Configure Extended Access Control List Step by Step Guide

Extended access lists are flexible. They support many options and parameters to define criteria in statements. For example, you can use a source address, a destination address, a layer-3 protocol, and a layer-4 protocol. This tutorial explains how to create, apply, update, and delete an extended access list for layer-4 protocols.

Setting up a practice lab

Create a practice lab on Packet Tracer as shown in the following image.

example lab for practice

Configure IP addresses as shown in the above image and test connectivity between sections. To test connectivity, use the 'ping' command. The following image shows testing from PC0.

testing connectivity

Server0 includes many services. Enable and configure HTTP, FTP, and DNS for testing. The HTTP service is already enabled and configured. It does not require any additional configuration.

Enabling http service

Just like the HTTP service, the FTP service is also enabled by default. However, it requires authentication. It includes a default testing account. The username and password for this account are 'cisco' and 'cisco'.

Enabling ftp service

The DNS service is not enabled by default. To enable it, select the 'On' option. You also need to add a few DNS records. To add a record, specify the device's name and IP address, then click the Add and Save buttons.

Enabling DNS service

You also need to update IP configurations on PCs to make them DNS clients. Add the DNS server's IP address to the PCs' IP configuration. The following image shows how to set the DNS server's IP address on PC0.

Updating DNS record

After updating the DNS server's IP address, verify that PC0 can access all three services. The following image verifies that PC0 can access the web service running on Server0.

Accessing web service

The following image verifies that PC0 can access FTP and DNS services running on Server0.

Verifying ftp and DNS services

Pre-built practice lab

The following link provides this lab with all the configurations listed above.

Packet Tracer Lab with Initial Configuration

Objectives

Create an extended access list that allows the Marketing section to access only the web and DNS services running on the Server, while denying all other services. Allow all access to the Management section. Deny all other traffic.

Understanding requirements

To fulfill the above requirements, you have to add the following statements to the extended access list.

  • A statement that allows the Marketing section to access the web service.
  • A statement that allows the Marketing section to access the DNS service.
  • A statement that blocks the Marketing section from accessing all other services.
  • A statement that allows all access to the Management section.
  • A statement that blocks all other traffic.

An extended access list works best when it is applied close to the source of the traffic it filters. In this example, you want to filter traffic originating from the Marketing section. The Marketing section's traffic enters the network through the Router's Gig0/0 interface, so you can apply an extended ACL containing the statements above to this interface.

Port numbers/names

To keep the data of different applications separate, TCP and UDP assign each application a unique numeric value known as a port number. You can match an application's traffic by its port number. Some applications also have a keyword, which you can use in place of the port number. Because keywords are not available for every application, use port numbers rather than names.

The following table lists port numbers and IOS keywords for some of the most common applications.

Application   Protocol   Port number   Keyword
FTP           TCP        21            ftp
Telnet        TCP        23            telnet
SMTP          TCP        25            smtp
HTTP          TCP        80            www
POP3          TCP        110           pop3
DNS           UDP        53            domain
TFTP          UDP        69            tftp
SNMP          UDP        161           snmp
IP RIP        UDP        520           rip

Creating an extended access list

Access the Router's command-line interface and run the following commands.

Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip access-list extended BlockMarketing
Router(config-ext-nacl)#permit tcp 10.0.0.0 0.255.255.255 host 30.0.0.10 eq 80
Router(config-ext-nacl)#permit udp 10.0.0.0 0.255.255.255 host 30.0.0.10 eq 53
Router(config-ext-nacl)#deny ip 10.0.0.0 0.255.255.255 host 30.0.0.10
Router(config-ext-nacl)#permit ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
Router(config-ext-nacl)#deny ip 10.0.0.0 0.255.255.255 any
Router(config-ext-nacl)#exit
Router(config)#interface gigabitethernet 0/0
Router(config-if)#ip access-group BlockMarketing in
Router(config-if)#exit
Router(config)#exit
Router#

The above commands create an extended access list named BlockMarketing and apply it to the GigabitEthernet 0/0 interface in the inbound direction. The access list contains five statements. The following list describes the action of each statement.

Statement:  permit tcp 10.0.0.0 0.255.255.255 host 30.0.0.10 eq 80
Action:     Allow a packet if its source address is in the network 10.0.0.0/8, its destination address is 30.0.0.10, and the destination application is HTTP (TCP port 80).

Statement:  permit udp 10.0.0.0 0.255.255.255 host 30.0.0.10 eq 53
Action:     Allow a packet if its source address is in the network 10.0.0.0/8, its destination address is 30.0.0.10, and the destination application is DNS (UDP port 53).

Statement:  deny ip 10.0.0.0 0.255.255.255 host 30.0.0.10
Action:     Block a packet if its source address is in the network 10.0.0.0/8 and its destination address is 30.0.0.10.

Statement:  permit ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
Action:     Allow a packet if its source address is in the network 10.0.0.0/8 and its destination address is in the network 20.0.0.0/8.

Statement:  deny ip 10.0.0.0 0.255.255.255 any
Action:     Block a packet if its source address is in the network 10.0.0.0/8 and its destination address is in any network.

Creating an extended access list

Verifying the extended access list

To verify that the Marketing section can access the web server running on Server0, you can access a web page from the web server. The following image shows how to perform this test on PC0.

web service allowed

To verify that the Marketing section can access the Management section and the DNS service running on Server0, send ping requests from PC0 to a PC in the Management section. To send ping requests, instead of using the IP address of the PC, use the name of the PC. The ping command uses the DNS service running on Server0 to resolve the name to an IP address, then sends ping requests to that IP address. This way, you can verify both requirements with a single command.

To verify that the Marketing section cannot access any other services running on the Server, ping the Server's IP and access the FTP service running on it from PC0. The ACL will block both requests.

ftp blocked

Configured Packet Tracer Lab

The following link provides the configured Packet Tracer lab for the above example.

Packet Tracer Lab with ACL Configuration

Updating the extended ACL

Suppose you want to allow the Marketing section to access the FTP service running on the Server. For this, you have to create a permit statement and insert it before the statement that denies all remaining traffic to the Server. To modify an existing ACL, you need the sequence numbers of its existing entries. To view them, use the 'show ip access-lists' command.

Check the sequence number of the entry that denies all traffic to the destination 30.0.0.10. To insert a statement that allows FTP traffic, use a sequence number that is lower than the sequence number of the deny statement. The following commands perform the tasks described above.

Router>enable
Router#show ip access-lists
Extended IP access list BlockMarketing
10 permit tcp 10.0.0.0 0.255.255.255 host 30.0.0.10 eq www
20 permit udp 10.0.0.0 0.255.255.255 host 30.0.0.10 eq domain
30 deny ip 10.0.0.0 0.255.255.255 host 30.0.0.10
40 permit ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
50 deny ip 10.0.0.0 0.255.255.255 any
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip access-list extended BlockMarketing
Router(config-ext-nacl)#21 permit tcp 10.0.0.0 0.255.255.255 host 30.0.0.10 eq 21
Router(config-ext-nacl)#exit
Router(config)#exit
Router#
Router#show ip access-lists
Extended IP access list BlockMarketing
10 permit tcp 10.0.0.0 0.255.255.255 host 30.0.0.10 eq www
20 permit udp 10.0.0.0 0.255.255.255 host 30.0.0.10 eq domain
21 permit tcp 10.0.0.0 0.255.255.255 host 30.0.0.10 eq ftp
30 deny ip 10.0.0.0 0.255.255.255 host 30.0.0.10
40 permit ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
50 deny ip 10.0.0.0 0.255.255.255 any
Router#

The following image shows how to run the above commands on the Router.

Updating ACL entry
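As an added illustration (not part of the tutorial and not Cisco IOS code), the following Python models how the router evaluates the BlockMarketing list from the sections above: wildcard-mask matching, first match by sequence number, the implicit deny at the end, and why the FTP entry inserted as sequence 21 lands ahead of the deny at sequence 30 and changes the verdict. The address 10.0.0.2 is a constructed Marketing-section host; the tutorial does not list PC IP addresses.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _parse_addr(t):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return ((addr, wildcard), remaining tokens)."""
    if t[0] == "any":
        return (0, 0xFFFFFFFF), t[1:]
    if t[0] == "host":
        return (_ip(t[1]), 0), t[2:]
    return (_ip(t[0]), _ip(t[1])), t[2:]

def parse_ace(line):
    """Parse '<seq> <permit|deny> <proto> <src> <dst> [eq <port>]' as 'show ip access-lists' prints it."""
    t = line.split()
    src, rest = _parse_addr(t[3:])
    dst, rest = _parse_addr(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"seq": int(t[0]), "action": t[1], "proto": t[2], "src": src, "dst": dst, "port": port}

def _addr_match(spec, addr):
    base, wildcard = spec
    # A 1 bit in the wildcard mask means "don't care"; every 0 bit must match exactly.
    return (base & ~wildcard) == (_ip(addr) & ~wildcard)

def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry (by sequence number) decides; otherwise the implicit deny applies."""
    for ace in sorted(acl, key=lambda a: a["seq"]):
        if (ace["proto"] in ("ip", proto)
                and _addr_match(ace["src"], src) and _addr_match(ace["dst"], dst)
                and (ace["port"] is None or ace["port"] == dport)):
            return ace["action"]
    return "deny"  # implicit deny at the end of every ACL

# The tutorial's BlockMarketing entries with the sequence numbers IOS assigns.
BLOCK_MARKETING = [parse_ace(s) for s in (
    "10 permit tcp 10.0.0.0 0.255.255.255 host 30.0.0.10 eq 80",
    "20 permit udp 10.0.0.0 0.255.255.255 host 30.0.0.10 eq 53",
    "30 deny ip 10.0.0.0 0.255.255.255 host 30.0.0.10",
    "40 permit ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255",
    "50 deny ip 10.0.0.0 0.255.255.255 any",
)]

# The tutorial's update: sequence 21 sorts between 20 and 30, ahead of the deny at 30.
UPDATED = BLOCK_MARKETING + [parse_ace("21 permit tcp 10.0.0.0 0.255.255.255 host 30.0.0.10 eq 21")]

if __name__ == "__main__":
    # 10.0.0.2 is a constructed Marketing host address (the tutorial lists no PC IPs).
    print(evaluate(BLOCK_MARKETING, "tcp", "10.0.0.2", "30.0.0.10", 21), evaluate(UPDATED, "tcp", "10.0.0.2", "30.0.0.10", 21))
```

Running the block prints "deny permit": FTP from the Marketing host is blocked by sequence 30 in the original list and permitted by sequence 21 in the updated one.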

To verify that the Marketing section can access the FTP service running on the Server, open a command prompt on PC0 and connect to the FTP server running on Server0. If the connection succeeds, the updated ACL configuration is working.

verifying update

The following link provides the updated packet tracer lab.

Download the updated Packet Tracer Lab with ACL Configuration

This tutorial is part of the series "Cisco Access List Commands, Concepts, and Configurations". The other parts of the series are as follows:

Chapter 01  Definition, purposes, benefits, and functions of ACL
Chapter 02  Basic concepts and fundamentals of ACLs
Chapter 03  How Access Lists work on Cisco routers
Chapter 04  Types of access control lists explained
Chapter 05  Wildcard Masks in ACLs Explained
Chapter 06  Rules and configuration guidelines for Cisco ACLs
Chapter 07  Access Control List Explained with Examples
Chapter 08  The ip access-list command options and arguments
Chapter 09  Standard ACL Configuration Commands Explained
Chapter 10  Configure Standard Access Control List Step-by-Step Guide
Chapter 11  How to secure VTY access to the Router
Chapter 12  Extended ACL Configuration Commands Explained
Chapter 13  Configure Extended Access Control List Step-by-Step Guide
Chapter 14  How to block ICMP Ping on Cisco Routers

Conclusion

An ACL is an essential tool for controlling and managing network traffic. This tutorial demonstrated how to configure and implement an extended ACL that allows specific traffic while blocking the rest. By following the steps outlined here, you can create, apply, update, and delete extended ACLs to control precisely which services users can access.
