This tutorial explains how to create, apply, update, and delete a named extended access list. Learn extended access list management through a Packet Tracer example.
Extended access lists are flexible. They support many options and parameters to define criteria in statements. For example, you can use a source address, a destination address, a layer-3 protocol, and a layer-4 protocol.
In this tutorial, we will discuss how to define criteria for layer-4 protocols in extended access lists. In an IP network, two protocols work on layer 4. These protocols are TCP and UDP. We will learn how to create an extended access list for both protocols.
For this tutorial, I assume that you know what access lists are and how they work. To learn access lists from the beginning, you can check the previous parts of this tutorial.
This tutorial is the thirteenth part of the article 'Cisco Access Lists Explained with Examples'. The other parts of this article are the following.
Definition, purposes, benefits, and functions of ACL
Basic concepts and fundamentals of ACLs
How Access Lists work on Cisco routers
Types of access control lists explained
Wildcard masks in ACLs Explained
Rules and configuration guidelines for Cisco ACLs
Access Control List Explained with Examples
The ip access-list command options and arguments
Standard ACL Configuration Commands Explained
Configure Standard Access Control List Step by Step Guide
How to secure VTY access to the Router
Extended ACL Configuration Commands Explained
How to block ICMP Ping on Cisco Routers
Setting up a practice lab
Create a practice lab on Packet Tracer as shown in the following image.
Configure IP addresses as shown in the above image and test connectivity between sections. To test connectivity, you can use the 'ping' command. The following image shows testing from PC0.
Server0 includes many services. From these services, we will use three services to test layer-4 connectivity. These services are HTTP, FTP, and DNS.
The HTTP service is already enabled. We don't need to make any changes to enable this service.
Just like the HTTP service, the FTP service is also enabled by default. The FTP service requires authentication. For testing, a default account is also created. The username and password for this account are 'cisco' and 'cisco', respectively.
By default, the DNS service is not enabled. We have to enable it. To enable it, select the 'On' option. We also need to add some records. To add a record, specify the name and IP address of the device and click the Add and Save buttons. The following image shows this process.
We also have to update the IP configuration on PCs to make them DNS clients. Add the DNS server's IP address to the IP configuration of PCs. The following image shows how to set the DNS server's IP address on PC0.
The following image verifies that PC0 can access the FTP and DNS services running on Server0.
Now, this lab is ready. If you can't replicate this lab or need a ready-to-use lab, you can download and use the following pre-created lab.
Download Packet Tracer Lab with Initial Configuration
This lab includes all the above configurations.
Requirements
Create an extended access list that allows the Marketing section to access only the web service and DNS service from the Server. The Marketing section should not be allowed to access any other services running on the Server.
Understanding requirements
To fulfill the above requirements, we have to add the following statements to the extended access list.
- A statement that allows access to the web service.
- A statement that allows access to the DNS service.
- A statement that blocks access to all other services.
- A statement that allows access to the Management section.
- A statement that blocks all other traffic.
An extended access list is applied close to the source. In our example, we want to filter the traffic that originates from the Marketing section. The Marketing section's traffic enters the network through the Gig0/0 interface of the router. We will apply an extended ACL with the above statements to this interface.
Port numbers/names
To keep each application's data separate from other applications, TCP and UDP assign a unique numeric value to each application. This value is known as the port number. We use the port number of an application to match the traffic of that application.
Some applications also use keywords. If a keyword is available, you can use the keyword in the place of the port number. Since keywords are not available for all applications, it is recommended to use port numbers instead of names.
The following table lists port numbers and keywords for some of the most common applications.

| Application | Protocol | Port number | Keyword |
|---|---|---|---|
| FTP | TCP | 21 | ftp |
| Telnet | TCP | 23 | telnet |
| SMTP | TCP | 25 | smtp |
| HTTP | TCP | 80 | www |
| POP3 | TCP | 110 | pop3 |
| DNS | UDP | 53 | dns |
| TFTP | UDP | 69 | tftp |
| SNMP | UDP | 161 | snmp |
| IP RIP | UDP | 520 | rip |
Creating an extended access list
There are two commands to create an extended access list: 'access-list' and 'ip access-list'. We have already discussed the 'access-list' command in the previous part of this article. In this part, we will use the 'ip access-list' command to create the extended access list.
Access the command line interface of the Router and run the following commands.
