Extended ACLs

Extended numbered ACLs use the ranges 100 to 199 and 2000 to 2699, giving 800 possible numbered extended ACLs. Extended ACLs can also be created with a name. Extended ACLs are used far more often than standard ACLs because they give finer control: they check source address, destination address, protocol and port numbers of each packet. For example, an extended ACL can allow FTP traffic from a network to one specific destination while denying web browsing and all other traffic.

Configuring Extended ACLs

Extended ACLs can filter on protocol and port number. An administrator can build very specific extended ACLs using either the port number or the name of a well-known port (for example 80 or www, 21 or ftp). Extended ACLs compare ports with the operators eq (equal), neq (not equal), gt (greater than), lt (less than) and range (inclusive range).

The configuration steps for extended ACLs are the same as for standard ACLs: first the ACL is built, then it is activated on an interface. The command syntax and parameters are more complex than for standard ACLs because of the additional match fields. The order in which the statements are entered is the order in which they are displayed and processed, and the first matching statement wins. The command syntax for configuring an extended ACL is the following:

access-list <access-list-number> {deny | permit} <protocol> <source> <source-wildcard> [<operator> <port>] <destination> <destination-wildcard> [<operator> <port>] [established]

access-list <access-list-number> remark <text>

The parameters are the following:

access-list-number – Identifies the access list by number. The range for extended ACLs is 100 to 199 and 2000 to 2699.

deny – Denies the packet if the condition is matched.

permit – Permits the packet if the condition is matched.

remark – Adds a comment to the access list; it does not filter anything.

protocol – The protocol to match, most commonly icmp, ip, tcp or udp. The ip keyword matches any IP protocol, so an entry that only needs to match addresses uses ip.

source – The address of the network or host from which the packet is sent. The keyword any stands for 0.0.0.0 255.255.255.255 (any source) and host <address> stands for <address> 0.0.0.0 (one host).

source-wildcard – The wildcard bits applied to the source address. A wildcard mask is the inverse of a subnet mask: a 0 bit must match, a 1 bit is ignored.

destination – The address of the network or host to which the packet is sent. The any and host keywords work as for the source.

destination-wildcard – The wildcard bits applied to the destination address.

operator – Optional; compares the source or destination port, depending on where it appears in the statement. The possible operators are lt, gt, eq, neq and range.

established – Optional and for the tcp protocol only. It matches TCP segments that have the ACK or RST flag set, which is the case for every segment of an already established connection but not for the initial SYN. It is a flag check, not connection tracking: the router does not remember which connections the inside hosts opened.

Note: there are many keywords and parameters for extended ACLs, but it is not necessary to use all of them in a single statement.

Example-1 Extended ACL Configuration

In this example, suppose you are a network administrator and you want to allow web browsing only from the network 192.168.2.0/24. Web traffic uses port 80 for HTTP and port 443 for HTTPS. The replies from the web sites the clients visit must be allowed back into the network, so the administrator also wants to restrict the returning traffic to the connections the clients opened, while denying all other traffic. The figure below illustrates the ACL configuration for this.

[Figure: Extended ACLs 4]

ACL 101 permits requests to port 80 (HTTP) and port 443 (HTTPS), and ACL 104 blocks all traffic coming back toward the LAN except segments belonging to connections that were already established. The permit statement in ACL 104 does this with the established keyword, which matches only TCP segments that carry the ACK (or RST) flag, as every reply from a web server does; an initial SYN from an outside host does not match and is dropped. Without the established keyword, the clients could send requests to a web server but would never receive the server's responses. Bear in mind that established does not track state: any inbound TCP segment with ACK set matches it, so it is not a substitute for a stateful firewall.

Applying Extended ACLs to Interfaces

In the previous example, you configured the ACL to allow users on the 192.168.2.0/24 network to browse both HTTP and HTTPS web sites. The ACL exists, but it filters nothing until it is applied to an interface. Just as with a standard ACL, it is necessary to consider whether the traffic to be filtered is going in or out. When a user on the 192.168.2.0/24 network accesses a web site on the server, the traffic is going into Router3 from the LAN. When that user receives data from the server, the traffic is going out of Router3 toward the LAN.

In the above topology, Router3 has three interfaces. Remember that an extended ACL should be applied as close to the source as possible, and the interface closest to the source in this topology is fa0/0, the interface facing the 192.168.2.0/24 LAN. Web request traffic from users on that LAN is inbound on fa0/0, and return traffic from established connections to those users is outbound on fa0/0. So ACL 101 is applied inbound and ACL 104 outbound on fa0/0, as shown in the figure below.

[Figure: Extended ACLs 5]

Example-2 Restrict FTP Connection

In this example we are required to deny FTP traffic from the subnet 192.168.1.0/24 to Server0 (192.168.4.2) and allow all other traffic. FTP uses TCP ports 21 (control) and 20 (active-mode data), so the ACL uses both port-name keywords, ftp and ftp-data, or the numbers 21 and 20. Note that the port 21 entry is the one that actually stops FTP sessions: in active mode the data connection is opened by the server from source port 20, and in passive mode it uses an ephemeral port, so a deny on destination port 20 matches little client-originated traffic. Using the port names, the commands are:

access-list 103 deny tcp 192.168.1.0 0.0.0.255 host 192.168.4.2 eq ftp

access-list 103 deny tcp 192.168.1.0 0.0.0.255 host 192.168.4.2 eq ftp-data

If we use port numbers instead of port names, the commands are written as follows (a single destination address must be given as host <address> or as <address> 0.0.0.0; a bare address without a wildcard is rejected):

access-list 103 deny tcp 192.168.1.0 0.0.0.255 host 192.168.4.2 eq 21

access-list 103 deny tcp 192.168.1.0 0.0.0.255 host 192.168.4.2 eq 20

I have already discussed the implicit deny in standard ACLs. Extended ACLs have the same implicit deny any at the end, so to keep it from blocking all other traffic, the statement permit ip any any must be added as the last entry. The ACL should be applied inbound on the Fa0/1 interface so that traffic from the 192.168.1.0/24 LAN is filtered as it enters the router. The figure below illustrates the configuration of this ACL.

Example-3 Restrict Telnet Connection

Just as with FTP, we can restrict Telnet to a network or to an individual host. The example below denies Telnet traffic (TCP port 23, keyword telnet) from any source to 192.168.4.2 (Server0) but allows all other IP traffic. The ACL is configured on Router2 and applied outbound on interface Fa0/0. The final permit ip any any statement is added to ensure that no other traffic is blocked by the implicit deny.

Creating Named Extended ACLs

Just like named standard ACLs, named extended ACLs are configured in named ACL configuration mode. To create a named extended ACL, follow the steps below:

  1. Enter global configuration mode.
  2. Use the ip access-list extended <name> command to define a name for the extended ACL and enter named ACL configuration mode.
  3. In named ACL configuration mode, enter the permit and deny conditions.
  4. Exit named ACL configuration mode and apply the ACL to the desired interface with ip access-group <name> {in | out}.
  5. Return to privileged EXEC mode and verify the ACL with show access-lists <name> as well as show running-config.
  6. Save the entries in the configuration file with copy running-config startup-config.
  7. To remove a named extended ACL, use no ip access-list extended <name> in global configuration mode.

Example of Named Extended ACL

The figure below illustrates a named extended ACL for the FTP case. We already configured a numbered ACL that stops the 192.168.1.0/24 network from reaching the FTP service on Server0; here the same ACL is created with a name for the same network. The named ACL denies users on the 192.168.1.0/24 LAN access to the FTP service on the server and allows all other traffic. The figure below illustrates the configuration.

[Figure: Extended ACLs 6]

Verifying Extended ACLs

ACL verification is an important step in ACL configuration. Once an ACL has been configured and applied to an interface, use show commands to verify it: show access-lists (optionally followed by the ACL number or name) lists the entries and their match counters, show running-config shows the ACL and the ip access-group lines that apply it, and show ip interface <interface> shows which ACL is active on the interface.

Extended ACLs do not use the internal reordering that standard numbered ACLs do. A standard ACL is stored with a hashing scheme that lists host entries ahead of range entries; an extended ACL is displayed, and processed, in the order the statements were entered, and its sequence numbers reflect that order. The show ip interface output confirms which ACL is applied to the interface and in which direction (inbound or outbound).

After verifying the configuration, also confirm that the ACL behaves as planned: generate traffic that should be blocked and traffic that should be permitted, and check the match counters in show access-lists to see which entries the traffic hit.

Editing Extended ACLs

Extended ACL editing is the same as editing a standard ACL as discussed earlier. The methods of editing extended ACL are the following:

  • Using a text editor – Copy the ACL from show running-config into a text editor and make the changes there. Remove the current access list with no access-list <number> (or no ip access-list extended <name>), then paste the modified ACL back into the configuration.
  • Using sequence numbers – Enter named ACL configuration mode with ip access-list extended <name>; for a numbered ACL, use the number in place of the name. Remove the wrong statement with no <sequence-number>, then re-enter the correct statement with its sequence number. Because sequence numbers determine the order, an ACE can be inserted between two existing ones by giving it a sequence number that falls between theirs, without re-entering the whole list.
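The following added example, which is not code from the original page or from Cisco, models the sequence-number editing described above and the named FTP ACL from the earlier section in a small in-memory structure. It shows why an exception for one host must be inserted with a lower sequence number than the deny it overrides, and what happens when the trailing permit ip any any is removed. The ACL name NO_FTP, the sequence numbers and the host 192.168.1.50 are assumptions; networks are written in CIDR form for brevity rather than with wildcard masks.

```python
"""Sequence-number editing of a named extended ACL, modelled offline (added example).

Assumptions: ACL name NO_FTP, sequence numbers 5/10/20/30, admin host
192.168.1.50; addresses in CIDR form instead of IOS wildcard masks.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(order=True)
class Ace:
    seq: int
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches any protocol
    src: str             # CIDR network
    dst: str             # CIDR network
    dport: Optional[int] = None   # None = any destination port


class NamedAcl:
    def __init__(self, name):
        self.name = name
        self.aces = []   # always kept sorted by seq, as 'show access-lists' prints it

    def add(self, ace):
        """Like typing '<seq> permit|deny ...' in named ACL configuration mode."""
        if any(a.seq == ace.seq for a in self.aces):
            raise ValueError(f"sequence {ace.seq} already in use")  # IOS rejects duplicates
        self.aces.append(ace)
        self.aces.sort()

    def remove(self, seq):
        """Like 'no <seq>' in named ACL configuration mode."""
        self.aces = [a for a in self.aces if a.seq != seq]

    def lookup(self, proto, src, dst, dport):
        """First match by ascending sequence number; implicit deny at the end."""
        s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        for a in self.aces:
            if a.proto not in ("ip", proto):
                continue
            if s not in ipaddress.ip_network(a.src) or d not in ipaddress.ip_network(a.dst):
                continue
            if a.dport is not None and a.dport != dport:
                continue
            return a.action, a.seq
        return "deny", None

    def show(self):
        return [f"{a.seq} {a.action} {a.proto} {a.src} {a.dst}"
                + (f" eq {a.dport}" if a.dport is not None else "") for a in self.aces]


def demo():
    acl = NamedAcl("NO_FTP")
    acl.add(Ace(10, "deny", "tcp", "192.168.1.0/24", "192.168.4.2/32", 21))
    acl.add(Ace(20, "deny", "tcp", "192.168.1.0/24", "192.168.4.2/32", 20))
    acl.add(Ace(30, "permit", "ip", "0.0.0.0/0", "0.0.0.0/0"))
    before = acl.lookup("tcp", "192.168.1.50", "192.168.4.2", 21)   # hits deny at seq 10

    # Exception for one admin host: appending it after 30 would never be reached,
    # so it is inserted with sequence 5, ahead of the deny it overrides.
    acl.add(Ace(5, "permit", "tcp", "192.168.1.50/32", "192.168.4.2/32", 21))
    admin = acl.lookup("tcp", "192.168.1.50", "192.168.4.2", 21)    # now seq 5
    other = acl.lookup("tcp", "192.168.1.51", "192.168.4.2", 21)    # still seq 10

    # Removing the catch-all permit exposes the implicit deny for everything else.
    acl.remove(30)
    web = acl.lookup("tcp", "192.168.1.51", "192.168.4.2", 80)      # no match at all
    return before, admin, other, web


if __name__ == "__main__":
    for line in NamedAcl("NO_FTP").show():
        print(line)
    print(demo())
```

The same edit on a real router is `ip access-list extended NO_FTP`, then `5 permit tcp host 192.168.1.50 host 192.168.4.2 eq ftp`, and `no 30` to remove the last entry; the model returns the sequence number of the matching entry so the effect of each edit can be checked the way show access-lists match counters would show it.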