Online Courses
CCNA 200-301
Extended ACLs


Last updated 1 year ago

Extended ACLs function mostly the same as standard ACLs.

They can be numbered or named, just like standard ACLs.

  • Numbered ACLs use the following ranges: 100 - 199, 2000 - 2699

They are processed from top to bottom, just like standard ACLs.

However, they can match traffic based on more parameters, so they are more precise (and more complex) than standard ACLs.

We will focus on matching based on these main parameters: Layer 4 protocol/port, source address, and destination address.

R1(config)# access-list <number> {permit | deny} <protocol> <src-ip> <dst-ip>
R1(config)# ip access-list extended {<name> | <number>}
R1(config-ext-nacl)# [<seq-num>] {permit | deny} <protocol> <src-ip> <dst-ip>

Matching protocol

Matching source/destination IP address

Practice

Allow all traffic
R1(config-ext-nacl)# permit ip any any
Prevent 10.0.0.0/16 from sending UDP traffic to 192.168.1.1/32
R1(config-ext-nacl)# deny udp 10.0.0.0 0.0.255.255 host 192.168.1.1
Prevent 172.16.1.1/32 from pinging hosts in 192.168.0.0/24
R1(config-ext-nacl)# deny icmp host 172.16.1.1 192.168.0.0 0.0.0.255

Matching TCP/UDP port numbers

When matching TCP/UDP, you can optionally specify the source and/or destination port numbers to match.

R1(config-ext-nacl)# deny tcp <src-ip> [eq | gt | lt | neq | range] <src-prt-num> <dst-ip> [eq | gt | lt | neq | range] <dst-port-num>
  • eq 80 = equal to port 80

  • gt 80 = greater than 80 (81 and greater)

  • lt 80 = less than 80 (79 and less)

  • neq 80 = not 80

  • range 80 100 = from port 80 to port 100

R1(config-ext-nacl)# deny tcp any host 1.1.1.1 eq 80
  • Deny all packets destined for IP address 1.1.1.1/32, TCP port 80

After the destination IP address and/or destination port numbers, there are many more options you can use to match (not necessary for the CCNA).

  • ack: match the TCP ACK flag.

  • fin: match the TCP FIN flag.

  • syn: match the TCP SYN flag.

  • ttl: match packets with a specific TTL value.

  • dscp: match packets with a specific DSCP value.

If you specify the protocol, source IP, source port, destination IP, destination port, etc., a packet must match all of those values to match the ACL entry. Even if it matches all except one of the parameters, the packet won't match that entry of the ACL.

Practice

Allow traffic from 10.0.0.0/16 to access the server at 2.2.2.2/32 using HTTPS (TCP port 443)
R1(config-ext-nacl)# permit tcp 10.0.0.0 0.0.255.255 2.2.2.2 0.0.0.0 eq 443
Prevent all hosts using a source UDP port number from 20000 to 30000 from accessing the server at 3.3.3.3/32
R1(config-ext-nacl)# deny udp any range 20000 30000 host 3.3.3.3
Allow hosts in 172.16.1.0/24 using a TCP source port greater than 9999 to access all TCP ports on server 4.4.4.4/32 except port 23.
R1(config-ext-nacl)# permit tcp 172.16.1.0 0.0.0.255 gt 9999 host 4.4.4.4 neq 23
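To make the matching rules above concrete (wildcard masks, the eq/gt/lt/neq/range port operators, top-to-bottom processing, every field must match, and the implicit deny), here is a small evaluator written for this page; it is an added example, not code from the course, and the ACL list and packets are constructed from the practice entries.

```python
import ipaddress
# Constructed sample ACL built from this page's practice entries (HTTPS = TCP 443).
ACL = [
    "deny udp 10.0.0.0 0.0.255.255 host 192.168.1.1",
    "deny icmp host 172.16.1.1 192.168.0.0 0.0.0.255",
    "permit tcp 10.0.0.0 0.0.255.255 2.2.2.2 0.0.0.0 eq 443",
    "deny udp any range 20000 30000 host 3.3.3.3",
    "permit tcp 172.16.1.0 0.0.0.255 gt 9999 host 4.4.4.4 neq 23",
]

def parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'; return (net, wildcard) as ints."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_port(tokens):
    """Consume an optional eq/gt/lt/neq/range operator; return a predicate on a port."""
    if not tokens or tokens[0] not in ("eq", "gt", "lt", "neq", "range"):
        return lambda p: True  # no operator given: any port matches
    op, a = tokens.pop(0), int(tokens.pop(0))
    if op == "range":
        b = int(tokens.pop(0))
        return lambda p: a <= p <= b
    return {"eq": lambda p: p == a, "gt": lambda p: p > a,
            "lt": lambda p: p < a, "neq": lambda p: p != a}[op]

def parse_entry(line):
    """Split one ACE into action, protocol, (net, wildcard) pairs and port predicates."""
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    src, sport_ok = parse_addr(tokens), parse_port(tokens)  # left-to-right evaluation
    dst, dport_ok = parse_addr(tokens), parse_port(tokens)
    return action, proto, src, sport_ok, dst, dport_ok

def addr_match(ip, net, wildcard):
    """Wildcard-mask match: bits set to 1 in the wildcard are ignored."""
    return (int(ipaddress.IPv4Address(ip)) | wildcard) == (net | wildcard)

def evaluate(acl, proto, src, dst, sport=0, dport=0):
    """Walk the ACL top to bottom; the first ACE whose every field matches decides."""
    for line in acl:
        action, p, src_m, sp_ok, dst_m, dp_ok = parse_entry(line)
        if (p in ("ip", proto) and addr_match(src, *src_m) and addr_match(dst, *dst_m)
                and sp_ok(sport) and dp_ok(dport)):
            return action
    return "deny"  # no ACE matched: the implicit deny at the end of every ACL
```

A packet from 10.0.5.5 to 2.2.2.2 on TCP 443 is permitted by the third entry, while the same packet to TCP 80 fails that one field and falls through to the implicit deny.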

First requirement

Extended ACLs should be applied as close to the source as possible, to limit how far the packets travel in the network before being denied.

(Standard ACLs are less specific, so if they are applied close to the source there is a risk of blocking more traffic than intended.)

Second requirement

Third requirement

All requirements

Checking the configurations.