Thursday, May 14, 2015

Configure Extended Numbered Access Lists - Extended ACL Example and Lab

This article demonstrates the Extended Numbered Access Control List (Extended Numbered ACL).
An access control list is used for filtering unwanted traffic. There are two types of ACL: numbered and named. Numbered access lists are either standard or extended, and named access lists are likewise either standard or extended. So there are four kinds of access list:
  1. Numbered standard access list
  2. Numbered extended access list
  3. Named standard access list
  4. Named extended access list

This article covers the Numbered Extended Access List. Extended means it filters packets based on the source IP address, destination IP address, protocol, and port. Numbered means that the access list is identified by a number rather than a name and cannot be edited in place (there is no capability for adding or removing specific lines).

Access Control List Rules
1- Whether you use Numbered (Standard and Extended) or Named (Standard and Extended) Access Lists, the packet is always compared with each line of the access list in sequential order. If the packet matches the first line (entry) of the ACL, the router does not check any other entries in the access list. If it does not match the first line, the router checks the second line, and so on. The packet is compared with the lines of the access list only until a match is made; once it matches the condition on a line, no further comparisons take place.
2- There is an implicit deny at the end of each access list. This means that if a packet does not match the condition on any of the lines in the access list, the packet is discarded.
3- The access list is applied on an interface in a specific direction, inbound or outbound. Inbound: the packets are processed through the ACL before being routed to the outbound interface. Outbound: the packets are routed to the outbound interface first, and then processed through the ACL.
4- Standard (numbered and named) access control lists filter network traffic by examining only the source IP address in a packet.
5- Named Access Lists (Standard and Extended) are editable: you can insert a line between existing lines or at the top of the entries, and you can delete a specific line. So there is a capability of modifying the access list (adding a line or deleting a specific line).
6- A Standard Access Control List is placed as close to the destination as possible.
7- An Extended Access Control List is placed as close to the source as possible.

Extended Numbered access lists

Numbered Extended Access Control Lists use the following syntax:
R(config)# access-list <100-199> <permit/deny> <protocol> <source address> <wildcard mask> <destination address> <wildcard mask> <operator> <port>

The parameters present in the Extended Numbered ACL syntax are described below. <100-199> is the number range reserved for extended numbered access control lists.
<protocol>
  PROTOCOL     DESCRIPTION
  ahp          Authentication Header Protocol
  eigrp        Cisco's EIGRP routing protocol
  esp          Encapsulation Security Payload
  gre          Cisco's GRE tunneling
  icmp         Internet Control Message Protocol
  ip           Any Internet Protocol
  ospf         OSPF routing protocol
  tcp          Transmission Control Protocol
  udp          User Datagram Protocol

<operator>
  OPERATOR     DESCRIPTION
  dscp         Match packets with given DSCP value
  eq           Match only packets on a given port number
  established  Match only established TCP connections (segments with the ACK or RST bit set)
  gt           Match only packets with a greater port number
  lt           Match only packets with a lower port number
  neq          Match only packets not on a given port number
  precedence   Match packets with given precedence value
  range        Match only packets in the range of port numbers

<port>
  PORT         DESCRIPTION
  <0-65535>    Port number
  ftp          File Transfer Protocol (21)
  pop3         Post Office Protocol v3 (110)
  smtp         Simple Mail Transport Protocol (25)
  telnet       Telnet (23)
  www          World Wide Web (HTTP, 80)

Configure Numbered Extended Access Control Lists


Looking at the above diagram, we want to prevent network 192.168.10.0/24 from accessing network 192.168.30.0/24 using icmp-echo (ping) only; everything else is permitted.
An extended access list is applied as close to the source network as possible, and we want to prevent network 192.168.10.0/24 (source) from accessing network 192.168.30.0/24 (destination) using icmp-echo. That is why I will write the configuration on Router0.

Configuration Steps:
1- Create an access list identified by a number. I used 110 as the access list number, icmp as the protocol, and echo as the service name, as you see in the first command below. Note that you can use either the port number or the service name; in this example I used the service name. The second command permits packets coming from any network to any network using any protocol: I used the ip protocol keyword, which means any protocol.
Router0(config)#access-list 110 deny icmp 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 echo
Router0(config)#access-list 110 permit ip any any

2- The access list is applied on an interface in a specific direction: no action (permit or deny) is taken until the access list is applied on an interface in a specific direction.
In this example we apply the ACL on interface g0/1 in the inbound direction. This means that when router interface g0/1 receives icmp-echo packets from network 192.168.10.0/24 that are going to network 192.168.30.0/24, it prevents these packets from being routed out of the other interfaces such as g0/0.
Before the commands below are entered, host 192.168.10.2 can reach 192.168.30.2.
Router0(config)#int f0/0
Router0(config-if)#ip access-group 110 in
After the above commands are entered (applying the ACL on the interface), host 192.168.10.2 can no longer reach 192.168.30.2.
To view the configured access list and its match counters, use show access-lists:
Extended IP access list 110
    deny icmp 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 echo (4 match(es))
    permit ip any any (4 match(es))
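To make the matching rules above concrete (sequential first match, implicit deny at the end, and Cisco wildcard masks where a 0 bit must match and a 1 bit is ignored), here is an added Python model of how Router0 evaluates access list 110 from this article against incoming packets. It is example code written for this post, not IOS code; parse_ace, ace_matches and evaluate are hypothetical names, and it covers only the ACE forms used on this page (any, host, network plus wildcard, an ICMP type name, or eq with a port).

```python
import ipaddress

# Constructed input: the two ACEs configured on Router0 in the article.
ACL_110 = [
    "access-list 110 deny icmp 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 echo",
    "access-list 110 permit ip any any",
]

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a | w) == (n | w)

def parse_ace(line):
    """Parse one numbered extended ACE (hypothetical helper, IOS subset)."""
    tok = line.split()
    ace = {"action": tok[2], "proto": tok[3]}
    i = 4
    for side in ("src", "dst"):          # address forms: any | host A | A WILDCARD
        if tok[i] == "any":
            ace[side], i = ("0.0.0.0", "255.255.255.255"), i + 1
        elif tok[i] == "host":
            ace[side], i = (tok[i + 1], "0.0.0.0"), i + 2
        else:
            ace[side], i = (tok[i], tok[i + 1]), i + 2
    rest = tok[i:]                        # trailing qualifier, if any
    ace["icmp_type"] = rest[0] if ace["proto"] == "icmp" and rest else None
    ace["port"] = int(rest[1]) if ace["proto"] in ("tcp", "udp") and rest[:1] == ["eq"] else None
    return ace

def ace_matches(ace, pkt):
    """Every field of the ACE must agree with the packet; 'ip' matches any protocol."""
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not wildcard_match(pkt["src"], *ace["src"]) or not wildcard_match(pkt["dst"], *ace["dst"]):
        return False
    if ace["icmp_type"] is not None and pkt.get("icmp_type") != ace["icmp_type"]:
        return False
    if ace["port"] is not None and pkt.get("dport") != ace["port"]:
        return False
    return True

def evaluate(acl_lines, pkt):
    """Rule 1: first matching line wins. Rule 2: no match hits the implicit deny."""
    for line in acl_lines:
        if ace_matches(parse_ace(line), pkt):
            return parse_ace(line)["action"], line
    return "deny", "implicit deny"

if __name__ == "__main__":
    ping = {"proto": "icmp", "src": "192.168.10.2", "dst": "192.168.30.2", "icmp_type": "echo"}
    print(evaluate(ACL_110, ping))      # ('deny', 'access-list 110 deny icmp ...')
```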




For more details, watch this short video on YouTube:
https://youtu.be/j0CDNAa2Wqg