```
Router>enable
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#ip access-list extended BlockMarketing
Router(config-ext-nacl)#permit tcp 10.0.0.0 0.255.255.255 host 30.0.0.10 eq 80
Router(config-ext-nacl)#permit udp 10.0.0.0 0.255.255.255 host 30.0.0.10 eq 53
Router(config-ext-nacl)#deny ip 10.0.0.0 0.255.255.255 host 30.0.0.10
Router(config-ext-nacl)#permit ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
Router(config-ext-nacl)#deny ip 10.0.0.0 0.255.255.255 any
Router(config-ext-nacl)#exit
Router(config)#interface gigabitethernet 0/0
Router(config-if)#ip access-group BlockMarketing in
Router(config-if)#exit
Router(config)#exit
Router#
```
The above commands create an extended access list named BlockMarketing and apply it to the GigabitEthernet 0/0 interface in the inbound direction. The access list contains five statements. The following table lists the meaning of these statements.

| Statement | Description/action |
|---|---|
| permit tcp 10.0.0.0 0.255.255.255 host 30.0.0.10 eq 80 | Allow a packet if its source address is from the network 10.0.0.0/8, the destination address is 30.0.0.10, and the destination application is HTTP. |
| permit udp 10.0.0.0 0.255.255.255 host 30.0.0.10 eq 53 | Allow a packet if its source address is from the network 10.0.0.0/8, the destination address is 30.0.0.10, and the destination application is DNS. |
| deny ip 10.0.0.0 0.255.255.255 host 30.0.0.10 | Block a packet if its source address is from the network 10.0.0.0/8 and the destination address is 30.0.0.10. |
| permit ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255 | Allow a packet if its source address is from the network 10.0.0.0/8 and the destination address is from the network 20.0.0.0/8. |
| deny ip 10.0.0.0 0.255.255.255 any | Block a packet if its source address is from the network 10.0.0.0/8 and the destination address is any address. |
The following image shows how to execute the above commands on the Router.
Testing/verifying the extended access list
To verify that the Marketing section can access the webserver running on Server0, you can access a web page from the webserver. The following image shows how to perform this test on PC0.
To verify that the Marketing section can access the DNS service running on Server0 and can access the Management section, you can send ping requests to a PC of the Management section from PC0. To send ping requests, instead of using the IP address of the PC, use the name of the PC. The ping command will use the DNS service running on Server0 to resolve the name to the IP address and then will send ping requests to the IP address. This way, you can verify both requirements with a single command.
To verify that the Marketing section can't access any other services running on the Server, you can access the FTP service running on the Server from PC0. The request must be blocked by the ACL.
Configured Packet Tracer Lab
The following link provides the configured packet tracer lab of the above example.
Download Packet Tracer Lab with ACL Configuration
Updating the extended ACL
Now suppose we want to allow the Marketing section to access the FTP service running on the Server. For this, we have to create a permit statement and insert it before the statement that denies all other traffic to the Server.
To view the sequence number of current statements, we can use the 'show ip access-lists' command. Check the sequence number of the statement that denies all traffic to the destination 30.0.0.10. To insert a statement that allows FTP traffic, use a sequence number that is lower than the sequence number of the deny statement.
The following commands perform the above tasks.
```
Router>enable
Router#show ip access-lists
Extended IP access list BlockMarketing
    10 permit tcp 10.0.0.0 0.255.255.255 host 30.0.0.10 eq www
    20 permit udp 10.0.0.0 0.255.255.255 host 30.0.0.10 eq domain
    30 deny ip 10.0.0.0 0.255.255.255 host 30.0.0.10
    40 permit ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
    50 deny ip 10.0.0.0 0.255.255.255 any
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#ip access-list extended BlockMarketing
Router(config-ext-nacl)#21 permit tcp 10.0.0.0 0.255.255.255 host 30.0.0.10 eq 21
Router(config-ext-nacl)#exit
Router(config)#exit
Router#
Router#show ip access-lists
Extended IP access list BlockMarketing
    10 permit tcp 10.0.0.0 0.255.255.255 host 30.0.0.10 eq www
    20 permit udp 10.0.0.0 0.255.255.255 host 30.0.0.10 eq domain
    21 permit tcp 10.0.0.0 0.255.255.255 host 30.0.0.10 eq ftp
    30 deny ip 10.0.0.0 0.255.255.255 host 30.0.0.10
    40 permit ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
    50 deny ip 10.0.0.0 0.255.255.255 any
Router#
```
The following image shows how to run the above commands on the Router.
To verify that the Marketing section can access the FTP service running on Server0, open the command prompt on PC0 and connect to the FTP server running on Server0. If PC0 can access the FTP server, the ACL has been successfully updated for the new requirement.
The following link provides the updated packet tracer lab.
Download updated Packet Tracer Lab with ACL Configuration
That’s all for this tutorial. In the next tutorial, we will learn how to create, implement, and verify a named extended access list.