Extended Named ACL Configuration in Packet Tracer - Netizzan

In our previous article, we introduced access control lists (ACLs) and went deep into standard numbered ACL configuration. Now, let’s take things a step further by diving into the extended named ACLs configuration, which offers more options to efficiently manage traffic within a network.

This post is part of our series on ACL configuration. You can find the other posts listed below.

Overview of Extended ACLs

Extended ACLs function similarly to standard ACLs, but they offer more precision and finer control when it comes to defining traffic rules.

Extended ACLs are capable of matching traffic based on various parameters, including layer 4 protocols, source IP addresses, destination IP addresses, and port numbers.

Here are some key features and rules to keep in mind when working with extended named ACLs:

A. Matching Criteria

Extended ACLs can match traffic based on the following criteria:

  1. Source IP address
  2. Destination IP address
  3. Source port number
  4. Destination port number
  5. Protocol (TCP, UDP, etc.)

B. Configuration Mode

Unlike numbered ACLs, which are configured in global configuration mode, named ACLs are set up in a separate configuration mode. This allows for more structured and organized rule management.

C. Rule Order

Just like with standard ACLs, the rules in an extended named ACL are processed from top to bottom. The first matching rule is applied, and subsequent rules are ignored, so the order of your rules is very important. Remember that every ACL ends with an implicit deny, so traffic that matches none of your rules is dropped.

D. Applying ACLs

To maximize effectiveness, extended ACLs should be applied as close to the source of the traffic as possible. Placing them strategically within your network architecture ensures that unwanted traffic is filtered out early in the process.

E. Flexibility in Rule Management

One advantage of using named ACLs is the ability to manage individual entries within the ACL. You can delete a specific entry with the `no <sequence-number>` command and insert new entries by specifying a sequence number. This flexibility simplifies the maintenance of your ACLs.

Extended ACL Configuration Commands

To configure an Extended Named ACL, you’ll use the following command structure:

ip access-list extended {name}

Within the ACL configuration mode, you can define rules using the following format:

{permit | deny} {protocol} {source IP address} [source port] {destination IP address} [destination port]

As noted above, after specifying TCP or UDP as the protocol, you can optionally include the source and destination ports (for example, eq 443) to create even more specific rules.

Extended Named ACL Configuration

Now that we have run through the overview of extended named ACLs, let's apply what we have covered to the network topology below:

extended named ACL network topology

This network consists of two routers, each connected to two PCs through a switch.

Below is the IP address table for the network above:

| Device        | Default Gateway | Interface (IP address) | Interface (IP address) | Subnet Mask   |
|---------------|-----------------|------------------------|------------------------|---------------|
| Router 1 (R1) |                 | G0/0/1 (192.168.1.1)   | G0/0/0 (192.168.2.1)   | 255.255.255.0 |
| Router 2 (R2) |                 | G0/0/1 (192.168.3.1)   | G0/0/0 (192.168.2.2)   | 255.255.255.0 |
| PC0           | 192.168.3.1     | fa/0 (192.168.3.2)     |                        | 255.255.255.0 |
| PC1           | 192.168.3.1     | fa/0 (192.168.3.3)     |                        | 255.255.255.0 |
| PC2           | 192.168.1.1     | fa/0 (192.168.1.2)     |                        | 255.255.255.0 |
| PC3           | 192.168.1.1     | fa/0 (192.168.1.3)     |                        | 255.255.255.0 |

I maintained the network configuration according to the IP addresses shown in the table above. Also, I have completed the static route configuration to ensure that all PCs can communicate with each other.

Configuration Objectives:

The objective of this configuration is to achieve the following access permissions and denials:

  1. PC0 should be denied HTTPS access to PC2.
  2. PC3 should be prevented from accessing hosts in the 192.168.3.0/24 subnet.

Configuration Steps:

To achieve the objectives outlined above using extended named ACLs, the following configuration steps are needed:

Obj 1: PC0 can’t use HTTPS to access PC2

Step 1: Access the configuration mode for the extended named ACL on Router 2:

R2(config)# ip access-list extended ACL-PC0-TO-PC2

Step 2: Add a rule to deny HTTPS traffic (TCP port 443) from PC0 to PC2. The port keyword applies to the address it follows, so eq 443 is placed after the destination (PC2) to match HTTPS requests sent to PC2:

R2(config-ext-nacl)# deny tcp host 192.168.3.2 host 192.168.1.2 eq 443

Step 3: Permit all other traffic:

R2(config-ext-nacl)# permit ip any any

Step 4: Exit the ACL configuration mode:

R2(config-ext-nacl)# exit

Step 5: Apply the ACL to the inbound traffic on Router 2's interface connected to PC0:

R2(config)# interface GigabitEthernet0/0/1
R2(config-if)# ip access-group ACL-PC0-TO-PC2 in

Step 6: Save the configuration:

R2(config-if)# end
R2# write memory

Obj 2: Denying PC3 access to hosts in 192.168.3.0/24 subnet

Step 1: Access the configuration mode for the extended named ACL on Router 1:

R1(config)# ip access-list extended ACL-PC3-NO-ACCESS

Step 2: Add a rule to deny all traffic from PC3 to the 192.168.3.0/24 subnet:

R1(config-ext-nacl)# deny ip host 192.168.1.3 192.168.3.0 0.0.0.255

Step 3: Permit all other traffic:

R1(config-ext-nacl)# permit ip any any

Step 4: Exit the ACL configuration mode:

R1(config-ext-nacl)# exit

Step 5: Apply the ACL to the inbound traffic on Router 1's interface connected to PC3:

R1(config)# interface GigabitEthernet0/0/1
R1(config-if)# ip access-group ACL-PC3-NO-ACCESS in

Step 6: Save the configuration:

R1(config-if)# end
R1# write memory

Testing the Configuration

To validate that we have achieved our extended named ACL configuration objectives, I used the following command to view our configuration on both Router 1 and Router 2:

R1(config)#do show access-list

The configuration for Router 1 is shown below:

R1(config)#do show access-list
Extended IP access list ACL-PC3-NO-ACCESS
    10 deny ip host 192.168.1.3 192.168.3.0 0.0.0.255 (12 match(es))
    20 permit ip any any

Similarly, the configuration for Router 2 is shown below:

R2(config)#do show access-list
Extended IP access list ACL-PC0-TO-PC2
    10 deny tcp host 192.168.3.2 host 192.168.1.2 eq 443 (12 match(es))
    20 permit ip any any (51 match(es))

Also, I sent HTTPS traffic from PC0 to PC3 and the traffic was blocked on Router 2.
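As an added example (not part of the original article), the following Python script evaluates the two ACLs above the way the router does: top down, first match wins, implicit deny at the end. It lets you check the expected permit/deny result for a given flow offline before you trust the Packet Tracer match counters. The parser covers only the entry syntax used on this page (any, host, address plus wildcard mask, and numeric eq ports); the flows you feed to evaluate() are constructed test data.

```python
import ipaddress
from collections import namedtuple
# One access control entry (ACE): ports are None unless "eq <port>" was given
Ace = namedtuple("Ace", "action proto src dst src_port dst_port")

def _take_addr(tok):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' and return (network, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    # IOS wildcard mask: 0 bits must match, 1 bits are ignored, so invert it
    wildcard = int(ipaddress.ip_address(tok[1]))
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ wildcard)
    return ipaddress.ip_network(f"{tok[0]}/{netmask}", strict=False), tok[2:]

def _take_port(tok):
    """Consume an optional 'eq <number>' (numeric ports only in this example)."""
    if tok and tok[0] == "eq":
        return int(tok[1]), tok[2:]
    return None, tok

def parse_ace(line):
    """Parse '[seq] {permit|deny} proto SRC [eq p] DST [eq p]' as printed by show access-list."""
    tok = line.split()
    if tok[0].isdigit():            # optional leading sequence number, e.g. "10"
        tok = tok[1:]
    action, proto, tok = tok[0], tok[1], tok[2:]
    src, tok = _take_addr(tok)
    sport, tok = _take_port(tok)    # "eq" right after the source matches the SOURCE port
    dst, tok = _take_addr(tok)
    dport, tok = _take_port(tok)    # "eq" after the destination matches the DESTINATION port
    return Ace(action, proto, src, dst, sport, dport)

def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """Top-down, first match wins; no match falls through to the implicit deny."""
    for ace in acl:
        if (ace.proto in ("ip", proto)
                and ipaddress.ip_address(src) in ace.src
                and ipaddress.ip_address(dst) in ace.dst
                and ace.src_port in (None, sport)
                and ace.dst_port in (None, dport)):
            return ace.action
    return "deny"

# The two ACLs configured on this page, as shown by "show access-list"
ACL_PC3_NO_ACCESS = [parse_ace(l) for l in (
    "10 deny ip host 192.168.1.3 192.168.3.0 0.0.0.255", "20 permit ip any any")]
ACL_PC0_TO_PC2 = [parse_ace(l) for l in (
    "10 deny tcp host 192.168.3.2 host 192.168.1.2 eq 443", "20 permit ip any any")]
```

Reversing the order of an ACL's entries, or moving eq 443 in front of the destination address, changes the verdict for the same flow, which is the quickest way to see why rule order and port placement matter.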

Related posts;

  1. Standard Numbered ACL Configuration in Packet Tracer
  2. Standard Named ACL Configuration in Packet Tracer
  3. Extended Numbered ACL Configuration in Packet Tracer
