Configure Extended Access Control List Step by Step Guide

This tutorial explains how to create, apply, update and delete a named extended access list. Learn the Extended access list management through a packet tracer example.

Extended access lists are flexible. They support many options and parameters to define criteria in statements. For example, you can use a source address, a destination address, a layer-3 protocol, and a layer-4 protocol.

In this tutorial, we will discuss how to define criteria for layer-4 protocols in extended access lists. In an IP network, two protocols work on layer 4. These protocols are TCP and UDP. We will learn how to create an extended access list for both protocols.

For this tutorial, I assume that you know what access lists are and how they work. To learn access lists from the beginning, you can check the previous parts of this tutorial.

This tutorial is the thirteenth part of the article 'Cisco Access Lists Explained with Examples.'. Other parts of this article are the following.

Definition, purposes, benefits, and functions of ACL
Basic concepts and fundamentals of ACLs
How Access Lists work on Cisco routers
Types of access control lists explained
Wildcard masks in ACLs Explained
Rules and configuration guidelines for Cisco ACLs
Access Control List Explained with Examples
The ip access-list command options and arguments
Standard ACL Configuration Commands Explained
Configure Standard Access Control List Step by Step Guide
How to secure VTY access to the Router
Extended ACL Configuration Commands Explained
How to block ICMP Ping on Cisco Routers

Setting up a practice lab

Create a practice lab on Packet Tracer as shown in the following image.

example lab for practice

Configure IP addresses as shown in the above image and test connectivity between sections. To test connectivity, you can use the 'ping' command. The following image shows testing from PC0.

testing connectivity

Server0 includes many services. From these services, we will use three services to test layer-4 connectivity. These services are HTTP, FTP, and DNS.

The HTTP service is already enabled. We don't need to make any changes to enable this service.

enable http service

Just like the HTTP service, the FTP service is also enabled by default. The FTP service requires authentication. For testing, a default account is also created. The username and password for this account are 'cisco' and 'cisco', respectively.

enable ftp service

By default, the DNS service is not enable. We have to enable it. To enable it, select the 'On' option. We also need to add some records. To add a record, specify the name and IP address of the device and click the Add and Save buttons. The following image shows this process.

enable dns service

We also have to update the IP configuration on PCs to make them DNS clients. Add the DNS server's IP address to the IP configuration of PCs. The following image shows how to set the DNS server's IP address on PC0.

update dns record

After updating the DNS server's IP address, verify that PC0 can access all three services. The following image verifies that PC0 can access web service running on Server0.

access web service

The following image verifies that PC0 can access FTP and DNS services running Server0.

verify ftp and dns service

Now, this lab is ready. If you can't replicate this lab or need a ready-to-use lab, you can download and use the following pre-created lab.

Download Packet Tracer Lab with Initial Configuration

This lab includes all the above configurations.

Requirements

Create an extended access list that allows the Marketing section to access only the web service and DNS service from the Server. The Marketing section should not be allowed to access any other services running on the Server.

Understanding requirements

To fulfill the above requirements, we have to add the following statements to the extended access list.

  • A statement that allows access to the web service.
  • A statement that allows access to the DNS service.
  • A statement that blocks access to all other services.
  • A statement that allows access to the Management section.
  • A statement that blocks all other traffic.

An extended list is applied near to the source. In our example, we want to filter the traffic that originates from the Marketing section. The Marketing section's traffic enters the network from the Gig0/0 interface of the router. We will implement an extended ACL on this interface with the above statements.

Port numbers/names

To keep each application's data separate from other applications, TCP and UDP assign a unique numeric value to each application. This value is known as the port number. We use the port number of an application to match the traffic of that application.

Some applications also use keywords. If a keyword is available, you can use the keyword in the place of the port number. Since keywords are not available for all applications, it is recommended to use port numbers instead of names.

The following table lists port numbers and names for some most common applications.

Application Protocol Port number Keyword
FTP TCP 21 ftp
Telnet TCP 23 telnet
SMTP TCP 25 smtp
HTTP TCP 80 www
POP3 TCP 110 pop3
DNS UDP 53 dns
TFTP UDP 69 tftp
SNMP UDP 161 snmp
IP RIP UDP 520 rip

Creating an extended access list

There are two commands to create an extended access list. These commands are 'access-list' and 'ip access-list'. We have already discussed the 'access-list' command in the previous part of this article. In this part, we will use the 'ip access list' command to create the extended access list.

Access the command line interface of the Router and run the following commands.

Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip access-list extended BlockMarketing
Router(config-ext-nacl)#permit tcp 10.0.0.0 0.255.255.255 host 30.0.0.10 eq 80
Router(config-ext-nacl)#permit udp 10.0.0.0 0.255.255.255 host 30.0.0.10 eq 53
Router(config-ext-nacl)#deny ip 10.0.0.0 0.255.255.255 host 30.0.0.10
Router(config-ext-nacl)#permit ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
Router(config-ext-nacl)#deny ip 10.0.0.0 0.255.255.255 any
Router(config-ext-nacl)#exit
Router(config)#interface gigabitethernet 0/0
Router(config-if)#ip access-group BlockMarketing in
Router(config-if)#exit
Router(config)#exit
Router#

The above commands create an extended access list BlockMarketing and apply it to the GigabitEthernet 0/0 interface in the inward direction. The access list contains five statements. The following table lists the meaning of these statements.

Statements Description/action
permit tcp 10.0.0.0 0.255.255.255 host 30.0.0.10 eq 80 Allow a packet if its source address is from the network 10.0.0.0/8 and the destination address is 30.0.0.10 and the destination application is HTTP.
permit udp 10.0.0.0 0.255.255.255 host 30.0.0.10 eq 53 Allow a packet if its source address is from the network 10.0.0.0/8 and the destination address is 30.0.0.10 and the destination application is FTP.
deny ip 10.0.0.0 0.255.255.255 host 30.0.0.10 Block a packet if its source address is from the network 10.0.0.0/8 and the destination address is 30.0.0.10.
permit ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255 Allow a packet if its source address is from the network 10.0.0.0/8 and the destination address is from the network 20.0.0.0/8.
deny ip 10.0.0.0 0.255.255.255 any Block a packet if its source address is from the network 10.0.0.0/8 and the destination address is from any network.

The following image shows how to execute the above commands on the Router.

create an extended access list

Testing/verifying the extended access list

To verify that the Marketing section can access the webserver running on Server0, you can access a web page from the webserver. The following image shows how to perform this test on PC0.

web service allowed

To verify that the Marketing section can access the DNS service running on Server0 and can access the Management section, you can send ping requests to a PC of the Management section from PC0. To send ping requests, instead of using the IP address of the PC, use the name of the PC. The ping command will use the DNS service running on Server0 to resolve the name to the IP address and then will send ping requests to the IP address. This way, you can verify both requirements with a single command.

To verify that the Marketing section can't access any other services running on the Server, you can access the FTP service running on the Server from PC0. The request must be blocked by the ACL.

ftp blocked

Configured Packet Tracer Lab

The following link provides the configured packet tracer lab of the above example.

Download Packet Tracer Lab with ACL Configuration

Updating the extended ACL

Now suppose, we want to allow the Marketing section to access the FTP service running on the Server. For this, we have to create an allow statement and will have to insert this statement before the statement that denies all traffic to the Server.

To view the sequence number of current statements, we can use the 'show ip access-lists' command. Check the sequence number of the statement that denies all traffic to the destination 30.0.0.10. To insert a statement that allows FTP traffic, use a sequence number that is lower than the sequence number of the deny statement.

The following commands perform the above tasks.

Router>enable
Router#show ip access-lists
Extended IP access list BlockMarketing
10 permit tcp 10.0.0.0 0.255.255.255 host 30.0.0.10 eq www
20 permit udp 10.0.0.0 0.255.255.255 host 30.0.0.10 eq domain
30 deny ip 10.0.0.0 0.255.255.255 host 30.0.0.10
40 permit ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
50 deny ip 10.0.0.0 0.255.255.255 any
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip access-list extended BlockMarketing
Router(config-ext-nacl)#21 permit tcp 10.0.0.0 0.255.255.255 host 30.0.0.10 eq 21
Router(config-ext-nacl)#exit
Router(config)#exit
Router#
Router#show ip access-lists
Extended IP access list BlockMarketing
10 permit tcp 10.0.0.0 0.255.255.255 host 30.0.0.10 eq www
20 permit udp 10.0.0.0 0.255.255.255 host 30.0.0.10 eq domain
21 permit tcp 10.0.0.0 0.255.255.255 host 30.0.0.10 eq ftp
30 deny ip 10.0.0.0 0.255.255.255 host 30.0.0.10
40 permit ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
50 deny ip 10.0.0.0 0.255.255.255 any
Router#

The following image shows how to run the above commands on the Router.

update ACL entry

To verify that the Marketing section can access the FTP service running on Server. Open the command prompt on PC0 and access the FTP server running on Server. If PC0 can access the FTP server running on Server, it verifies that the ACL has been successfully updated for the new requirement.

verify update

The following link provides the updated packet tracer lab.

Download updated Packet Tracer Lab with ACL Configuration

That’s all for this tutorial. In the next tutorial, we will learn how to create, implement, and verify a named extended access list.

By ComputerNetworkingNotes Updated on 2021-12-02 11:35:49 IST

ComputerNetworkingNotes CCNA Study Guide Configure Extended Access Control List Step by Step Guide

Extended ACL Configuration Commands Explained
Types of Wireless Network Explained with Standards