Extended ACLs (Access Control Lists)

A step up from standard access lists, extended access lists let you match traffic on a far broader set of criteria. Rather than just the source address, they can match source and destination addresses, the protocol, and (for TCP and UDP) the source and destination ports. These extra options give far more flexibility when matching traffic, but also make the lists more complicated to read. Even so, extended access lists are quite simple to understand once the basic structure is clear.

Extended access control list syntax

Extended access lists can be hard to read at first, because the full syntax has many fields and several of them are optional.

Router(config)#access-list <access-list-number> {permit|deny} <protocol> <source> <source-wildcard> <port-operator> <source-port> <destination> <destination-wildcard> <port-operator> <destination-port>

Although this looks complicated, we can break it down to simplify.

Source and destination: If you look at the source and destination parts of the access list, they have exactly the same shape: <address> <wildcard> <port-operator> <port>. The port operator and port are optional, and only meaningful for TCP and UDP. Rather than trying to remember the whole command, just remember those 4 items.

Protocol: The protocol can be an individual protocol such as TCP, UDP or ICMP. If it is set to IP, the line matches every IP protocol, and no port operators or ports can be given, because ports only exist for TCP and UDP.

Any and host keywords: If you want to match all sources or destinations, substitute the entire source or destination element of the command with the keyword any. To match a single address, write host <address>; it means the same as <address> 0.0.0.0.

With this in mind, we can simplify the extended access list syntax to this:

Router(config)#access-list <access-list-number> {permit|deny} <protocol> {source | any} {destination | any}

Source/Destination: <address> <wildcard> <port-operator> <port>

Broken down like this, the extended access list syntax is much easier to learn. If you are still not sure, don't worry: the examples at the end of this page develop the idea, and after working through them a few times the syntax should become second nature.

Port operators

An extended access list lets you do more than match a single port; depending on the port operator you use it can match a whole range. The operators are eq (equal to a single port), neq (any port except the one given), lt (any port below the one given), gt (any port above the one given) and range <low> <high> (every port from low to high inclusive). An operator and port can follow the source, the destination, or both.


Extended access list example

Consider the example access list below.

access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 10.1.1.254 eq www
access-list 100 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 100 deny tcp 192.168.1.1 0.0.0.0 host 10.1.1.254 eq 23
access-list 100 deny tcp host 192.168.1.1 host 10.1.1.254 eq 80
access-list 100 permit ip any any

Taking the sections one at a time makes interpreting this access list less daunting. Working from top to bottom:

  1. Permit TCP traffic from the 192.168.1.0/24 network to port 80 on the host 10.1.1.254 (IOS spells port 80 as www; eq 80 means the same thing)
  2. Permit IP traffic from the 192.168.1.0/24 network to the network 10.1.1.0/24
  3. Deny TCP traffic from the host 192.168.1.1 to port 23 on the host 10.1.1.254 (192.168.1.1 0.0.0.0 and host 192.168.1.1 are two ways of writing the same thing)
  4. Deny TCP traffic from the host 192.168.1.1 to port 80 on the host 10.1.1.254
  5. Permit IP traffic from any source to any destination

Reading the lines is only half the job: an access list is processed top down and the first matching line wins, so order matters. In this list, lines 3 and 4 can never match anything. Line 2 already permits all IP traffic from 192.168.1.0/24 (which includes 192.168.1.1) to 10.1.1.0/24 (which includes 10.1.1.254), and line 1 permits that host's HTTP traffic even earlier. For the two deny lines to take effect they would have to be moved above lines 1 and 2.

Practice access list questions

Using a pen and paper, see if you can write three access lists, numbered 101 to 103, that match these rules:

ACL 1: An access list needs to be created that will block all traffic trying to telnet into the router with the address 172.16.16.254. Management traffic sitting on the subnet 192.168.50.0/28 should be permitted telnet access. Also, as this is the internet gateway for the company all other traffic should be permitted.

ACL 2: A company would like to host a web and FTP server behind their internet-facing router and make it accessible to the world, but do not want any internet traffic reaching other parts of their network. Create an access list that meets these objectives. Both servers have the same IP address: 199.45.50.75.

ACL 3: An internet cafe would like an access list that will allow all hosts in the subnet 192.168.75.0/26 access to both secure and insecure web pages on the internet. Also, the management software that runs on the computers needs to be able to communicate with its server reachable at 192.168.80.128/26. All management traffic uses ports 10,000 to 10,010 inclusive, and is sent reliably. All other traffic from the cafe computers should be blocked.

ACL 1 Answer

To tackle these problems, it's best to break what is required down into bullet points:

  - Permit telnet (TCP port 23) to the router address 172.16.16.254 from the management subnet 192.168.50.0/28
  - Deny telnet to 172.16.16.254 from everywhere else
  - Permit all other traffic

With this in mind, the statement that allows the management traffic must come first, because the deny statement would otherwise block it too. All other traffic is allowed with a permit ip any any at the end. Although that final line on its own would allow telnet to the router, it is never reached for that traffic: the deny statement above it matches telnet to 172.16.16.254 first, and the first match wins.

access-list 101 permit tcp 192.168.50.0 0.0.0.15 host 172.16.16.254 eq 23
access-list 101 deny tcp any host 172.16.16.254 eq 23
access-list 101 permit ip any any

The wildcard 0.0.0.15 covers the 16 addresses of the /28. The first line is deliberately narrow: only telnet to the router is carved out of the deny, so the management subnet gets exactly the access the requirement asks for and nothing more (everything else it sends is covered by the final permit anyway). Remember too that an access list filters nothing until it is applied to an interface in a direction, and that telnet to the router itself is often restricted on the vty lines with an access-class rather than with an interface access list.

ACL 2 Answer

Breaking down the requirements:

  - Permit web traffic (TCP port 80) from anywhere to 199.45.50.75
  - Permit FTP (TCP ports 20 and 21) from anywhere to 199.45.50.75
  - Deny everything else coming in from the internet

These requirements are met with two lines, with the implicit deny at the end of every access list meeting the last one:

access-list 102 permit tcp any host 199.45.50.75 eq 80
access-list 102 permit tcp any host 199.45.50.75 range 20 21

Two caveats a real deployment would hit. If the web server also serves HTTPS, port 443 needs a line of its own. And port 20 only covers active-mode FTP, where the server opens the data connection itself; passive-mode FTP uses a server-chosen high port for data, which this list blocks unless that range is permitted as well.

ACL 3 Answer

Breaking down the requirements:

  - Permit HTTP (TCP port 80) from 192.168.75.0/26 to anywhere
  - Permit HTTPS (TCP port 443) from 192.168.75.0/26 to anywhere
  - Permit TCP ports 10000 to 10010 from 192.168.75.0/26 to 192.168.80.128/26 ("sent reliably" means TCP)
  - Deny everything else from the cafe computers

Once again, a fairly straightforward extended access list once it is broken down. The last requirement is met by the implicit deny, so no deny line is needed:

access-list 103 permit tcp 192.168.75.0 0.0.0.63 any eq 80
access-list 103 permit tcp 192.168.75.0 0.0.0.63 any eq 443
access-list 103 permit tcp 192.168.75.0 0.0.0.63 192.168.80.128 0.0.0.63 range 10000 10010

Note what the implicit deny also catches: DNS (UDP port 53) from the cafe hosts is dropped, so browsing by name only works if name resolution happens somewhere this list does not filter. That is what the requirement asks for, but it is the kind of side effect worth checking before applying a list like this.
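To make the syntax, the port operators and the top-down evaluation concrete, here is an added example that is not part of the original page and not Cisco code: a small Python parser for the simplified syntax described above, an evaluator that applies the first-match rule and the implicit deny, and a check for lines that a single earlier line completely covers. It is fed the page's ACL 100 (with port 80 written as the IOS keyword www) and the ACL 103 answer. Assumptions: the port keyword table is a small subset of the IOS names, wildcard masks are applied with the plain bitwise rule, and the sample packet addresses such as 203.0.113.9 are constructed for the example.

```python
import ipaddress
from collections import namedtuple

# Port keywords the parser understands: an assumption, a small subset of the IOS names.
PORT_NAMES = {"www": 80, "telnet": 23, "ftp": 21, "ftp-data": 20, "smtp": 25, "domain": 53}
PORT_OPS = ("eq", "neq", "lt", "gt", "range")


def _ip(text):
    return int(ipaddress.IPv4Address(text))


class Endpoint(namedtuple("Endpoint", "addr wild op ports", defaults=(None, ()))):
    """One side of a line: address, wildcard (1 bit = don't care), optional port operator."""

    def port_range(self):
        """Matched ports as one closed interval; None for neq, which matches two intervals."""
        table = {None: lambda p: (0, 65535), "eq": lambda p: (p[0], p[0]),
                 "lt": lambda p: (0, p[0] - 1), "gt": lambda p: (p[0] + 1, 65535),
                 "range": lambda p: (p[0], p[1])}
        return table[self.op](self.ports) if self.op in table else None

    def matches(self, ip, port):
        if (_ip(ip) ^ self.addr) & ~self.wild & 0xFFFFFFFF:
            return False            # differs on a bit the wildcard fixes
        if self.op is None:
            return True
        if port is None:            # port operator, but the packet has no ports (e.g. icmp)
            return False
        if self.op == "neq":
            return port != self.ports[0]
        lo, hi = self.port_range()
        return lo <= port <= hi

    def covers(self, other):
        """True if every address and port other can match, this endpoint matches too."""
        if ~self.wild & (other.wild | self.addr ^ other.addr) & 0xFFFFFFFF:
            return False            # other is looser, or differs, on a bit this side fixes
        mine, theirs = self.port_range(), other.port_range()
        return None not in (mine, theirs) and mine[0] <= theirs[0] and theirs[1] <= mine[1]


Rule = namedtuple("Rule", "action proto src dst text")


def _parse_endpoint(toks, pos):
    """Consume 'any' | 'host <addr>' | '<addr> <wildcard>' and an optional port operator."""
    if toks[pos] == "any":
        addr, wild, pos = 0, 0xFFFFFFFF, pos + 1
    elif toks[pos] == "host":
        addr, wild, pos = _ip(toks[pos + 1]), 0, pos + 2
    else:
        addr, wild, pos = _ip(toks[pos]), _ip(toks[pos + 1]), pos + 2
    op, ports = None, ()
    if pos < len(toks) and toks[pos] in PORT_OPS:
        op, n = toks[pos], 2 if toks[pos] == "range" else 1
        ports = tuple(PORT_NAMES.get(t) or int(t) for t in toks[pos + 1:pos + 1 + n])
        pos += 1 + n
    return Endpoint(addr, wild, op, ports), pos


def parse_acl(lines):
    """Parse 'access-list <n> {permit|deny} <protocol> <source> <destination>' lines."""
    rules = []
    for line in lines:
        toks = line.split()
        if len(toks) < 6 or toks[0] != "access-list" or toks[2] not in ("permit", "deny"):
            raise ValueError("not an extended access-list line: " + line)
        src, pos = _parse_endpoint(toks, 4)
        dst, pos = _parse_endpoint(toks, pos)
        if toks[3] not in ("tcp", "udp") and (src.op or dst.op):
            raise ValueError("port operators are only valid with tcp or udp: " + line)
        rules.append(Rule(toks[2], toks[3], src, dst, line))
    return rules


def evaluate(rules, proto, src_ip, src_port, dst_ip, dst_port):
    """Top down, first match wins: (action, line index). Index None is the implicit deny."""
    for i, r in enumerate(rules):
        if (r.proto in ("ip", proto) and r.src.matches(src_ip, src_port)
                and r.dst.matches(dst_ip, dst_port)):
            return r.action, i
    return "deny", None


def shadowed_by(rules):
    """Lines that one earlier line completely covers (so they never match) -> that line."""
    out = {}
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            if (earlier.proto in ("ip", later.proto) and earlier.src.covers(later.src)
                    and earlier.dst.covers(later.dst)):
                out[j] = i
                break
    return out


# The page's ACL 100 (port 80 written with the IOS keyword www) and its ACL 103 answer.
ACL_100 = ["access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 10.1.1.254 eq www",
           "access-list 100 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255",
           "access-list 100 deny tcp 192.168.1.1 0.0.0.0 host 10.1.1.254 eq 23",
           "access-list 100 deny tcp host 192.168.1.1 host 10.1.1.254 eq 80",
           "access-list 100 permit ip any any"]
ACL_103 = ["access-list 103 permit tcp 192.168.75.0 0.0.0.63 any eq 80",
           "access-list 103 permit tcp 192.168.75.0 0.0.0.63 any eq 443",
           "access-list 103 permit tcp 192.168.75.0 0.0.0.63 192.168.80.128 0.0.0.63 range 10000 10010"]

if __name__ == "__main__":
    print(evaluate(parse_acl(ACL_100), "tcp", "192.168.1.1", 40000, "10.1.1.254", 23))  # ('permit', 1)
    print(shadowed_by(parse_acl(ACL_100)))  # {2: 1, 3: 0}
```

The shadow check only reports a line that a single earlier line covers on its own, which is enough to catch lines 3 and 4 of ACL 100; a line hidden by the combination of several earlier lines would need a full range analysis. Running telnet from 192.168.1.1 to 10.1.1.254 through ACL 100 shows it hitting line 2 (index 1), not the deny, and a DNS query from a cafe host through ACL 103 falls through to the implicit deny.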
