What Are Extended ACLs?
Extended Access Control Lists (ACLs) are an advanced feature used in network devices like Cisco routers and switches to provide a stricter level of control over network traffic than standard ACLs.
While standard ACLs filter traffic based solely on the source IP address, extended ACLs can filter based on multiple criteria, including:
Source and Destination IP Addresses: Extended ACLs can match both the source and destination IP addresses in IP packets.
Protocols: They can filter traffic based on the protocol used, such as TCP, UDP, ICMP, and others.
Port Numbers: For TCP and UDP traffic, extended ACLs can match specific source and/or destination port numbers. This is crucial for controlling access to services like HTTP (port 80), HTTPS (port 443), FTP (port 21), etc.
Direction (Inbound or Outbound): Extended ACLs can be applied to inbound or outbound traffic on a network interface.
Other Options: They can also match packets based on various other factors like packet size, time range, and more.
Configuration Syntax
The configuration syntax for extended ACLs varies depending on the network device’s operating system. In Cisco IOS, for example, the syntax to create an extended ACL entry is:
access-list [acl-number] [permit | deny] [protocol] [source-address source-wildcard] [destination-address destination-wildcard] [operator operand]
Let’s look at how to configure an extended access list to enable users on a network to browse secure and insecure websites.
First, decide whether the traffic you want to filter is going in or out. Access to websites on the Internet is traffic going out; receiving e-mail from the Internet is traffic coming in.
Applying an Extended ACL to an Interface
From the example in the figure below, R1 has two interfaces. It has a serial port, S0/0/0, and a Fast Ethernet port, Fa0/0. The Internet traffic coming in is going in the S0/0/0 interface but is going out the Fa0/0 interface to reach PC1. The example applies the ACL to the serial interface in both directions.
Configuration example:
Router1#config t
Router1(config)#interface s0/0/0
Router1(config-if)#ip access-group 101 out
Router1(config-if)#ip access-group 102 in
Router1(config-if)#end
How to Configure an Extended ACL to Deny FTP from Subnets
This is an example of denying FTP (File Transfer Protocol) traffic from subnet 192.168.2.0 going to subnet 192.168.3.0, but permitting all other traffic. Note the use of wildcard masks. Remember that FTP requires ports 20 and 21; therefore you need to specify both eq 20 and eq 21 to deny FTP.
Configuration example:
Router1#config t
Router1(config)#access-list 103 deny tcp 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255 eq 21
Router1(config)#access-list 103 deny tcp 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255 eq 20
Router1(config)#access-list 103 permit ip any any
Router1(config)#interface fa0/1
Router1(config-if)#ip access-group 103 in
Router1(config-if)#end
With extended ACLs, you can choose to use port numbers as in the example, or to call out a well-known port by name.
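To make the matching rules concrete, here is an added Python example (not from this page or from Cisco) that parses the IOS access-list lines of the FTP case above, with source 192.168.2.0/24 and destination 192.168.3.0/24 as the text describes, and evaluates packets against them the way IOS does: top-down, first match wins, implicit deny at the end. The packets, the parser and the function names are constructed for illustration.

```python
import ipaddress

# Parse the subset of Cisco IOS extended-ACL syntax used on this page:
#   access-list N {permit|deny} PROTO SRC DST [eq PORT]
# where SRC and DST are "any", "host A.B.C.D", or "A.B.C.D WILDCARD".
def _parse_addr(tokens, i):
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2

def parse_ace(line):
    t = line.split()
    ace = {"acl": t[1], "action": t[2], "proto": t[3]}
    ace["src"], i = _parse_addr(t, 4)
    ace["dst"], i = _parse_addr(t, i)
    ace["dport"] = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return ace

def wildcard_match(addr, base, wildcard):
    # Wildcard mask: a 0 bit must match the base address, a 1 bit is "don't care".
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care

def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not wildcard_match(pkt["src"], *ace["src"]) or not wildcard_match(pkt["dst"], *ace["dst"]):
        return False
    return ace["dport"] is None or pkt.get("dport") == ace["dport"]

def evaluate(acl, pkt):
    # Top-down, first match wins; no match hits the implicit "deny ip any any" at the end.
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"

# The FTP example from this page: deny FTP from 192.168.2.0/24 to 192.168.3.0/24, permit the rest.
ACL_103 = [parse_ace(line) for line in (
    "access-list 103 deny tcp 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255 eq 21",
    "access-list 103 deny tcp 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255 eq 20",
    "access-list 103 permit ip any any",
)]
# Constructed sample packets (not from the page).
FTP_CONTROL = {"proto": "tcp", "src": "192.168.2.10", "dst": "192.168.3.5", "dport": 21}
HTTP_SAME_PATH = {"proto": "tcp", "src": "192.168.2.10", "dst": "192.168.3.5", "dport": 80}
FTP_REVERSE = {"proto": "tcp", "src": "192.168.3.5", "dst": "192.168.2.10", "dport": 21}
```

Evaluating ACL_103 without its final permit entry shows why that line matters: every packet that is not FTP then falls through to the implicit deny.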
Configuring an Extended ACL to Deny Telnet from Subnets
This example denies Telnet traffic from 192.168.3.0 but allows all other IP traffic from any other source to any destination inbound on Fa0/1. Note the use of the any keyword, meaning from anywhere going to anywhere.
Configuration example:
Router1#config t
Router1(config)#access-list 103 deny tcp 192.168.3.0 0.0.0.255 any eq 23
Router1(config)#access-list 103 permit ip any any
Router1(config)#interface fa0/1
Router1(config-if)#ip access-group 103 in
Router1(config-if)#end
In conclusion, Extended ACLs are a powerful tool for network administrators, offering granular control over network traffic, but they require careful planning and management to be effective.