Extended Access List


Extended ACLs :- 

With extended access lists, you can match more information, such as:

  • Source and destination IP Address
  • Source and destination TCP or UDP ports
  • Protocol type

It also allows you to specify different types of traffic such as ICMP, TCP, UDP, etc.

Extended Access-list Syntax

Router(config)#access-list access-list-number {permit | deny} protocol source source-wildcard destination destination-wildcard [eq port]

The masks are wildcard masks, not subnet masks: a 0 bit must match, a 1 bit is ignored. The keyword host A.B.C.D is shorthand for A.B.C.D 0.0.0.0, and any is shorthand for 0.0.0.0 255.255.255.255. Entries are tested top-down and the first match wins, and every list ends with an unwritten deny ip any any, so a list made only of deny entries blocks all traffic through that interface unless it finishes with permit ip any any. A numbered list can also be built or edited entry by entry in named-ACL mode with ip access-list extended <acl-number>.

Router(config)#interface <interface>
Router(config-if)#ip access-group <acl-number> in|out

Where Extended Access List Range :- 100 – 199 & 2000 – 2699. Because an extended list can match on the destination as well as the source, it is normally applied as close to the source of the traffic as possible, so unwanted packets are dropped before they cross the network.

Extended ACLs Lab:-

Extended Access List

We have configured basic IP addressing as per the topology above and advertised the networks in EIGRP.

On Router R1

On Router R2

On Router R3

Task 1- 

  • Deny ICMP/PINGING from host 192.168.1.1 to host 192.168.3.40
  • Permit ICMP/PINGING from host 192.168.1.1 to host 192.168.3.30

Now let's check reachability from host 192.168.1.1 to server Ser1 (IP address 192.168.3.30):

C:\>ping 192.168.3.30
Pinging 192.168.3.30 with 32 bytes of data:
Reply from 192.168.3.30: bytes=32 time=2ms TTL=125
Reply from 192.168.3.30: bytes=32 time=2ms TTL=125
Reply from 192.168.3.30: bytes=32 time=12ms TTL=125
Reply from 192.168.3.30: bytes=32 time=2ms TTL=125
Ping statistics for 192.168.3.30:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Now let's check reachability from host 192.168.1.1 to server Ser2 (IP address 192.168.3.40):

C:\>ping 192.168.3.40
Pinging 192.168.3.40 with 32 bytes of data:
Reply from 192.168.1.1: Destination host unreachable.
Reply from 192.168.1.1: Destination host unreachable.
Reply from 192.168.1.1: Destination host unreachable.
Reply from 192.168.1.1: Destination host unreachable.
Ping statistics for 192.168.3.40:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Task 2- 

  • Deny HTTP (80) from host 192.168.1.1 to host 192.168.3.30
  • Deny HTTPS (443) from host 192.168.1.1 to host 192.168.3.40

Router(config)# ip access-list extended 100
Router(config-ext-nacl)#deny tcp host 192.168.1.1 host 192.168.3.30 eq 80
Router(config-ext-nacl)#deny tcp host 192.168.1.1 host 192.168.3.40 eq 443
Router(config-ext-nacl)#permit ip any any
Router(config-ext-nacl)#exit
Router(config)# interface se 2/0
Router(config-if)# ip access-group 100 out

The source in each deny entry must be exactly the host named in the task: a deny with a mistyped source never matches, IOS raises no error, and the traffic it was meant to block falls through to permit ip any any. The closing permit ip any any is needed because of the implicit deny; without it the list would also drop every other flow transiting se 2/0. Verify with show access-lists 100, which prints each entry with its sequence number (10, 20, 30) and a match counter.

Task 3- 

  • Deny FTP (21) from host 192.168.1.1 to host 192.168.3.30
  • Deny FTP (21) from host 192.168.1.1 to host 192.168.3.40

ACL 100 already ends with permit ip any any (sequence 30), and entries typed into an existing list are appended after it (sequence 40, 50), where they can never match. Give the new entries sequence numbers that place them before the permit:

Router(config)# ip access-list extended 100
Router(config-ext-nacl)#21 deny tcp host 192.168.1.1 host 192.168.3.30 eq 21
Router(config-ext-nacl)#22 deny tcp host 192.168.1.1 host 192.168.3.40 eq 21
Router(config-ext-nacl)#exit
Router(config)# interface se 2/0
Router(config-if)# ip access-group 100 out

Both entries are deny, as the task requires; check the resulting order with show access-lists 100. Port 21 is only the FTP control channel; the data channel is a separate connection on other ports, so this blocks FTP logins from 192.168.1.1 but is not a filter on everything FTP can transfer.

Task 4- 

  • Permit Telnet from host 192.168.1.1 to host 192.168.3.30
  • Deny Telnet from any host to any host

The permit must come before the deny, because the first matching entry wins; in the reverse order deny tcp any any eq telnet would swallow the allowed session too. Since ACL 100 already ends with permit ip any any (sequence 30), both entries are inserted ahead of it with explicit sequence numbers:

Router(config)# ip access-list extended 100
Router(config-ext-nacl)#23 permit tcp host 192.168.1.1 host 192.168.3.30 eq telnet
Router(config-ext-nacl)#24 deny tcp any any eq telnet
Router(config-ext-nacl)#exit
Router(config)# interface se 2/0
Router(config-if)# ip access-group 100 out

eq telnet is the same as eq 23. Because the list still ends with permit ip any any, all non-Telnet traffic continues to pass; had these two lines been the whole list, the implicit deny would have dropped everything else. Note also that an ACL on se 2/0 only filters Telnet that transits the router; to control Telnet to the router itself, use access-class on line vty.
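The four tasks above, checked offline with a small Python model of how IOS evaluates an extended ACL. This is an added example, not code or configuration from the original page: it implements the rules the lab depends on (top-down first match, wildcard masks, the host and any shortcuts, the implicit deny at the end) and flags entries that can never be hit because an earlier entry already covers them. The ACL text for Task 1 is reconstructed from the task statement (the page shows that configuration only as a screenshot), the port-name table is a subset of the IOS keywords, and the packets are constructed; keywords such as established, port ranges and ICMP types are not modelled.

```python
# Added example, not IOS code and not from the original page: a minimal model of
# how IOS walks an extended ACL. It handles the ACE shape this lab uses,
#   {permit|deny} {ip|tcp|udp|icmp} SRC DST [eq PORT]
# with SRC/DST = 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'. Keywords such as
# 'established', port ranges and ICMP types are deliberately not modelled.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"ftp": 21, "telnet": 23, "www": 80}  # subset of the IOS port keywords
ALL_ONES = 0xFFFFFFFF


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tok: List[str], i: int) -> Tuple[int, int, int]:
    """Parse the address field at tok[i]; return (network, care_mask, next_index).
    An address matches when (addr & care_mask) == network. An IOS wildcard has 0
    where the bit must match and 1 where it is ignored, so care_mask = ~wildcard."""
    if tok[i] == "any":
        return 0, 0, i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), ALL_ONES, i + 2
    care = _ip(tok[i + 1]) ^ ALL_ONES
    return _ip(tok[i]) & care, care, i + 2


@dataclass(frozen=True)
class Entry:
    action: str
    proto: str
    src: int
    src_care: int
    dst: int
    dst_care: int
    dport: Optional[int]
    text: str


def parse_entry(line: str) -> Entry:
    tok = line.split()
    src, src_care, i = _parse_addr(tok, 2)
    dst, dst_care, i = _parse_addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return Entry(tok[0], tok[1], src, src_care, dst, dst_care, dport, line)


def evaluate(acl: List[str], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, str]:
    """Top-down first match: return (action, deciding entry) for one packet."""
    for e in map(parse_entry, acl):
        if e.proto not in ("ip", proto):
            continue
        if (_ip(src) & e.src_care) != e.src or (_ip(dst) & e.dst_care) != e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, e.text
    return "deny", "implicit deny"  # every IOS ACL ends with an unwritten deny


def _covers(f: Entry, e: Entry) -> bool:
    """True when every packet that matches e also matches the earlier entry f."""
    if f.proto not in ("ip", e.proto):
        return False
    if f.src_care & ~e.src_care & ALL_ONES or f.dst_care & ~e.dst_care & ALL_ONES:
        return False  # f pins an address bit that e leaves free
    if f.src != (e.src & f.src_care) or f.dst != (e.dst & f.dst_care):
        return False
    return f.dport is None or f.dport == e.dport


def shadowed(acl: List[str]) -> List[int]:
    """Indices of entries that can never be hit because an earlier entry covers them."""
    entries = [parse_entry(line) for line in acl]
    return [i for i, e in enumerate(entries) if any(_covers(f, e) for f in entries[:i])]


# Task 1, reconstructed from the task statement (the page shows it only as a screenshot).
TASK1 = [
    "deny icmp host 192.168.1.1 host 192.168.3.40",
    "permit ip any any",  # also satisfies 'permit ping to 192.168.3.30'
]
# Task 3 typed into the list built for Task 2: the FTP denies are appended after
# 'permit ip any any' and can never match.
TASK2_THEN_3 = [
    "deny tcp host 192.168.1.1 host 192.168.3.30 eq 80",
    "deny tcp host 192.168.1.1 host 192.168.3.40 eq 443",
    "permit ip any any",
    "deny tcp host 192.168.1.1 host 192.168.3.30 eq 21",
    "deny tcp host 192.168.1.1 host 192.168.3.40 eq 21",
]
FIXED = TASK2_THEN_3[:2] + TASK2_THEN_3[3:] + ["permit ip any any"]  # denies first

if __name__ == "__main__":
    print(evaluate(TASK1, "icmp", "192.168.1.1", "192.168.3.40"))
    print(evaluate(TASK2_THEN_3, "tcp", "192.168.1.1", "192.168.3.30", 21), shadowed(TASK2_THEN_3))
    print(evaluate(FIXED, "tcp", "192.168.1.1", "192.168.3.30", 21), shadowed(FIXED))
```

Running the block shows the ping to 192.168.3.40 decided by the explicit ICMP deny, FTP to 192.168.3.30 permitted by permit ip any any when the Task 3 entries are simply appended (shadowed() reports entries 3 and 4 as dead), and the same FTP packet denied once the deny entries sit ahead of the final permit. The covers check is the same reasoning to apply by hand when reading show access-lists output: an entry is useless if an earlier one matches at least everything it matches.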

Difference between standard access list and extended access list

A standard access list (numbers 1 – 99 and 1300 – 1999) matches on the source IP address only, so it is applied as close to the destination as possible to avoid blocking more than intended. An extended access list (100 – 199 and 2000 – 2699) matches on source and destination address, protocol and port, so it can be applied close to the source and stop unwanted traffic before it crosses the network.
