Extended Access Lists – ACL

Overview

Extended access lists offer greater flexibility than standard access lists because you can filter not only on source IP addresses but also on destination IP addresses, as well as on protocols, ports, and services, such as TCP port 23 (telnet). Since you can declare both the source and the destination addresses, you can apply the extended ACL on the router that is closest to the source network. This lets you filter packets as soon as they leave that network, instead of letting them traverse the entire network before being filtered and dropped; applied in this way, extended ACLs conserve bandwidth and router resources.

Standard ACL (1-99)                       Extended ACL (100-199)
Applied closest to the destination        Applied closest to the source
Denies or permits:                        Denies or permits:
  source IP address                         source IP address,
                                            destination IP address,
                                            port or service (optional)

Two Steps:

1. create the access list (standard or extended)
2. apply the access list to an interface (inbound or outbound)

1. Create:

Standard ACL (1-99, and 2000-2699):
denies or permits: 1) source IP address
Extended ACL (100-199):
denies or permits: 1) source IP address, 2) destination IP address, 3) port (service) (optional)

2. Apply:

Where to apply an ACL?
A standard ACL is applied inbound or outbound on the router interface that is closest to the destination of the traffic.
An extended ACL is applied inbound or outbound on the router interface that is closest to the source of the traffic.

IOS Commands

Extended access list command formats:
access-list <100-199> <deny | permit> <protocol> <source ip address> <wildcard bits> <destination ip address> <wildcard bits> <operator> <port or service>
access-list <100-199> <deny | permit> <protocol> host <source ip address> host <destination ip address> <operator> <port or service>
access-list <100-199> <deny | permit> <protocol> <source ip address> <wildcard bits> <destination ip address> <wildcard bits>

Extended access list examples:

Deny one source class C (/24) network and permit another to a destination class C (/24) network:
router(config)#access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
router(config)#access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255

Deny or permit a source host to a destination /24 network:
router(config)#access-list 100 deny ip 192.168.1.100 0.0.0.0 192.168.4.0 0.0.0.255
router(config)#access-list 100 deny ip host 192.168.1.100 192.168.4.0 0.0.0.255
router(config)#access-list 100 permit ip 192.168.1.101 0.0.0.0 192.168.4.0 0.0.0.255
router(config)#access-list 100 permit ip host 192.168.1.101 192.168.4.0 0.0.0.255

Deny or permit any host to any destination on port 80 (http):
router(config)#access-list 100 deny tcp any any eq 80
router(config)#access-list 100 permit tcp any any eq 80

Deny or permit all hosts (an extended ACL entry always needs a protocol keyword, here ip):
router(config)#access-list 100 deny ip any any
router(config)#access-list 100 permit ip any any

Apply the access list to a router interface outbound and inbound

router(config)#interface fastethernet 0/0
router(config-if)#ip access-group 100 out

router(config)#interface fastethernet 0/1
router(config-if)#ip access-group 100 in
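As an added example that is not part of the original post or of Cisco IOS, the following Python evaluates a small extended ACL written in the command format shown above: it parses the access-list lines, applies wildcard-mask matching, walks the entries top-down with first-match semantics, and applies the implicit deny at the end of every ACL. The ACL text is constructed for this example.

```python
import ipaddress

# Constructed sample ACL in the format shown above: block telnet from one host
# into 192.168.4.0/24, then permit the rest of 192.168.1.0/24.
ACL_100 = """
access-list 100 deny tcp host 192.168.1.100 192.168.4.0 0.0.0.255 eq 23
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
"""

def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D <wildcard>'.
    Returns ((network_int, wildcard_int), remaining_tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    net, wc = tokens[0], tokens[1]
    return (int(ipaddress.IPv4Address(net)), int(ipaddress.IPv4Address(wc))), tokens[2:]

def parse_acl(config_text):
    """Return entries as (action, protocol, src_spec, dst_spec, port) in configured order.
    Only numeric ports with 'eq' are handled, as in the examples on this page."""
    entries = []
    for line in config_text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        action, proto = tok[2], tok[3]
        src, rest = _parse_addr(tok[4:])
        dst, rest = _parse_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        entries.append((action, proto, src, dst, port))
    return entries

def _match(addr, spec):
    """Cisco wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    net, wildcard = spec
    return (int(ipaddress.IPv4Address(addr)) | wildcard) == (net | wildcard)

def evaluate(entries, proto, src, dst, dport=None):
    """Walk the ACL top-down; the first matching entry decides.
    A packet that matches no entry hits the implicit deny at the end of every ACL."""
    for action, p, s, d, port in entries:
        if p != "ip" and p != proto:          # 'ip' matches every IP protocol
            continue
        if _match(src, s) and _match(dst, d) and (port is None or port == dport):
            return action
    return "deny"

ENTRIES = parse_acl(ACL_100)
```

Swapping the two entries silently defeats the telnet deny, because the permit is matched first; entry order and the implicit deny are what to check with show access-lists before applying a list to an interface.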

Video Tutorial

If you would like to follow along in Packet Tracer, click here to download the PT starter file:

In part 1, I demonstrate how to write and apply a basic extended access list

In part 2, I demonstrate how to permit only a port (service) using an extended access list 

Author: Dan

Dan teaches computer networking and security classes at Central Oregon Community College.
