Extended Access Lists example

Written by admin. Posted in ACLs

Extended access lists give us extra features compared with standard ACLs: they check a packet's source address, destination address, protocol and port number. Like standard ACLs, extended access lists can be numbered or named. The number ranges used by numbered extended ACLs are 100 to 199 and 2000 to 2699.

Let's have a look and configure them on a Cisco router.

Extended ACLs

Numbered Extended Access List

In the image we have a client PC that will probably try to connect to those web servers. Our task is to deny Client_PC access to WebServer_A. To achieve this, all we have to do is add an extended access list on router R1 which will filter the PC's HTTP requests to WebServer_A. Check the configuration on R1 below.

R1

access-list 100 deny tcp host 10.0.0.2 host 10.0.1.2 eq www
access-list 100 permit ip any any

interface fastEthernet 0/0
ip access-group 100 in

In the example above, the ACL blocks HTTP requests with the "deny" statement. Instead of "host" we could use a subnet address and wildcard mask. With the keyword "eq" the access list will match the port number or port name specified after it (in this case "www"). At the end of this extended access list we added a permit any statement to allow all other traffic to pass; without it, the implicit deny at the end of every ACL would drop all other traffic. This ACL was applied to interface fa0/0 to act on inbound traffic. So all traffic that uses port 80 (www), comes from Client PC and goes to WebServer A (10.0.1.2) will be denied.

Let's provide one more example of this type of ACL. The next ACL will block the client PC from accessing the servers through Telnet (port 23).

R1

access-list 101 deny tcp 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255 eq telnet
access-list 101 permit ip any any

interface fastEthernet 0/0
ip access-group 101 in

In this example we used a subnet and wildcard mask instead of host addresses.

Named Extended Access List

To configure a named extended ACL, first define it by giving it a name. In global configuration mode type:

R1

ip access-list extended MYACL

where MYACL is the name of this access list. Now you can define the filtering entries for it. Let's implement the previous examples in this ACL.

deny tcp host 10.0.0.2 host 10.0.1.2 eq 80
deny tcp 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255 eq 23
permit ip any any

interface fastEthernet 0/0
ip access-group MYACL in

Here we merged the previous ACLs into one named extended access list and used port numbers (80 and 23) instead of port names (www and telnet), but the results are the same. As with the numbered lists, a closing permit ip any any is required; otherwise the implicit deny at the end of the list drops all other traffic.
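As an added example (not from the article), the following Python simulates how the router evaluates these lists: a packet is compared against the entries top-down, wildcard-mask bits set to 1 are ignored, the first match wins, and a packet that matches nothing hits the implicit deny. MYACL_DENY_ONLY is a constructed copy of the named list without a closing permit ip any any, which shows why that line is needed.

```python
import ipaddress

PORT_NAMES = {"www": 80, "telnet": 23}  # port names used on this page

def wildcard_match(addr, spec):
    """spec is 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W' (address + wildcard mask)."""
    if spec == "any":
        return True
    parts = spec.split()
    base, wild = (parts[1], "0.0.0.0") if parts[0] == "host" else parts
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wild))
    # A 1 bit in the wildcard mask means "don't care"; only the 0 bits must match.
    return (a & ~w) == (b & ~w)

def _take_addr(tokens, i):
    # Consume one address spec starting at tokens[i]; return (spec, next index).
    if tokens[i] == "any":
        return "any", i + 1
    return " ".join(tokens[i:i + 2]), i + 2

def parse_ace(line):
    """Parse one entry such as 'deny tcp host 10.0.0.2 host 10.0.1.2 eq www'."""
    t = line.split()
    action, proto = t[0], t[1]
    src, i = _take_addr(t, 2)
    dst, i = _take_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":  # 'eq' after the destination = destination port
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return action, proto, src, dst, dport

def evaluate(acl, proto, src, dst, dport):
    """Return 'permit' or 'deny': entries are checked top-down and the first match wins."""
    for line in acl:
        action, p, s, d, port = parse_ace(line)
        if p != "ip" and p != proto:
            continue
        if not (wildcard_match(src, s) and wildcard_match(dst, d)):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"  # the implicit 'deny any' at the end of every IOS ACL
# The article's ACLs; MYACL_DENY_ONLY is the named list without a closing permit.
ACL_100 = ["deny tcp host 10.0.0.2 host 10.0.1.2 eq www", "permit ip any any"]
MYACL_DENY_ONLY = ["deny tcp host 10.0.0.2 host 10.0.1.2 eq 80",
                   "deny tcp 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255 eq 23"]
MYACL = MYACL_DENY_ONLY + ["permit ip any any"]
```

Call evaluate(MYACL_DENY_ONLY, "tcp", "10.0.0.2", "10.0.1.2", 443) and evaluate(MYACL, ...) with the same packet to see the implicit deny turn into a permit once the closing entry is present.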

Comments (8)

  • sabyasachi acharya

    These lessons and examples with graphical scenarios are awesome… they're too helpful for us…

  • Adam Abubakar

    Waooo… these examples are more than enough, I really appreciate all this, kudos to this site.

  • Atit Sheth

    Very easy to understand. Good example.

  • jey

    Very helpful
    thank you :)

  • abdul

    access-list 101 deny tcp 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255 eq telnet
    access-list 101 permit ip any any

    interface fastEthernet 0/0
    ip access-group 100 in

    Here ip access-group 101 in is correct.

    • admin

      Yes, sure, I rectified it. Thanks.

  • CorvusCorax

    In MYACL we must use
    permit ip any any

  • zinat

    thanks
