direction:

(config-if) ip access-group ACL_NUMBER in|out
NOTE
Extended access list numbers are in the ranges 100 to 199 and 2000 to 2699. You should place extended ACLs as close to the source as possible: because they can identify the unwanted traffic precisely, filtering it at the first hop keeps it from crossing the network only to be dropped near the destination.


To better understand the usefulness of extended access lists, consider the following example.

[Figure: topology for the first extended ACL example (Users network, router R1, servers S1 and S2)]
We want users on the network 10.0.0.0/24 to be able to access server S2 (IP address 192.168.0.1) and to prevent them from accessing server S1 (IP address 172.16.0.1/24). First, we configure an access list entry that permits the Users network to reach S2:

[Figure: extended ACL command 1 (the permit entry for S2)]

Next, we deny the Users network access to S1 with a deny entry in the same access list:

[Figure: extended ACL command 2 (the deny entry for S1)]

Finally, we need to apply the access list to the interface on R1:

[Figure: extended ACL command 3 (ip access-group applied to the interface on R1)]

Here is another example of using extended access lists. This time we use an extended ACL to filter traffic by the port it uses.

[Figure: topology for the second extended ACL example]
Again we have the Users network (10.0.0.0/24). On the right side is server S1 (IP address 172.16.0.1), which acts as a web server listening on TCP port 80. We need to permit users to browse web sites on S1 while denying other types of access, such as Telnet.

First, we allow traffic from the Users network to TCP port 80 on the web server, with the following command:

[Figure: extended ACL port example, command 1 (permit tcp … eq 80)]

By specifying tcp as the protocol we can match on source and destination ports. In the example above we have permitted TCP traffic originating from the 10.0.0.0/24 network to the host 172.16.0.1 on port 80. The last part of the statement, eq 80, placed after the destination address, specifies the destination port; an eq placed after the source address and wildcard would match the source port instead. Note that this entry matches nothing but TCP to port 80: UDP, ICMP and TCP to any other port fall through to the entries below it.

Now we need to deny Telnet traffic (TCP port 23) from the network 10.0.0.0/24 to 172.16.0.1. To do that, we create a deny entry:

[Figure: extended ACL port example, command 2 (deny tcp … eq 23)]

Next, we need to apply our access list to the interface:

[Figure: applying the extended ACL to the interface with ip access-group]

NOTE
Every access list ends with an implicit deny-all entry, so the second statement above was not strictly necessary: once the access list is applied, any traffic that is not explicitly permitted is dropped. An explicit deny entry is still worth keeping when you want match counters for that traffic in show access-lists or want to add the log keyword to it. The implicit deny also cuts off everything else from the Users network through that interface (DNS, ICMP, traffic to other hosts), so permit whatever else is legitimately needed before applying the list.
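To make the matching rules from both examples concrete (wildcard masks, the tcp keyword with eq, first match wins, and the implicit deny described in the note above), here is a small evaluator that reads access-list entries written in the form shown on this page and applies them to packets. It is an added example for this page, not code from the page or from Cisco IOS, and only supports the subset of the syntax the page uses (host, any, and eq on either side). The ACL numbers 100 and 101 for the two examples, the host entry for S1, and the demo source address 10.0.0.5 are assumptions made for the example.

```python
# Added example for this page, not code from the page or from Cisco IOS: it
# evaluates numbered extended ACL entries the way the page describes. ACL
# numbers 100/101 and the demo source 10.0.0.5 are assumptions for the example.
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "telnet": 23, "ftp": 21}  # IOS also takes names after "eq"

@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol, otherwise exact match
    src: int              # addresses as 32-bit integers
    src_wild: int         # wildcard mask: 0 bit = must match, 1 bit = don't care
    dst: int
    dst_wild: int
    sport: Optional[int]  # only "eq PORT" is supported, on either side
    dport: Optional[int]

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

def parse_ace(line: str) -> tuple[int, Ace]:
    """Parse 'access-list N permit|deny PROTO SRC WILD [eq P] DST WILD [eq P]'."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not an access-list entry: {line!r}")
    number = int(tok[1])
    if not (100 <= number <= 199 or 2000 <= number <= 2699):
        raise ValueError(f"{number} is outside the extended ACL number ranges")

    def address(i: int) -> tuple[int, int, int]:
        # "host A.B.C.D" means wildcard 0.0.0.0; "any" means 0.0.0.0 255.255.255.255
        if tok[i] == "host":
            return _addr(tok[i + 1]), 0, i + 2
        if tok[i] == "any":
            return 0, 0xFFFFFFFF, i + 1
        return _addr(tok[i]), _addr(tok[i + 1]), i + 2

    def port(i: int) -> tuple[Optional[int], int]:
        if i < len(tok) and tok[i] == "eq":
            p = tok[i + 1]
            return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
        return None, i

    src, src_wild, i = address(4)
    sport, i = port(i)
    dst, dst_wild, i = address(i)
    dport, i = port(i)
    if i != len(tok):
        raise ValueError(f"unsupported trailing tokens in {line!r}")
    return number, Ace(tok[2], tok[3], src, src_wild, dst, dst_wild, sport, dport)

def _wild_match(addr: int, net: int, wild: int) -> bool:
    # Bits set in the wildcard mask are ignored; every other bit must be equal.
    return ((addr ^ net) & (~wild & 0xFFFFFFFF)) == 0

def matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and _wild_match(_addr(pkt.src), ace.src, ace.src_wild)
            and _wild_match(_addr(pkt.dst), ace.dst, ace.dst_wild)
            and ace.sport in (None, pkt.sport)
            and ace.dport in (None, pkt.dport))

def evaluate(acl: list[str], pkt: Packet) -> tuple[str, Optional[int]]:
    """Top-down, first match wins; no match hits the implicit deny (index None)."""
    for idx, line in enumerate(acl):
        _, ace = parse_ace(line)
        if matches(ace, pkt):
            return ace.action, idx
    return "deny", None

def redundant_trailing_denies(acl: list[str]) -> list[int]:
    """Deny entries with no permit after them; the implicit deny already covers them."""
    aces = [parse_ace(line)[1] for line in acl]
    last_permit = max((i for i, a in enumerate(aces) if a.action == "permit"), default=-1)
    return [i for i, a in enumerate(aces) if a.action == "deny" and i > last_permit]

# First example: Users (10.0.0.0/24) may reach S2 (192.168.0.1) but not S1 (172.16.0.1).
ACL_100 = ["access-list 100 permit ip 10.0.0.0 0.0.0.255 host 192.168.0.1",
           "access-list 100 deny ip 10.0.0.0 0.0.0.255 host 172.16.0.1"]
# Second example: Users may reach the web server on TCP port 80, but not by Telnet.
ACL_101 = ["access-list 101 permit tcp 10.0.0.0 0.0.0.255 host 172.16.0.1 eq 80",
           "access-list 101 deny tcp 10.0.0.0 0.0.0.255 host 172.16.0.1 eq telnet"]

if __name__ == "__main__":
    for dport in (80, 23, 443):  # HTTP, Telnet, and a port no entry mentions
        print(dport, evaluate(ACL_101, Packet("tcp", "10.0.0.5", "172.16.0.1", 40000, dport)))
    print("redundant entries in ACL 101:", redundant_trailing_denies(ACL_101))
```

Running it shows the web packet permitted by entry 0, the Telnet packet denied by entry 1, and the packet to port 443 denied with no matching entry, which is the implicit deny at work; redundant_trailing_denies reports entry 1 of each list, the point made in the note above. Putting a broad deny (for example deny ip 10.0.0.0 0.0.0.255 any) ahead of the permit would shadow it and block the web traffic too, so entry order matters as much as the entries themselves.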