Extended ACLs

Extended ACLs function mostly the same as standard ACLs.

They can be numbered or named, just like standard ACLS.

• Numbered ACLs use the following ranges: 100 - 199, 2000 - 2699

They are processed from top to bottom, just like standard ACLs.

However, they can match traffic based on more paremeters, so they are more precise (and more complex) than standard ACLs.

We will focus on matching based on these main parameters: Layer 4 protocol/port, source address, and destination address.

R1(config)# access-list <number> [permit | deny] <protocol> <src-ip> <dst-ip>

R1(config)# ip access-list extended {<name> | <number>}
R1(config-ext-nacl)# [<seq-num>] [permit | deny] <protocol> <src-ip> <dst-ip>

Matching protocol

Matching source/destination IP address

Practice

Allow all traffic

R1(config-ext-nacl)# permit ip any any

Prevent 10.0.0.0/16 from sending UDP traffic to 192.168.1.1/32

R1(config-ext-nacl)# deny udp 10.0.0.0 0.0.255.255 host 192.168.1.1

Prevent 172.16.1.1/32 from pinging hosts in 192.168.0.0/24

R1(config-ext-nacl)# deny icmp host 172.16.1.1 192.168.0.0 0.0.0.255

Matching TCP/UDP port numbers

When matching TCP/UDP, you can optionally specify the source and/or destination port numbers to match.

R1(config-ext-nacl)# deny tcp <src-ip> [eq | gt | lt | neq | range] <src-prt-num> <dst-ip> [eq | gt | lt | neq | range] <dst-port-num>

• eq 80 = equal to port 80

• gt 80 = greater than 80 (81 and greater)

• lt 80 = less than 80 (79 and less)

• neq 80 = not 80

• range 80 100 = from port 80 to port 100

R1(config-std-nacl)# deny tcp any host 1.1.1.1 eq 80

• Deny all packets destinated for IP address 1.1.1.1/32, TCP port 80

After the destination IP address and/or destination port numbers, there are many more options you can use to match (not necessary for the CCNA).

• ack: match the TCP ACK flag.

• fin: match the TCP FIN flag.

• syn: match the TCP SYN flag.

• ttl: match packets with a specific TTL value.

• dscp: match packets with a specific DSCP value.

If you specify the protocol, source IP, source port, destination IP, destination port, etc, a packet must match all of those values to match the ACL entry. Even if it matches all except one of the parameters, the packet won't match that entry of the ACL.

Practice

Allow traffic from 10.0.0.0/16 to access the server at 2.2.2.2/32 using HTTPS

R1(config-ext-nacl)# permit tcp 10.0.0.0 0.0.255.255 2.2.2.2 0.0.0.0 eq 43

Prevent all host using source UDP port number from 20000 to 30000 from accessing the server ar 3.3.3.3/32

R1(config-ext-nacl)# deny udp any range 20000 30000 host 3.3.3.3

Allow hosts in 172.16.1.0/24 using a TCP source port greater than 9999 to access all TCP ports on server 4.4.4.4/32 except port 23.

R1(config-ext-nacl)# permit tcp 172.16.1.0 0.0.0.255 gt 9999 host 4.4.4.4 neq 23

First requirement

Extended ACLs should be applied as close to the source as possible, to limit how far the packets travel in the nwtwork before being denied.

(Standard ACLs are less specific, so if they are applied close to the source there is a risk of blocking more traffic than intended)

Second requirement

Third requirement

All requirements

Checking the configurations.