Access control lists are a fundamental part of network security. They help us control access to a server, host, or subnetwork within a network by defining rules that permit or deny certain traffic flows.
In our previous article, we covered the extended named ACL configuration. This article will focus on the extended numbered ACL configuration in Packet Tracer.
Extended numbered ACLs are almost the same as extended named ACLs except that they are identified with a unique number within the range 100–199 or 2000–2699 and are configured in the global configuration mode.
This post is one of our series on ACL configuration. You can check the others below:
- Standard Numbered ACL Configuration in Packet Tracer
- Standard Named ACL Configuration in Packet Tracer
- Extended Named ACL Configuration in Packet Tracer
Overview of Extended ACLs
Just like I said before, extended ACLs share some similarities with standard ACLs but allow more complex and flexible rules. They match traffic based on a wide array of parameters, including layer 4 protocols, source and destination IP addresses, and port numbers.
Here are some important properties to remember when working with extended numbered ACLs:
A. Matching Criteria
Extended ACLs can filter traffic based on the following criteria:
- Source IP address
- Destination IP address
- Source port number
- Destination port number
- Layer 4 Protocol (TCP, UDP, etc.)
B. Rule Order
Just as with standard ACLs, the rules in an extended numbered ACL are processed sequentially from top to bottom. The first rule that matches a packet is applied, and subsequent rules are ignored. Hence, the order of your rules is very important.
C. Applying ACLs
For optimal effectiveness, extended ACLs should be applied as close to the source of the traffic as possible.
Applying an extended ACL close to the source ensures that unwanted traffic is filtered out early in the packet movement process.
D. Flexibility in Rule Management
Unlike an extended named ACL, an extended numbered ACL is not easily managed: you can hardly delete, edit, or add individual ACEs without deleting the whole ACL and creating a new one.
Network Topology
The network topology we will make use of is shown below. This topology consists of two routers, each with two PCs attached to it through a switch.
I have completed the IP address configuration for the host devices and the interfaces of the routers. The IP addresses I configured on the network are shown in the table below:
Device | Default Gateway | Interface (IP address) | Interface (IP address) | Subnet Mask |
---|---|---|---|---|
Router 1(R1) | __ | G0/0/1 (192.168.1.1) | G0/0/0 (192.168.2.1) | 255.255.255.0 |
Router 2(R2) | __ | G0/0/1 (192.168.3.1) | G0/0/0 (192.168.2.2) | 255.255.255.0 |
PC0 | 192.168.3.1 | fa/0 (192.168.3.2) | __ | 255.255.255.0 |
PC1 | 192.168.3.1 | fa/0 (192.168.3.3) | __ | 255.255.255.0 |
PC2 | 192.168.1.1 | fa/0 (192.168.1.2) | __ | 255.255.255.0 |
PC3 | 192.168.1.1 | fa/0 (192.168.1.3) | __ | 255.255.255.0 |
Also, I have completed the static route configuration so that the hosts in one network will be able to ping host devices in another network.
Extended Numbered ACL Configuration Command
The extended ACL configuration command is:
access-list {access-list-number} {permit|deny} {protocol} {source IP address} {source-wildcard} [operator [port]] {destination IP address} {destination-wildcard} [operator [port]]
Here’s a breakdown of each component:
- {access-list-number}: the numeric identifier for the ACL. Extended numbered ACLs use numbers in the range 100–199 or 2000–2699.
- {permit|deny}: specifies whether traffic matching the criteria defined in the entry is permitted or denied.
- {protocol}: the network protocol you want to filter (e.g., ip, tcp, udp, icmp).
- {source IP address}: the source IP address or network from which the traffic originates.
- {source-wildcard}: a wildcard mask for the source address, allowing you to match a range of source addresses.
- [operator [port]]: optional. You can further restrict the match to source port information here if needed.
- {destination IP address}: the destination IP address or network to which the traffic is going.
- {destination-wildcard}: a wildcard mask for the destination address, allowing you to match a range of destination addresses.
- [operator [port]]: optional. You can further restrict the match to destination port information here if needed.
Extended Numbered ACL Configuration
Having covered some of the features of extended numbered ACLs, let’s now see how they apply on a network by doing an example configuration.
Configuration Objectives:
Our primary objectives for this configuration are as follows:
- PC0 should be denied HTTPS access to PC2.
- PC3 should be prevented from accessing hosts in the 192.168.3.0/24 subnet.
Configuration Steps:
To achieve the objectives we outlined above using Extended Numbered ACLs, the following configuration steps are needed:
Objective 1: PC0 can’t use HTTPS to access PC2
Step 1: Access the global configuration mode of Router 2 and enter the following command:
R2(config)# access-list 100 deny tcp host 192.168.3.2 host 192.168.1.2 eq 443
Step 2: Permit all other traffic:
R2(config)# access-list 100 permit ip any any
Step 3: Apply the ACL to the inbound traffic on Router 2’s interface (G0/0/1) connected to PC0:
R2(config)# interface GigabitEthernet0/0/1
R2(config-if)# ip access-group 100 in
Step 4: Save the configuration:
R2(config-if)# end
R2# write
To confirm that I have achieved this configuration objective, I sent HTTPS traffic from PC0 to PC3 as shown below:
Objective 2: Prevent PC3 from accessing hosts in the 192.168.3.0/24 subnet
Step 1: Access the global configuration mode of Router 1 and enter the following command:
R1(config)# access-list 101 deny ip host 192.168.1.3 192.168.3.0 0.0.0.255
Step 2: Permit all other traffic:
R1(config)# access-list 101 permit ip any any
Step 3: Apply the ACL to the inbound traffic on Router 1’s interface (G0/0/1) connected to PC3:
R1(config)# interface GigabitEthernet0/0/1
R1(config-if)# ip access-group 101 in
Step 4: Save the configuration:
R1(config-if)# end
R1# write
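As an added illustration (not part of this post and not Cisco IOS code), the Python below parses the four access-list lines configured above, in the command format from the breakdown, and evaluates packets against them the way the router does: top-down, first match wins, wildcard-mask comparison, and the implicit deny at the end. It assumes only the subset of the syntax used on this page (host, any, or address plus wildcard, and an optional eq port).

```python
import ipaddress

# The four access-list commands from this post, as constructed input for the parser.
ACL_COMMANDS = [
    "access-list 100 deny tcp host 192.168.3.2 host 192.168.1.2 eq 443",
    "access-list 100 permit ip any any",
    "access-list 101 deny ip host 192.168.1.3 192.168.3.0 0.0.0.255",
    "access-list 101 permit ip any any",
]

def _ip(s):  # dotted quad -> 32-bit int
    return int(ipaddress.IPv4Address(s))

def _parse_addr(tok, i):  # 'any' | 'host A' | 'A WILDCARD' -> ((addr, wildcard), next index)
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2

def _parse_port(tok, i):  # optional 'eq PORT'; None means any port
    return (int(tok[i + 1]), i + 2) if i < len(tok) and tok[i] == "eq" else (None, i)

def parse_acls(commands):
    """Group ACEs by ACL number, keeping the order in which they were entered."""
    acls = {}
    for cmd in commands:
        tok = cmd.split()
        num, action, proto = int(tok[1]), tok[2], tok[3]
        src, i = _parse_addr(tok, 4)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, _ = _parse_port(tok, i)
        acls.setdefault(num, []).append((action, proto, src, sport, dst, dport))
    return acls

def _match(spec, addr):  # bits that are 0 in the wildcard must equal the ACE address
    return (spec[0] ^ addr) & ~spec[1] & 0xFFFFFFFF == 0

def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """Top-down, first match wins; a packet matching no ACE hits the implicit deny."""
    for action, p, s, sp, d, dp in acl:
        if p != "ip" and p != proto:
            continue
        if not (_match(s, _ip(src)) and _match(d, _ip(dst))):
            continue
        if (sp is not None and sp != sport) or (dp is not None and dp != dport):
            continue
        return action
    return "deny"  # the implicit deny at the end of every ACL
```

Reversing the order of the two entries in ACL 100 makes the permit match first, which is the rule-order point from the overview.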
Testing the Configuration:
To verify the successful implementation of our extended numbered ACLs, execute the following command on both Router 1 and Router 2.
R1(config)# do show access-list
You should observe the ACL configurations as intended, similar to the output provided below:
R1(config)# do show access-list
Extended IP access list 101
10 deny ip host 192.168.1.3 192.168.3.0 0.0.0.255
20 permit ip any any
Similarly, the configuration for Router 2 can be displayed using:
R2(config)# do show access-list
I am a passionate Networking Associate specializing in Telecommunications.
With a degree in Electronic engineering, I possess a strong understanding of electronic systems and the intricacies of telecommunications networks. I gained practical experience and valuable insights working for a prominent telecommunications company.
Additionally, I hold certifications in networking, which have solidified my expertise in network architecture, protocols, and optimization.
Through my writing skills, I aim to provide accurate and valuable knowledge in the networking field.
Connect with me on social media using the links below for more insights.
You can contact me using [email protected] or connect with me using any of the social media accounts linked below.
Hello, are you using WordPress for your site platform?
I’m new to the blog world but I’m trying to get started and create
my own. Do you require any coding expertise to make your own blog?
Any help would be greatly appreciated!
If you are looking to create a new blog where you will be sharing content, just that, it is better to do that with WordPress for easy management. Unless you are a web developer, you may not be able to integrate some functionalities to optimize your blog on a blog site created from scratch.
If you are going for the best content like I do,
only pay a quick visit to this web page every day,
for the reason that it provides feature content, thanks