The Ultimate Guide to Extended Access Control List for CCNA
Introduction to Extended ACL
An extended ACL is the more capable form of the standard ACL. A standard ACL matches only the source address; an extended ACL matches the source and destination addresses, the protocol (TCP, UDP, ICMP, or IP as a whole) and the port, so it can permit or deny a specific application such as Telnet, HTTP, SMTP, DHCP, DNS or ICMP (ping). Extended ACLs use the number ranges 100-199 and 2000-2699 (the expanded range). Because an extended ACL can identify the exact traffic, it should be applied as close as possible to the source, so unwanted packets are dropped before they cross the network.
Syntax of an extended ACL:
Router_1(config)# access-list [number] [permit/deny] [protocol] [source-network] [wildcard] [destination-network] [wildcard] eq [port number]
The protocol is tcp, udp, icmp or ip (ip matches every protocol). The eq [port number] qualifier applies to tcp and udp only. In place of an address and wildcard pair you can write host A.B.C.D (the same as A.B.C.D 0.0.0.0, a single address) or any (the same as 0.0.0.0 255.255.255.255). In a wildcard mask a 0 bit must match and a 1 bit is ignored.
Example
Router_1(config)# access-list 110 permit tcp 192.168.30.0 0.0.0.255 192.168.40.0 0.0.0.255 eq 80
Apply the extended ACL inbound or outbound on an interface:
Router_R1(config)# interface FastEthernet 0/2
Router_R1(config-if)# ip access-group 110 out
Use in instead of out to filter packets as they arrive on the interface. The direction is always relative to the router, and an interface can carry at most one ACL per direction per protocol.
Lab Topology for Extended Access Control List:
Our lab topology consists of three routers, R1, R2 and R3. PC1 and PC2 are attached to R1, and an HTTP server (HTTP_Server) and PC6 sit on R3's LAN.
We have to configure R1 so that the following traffic from R1's LAN toward router R3 and its LAN is blocked:
1. Blocking PC1 from Accessing an HTTP Server
Configure an ACL to block HTTP traffic from PC1 to the HTTP server located on the LAN behind R3's FastEthernet 1/0 interface.
2. Blocking PC2 from Telnet into Router R3
Next, we’ll configure an ACL to block Telnet access from PC2 to Router R3.
3. Blocking PC1 from Pinging PC6
Finally, we'll configure an ACL to block ICMP (ping) from PC1 to PC6 on router R3's LAN.
Configure basic IP addressing on all routers, PCs and servers, and run RIP on all routers so that every LAN is reachable before the ACL is added.
We will block HTTP, Telnet and ICMP traffic from PC1 and PC2, so first verify that all three protocols work before configuring the ACL on R1. First, browse to the HTTP server from PC1.
Then telnet to router R3 from PC2.
Finally, ping PC6 from PC1.
We configure the ACL on R1 because best practice is to place an extended ACL close to the source. The first statement of the ACL denies PC1 from browsing the HTTP server.
110 is the number chosen from the extended ACL range, and tcp is the protocol keyword; HTTP runs over TCP, so the statement matches TCP.
The host keyword matches a single PC or single IP address (it is shorthand for a wildcard mask of 0.0.0.0), and 80 is the HTTP port number. You can use the keyword http instead of 80.
The second statement blocks ICMP from PC1 to PC6, so PC1 will no longer be able to ping PC6.
The third statement denies PC2 from telnetting to router R3.
23 is the Telnet port number; you can use the keyword telnet instead of 23.
Every ACL ends with an implicit deny statement. If we do not add a permit statement after our deny entries, the ACL will also drop all other traffic to the destination.
In the configuration above we only denied PC1 from browsing HTTP_Server, yet PC1 is also unable to ping HTTP_Server: the ping matches none of the explicit entries and hits the implicit deny, as the screenshot shows.
Now add a closing permit statement for the remaining traffic (typically permit ip any any) so that PC1 can ping the HTTP server.
Check the ping from PC1 to the HTTP server again.
Next, apply the ACL in the inbound direction on R1's FastEthernet 0/1 interface, so the PCs' packets are checked as they enter R1.
After applying the ACL, we check PC1's blocked traffic one by one. First, the HTTP traffic from PC1.
PC1 can still ping HTTP_Server, because we did not deny ICMP from PC1 to HTTP_Server. Let's check PC1's ping to HTTP_Server.
But PC1 is not able to ping PC6, because we denied exactly that.
The third check is Telnet to router R3, which we blocked from PC2. Let's try to telnet to R3 from PC2.
PC2 can still ping R3, though, because only Telnet was denied.
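The whole lab, including the wildcard-mask example from the syntax section, can be checked off-router with the following added example. It is not code from the page: it is a small Python evaluator that parses extended access-list statements in the syntax used in this guide and applies them the way IOS does (top-down, first match wins, implicit deny at the end). The IP addresses, the R3 address that PC2 telnets to, and the port-name table are assumptions, since the page gives no address plan.

```python
# Added example, not code from the page: a small evaluator for Cisco IOS
# extended ACL statements.  It parses the syntax used in this guide and applies
# entries the way IOS does: top-down, first match wins, implicit deny at the
# end.  All IP addresses below are assumptions; the page gives no address plan.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port keywords IOS accepts in place of a number (subset).
PORT_NAMES = {"http": 80, "www": 80, "telnet": 23, "ftp": 21, "smtp": 25, "domain": 53}


@dataclass
class Entry:
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches every protocol
    src_net: int
    src_wild: int            # wildcard mask: a 1 bit means "don't care"
    dst_net: int
    dst_wild: int
    dst_port: Optional[int]  # only set when the line ends with "eq <port>"


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _parse_addr(t, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at t[i]; return (net, wild, next)."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return _to_int(t[i + 1]), 0, i + 2
    return _to_int(t[i]), _to_int(t[i + 1]), i + 2


def parse_entry(line: str) -> Entry:
    """Parse one 'access-list N permit|deny proto src dst [eq port]' statement."""
    t = line.split()
    number = int(t[1])
    if t[0] != "access-list" or not (100 <= number <= 199 or 2000 <= number <= 2699):
        raise ValueError(f"not an extended access-list statement: {line}")
    action, proto = t[2], t[3]
    if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp", "icmp"):
        raise ValueError(f"bad action or protocol: {line}")
    src_net, src_wild, i = _parse_addr(t, 4)
    dst_net, dst_wild, i = _parse_addr(t, i)
    dst_port = None
    if i < len(t):                       # trailing "eq <port>" on tcp/udp only
        if t[i] != "eq" or proto not in ("tcp", "udp") or len(t) != i + 2:
            raise ValueError(f"unsupported qualifier: {line}")
        dst_port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Entry(action, proto, src_net, src_wild, dst_net, dst_wild, dst_port)


def _addr_matches(addr: str, net: int, wild: int) -> bool:
    # Only the bits that are 0 in the wildcard mask have to agree.
    return (_to_int(addr) & ~wild) == (net & ~wild)


def evaluate(acl, pkt) -> str:
    """pkt is (proto, src, dst, dport); traffic matching no entry hits the implicit deny."""
    proto, src, dst, dport = pkt
    for e in acl:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not _addr_matches(src, e.src_net, e.src_wild):
            continue
        if not _addr_matches(dst, e.dst_net, e.dst_wild):
            continue
        if e.dst_port is not None and e.dst_port != dport:
            continue
        return e.action
    return "deny"                        # implicit "deny ip any any"


# Assumed lab addresses (hypothetical; the page does not give them).
PC1, PC2 = "192.168.10.10", "192.168.10.20"           # R1's LAN
HTTP_SERVER, PC6 = "192.168.30.10", "192.168.30.20"   # R3's Fa1/0 LAN
R3_LAN_IF = "192.168.30.1"                            # the R3 address PC2 telnets to

# The three deny statements from the lab, in the order the guide adds them.
LAB_DENIES = [
    f"access-list 110 deny tcp host {PC1} host {HTTP_SERVER} eq 80",
    f"access-list 110 deny icmp host {PC1} host {PC6}",
    f"access-list 110 deny tcp host {PC2} host {R3_LAN_IF} eq telnet",
]
PERMIT_REST = "access-list 110 permit ip any any"

# The five checks the lab runs after the ACL is applied, as (proto, src, dst, dport).
LAB_FLOWS = {
    "pc1_http_server": ("tcp", PC1, HTTP_SERVER, 80),
    "pc1_ping_server": ("icmp", PC1, HTTP_SERVER, None),
    "pc1_ping_pc6": ("icmp", PC1, PC6, None),
    "pc2_telnet_r3": ("tcp", PC2, R3_LAN_IF, 23),
    "pc2_ping_r3": ("icmp", PC2, R3_LAN_IF, None),
}


def lab_results(with_permit: bool) -> dict:
    """Evaluate the lab's test flows with or without the closing permit statement."""
    lines = LAB_DENIES + ([PERMIT_REST] if with_permit else [])
    acl = [parse_entry(line) for line in lines]
    return {name: evaluate(acl, pkt) for name, pkt in LAB_FLOWS.items()}
```

Running lab_results(False) shows every flow denied, including PC1's ping to the server, which is the implicit-deny effect from the lab; lab_results(True) reproduces the verification results above (only the three targeted flows are denied). Two caveats the simulator makes visible: the entries are matched top-down, so a permit ip any any placed before the denies would make them unreachable; and the Telnet deny matches only the one R3 address it names, so PC2 could still telnet to any other R3 interface address. To protect the router itself regardless of which address is targeted, add one deny per R3 address or restrict the vty lines with access-class instead.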
That concludes our small lab on configuring extended ACLs. An extended ACL filters traffic by protocol and port number, and by both source and destination address, rather than by source address alone as a standard ACL does.