Extended ACL

1. Configuration of Extended ACL

Let’s dive into the scenario and topology:

In this setup, the Marketing network (192.168.1.0/24) contains a computer that needs access to the Marketing Web Server (192.168.2.1) exclusively over HTTPS (TCP port 443).

[Figure: Extended ACL Refusing Access Router]

At the same time, it is crucial to deny all access from this computer to the Legal Web Server (192.168.3.1). This example illustrates how Extended ACLs can be used to enforce more granular traffic control based on protocols, source, and destination.

🛠️ Enter Global Configuration Mode

To begin creating an Extended ACL, you need to access the global configuration mode. This is where all major configurations, including ACLs, are defined.

🔹 Use the following command to enter global configuration mode:

R1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#

After entering configuration mode, type ip access-list followed by ? to list the available options for ACL creation:

R1(config)# ip access-list ?
  extended    Extended Access List
  helper      Access List acts on helper-address
  log-update  Control access list log updates
  logging     Control access list logging
  resequence  Resequence Access List
  standard    Standard Access List

You can see various ACL options, including extended for creating Extended ACLs. Choose this option to proceed.

🔍 Start Creating the Extended ACL

Extended ACLs can be numbered (100–199 or 2000–2699) or named. In this example, we’ll create a numbered Extended ACL with the number 101.

🔹 To begin, use the following command:

R1(config)# ip access-list extended ?
  <100-199>    Extended IP access-list number
  <2000-2699>  Extended IP access-list number (expanded range)
  WORD         Access-list name

Select 101 as the ACL number:

R1(config)# ip access-list extended 101

Now you’re in the extended ACL configuration mode and can start adding rules.

🔍 Define Permit Rule

We want to allow traffic from the Marketing computer (192.168.1.1) to the Marketing Web Server (192.168.2.1) over HTTPS (TCP port 443). Start by specifying the protocol for the rule, in this case, TCP:

R1(config-ext-nacl)# permit ?
  <0-255>       An IP protocol number
  ahp           Authentication Header Protocol
  eigrp         Cisco's EIGRP routing protocol
  esp           Encapsulation Security Payload
  gre           Cisco's GRE tunneling
  icmp          Internet Control Message Protocol
  igmp          Internet Gateway Message Protocol
  ip            Any Internet Protocol
  ipinip        IP in IP tunneling
  nos           KA9Q NOS compatible IP over IP tunneling
  object-group  Service object group
  ospf          OSPF routing protocol
  pcp           Payload Compression Protocol
  pim           Protocol Independent Multicast
  sctp          Stream Control Transmission Protocol
  tcp           Transmission Control Protocol
  udp           User Datagram Protocol

Choose TCP as the protocol, and then define the source (the Marketing computer) as a specific host:

R1(config-ext-nacl)# permit tcp ?
  A.B.C.D       Source address
  any           Any source host
  host          A single source host
  object-group  Source network object group

Specify the source address as 192.168.1.1:

R1(config-ext-nacl)# permit tcp host 192.168.1.1 ?
  A.B.C.D       Destination address
  any           Any destination host
  eq            Match only packets on a given port number
  gt            Match only packets with a greater port number
  host          A single destination host
  lt            Match only packets with a lower port number
  neq           Match only packets not on a given port number
  object-group  Destination network object group
  range         Match only packets in the range of port numbers

Next, define the destination (the Marketing Web Server) as a specific host:

R1(config-ext-nacl)# permit tcp host 192.168.1.1 host 192.168.2.1 ?
  ack          Match on the ACK bit
  dscp         Match packets with given dscp value
  eq           Match only packets on a given port number
  established  Match established connections
  fin          Match on the FIN bit
  fragments    Check non-initial fragments
  gt           Match only packets with a greater port number
  log          Log matches against this entry
  log-input    Log matches against this entry, including input interface
  lt           Match only packets with a lower port number
  match-all    Match if all specified flags are present
  match-any    Match if any specified flag is present
  neq          Match only packets not on a given port number
  option       Match packets with given IP Options value
  precedence   Match packets with given precedence value
  psh          Match on the PSH bit
  range        Match only packets in the range of port numbers
  reflect      Create reflexive access list entry
  rst          Match on the RST bit
  syn          Match on the SYN bit
  time-range   Specify a time-range
  tos          Match packets with given TOS value
  ttl          Match packets with given TTL value
  urg          Match on the URG bit

Finally, specify that the rule applies to traffic on port 443 (HTTPS):

R1(config-ext-nacl)# permit tcp host 192.168.1.1 host 192.168.2.1 eq ?
  <0-65535>    Port number
  bgp          Border Gateway Protocol (179)
  chargen      Character generator (19)
  cmd          Remote commands (rcmd, 514)
  daytime      Daytime (13)
  discard      Discard (9)
  domain       Domain Name Service (53)
  drip         Dynamic Routing Information Protocol (3949)
  echo         Echo (7)
  exec         Exec (rsh, 512)
  finger       Finger (79)
  ftp          File Transfer Protocol (21)
  ftp-data     FTP data connections (20)
  gopher       Gopher (70)
  hostname     NIC hostname server (101)
  ident        Ident Protocol (113)
  irc          Internet Relay Chat (194)
  klogin       Kerberos login (543)
  kshell       Kerberos shell (544)
  login        Login (rlogin, 513)
  lpd          Printer service (515)
  nntp         Network News Transport Protocol (119)
  onep-plain   ONEP Cleartext (15001)
  onep-tls     ONEP TLS (15002)
  pim-auto-rp  PIM Auto-RP (496)
  pop2         Post Office Protocol v2 (109)
  pop3         Post Office Protocol v3 (110)
  smtp         Simple Mail Transport Protocol (25)
  sunrpc       Sun Remote Procedure Call (111)
  tacacs       TAC Access Control System (49)
  talk         Talk (517)
  telnet       Telnet (23)
  time         Time (37)
  uucp         Unix-to-Unix Copy Program (540)
  whois        Nicname (43)
  www          World Wide Web (HTTP, 80)

Choose 443 as the port:

R1(config-ext-nacl)# permit tcp host 192.168.1.1 host 192.168.2.1 eq 443

This rule allows only HTTPS traffic from the Marketing computer to the Marketing Web Server.

⚠️ Define the Deny Rule

Similarly, create a rule to deny all types of traffic from the Marketing computer (192.168.1.1) to the Legal Web Server (192.168.3.1):

🔹 Configure the deny rule:

R1(config-ext-nacl)# deny ip host 192.168.1.1 host 192.168.3.1

Explanation:

  • deny: Specifies that the traffic will be blocked.
  • ip: Matches all IP traffic, including TCP, UDP, ICMP, and others.
  • host 192.168.1.1: Specifies the Marketing computer as the source of the traffic.
  • host 192.168.3.1: Specifies the Legal Web Server as the destination.

📢 Now the router has the deny rule added to the access list. However, the access list is not yet applied to an interface, so the router doesn’t know where to filter the packets. We will apply the ACL to the appropriate interface in the next step.

2. Where to Apply Extended ACL

🔍 Apply ACL Closest to the Source

Extended ACLs filter traffic based on multiple parameters (source, destination, and ports), so applying them as close as possible to the source ensures that unwanted traffic is blocked early, preventing unnecessary load on the network.

Example Scenario:

  • In this case, the Marketing computer is the source.
  • Apply the ACL to Interface G0/0, which is the interface closest to the Marketing network.

[Figure: Extended ACL Placement]

🔹 Applying the ACL to the Interface

First, access the interface configuration mode for G0/0:

R1(config)# int g0/0

Then, use the ip access-group command to apply the Extended ACL. The context help shows that the next argument is the ACL number or name:

R1(config-if)# ip access-group ?
  <1-199>      IP access list (standard or extended)
  <1300-2699>  IP expanded access list (standard or extended)
  WORD         Access-list name

Select the ACL number (101 in this case) and apply it in the inbound direction, as we want to filter traffic entering the router from the Marketing network.

R1(config-if)# ip access-group 101 ?
  in   inbound packets
  out  outbound packets
R1(config-if)# ip access-group 101 in

3. Verifying Extended ACLs

To verify the ACL configuration, use the following command:

🔹 Check the ACL rules:

R1# show access-lists 101
Extended IP access list 101
    10 permit tcp host 192.168.1.1 host 192.168.2.1 eq 443
    20 deny   ip host 192.168.1.1 host 192.168.3.1

This output confirms the following:

  • Permit Rule: Allows HTTPS traffic from 192.168.1.1 to 192.168.2.1.
  • Deny Rule: Blocks all traffic from 192.168.1.1 to 192.168.3.1.

4. Named Extended ACLs

Besides a number, an Extended ACL can be identified by a descriptive name.

[Figure: Extended ACL Topology]

🔍 Create the Named Extended ACL

In this section, we will create a Named Extended ACL called MARKETING_POLICY.

🔹 Enter global configuration mode and define the ACL with a descriptive name:

R1(config)# ip access-list extended MARKETING_POLICY
R1(config-ext-nacl)# permit tcp host 192.168.1.1 host 192.168.2.1 eq 443
R1(config-ext-nacl)# deny ip host 192.168.1.1 host 192.168.3.1

This configuration ensures that:

  • HTTPS traffic from the Marketing computer (192.168.1.1) to the Marketing Web Server (192.168.2.1) is permitted.
  • All traffic from the Marketing computer to the Legal Web Server (192.168.3.1) is denied.

5. Applying Named Extended ACLs to Interfaces

After creating the named ACL, it must be applied to an interface.

In this example, apply the MARKETING_POLICY ACL to incoming traffic on interface G0/0 (connected to the Marketing network):

🔹 Apply the ACL to the interface:

R1(config)# interface G0/0
R1(config-if)# ip access-group MARKETING_POLICY in

✅ This ensures that the ACL is actively filtering packets as they enter the router from the Marketing network.

6. Verifying Named Extended ACLs

To confirm that the named ACL MARKETING_POLICY is configured correctly, use the following command:

🔹 Check ACL Configuration:

R1# show access-lists MARKETING_POLICY
Extended IP access list MARKETING_POLICY
    10 permit tcp host 192.168.1.1 host 192.168.2.1 eq 443
    20 deny   ip host 192.168.1.1 host 192.168.3.1

✅ This output confirms that:

  • HTTPS traffic from 192.168.1.1 to 192.168.2.1 is permitted.
  • All traffic from 192.168.1.1 to 192.168.3.1 is denied.

7. Troubleshooting Extended ACLs

If the Extended ACL is not functioning as expected, follow these steps to troubleshoot:

🔍 Verify Application

Ensure that the ACL is applied to the correct interface and in the correct direction (inbound or outbound). Use the following command to check:

🔹 Check ACL Application on Interface (replace X with the interface name, for example g0/0):

R1# show ip interface X

✅ Confirm:

  • The ACL name or number is applied to the intended interface.
  • The direction (inbound or outbound) matches your intended configuration.

🔍 Check Configuration

Review the rules in the ACL to ensure they are correctly configured and ordered. Extended ACLs are processed top-down and the first matching entry wins, so the sequence of rules is critical; a packet that matches no entry is dropped by the implicit deny at the end of every ACL.

🔹 Review ACL Entries:

R1# show access-lists

✅ Check for:

  • Missing or incorrect rules.
  • Unexpected matches due to improper ordering of rules.
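To make the top-down, first-match evaluation concrete, here is an added example in Python (not code from the page or from Cisco): a small evaluator that takes the two entries of the page's ACL exactly as they appear in section 1 and in the show access-lists output of section 3, checks constructed packets against them, models the implicit deny that ends every IOS ACL, and binds the ACL inbound on G0/0 as in section 2. The Packet class, the wildcard-mask matcher, the ROUTER table and the sample packets are assumptions built for the example; the shadowing_demo function adds a hypothetical broad permit entry at sequence 15 to show the ordering mistake the check above is looking for.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple
import ipaddress

# The two entries from the page, with the sequence numbers show access-lists displays.
MARKETING_POLICY = [
    (10, "permit tcp host 192.168.1.1 host 192.168.2.1 eq 443"),
    (20, "deny ip host 192.168.1.1 host 192.168.3.1"),
]
# Constructed placement table (assumption): the ACL bound inbound on G0/0, as in section 2.
ROUTER = {("g0/0", "in"): MARKETING_POLICY}
PORT_OPS = {"eq", "neq", "gt", "lt", "range"}


@dataclass(frozen=True)
class Packet:            # constructed packet summary (assumption, not a real parser)
    proto: str           # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Entry:
    action: str
    proto: str
    src: Callable[[str], bool]
    dst: Callable[[str], bool]
    dport: Callable[[Optional[int]], bool]

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        return self.src(pkt.src) and self.dst(pkt.dst) and self.dport(pkt.dport)


def _addr(tokens: List[str]) -> Callable[[str], bool]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' and return a matcher."""
    tok = tokens.pop(0)
    if tok == "any":
        return lambda ip: True
    if tok == "host":
        target = ipaddress.IPv4Address(tokens.pop(0))
        return lambda ip: ipaddress.IPv4Address(ip) == target
    base = int(ipaddress.IPv4Address(tok))
    wild = int(ipaddress.IPv4Address(tokens.pop(0)))
    care = 0xFFFFFFFF ^ wild   # wildcard 0-bits must match, 1-bits are ignored
    return lambda ip: int(ipaddress.IPv4Address(ip)) & care == base & care


def _port(tokens: List[str]) -> Callable[[Optional[int]], bool]:
    """Consume an optional numeric port operator; with no operator every port matches."""
    if not tokens or tokens[0] not in PORT_OPS:
        return lambda p: True
    op, a = tokens.pop(0), int(tokens.pop(0))
    if op == "range":
        b = int(tokens.pop(0))
        return lambda p: p is not None and a <= p <= b
    return {"eq": lambda p: p == a,
            "neq": lambda p: p != a,
            "gt": lambda p: p is not None and p > a,
            "lt": lambda p: p is not None and p < a}[op]


def parse_entry(line: str) -> Entry:
    """Parse one ACE of the form ACTION PROTO SRC DST [PORT-OP PORT]; trailing options ignored."""
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    src, dst = _addr(tokens), _addr(tokens)
    return Entry(action, proto, src, dst, _port(tokens))


def evaluate(acl: List[Tuple[int, str]], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins; no match means the implicit deny (reported as seq None)."""
    for seq, line in acl:
        entry = parse_entry(line)
        if entry.matches(pkt):
            return entry.action, seq
    return "deny", None


def filter_at(router, iface: str, direction: str, pkt: Packet):
    """Consult only the ACL bound to (interface, direction); nothing bound means no filtering."""
    acl = router.get((iface, direction))
    return evaluate(acl, pkt) if acl is not None else ("unfiltered", None)


def demo():
    """Constructed packets against the page's ACL; returns {case: (action, matched seq)}."""
    cases = {
        "https to marketing web": Packet("tcp", "192.168.1.1", "192.168.2.1", 443),
        "http to marketing web": Packet("tcp", "192.168.1.1", "192.168.2.1", 80),
        "https to legal web": Packet("tcp", "192.168.1.1", "192.168.3.1", 443),
        "ping legal web": Packet("icmp", "192.168.1.1", "192.168.3.1"),
        "other marketing host https": Packet("tcp", "192.168.1.2", "192.168.2.1", 443),
    }
    return {name: evaluate(MARKETING_POLICY, p) for name, p in cases.items()}


def shadowing_demo():
    """Ordering mistake: a hypothetical broad permit at seq 15 shadows the deny at seq 20."""
    broad = (15, "permit ip 192.168.1.0 0.0.0.255 any")
    misordered = MARKETING_POLICY[:1] + [broad] + MARKETING_POLICY[1:]
    pkt = Packet("tcp", "192.168.1.1", "192.168.3.1", 443)
    return evaluate(MARKETING_POLICY, pkt), evaluate(misordered, pkt)
```

Running demo() shows that only the HTTPS flow to 192.168.2.1 is permitted (sequence 10); HTTP to the same server and HTTPS from a second Marketing host fall through both entries to the implicit deny, while both the HTTPS and the ICMP packets to the Legal Web Server are stopped by sequence 20. If the rest of the Marketing network is expected to pass, the ACL needs an explicit permit placed below the deny entry. shadowing_demo() shows the opposite mistake: a broad permit placed above the deny matches first and the deny never fires, which is exactly the kind of unexpected match to look for when reviewing show access-lists output.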

🔹 Modify if Needed

If the ACL is incorrect, you can remove and recreate it. Start by deleting the problematic ACL:

R1(config)# no ip access-list extended MARKETING_POLICY

Then, redefine the ACL with the correct entries. Note that while the ACL does not exist, an interface that still references it with ip access-group passes all traffic unfiltered, so recreate the ACL promptly after deleting it.