Extended Numbered ACL Configuration in Packet Tracer

Access control lists (ACLs) are a fundamental part of network security. They help us control access to a server, host, or subnetwork within a network by defining rules that permit or deny certain traffic flows.

In our previous article, we covered the extended named ACL configuration. This article will focus on the extended numbered ACL configuration in Packet Tracer.

Extended numbered ACLs are almost the same as extended named ACLs except that they are identified with a unique number within the range 100–199 or 2000–2699 and are configured in the global configuration mode.

This post is part of our series on ACL configuration. You can check the others below.

Overview of Extended ACLs

Just like I said before, extended ACLs share some similarities with standard ACLs but leave room for more complex and flexible rules. They match traffic based on a wide array of parameters, including layer 4 protocols, source and destination IP addresses, and port numbers.

Here are some important properties to remember when working with extended numbered ACLs:

A. Matching Criteria

Extended ACLs can filter traffic based on the following criteria:

  • Source IP address
  • Destination IP address
  • Source port number
  • Destination port number
  • Layer 4 Protocol (TCP, UDP, etc.)

B. Rule Order

Just as with standard ACLs, the rules in an extended numbered ACL are processed sequentially from top to bottom. The first rule that matches a packet is applied, and subsequent rules are ignored. Hence, the order of your rules is very important.

C. Applying ACLs

For optimal effectiveness, extended ACLs should be applied as close to the source of the traffic as possible.

Applying an extended ACL close to the source ensures that unwanted traffic is filtered out early in the packet movement process.

D. Flexibility in Rule Management

Unlike the extended named ACL, the extended numbered ACL is not easily managed. You can hardly delete, edit, or add ACEs (access control entries) without deleting the ACL and creating a new one.

Network Topology

The network topology we will use is shown below. It consists of two routers, each with two PCs attached through a switch.

[Figure: network topology]

I have completed the IP address configuration for the host devices and the interfaces of the routers. The IP addresses I configured on the network are shown in the table below:

| Device | Default Gateway | Interface (IP address) | Interface (IP address) | Subnet Mask |
|---|---|---|---|---|
| Router 1 (R1) | __ | G0/0/1 (192.168.1.1) | G0/0/0 (192.168.2.1) | 255.255.255.0 |
| Router 2 (R2) | __ | G0/0/1 (192.168.3.1) | G0/0/0 (192.168.2.2) | 255.255.255.0 |
| PC0 | 192.168.3.1 | fa/0 (192.168.3.2) | __ | 255.255.255.0 |
| PC1 | 192.168.3.1 | fa/0 (192.168.3.3) | __ | 255.255.255.0 |
| PC2 | 192.168.1.1 | fa/0 (192.168.1.2) | __ | 255.255.255.0 |
| PC3 | 192.168.1.1 | fa/0 (192.168.1.3) | __ | 255.255.255.0 |

Also, I have completed the static route configuration so that the hosts in one network will be able to ping host devices in another network.

Extended Numbered ACL Configuration Command

 

The extended ACL configuration command is:

access-list {access-list-number} {permit|deny} {protocol} {source IP address} {source-wildcard} [operator [port]] {destination IP address} {destination-wildcard} [operator [port]]

Here’s a breakdown of each component:

  • {access-list-number}: This is the numeric identifier for the ACL. Extended numbered ACLs typically use numbers in the range 100–199 or 2000–2699.
  • {permit|deny}: Specifies whether you want to permit or deny traffic that matches the criteria defined in the ACL.
  • {protocol}: Indicates the network protocol you want to filter (e.g., ip, tcp, udp, icmp, etc.).
  • {source IP address}: Defines the source IP address or network from which traffic originates.
  • {source-wildcard}: Specifies a wildcard mask for the source address, allowing you to match a range of source addresses.
  • [operator [port]]: Optional. You can further specify source port information here if needed.
  • {destination IP address}: Defines the destination IP address or network to which traffic is going.
  • {destination-wildcard}: Specifies a wildcard mask for the destination address, allowing you to match a range of destination addresses.
  • [operator [port]]: Optional. You can further specify destination port information here if needed.

Extended Numbered ACL Configuration

Having covered some of the features of extended numbered ACLs, let’s now see how they apply on a network by working through an example configuration.

Configuration Objectives:

Our primary objectives for this configuration are as follows:

  1. PC0 should be denied HTTPS access to PC2.
  2. PC3 should be prevented from accessing hosts in the 192.168.3.0/24 subnet.

 

Configuration Steps:

To achieve the objectives we outlined above using Extended Numbered ACLs, the following configuration steps are needed:

Objective 1: PC0 can’t use HTTPS to access PC2

Step 1: Access the global configuration mode of Router2 and enter the following command:

R2(config)# access-list 100 deny tcp host 192.168.3.2 host 192.168.1.2 eq 443

Step 2: Permit all other traffic:

R2(config)# access-list 100 permit ip any any

Step 3: Apply the ACL to the inbound traffic on Router 2’s interface connected to PC0:

R2(config)# interface GigabitEthernet0/0/1
R2(config-if)# ip access-group 100 in

Step 4: Save the configuration:

R2(config-if)# end
R2# write

To confirm that I have achieved this configuration objective, I sent HTTPS traffic from PC0 to PC3 as shown below.

Objective 2: Prevent PC3 from accessing hosts in the 192.168.3.0/24 subnet

Step 1: Access the global configuration mode of Router1 and enter the following command:

R1(config)# access-list 101 deny ip host 192.168.1.3 192.168.3.0 0.0.0.255

Step 2: Permit all other traffic:

R1(config)# access-list 101 permit ip any any

Step 3: Apply the ACL to the inbound traffic on Router 1’s interface connected to PC3:

R1(config)# interface GigabitEthernet0/0/1
R1(config-if)# ip access-group 101 in

Step 4: Save the configuration:

R1(config-if)# end
R1# write

Testing the Configuration:

To verify the successful implementation of our extended numbered ACLs, execute the following command on both Router 1 and Router 2.

R1(config)# do show access-list

You should observe the ACL configurations as intended, similar to the output provided below:

R1(config)# do show access-list
Extended IP access list 101
    10 deny ip host 192.168.1.3 192.168.3.0 0.0.0.255
    20 permit ip any any

Similarly, the configuration for Router 2 can be displayed using:

R2(config)# do show access-list
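
The first-match rule order and the wildcard matching described above can also be checked offline. The Python code below is an added example, not part of the original article or of Cisco IOS: it parses the four ACEs configured above and evaluates a packet against them. The function names are assumptions, and only the `eq` port operator is handled.

```python
import ipaddress

# ACEs copied from the article: ACL 100 on R2, ACL 101 on R1.
ACL_LINES = [
    "access-list 100 deny tcp host 192.168.3.2 host 192.168.1.2 eq 443",
    "access-list 100 permit ip any any",
    "access-list 101 deny ip host 192.168.1.3 192.168.3.0 0.0.0.255",
    "access-list 101 permit ip any any",
]

def to_int(ip):
    return int(ipaddress.IPv4Address(ip))

def take_addr(tok):
    """Consume one address spec; return ((base, wildcard), remaining tokens)."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (to_int(tok[1]), 0), tok[2:]
    return (to_int(tok[0]), to_int(tok[1])), tok[2:]

def take_port(tok):
    """Consume an optional 'eq <port>'; other operators are not handled here."""
    return (int(tok[1]), tok[2:]) if tok[:1] == ["eq"] else (None, tok)

def parse(lines):
    """Group ACEs by ACL number, keeping the order they were entered in."""
    acls = {}
    for line in lines:
        _, number, action, proto, *tok = line.split()
        src, tok = take_addr(tok)
        sport, tok = take_port(tok)
        dst, tok = take_addr(tok)
        dport, tok = take_port(tok)
        acls.setdefault(int(number), []).append((action, proto, src, sport, dst, dport))
    return acls

def addr_match(ip, spec):
    base, wild = spec
    # Wildcard bits set to 1 are "don't care"; every other bit must be equal.
    return (to_int(ip) ^ base) & ~wild & 0xFFFFFFFF == 0

def evaluate(aces, proto, src, dst, sport=None, dport=None):
    """Return the action of the first ACE that matches, reading top to bottom."""
    for action, p, s, sp, d, dp in aces:
        if (p in ("ip", proto) and addr_match(src, s) and addr_match(dst, d)
                and sp in (None, sport) and dp in (None, dport)):
            return action
    return "deny"  # implicit "deny ip any any" that ends every ACL
```

With a constructed source port of 50000, `evaluate(parse(ACL_LINES)[100], "tcp", "192.168.3.2", "192.168.1.2", 50000, 443)` returns `deny`. Passing the same ACL with its two entries reversed returns `permit`, because `permit ip any any` then matches first.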

Related posts:

  1. Standard Numbered ACL Configuration in Packet Tracer
  2. Standard Named ACL Configuration in Packet Tracer
  3. Extended Named ACL Configuration in Packet Tracer

 
