In our previous article, we introduced access control lists (ACLs) and went deep into standard numbered ACL configuration. Now, let's take things a step further by diving into extended named ACL configuration, which offers more options for precisely controlling traffic within a network.
This post is one of a series on ACL configuration. You can check the others below:
- Standard Numbered ACL Configuration in Packet Tracer
- Standard Named ACL Configuration in Packet Tracer
- Extended Numbered ACL Configuration in Packet Tracer
Overview of Extended ACLs
Extended ACLs are evaluated the same way as standard ACLs, but they offer far more precision when it comes to defining traffic rules.
Extended ACLs are capable of matching traffic on several parameters at once, including the layer 3/4 protocol (IP, TCP, UDP, ICMP), source and destination IP addresses, and source and destination port numbers.
Here are some key features and rules to keep in mind when working with extended named ACLs:
A. Matching Criteria
Extended ACLs can match traffic based on the following criteria:
- Source IP address
- Destination IP address
- Source port number
- Destination port number
- Protocol (TCP, UDP, etc.)
B. Configuration Mode
Unlike numbered ACLs, which are configured directly in global configuration mode, named ACLs are built in a dedicated configuration mode (the config-ext-nacl prompt used below). This keeps the entries grouped under a descriptive name and makes them easier to manage.
C. Rule Order
Just like with standard ACLs, the entries in an extended named ACL are processed from top to bottom. The first matching entry is applied and the remaining entries are ignored, so the order of your entries matters. A packet that matches no entry is dropped by the implicit deny at the end of every ACL, which is why an ACL that is meant to block only specific traffic must end with permit ip any any.
D. Applying ACLs
Extended ACLs should be applied as close to the source of the traffic as possible. Because they can identify the exact traffic to drop, filtering it at the first router hop keeps unwanted traffic from crossing the network at all.
E. Flexibility in Rule Management
One advantage of named ACLs is that individual entries can be managed without rebuilding the whole list: you can delete a specific entry with no followed by its sequence number, and insert a new entry at a chosen position by giving it a sequence number (entries are numbered 10, 20, 30 and so on by default, as the show access-list output below illustrates). This makes ACL maintenance much simpler.
Extended ACL Configuration Commands
To configure an Extended Named ACL, you’ll use the following command structure:
ip access-list extended {name}
Within the ACL configuration mode, you can define rules using the following format:
{permit | deny} {protocol} {source} [eq source-port] {destination} [eq destination-port]
Source and destination are written as host A.B.C.D for a single address, any for all addresses, or A.B.C.D wildcard-mask for a range (a wildcard of 0.0.0.255 covers a /24). After specifying a protocol that carries ports (TCP or UDP), you can optionally add a port condition to make the rule more specific. The port keyword applies to the address it follows: eq 443 placed after the source address matches packets whose source port is 443, while eq 443 placed after the destination address matches packets sent to port 443. For a client-to-server rule such as blocking HTTPS, the port belongs on the destination side, because the client uses a random high source port.
Extended Named ACL Configuration
Now that we have run through the overview of extended named ACLs, let's apply what we have covered to the network topology below:
This network consists of two routers, each connected to two PCs through a switch.
Below is the IP address table for the network above:
Device | Default Gateway | Interface (IP address) | Interface (IP address) | Subnet Mask
---|---|---|---|---
Router 1 (R1) | __ | G0/0/1 (192.168.1.1) | G0/0/0 (192.168.2.1) | 255.255.255.0
Router 2 (R2) | __ | G0/0/1 (192.168.3.1) | G0/0/0 (192.168.2.2) | 255.255.255.0
PC0 | 192.168.3.1 | Fa0 (192.168.3.2) | __ | 255.255.255.0
PC1 | 192.168.3.1 | Fa0 (192.168.3.3) | __ | 255.255.255.0
PC2 | 192.168.1.1 | Fa0 (192.168.1.2) | __ | 255.255.255.0
PC3 | 192.168.1.1 | Fa0 (192.168.1.3) | __ | 255.255.255.0
I configured the devices with the IP addresses shown in the table above, and I completed the static route configuration between R1 and R2 so that all PCs can communicate with each other before any ACL is applied.
Configuration Objectives:
The objective of this configuration is to achieve the following access permissions and denials:
- PC0 should be denied HTTPS access to PC2.
- PC3 should be prevented from accessing hosts in the 192.168.3.0/24 subnet.
Configuration Steps:
To achieve the objectives outlined above using extended named ACLs, the following configuration steps are needed:
Obj 1: PC0 can't use HTTPS to access PC2
Step 1: Enter extended named ACL configuration mode on Router 2 (R2), the router closest to PC0:
R2(config)# ip access-list extended ACL-PC0-TO-PC2
Step 2: Add a rule to deny HTTPS traffic (TCP to destination port 443) from PC0 to PC2. Note that eq 443 follows the destination address: if it were placed after the source address it would match source port 443 instead, and PC0's HTTPS requests (random source port, destination port 443) would fall through to the permit entry:
R2(config-ext-nacl)# deny tcp host 192.168.3.2 host 192.168.1.2 eq 443
Step 3: Permit all other traffic:
R2(config-ext-nacl)# permit ip any any
Step 4: Exit the ACL configuration mode:
R2(config-ext-nacl)# exit
Step 5: Apply the ACL inbound on Router 2's interface facing PC0 (G0/0/1, 192.168.3.1), so PC0's traffic is filtered as it enters the router:
R2(config)# interface GigabitEthernet0/0/1
R2(config-if)# ip access-group ACL-PC0-TO-PC2 in
Step 6: Save the configuration:
R2(config-if)# end
R2# write memory
Obj 2: Denying PC3 access to hosts in the 192.168.3.0/24 subnet
Step 1: Enter extended named ACL configuration mode on Router 1 (R1), the router closest to PC3:
R1(config)# ip access-list extended ACL-PC3-NO-ACCESS
Step 2: Add a rule to deny all traffic from PC3 to the 192.168.3.0/24 subnet:
R1(config-ext-nacl)# deny ip host 192.168.1.3 192.168.3.0 0.0.0.255
Step 3: Permit all other traffic:
R1(config-ext-nacl)# permit ip any any
Step 4: Exit the ACL configuration mode:
R1(config-ext-nacl)# exit
Step 5: Apply the ACL inbound on Router 1's interface facing PC3 (G0/0/1, 192.168.1.1), so PC3's traffic is dropped before it leaves its own subnet:
R1(config)# interface GigabitEthernet0/0/1
R1(config-if)# ip access-group ACL-PC3-NO-ACCESS in
Step 6: Save the configuration:
R1(config-if)# end
R1# write memory
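As an added illustration of the matching rules from the overview and of the two ACLs configured above (this is example code written for this article, not Cisco IOS or Packet Tracer code), the following Python script simulates how a router evaluates an extended ACL: each entry is parsed from the same text form typed on the router, entries are tried top to bottom, the first match decides, and anything unmatched hits the implicit deny. The packet values, including the ephemeral source port 49152, are constructed sample inputs. It also shows why the position of eq 443 matters: placed after the source address the entry only matches packets whose source port is 443, so an HTTPS request from PC0 (ephemeral source port, destination port 443) slips through to the permit entry.

```python
"""Simulate Cisco-style extended ACL evaluation (added example, not IOS code)."""
import ipaddress
from dataclasses import dataclass

# A few port names IOS accepts after "eq"; anything else is taken as a number.
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}


@dataclass
class Packet:
    """Constructed sample packet: the fields an interface ACL looks at."""
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0      # 0 for protocols without ports
    dport: int = 0


def _parse_addr(tokens, i):
    """Parse 'host A.B.C.D' | 'any' | 'A.B.C.D WILDCARD' at tokens[i]; return (matcher, next index)."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    if tokens[i] == "host":
        target = int(ipaddress.IPv4Address(tokens[i + 1]))
        return (lambda ip, t=target: int(ipaddress.IPv4Address(ip)) == t), i + 2
    base = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    # Wildcard mask semantics: 0 bits must equal the base, 1 bits are "don't care".
    return (lambda ip, b=base, w=wild: (int(ipaddress.IPv4Address(ip)) | w) == (b | w)), i + 2


def _parse_port(tokens, i):
    """Optional 'eq PORT' directly after an address; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        return port, i + 2
    return None, i


def parse_entry(line):
    """Parse one entry such as 'deny tcp host 192.168.3.2 host 192.168.1.2 eq 443'.
    Only the 'eq' port operator is handled (no gt/lt/range/established)."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, i = _parse_addr(tokens, 2)
    sport, i = _parse_port(tokens, i)      # a port here belongs to the SOURCE
    dst, i = _parse_addr(tokens, i)
    dport, i = _parse_port(tokens, i)      # a port here belongs to the DESTINATION
    return action, proto, src, sport, dst, dport


def evaluate(acl, pkt):
    """Return (action, entry) for the first entry that matches, top to bottom.
    No match means the implicit deny at the end of every ACL applies."""
    for line in acl:
        action, proto, src, sport, dst, dport = parse_entry(line)
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (src(pkt.src) and dst(pkt.dst)):
            continue
        if sport is not None and sport != pkt.sport:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action, line
    return "deny", "implicit deny"


# Obj 1 with "eq 443" after the source address: matches SOURCE port 443 only.
ACL_PC0_SRC_PORT = ["deny tcp host 192.168.3.2 eq 443 host 192.168.1.2", "permit ip any any"]
# Obj 1 as intended: deny TCP to DESTINATION port 443 on PC2.
ACL_PC0_TO_PC2 = ["deny tcp host 192.168.3.2 host 192.168.1.2 eq 443", "permit ip any any"]
# Obj 2: PC3 may not reach anything in 192.168.3.0/24.
ACL_PC3_NO_ACCESS = ["deny ip host 192.168.1.3 192.168.3.0 0.0.0.255", "permit ip any any"]

# Constructed packets; 49152 stands in for a client's ephemeral source port.
HTTPS_PC0_TO_PC2 = Packet("tcp", "192.168.3.2", "192.168.1.2", sport=49152, dport=443)
HTTP_PC0_TO_PC2 = Packet("tcp", "192.168.3.2", "192.168.1.2", sport=49153, dport=80)
PING_PC3_TO_PC1 = Packet("icmp", "192.168.1.3", "192.168.3.3")
PING_PC2_TO_PC1 = Packet("icmp", "192.168.1.2", "192.168.3.3")

if __name__ == "__main__":
    for name, acl, pkt in [
        ("eq 443 on source, HTTPS PC0->PC2", ACL_PC0_SRC_PORT, HTTPS_PC0_TO_PC2),
        ("eq 443 on destination, HTTPS PC0->PC2", ACL_PC0_TO_PC2, HTTPS_PC0_TO_PC2),
        ("eq 443 on destination, HTTP PC0->PC2", ACL_PC0_TO_PC2, HTTP_PC0_TO_PC2),
        ("PC3 ping PC1", ACL_PC3_NO_ACCESS, PING_PC3_TO_PC1),
        ("PC2 ping PC1", ACL_PC3_NO_ACCESS, PING_PC2_TO_PC1),
        ("entries reversed, PC3 ping PC1", list(reversed(ACL_PC3_NO_ACCESS)), PING_PC3_TO_PC1),
    ]:
        print(f"{name}: {evaluate(acl, pkt)}")
```

Run it with python3 and compare the verdicts with the objectives: the source-port version permits the HTTPS request, the destination-port version denies it while still permitting HTTP, and reversing the two entries of the PC3 ACL lets the ping through because permit ip any any is now matched first.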
Testing the Configuration
To validate that the extended named ACL configuration meets our objectives, I viewed the ACLs on both Router 1 and Router 2 with the following command (the do prefix lets you run a show command from configuration mode):
R1(config)#do show access-list
And the configuration is as shown below for Router 1;
R1(config)#do show access-list
Extended IP access list ACL-PC3-NO-ACCESS
10 deny ip host 192.168.1.3 192.168.3.0 0.0.0.255 (12 match(es))
20 permit ip any any
Similarly, the configuration for Router2 is as shown below;
R2(config)#do show access-list
Extended IP access list ACL-PC0-TO-PC2
10 deny tcp host 192.168.3.2 host 192.168.1.2 eq 443 (12 match(es))
20 permit ip any any (51 match(es))
I also sent HTTPS traffic from PC0 to PC2, and the traffic was blocked on Router 2.
I am a passionate Networking Associate specializing in Telecommunications.
With a degree in Electronic engineering, I possess a strong understanding of electronic systems and the intricacies of telecommunications networks. I gained practical experience and valuable insights working for a prominent telecommunications company.
Additionally, I hold certifications in networking, which have solidified my expertise in network architecture, protocols, and optimization.
Through my writing skills, I aim to provide accurate and valuable knowledge in the networking field.