What are Extended ACLs?
Extended Access Control Lists (ACLs) are an advanced security feature used in network devices like routers and switches to provide a finer level of control over network traffic than standard ACLs. While standard ACLs filter traffic based solely on the source IP address, extended ACLs can filter based on multiple criteria, including:
Source and Destination IP Addresses: Extended ACLs can match both the source and destination IP addresses in IP packets.
Protocols: They can filter traffic based on the protocol used, such as TCP, UDP, ICMP, and others.
Port Numbers: For TCP and UDP traffic, extended ACLs can match specific source and/or destination port numbers. This is crucial for controlling access to services like HTTP (port 80), HTTPS (port 443), FTP (port 21), etc.
Direction (Inbound or Outbound): Extended ACLs can be applied to inbound or outbound traffic on a network interface.
Other Options: They can also match packets based on various other factors like packet size, time range, and more.
Configuration Syntax
The configuration syntax for extended ACLs varies depending on the network device’s operating system. In Cisco IOS, for example, the syntax to create an extended ACL entry is:
access-list [acl-number] [permit | deny] [protocol] [source-address source-wildcard] [destination-address destination-wildcard] [operator operand]
How To Enable Extended ACLs.
Placement: Extended ACLs are typically placed as close as possible to the source of the traffic for efficiency. This contrasts with standard ACLs, which are often placed close to the destination.
Order: The order of the rules in an ACL is crucial. The device processes rules in a top-down approach, stopping at the first match.
Implicit Deny: At the end of every ACL, there is an implicit ‘deny all’ statement. If a packet doesn’t match any of the specified rules, it is denied.
Testing: After implementation, it’s important to test the ACLs to ensure they are working as intended and not blocking legitimate traffic.
Like Standard ACLs, extended ACLs check the source packet addresses, destination addresses, protocols, and port numbers. Extended Access Control Lists (ACLs) provide a greater range of control and, therefore, an addition to your security solution.
Extended ACLs provide for more precise traffic-filtering control, you can use extended ACLs numbered 100 to 199 and 2000 to 2699 providing a total of 800 possible extended ACLs. Extended ACLs can also be named.
Extended Access Control Lists Offer a greater range of criteria on which to base the ACL. For example, you can use extended ACL to simultaneously allow e-mail traffic from a network to a specific destination while denying file transfers and web browsing.
A specific built extended ACL uses its logical decisions to filter on source and destination addresses, and protocol and port numbers.
Common command syntax for extended ACLs
Let’s look at it this way; Extended ACLs can be built to:
1. Filter on the source address.
2. Then filter the port and protocol address,
3. Filters on the destination address.
Then on the port and protocol of the destination, make a final permit / deny decision.
The examples below show how an administrator specifies a TCP or UDP port number by placing it at the end of the extended ACL statement. Logical operations can be used, such as equal (eq), not equal (neq), greater than (gt), and less than (lt).
Extended Access List examples
Using Port Numbers
access-list 101 permit tcp 192.168.2.0 0.0.0.255 any eq 23
access-list 101 permit tcp 192.168.2.0 0.0.0.255 any eq 21
access-list 101 permit tcp 192.168.2.0 0.0.0.255 any eq 20
Using keywords
acces-list 101 permit tcp 192.168.2.0 0.0.0.255 any eq telnet
access-list 101 permit tcp 192.168.2.0 0.0.0.255 any eq ftp
access-list 101 permit tcp 192.168.2.0 0.0.0.255 any eq ftp-data
Use the following command to generate port numbers and keywords while building an ACL
Router1(config)#access-list 101 permit tcp any eq?
In summary, extended ACLs are a powerful tool for network administrators to control and secure network traffic by defining specific rules that permit or deny traffic based on various criteria. They are an essential part of network security and play a crucial role in safeguarding network resources and data.