Extended Access List


Extended ACLs :- 

With extended access lists, you can match more information, such as:

  • Source and destination IP Address
  • Source and destination TCP or UDP ports
  • Protocol type

It also allows you to specify different types of traffic such as ICMP, TCP, UDP, etc.

Extended Access-list Syntax

Router(config)#access-list access-list-number {permit | deny} protocol source {source-wildcard-mask} destination {destination-wildcard-mask} [eq destination-port]

Router(config)#interface <interface>
Router(config-if)#ip access-group <acl-number> {in | out}

Where the Extended Access List number range is:- 100 – 199 & 2000 – 2699

Entries are evaluated top-down and the first match wins; every access list ends with an implicit deny, so a list that only contains deny statements, or that permits a single flow, blocks all other traffic unless it ends with permit ip any any. Re-entering ip access-list extended 100 appends to the existing list rather than replacing it, so clear it (no access-list 100) before starting the next task.

Extended ACLs Lab:-

[Figure: Extended Access List lab topology]

We have already configured basic IP addressing as per the sketch above and advertised the networks in EIGRP.

On Router R1

On Router R2

On Router R3

Task 1- 

  • Deny ICMP/PINGING from host 192.168.1.1 to host 192.168.3.40
  • Permit ICMP/PINGING from host 192.168.1.1 to host 192.168.3.30

Now let's check reachability from host 192.168.1.1 to server Ser1 (IP address 192.168.3.30):

C:\>ping 192.168.3.30
Pinging 192.168.3.30 with 32 bytes of data:
Reply from 192.168.3.30: bytes=32 time=2ms TTL=125
Reply from 192.168.3.30: bytes=32 time=2ms TTL=125
Reply from 192.168.3.30: bytes=32 time=12ms TTL=125
Reply from 192.168.3.30: bytes=32 time=2ms TTL=125
Ping statistics for 192.168.3.30:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Now let's check reachability from host 192.168.1.1 to server Ser2 (IP address 192.168.3.40):

C:\>ping 192.168.3.40
Pinging 192.168.3.40 with 32 bytes of data:
Reply from 192.168.1.1: Destination host unreachable.
Reply from 192.168.1.1: Destination host unreachable.
Reply from 192.168.1.1: Destination host unreachable.
Reply from 192.168.1.1: Destination host unreachable.
Ping statistics for 192.168.3.40:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Task 2- 

  • Deny HTTP (80) from host 192.168.1.1 to host 192.168.3.30
  • Deny HTTPS (443) from host 192.168.1.1 to host 192.168.3.40

Router(config)#ip access-list extended 100
Router(config-ext-nacl)#deny tcp host 192.168.1.1 host 192.168.3.30 eq 80
Router(config-ext-nacl)#deny tcp host 192.168.1.1 host 192.168.3.40 eq 443
Router(config-ext-nacl)#permit ip any any
Router(config-ext-nacl)#exit
Router(config)#interface se 2/0
Router(config-if)#ip access-group 100 out

Task 3- 

  • Deny FTP (21) from host 192.168.1.1 to host 192.168.3.30
  • Deny FTP (21) from host 192.168.1.1 to host 192.168.3.40

Router(config)#ip access-list extended 100
Router(config-ext-nacl)#deny tcp host 192.168.1.1 host 192.168.3.30 eq 21
Router(config-ext-nacl)#deny tcp host 192.168.1.1 host 192.168.3.40 eq 21
Router(config-ext-nacl)#permit ip any any
Router(config-ext-nacl)#exit
Router(config)#interface se 2/0
Router(config-if)#ip access-group 100 out

Task 4- 

  • Permit Telnet from host 192.168.1.1 to host 192.168.3.30
  • Deny Telnet from any host to any host.

Router(config)#ip access-list extended 100
Router(config-ext-nacl)#permit tcp host 192.168.1.1 host 192.168.3.30 eq telnet
Router(config-ext-nacl)#deny tcp any any eq telnet
Router(config-ext-nacl)#permit ip any any
Router(config-ext-nacl)#exit
Router(config)#interface se 2/0
Router(config-if)#ip access-group 100 out
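As an added example that is not part of the original post, the following Python evaluator models how a router walks an extended ACL top-down (first match wins, implicit deny at the end). It loads the Task 2 and Task 4 entries, with the hosts as the task statements name them, and shows that Task 4 without a trailing permit ip any any denies ICMP and every other non-Telnet flow as well. The parser and port-name table are this example's own simplifications, not IOS code.

```python
import ipaddress

# Added example (not from the post): minimal Cisco-style extended ACL evaluator.
PORT_NAMES = {"telnet": 23, "ftp": 21, "www": 80}

def wildcard_match(addr, spec):
    # spec is 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (address + wildcard mask)
    if spec == "any":
        return True
    kind, value = spec.split()
    if kind == "host":
        return addr == value
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, kind, value))
    return (a | w) == (n | w)  # wildcard bits set to 1 are "don't care"

def _take_spec(tokens, i):
    if tokens[i] == "any":
        return "any", i + 1
    return f"{tokens[i]} {tokens[i + 1]}", i + 2

def parse_ace(line):
    # e.g. 'deny tcp host 192.168.1.1 host 192.168.3.30 eq 80'
    t = line.split()
    src, i = _take_spec(t, 2)
    dst, i = _take_spec(t, i)
    port = None
    if i < len(t) and t[i] == "eq":
        port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return {"action": t[0], "proto": t[1], "src": src, "dst": dst, "dport": port}

def evaluate(acl, proto, src, dst, dport=None):
    # Walk the ACL top-down; return (action, matching entry) or the implicit deny.
    for line in acl:
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):
            continue
        if not (wildcard_match(src, ace["src"]) and wildcard_match(dst, ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], line
    return "deny", "implicit deny"

# Task 2 (ends with an explicit permit) and Task 4 (no trailing permit), hosts as the tasks name them
TASK2_ACL = ["deny tcp host 192.168.1.1 host 192.168.3.30 eq 80",
             "deny tcp host 192.168.1.1 host 192.168.3.40 eq 443",
             "permit ip any any"]
TASK4_ACL = ["permit tcp host 192.168.1.1 host 192.168.3.30 eq telnet",
             "deny tcp any any eq telnet"]
```

Calling evaluate(TASK4_ACL, "icmp", "192.168.1.1", "192.168.3.30") returns ("deny", "implicit deny"), which is why the page's Task 1 ping would stop working once Task 4 is applied without a final permit.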

Difference between standard access list and extended access list
