Thursday, 31 July 2025

Extended ACLs

An Extended Access Control List (ACL) allows you to filter traffic based on source IP, destination IP, protocol type (TCP, UDP, ICMP) and source/destination port numbers.

+ Numbered extended ACL ranges - 100–199 and 2000–2699


+ We can also use named ACLs


+ Placed close to the source - since extended ACLs can filter on source IP, destination IP and port number, placing them near the source drops unwanted traffic before it crosses the network and gives precise control over who can access what and how.




Let's block port 80 (HTTP) of server 20.1.1.1 for laptop 10.1.1.100


Source IP - 10.1.1.100

Destination IP - 20.1.1.1

Destination port number - 80



Step 1 - Creating the Extended ACL


access-list 100 deny tcp 10.1.1.0 0.0.0.0 20.1.1.0 0.0.0.0 eq 80

access-list 100 permit ip any any


Router#show ip access-lists

Extended IP access list 100

10 deny tcp 10.1.1.0 0.0.0.0 20.1.1.0 0.0.0.0 eq www

20 permit ip any any


Step 2 - Applying the Extended ACL


We need to apply it close to the source, which means inbound (in direction) on the interface facing the laptop.


interface GigabitEthernet0/0/0

ip access-group 100 in



Let's try from the laptop to access port 80 and port 443 of server 20.1.1.100




Port 80 is not accessible 

Port 443 is accessible 


Now check the hit counters on the ACL entries:

Router#show ip access-lists

Extended IP access list 100

10 deny tcp 10.1.1.0 0.0.0.0 20.1.1.0 0.0.0.0 eq www (36 match(es))

20 permit ip any any
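As an added example (not part of the original post), here is a small Python evaluator for numbered extended ACL entries in the syntax used above: it applies the wildcard mask bit by bit, takes the first matching entry, counts hits, and falls through to the implicit deny, so a list can be checked before it is applied to an interface. Under IOS wildcard semantics a mask of 0.0.0.0 requires all 32 bits to match, so `10.1.1.0 0.0.0.0` is the same as `host 10.1.1.0`; the example lets you compare that form with the `host` keyword form against the laptop address 10.1.1.100. The port-name table and the packet fields passed to evaluate() are assumptions of the example, not IOS internals.

```python
import ipaddress

# Assumed subset of IOS port names; IOS shows "eq 80" back as "eq www".
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "telnet": 23}

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def parse_addr(t, i):
    """Consume one address spec at t[i]: any | host A.B.C.D | A.B.C.D WILDCARD."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return _ip(t[i + 1]), 0, i + 2
    return _ip(t[i]), _ip(t[i + 1]), i + 2

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' into one entry."""
    t = line.split()
    src, src_wc, i = parse_addr(t, 4)
    dst, dst_wc, i = parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":  # destination port, by name (www) or number
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return {"action": t[2], "proto": t[3], "src": src, "src_wc": src_wc,
            "dst": dst, "dst_wc": dst_wc, "dport": dport, "hits": 0}

def addr_match(addr, wildcard, packet_ip):
    """Wildcard bit 1 = don't care, 0 = must match; 0.0.0.0 = all 32 bits must match."""
    return (_ip(packet_ip) & ~wildcard) == (addr & ~wildcard)

def evaluate(acl, proto, src_ip, dst_ip, dport=None):
    """First matching entry wins and records a hit; no match is the implicit deny."""
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if not (addr_match(ace["src"], ace["src_wc"], src_ip)
                and addr_match(ace["dst"], ace["dst_wc"], dst_ip)):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        ace["hits"] += 1
        return ace["action"]
    return "deny"  # the implicit deny at the end of every ACL

if __name__ == "__main__":  # constructed check of the entry as posted above
    acl = [parse_ace("access-list 100 deny tcp 10.1.1.0 0.0.0.0 20.1.1.0 0.0.0.0 eq 80"),
           parse_ace("access-list 100 permit ip any any")]
    print(evaluate(acl, "tcp", "10.1.1.100", "20.1.1.100", 80))  # permit: wildcard 0.0.0.0 only matches host 10.1.1.0
```

Swap the first entry for `access-list 100 deny tcp host 10.1.1.100 host 20.1.1.100 eq www` and the same packet is denied while port 443 is still permitted.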


============================================


Complete router configuration -


Router#show run

Building configuration...


Current configuration : 854 bytes

!

version 15.4

no service timestamps log datetime msec

no service timestamps debug datetime msec

no service password-encryption

!

hostname Router

!

!

!

!

!

!

!

!

ip cef

no ipv6 cef

!

!

!

!

!

!

!

!

!

!

!

!

spanning-tree mode pvst

!

!

!

!

!

!

interface GigabitEthernet0/0/0

ip address 10.1.1.1 255.255.255.0

ip access-group 100 in

duplex auto

speed auto

!

interface GigabitEthernet0/0/1

ip address 20.1.1.1 255.255.255.0

duplex auto

speed auto

!

interface GigabitEthernet0/0/2

no ip address

duplex auto

speed auto

shutdown

!

interface Vlan1

no ip address

shutdown

!

ip classless

!

ip flow-export version 9

!

!

access-list 100 deny tcp 10.1.1.0 0.0.0.0 20.1.1.0 0.0.0.0 eq www

access-list 100 permit ip any any

!

!

!

!

!

line con 0

!

line aux 0

!

line vty 0 4

login

!

!

!

end


Happy Learning !!


Network Engineer Stuff


