Extended ACL Configuration Commands Explained

This tutorial explains the commands and configurations required for extended access lists. Learn Extended access list management through a packet tracer example.

An extended access list is mainly used to filter two types of traffic. These types are host-level and application-level. Host-level traffic includes all traffic originating from a specific host. For example, if three applications are running on a host, the host-level traffic involves traffic from all three applications. Application-level traffic includes all traffic originating from a specific application running on a particular host. For example, if three applications are running on a host, the application-level traffic involves traffic only from a single application.

We will discuss application-level filtering in the next part of this tutorial. In this part, we will learn how to use an extended access list to filter host-level traffic.

Setting up a practice lab

Create a packet tracer lab as shown in the following image.

example network

Configure IP addresses as shown in the above image, enable RIPv2 routing, and test connectivity between sections. If all sections can access each other, the lab is ready for practice.

The following image shows the connectivity tests performed from PC0.

lab setup testing

If you can't replicate this lab or need a ready-to-use lab, you can download and use the following pre-created lab.

Download Packet Tracer Lab with Initial Configuration

This lab includes all configurations that you need for practice.

Requirements

The Server section contains four servers: Server0, Server1, Server2, and Server3. These servers respectively belong to the Sales, Marketing, Production, and Development sections. Currently, all sections can access all servers. You need to create an access list that allows a section to access only its own server.

Currently, all sections can access each other. You need to create an access list that allows the Sales section to access the Marketing section but does not allow it to access the Production section and the Development section.

Understanding requirements

Our first requirement says every section must be able to access only its own server. It should not be able to access other sections' servers.

Since there are four sections, we need four access lists for this requirement. In each access list, we will create a statement that allows a packet only if it has the allowed server's IP address in the destination address field.

After creating the permit statement, we will create a deny statement that blocks a packet if it has any other server's IP address in the destination address field.

Access lists have a default deny statement at the end. This statement drops all unmatched traffic. To deal with this default behavior, we have to create a permit statement for all allowed traffic.

Our second requirement says the Sales section should be allowed to access only the Marketing section. It should not be allowed to access the Development and Production sections.

To fulfill this requirement, we need two more statements in the ACL that filter the incoming traffic from the Sales section. We will create the first statement to allow a packet if it has the Marketing section's IP address in the destination address field. We will create the second statement to deny a packet if it has an IP address of other sections in the destination address field.

For the above requirements, we will create four extended ACLs. The following image shows the location, direction, and statements of these ACLs.

acl location and direction

Creating extended ACLs

We have two commands to create an extended access list. These commands are 'access-list' and 'ip access-list'. In this tutorial, we will use the 'access-list' command. We will use the 'ip access-list' command in the next part of this tutorial.

To filter all traffic from a host, the 'access-list' command uses the following syntax.

Router(config)# access-list 100-199|2000-2699 permit|deny IP_protocol source_address source_wildcard_mask [protocol_information] destination_address destination_wildcard_mask [protocol_information] [log]

To learn the meaning of each argument of the above command, you can check the previous parts of this tutorial.

In our example, we need four ACLs; two ACLs on Router0 and two ACLs on Router2. Let's create ACLs on Router0.

Access the command prompt of Router0 and run the following commands.

Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 101 permit ip 10.0.0.0 0.255.255.255 host 50.0.0.10
Router(config)#access-list 101 deny ip 10.0.0.0 0.255.255.255 50.0.0.0 0.255.255.255
Router(config)#access-list 101 permit ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
Router(config)#access-list 101 deny ip 10.0.0.0 0.255.255.255 any
Router(config)#interface gigabitethernet 0/0
Router(config-if)#ip access-group 101 in
Router(config-if)#exit
Router(config)#access-list 102 permit ip 20.0.0.0 0.255.255.255 host 50.0.0.20
Router(config)#access-list 102 deny ip 20.0.0.0 0.255.255.255 50.0.0.0 0.255.255.255
Router(config)#access-list 102 permit ip 20.0.0.0 0.255.255.255 any
Router(config)#interface gigabitethernet 0/1
Router(config-if)#ip access-group 102 in
Router(config-if)#exit
Router(config)#exit
Router#

The above commands create two extended access lists: ACL 101 and ACL 102, and respectively apply them to Gig0/0 and Gig0/1.

The ACL 101 contains four statements. The following table lists these statements and their meanings.

Statement: permit ip 10.0.0.0 0.255.255.255 host 50.0.0.10
Action: Allow a packet if its source address is from the network 10.0.0.0/8 and the destination address is the host 50.0.0.10.

Statement: deny ip 10.0.0.0 0.255.255.255 50.0.0.0 0.255.255.255
Action: Deny a packet if its source address is from the network 10.0.0.0/8 and the destination address is from the network 50.0.0.0/8.

Statement: permit ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
Action: Allow a packet if its source address is from the network 10.0.0.0/8 and the destination address is from the network 20.0.0.0/8.

Statement: deny ip 10.0.0.0 0.255.255.255 any
Action: Deny a packet if its source address is from the network 10.0.0.0/8 and the destination address is from any network.

For every packet, ACL statements are checked from top to bottom in sequential order until a match is found. Once a match is found, no further statements are checked for the packet. To learn how ACL statements are checked, you can check the previous parts of this tutorial.
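As an added example (not code from the tutorial or from Cisco IOS), the following Python script models how a router walks an extended ACL: it parses the statement syntax shown above, applies the wildcard masks bit by bit, stops at the first match and falls through to the implicit deny when nothing matches. It loads Router0's ACL 101 and assumes 10.0.0.10 as a Sales PC address, which the page does not give.

```python
import ipaddress

# Constructed illustration, not code from the tutorial or from Cisco IOS:
# a minimal evaluator for "permit|deny ip SRC DST" statements that applies
# the first-match rule and the implicit deny at the end of every ACL.

def _parse_addr(tokens, i):
    """Parse one address term at tokens[i]; return (addr, wildcard, next_index)."""
    if tokens[i] == "any":                      # any = 0.0.0.0 255.255.255.255
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":                     # host A = A 0.0.0.0
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1])), i + 2)

def parse_statement(line):
    """'permit ip 10.0.0.0 0.255.255.255 host 50.0.0.10' -> match fields."""
    t = line.split()
    src, src_wc, i = _parse_addr(t, 2)
    dst, dst_wc, _ = _parse_addr(t, i)
    return {"action": t[0], "proto": t[1],
            "src": src, "src_wc": src_wc, "dst": dst, "dst_wc": dst_wc}

def _wildcard_match(addr, base, wildcard):
    # Wildcard bit 1 = "don't care", 0 = "must match exactly".
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (base & care)

def evaluate(acl, src_ip, dst_ip):
    """Return (decision, matched statement or None) for an IP packet."""
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for stmt in acl:                            # top to bottom, first match wins
        if _wildcard_match(s, stmt["src"], stmt["src_wc"]) and \
           _wildcard_match(d, stmt["dst"], stmt["dst_wc"]):
            return stmt["action"], stmt
    return "deny", None                         # implicit deny: nothing matched

# ACL 101 from Router0 above (Sales section, 10.0.0.0/8).
ACL_101 = [parse_statement(s) for s in (
    "permit ip 10.0.0.0 0.255.255.255 host 50.0.0.10",
    "deny ip 10.0.0.0 0.255.255.255 50.0.0.0 0.255.255.255",
    "permit ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255",
    "deny ip 10.0.0.0 0.255.255.255 any",
)]

if __name__ == "__main__":
    # 10.0.0.10 is an assumed address for a Sales PC; the page does not give it.
    for dst in ("50.0.0.10", "50.0.0.20", "20.0.0.10", "30.0.0.10"):
        print(f"10.0.0.10 -> {dst}: {evaluate(ACL_101, '10.0.0.10', dst)[0]}")
```

The returned statement tells you which line produced the decision, which is the same information `show access-lists` match counters give you on the router when you are troubleshooting an unexpected drop.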

The ACL 102 contains three statements. The following table lists their meanings.

Statement: permit ip 20.0.0.0 0.255.255.255 host 50.0.0.20
Action: Allow a packet if its source address is from the network 20.0.0.0/8 and the destination address is the host 50.0.0.20.

Statement: deny ip 20.0.0.0 0.255.255.255 50.0.0.0 0.255.255.255
Action: Deny a packet if its source address is from the network 20.0.0.0/8 and the destination address is from the network 50.0.0.0/8.

Statement: permit ip 20.0.0.0 0.255.255.255 any
Action: Allow a packet if its source address is from the network 20.0.0.0/8 and the destination address is from any network.

The following image shows how to create and verify extended access lists on Router0.

router 0 acl create and verify

We have created the ACLs on Router0. Now, let's create the ACLs on Router2. Access the command prompt of Router2 and run the following commands.

Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 101 permit ip 30.0.0.0 0.255.255.255 host 50.0.0.30
Router(config)#access-list 101 deny ip 30.0.0.0 0.255.255.255 50.0.0.0 0.255.255.255
Router(config)#access-list 101 permit ip 30.0.0.0 0.255.255.255 any
Router(config)#interface gigabitethernet 0/0
Router(config-if)#ip access-group 101 in
Router(config-if)#exit
Router(config)#access-list 102 permit ip 40.0.0.0 0.255.255.255 host 50.0.0.40
Router(config)#access-list 102 deny ip 40.0.0.0 0.255.255.255 50.0.0.0 0.255.255.255
Router(config)#access-list 102 permit ip 40.0.0.0 0.255.255.255 any
Router(config)#interface gigabitethernet 0/2
Router(config-if)#ip access-group 102 in
Router(config-if)#exit
Router(config)#exit
Router#

The above commands create two extended access lists: ACL 101 and ACL 102, and respectively apply them to Gig0/0 and Gig0/2.

The ACL 101 contains three statements. The following table lists these statements and their meanings.

Statement: permit ip 30.0.0.0 0.255.255.255 host 50.0.0.30
Action: Allow a packet if its source address is from the network 30.0.0.0/8 and the destination address is the host 50.0.0.30.

Statement: deny ip 30.0.0.0 0.255.255.255 50.0.0.0 0.255.255.255
Action: Deny a packet if its source address is from the network 30.0.0.0/8 and the destination address is from the network 50.0.0.0/8.

Statement: permit ip 30.0.0.0 0.255.255.255 any
Action: Allow a packet if its source address is from the network 30.0.0.0/8 and the destination address is from any network.

The ACL 102 contains three statements. The following table lists these statements and their meanings.

Statement: permit ip 40.0.0.0 0.255.255.255 host 50.0.0.40
Action: Allow a packet if its source address is from the network 40.0.0.0/8 and the destination address is the host 50.0.0.40.

Statement: deny ip 40.0.0.0 0.255.255.255 50.0.0.0 0.255.255.255
Action: Deny a packet if its source address is from the network 40.0.0.0/8 and the destination address is from the network 50.0.0.0/8.

Statement: permit ip 40.0.0.0 0.255.255.255 any
Action: Allow a packet if its source address is from the network 40.0.0.0/8 and the destination address is from any network.

The following image shows how to create and verify extended access lists on Router2.

acl creating and verifying on router1

Verifying/testing ACL implementation

To verify the ACL implementation, you can test connectivity between sections again. To test connectivity, you can use the ping command.

The following image shows the testing from PC0 of the Sales section.

testing acl

As you can see in the above image:

PC0 can access the Sales section's server, but it can't access the Marketing section's server. This verifies that the ACL allows a device to access only its assigned server.

PC0 can access the Marketing section, but it can't access the Production section and the Development section. This verifies that the ACL allows the Sales section to access the Marketing section but does not allow the Sales section to access the Production section and the Development section.

The following image shows the testing from Laptop0 of the Production section.

acl verifying

As you can see in the above image:

Laptop0 can access the Production section's server, but it can't access the Marketing section's server. This verifies the following requirement.

You need to create an access list that allows a section to access only its server.

Laptop0 can access the Marketing section and the Development section. This verifies that the ACL is not blocking any allowed traffic.

Configured Packet Tracer Lab

The following link provides the configured packet tracer lab of the above example.

Download Packet Tracer Lab with ACL Configuration

That's all for this tutorial. In the next tutorial, we will learn how to configure, implement, and verify a named extended access list.
