# Extended ACLs

Extended ACLs function mostly the same as standard ACLs.

They can be numbered or named, just like standard ACLs.

* Numbered ACLs use the following ranges: **100 - 199, 2000 - 2699**

They are processed from top to bottom, just like standard ACLs.

However, they can match traffic based on more parameters, so they are more precise (and more complex) than standard ACLs.

We will focus on matching based on these main parameters: **Layer 4 protocol/port, source address**, and **destination address**.

```
R1(config)# access-list <number> [permit | deny] <protocol> <src-ip> <dst-ip>
```

```
R1(config)# ip access-list extended {<name> | <number>}
R1(config-ext-nacl)# [<seq-num>] [permit | deny] <protocol> <src-ip> <dst-ip>
```

## Matching protocol

<figure><img src="/files/VvSrIzMN0V1Vx6w5VERW" alt=""><figcaption></figcaption></figure>

## Matching source/destination IP address

<figure><img src="/files/uepKJtVhwsUHRtsVpVrl" alt=""><figcaption></figcaption></figure>

### Practice

<details>

<summary>Allow all traffic</summary>

```
R1(config-ext-nacl)# permit ip any any
```

</details>

<details>

<summary>Prevent 10.0.0.0/16 from sending UDP traffic to 192.168.1.1/32</summary>

```
R1(config-ext-nacl)# deny udp 10.0.0.0 0.0.255.255 host 192.168.1.1
```

</details>

<details>

<summary>Prevent 172.16.1.1/32 from pinging hosts in 192.168.0.0/24</summary>

```
R1(config-ext-nacl)# deny icmp host 172.16.1.1 192.168.0.0 0.0.0.255
```

</details>

## Matching TCP/UDP port numbers

When matching TCP/UDP, you can optionally specify the source and/or destination port numbers to match.

```
R1(config-ext-nacl)# deny tcp <src-ip> [eq | gt | lt | neq | range] <src-port-num> <dst-ip> [eq | gt | lt | neq | range] <dst-port-num>
```

* **eq 80** = equal to port 80
* **gt 80** = greater than 80 (81 and greater)
* **lt 80** = less than 80 (79 and less)
* **neq 80** = **not** 80
* **range 80 100** = from port 80 to port 100

<figure><img src="/files/AWMIz6bey9F4m0ml4yxm" alt=""><figcaption></figcaption></figure>

```
R1(config-ext-nacl)# deny tcp any host 1.1.1.1 eq 80
```

* Deny all packets destined for IP address 1.1.1.1/32, TCP port 80

{% hint style="info" %}
After the destination IP address and/or destination port numbers, there are many more options you can use to match (not necessary for the CCNA).

* **ack:** match the TCP ACK flag.
* **fin:** match the TCP FIN flag.
* **syn:** match the TCP SYN flag.
* **ttl:** match packets with a specific TTL value.
* **dscp:** match packets with a specific DSCP value.
{% endhint %}

{% hint style="info" %}
If you specify the protocol, source IP, source port, destination IP, destination port, etc, a packet must match **all** of those values to match the ACL entry. Even if it matches all except one of the parameters, the packet won't match that entry of the ACL.
{% endhint %}
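The matching rules above (wildcard masks for source/destination addresses, the `eq`/`gt`/`lt`/`neq`/`range` port operators, and the rule that a packet must match **every** parameter of an entry) are easy to check with a small simulator. The following Python script is an added example, not Cisco IOS code and not part of the original page: it parses entry lines written in the `config-ext-nacl` syntax shown here, evaluates constructed sample packets top to bottom, and applies the implicit deny at the end of the list. The `Packet` class, `evaluate` function and `ACL` list are assumptions of this example; the ACL lines themselves are taken from the practice answers on this page (HTTPS on port 443).

```python
import ipaddress
from dataclasses import dataclass

# Number of numeric arguments each port operator takes.
PORT_OPS = {"eq": 1, "gt": 1, "lt": 1, "neq": 1, "range": 2}


@dataclass
class Packet:
    """Constructed packet description (hypothetical, for this example only)."""
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0      # 0 means "no port" (e.g. ICMP)
    dport: int = 0


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)


def port_match(spec, port):
    """spec is (operator, args); no operator means any port matches."""
    op, args = spec
    if op is None:
        return True
    if op == "range":                        # inclusive at both ends
        return args[0] <= port <= args[1]
    # 'gt 80' means 81 and greater, 'lt 80' means 79 and less
    compare = {"eq": port == args[0], "gt": port > args[0],
               "lt": port < args[0], "neq": port != args[0]}
    return compare[op]


def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at tokens[i]."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def _parse_port(tokens, i):
    """Consume an optional port operator and its numeric arguments."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        n = PORT_OPS[tokens[i]]
        return (tokens[i], [int(t) for t in tokens[i + 1:i + 1 + n]]), i + 1 + n
    return (None, []), i


def parse_entry(line):
    """Parse one config-ext-nacl line such as 'deny tcp any host 1.1.1.1 eq 80'."""
    tokens = line.split()
    if tokens[0].isdigit():                  # optional sequence number
        tokens = tokens[1:]
    action, proto = tokens[0], tokens[1].lower()
    src, i = _parse_addr(tokens, 2)
    sport, i = _parse_port(tokens, i)
    dst, i = _parse_addr(tokens, i)
    dport, i = _parse_port(tokens, i)
    if proto not in ("tcp", "udp") and (sport[0] or dport[0]):
        raise ValueError("port operators are only valid with tcp or udp")
    return {"action": action, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def entry_matches(entry, pkt):
    """Every parameter must match; a single mismatch means the entry is skipped."""
    if entry["proto"] != "ip" and entry["proto"] != pkt.proto:
        return False
    return (wildcard_match(pkt.src, *entry["src"])
            and wildcard_match(pkt.dst, *entry["dst"])
            and port_match(entry["sport"], pkt.sport)
            and port_match(entry["dport"], pkt.dport))


def evaluate(acl_lines, pkt):
    """Process entries top to bottom; return (action, line that matched)."""
    for line in acl_lines:
        entry = parse_entry(line)
        if entry_matches(entry, pkt):
            return entry["action"], line
    return "deny", "<implicit deny>"        # every ACL ends with an implicit deny


# Constructed ACL built from the practice answers on this page (HTTPS = 443).
ACL = [
    "deny udp 10.0.0.0 0.0.255.255 host 192.168.1.1",
    "deny icmp host 172.16.1.1 192.168.0.0 0.0.0.255",
    "permit tcp 10.0.0.0 0.0.255.255 2.2.2.2 0.0.0.0 eq 443",
    "deny udp any range 20000 30000 host 3.3.3.3",
    "permit tcp 172.16.1.0 0.0.0.255 gt 9999 host 4.4.4.4 neq 23",
    "deny tcp any host 1.1.1.1 eq 80",
    "permit ip any any",
]
ACL_NO_FINAL_PERMIT = ACL[:-1]   # same entries without the catch-all permit

if __name__ == "__main__":
    pkt = Packet("tcp", "172.16.1.9", "4.4.4.4", 9999, 80)   # 9999 is not 'gt 9999'
    print(evaluate(ACL, pkt), evaluate(ACL_NO_FINAL_PERMIT, pkt))
```

Two things worth trying with it: a TCP packet from 10.0.5.5 to 192.168.1.1 skips the first `deny udp` entry because one parameter (the protocol) does not match, and a host in 172.16.1.0/24 using source port 9999 is not covered by `gt 9999`, so without the final `permit ip any any` it falls through to the implicit deny.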

### Practice

<details>

<summary>Allow traffic from 10.0.0.0/16 to access the server at 2.2.2.2/32 using HTTPS</summary>

```
R1(config-ext-nacl)# permit tcp 10.0.0.0 0.0.255.255 2.2.2.2 0.0.0.0 eq 443
```

</details>

<details>

<summary>Prevent all hosts using a source UDP port number from 20000 to 30000 from accessing the server at 3.3.3.3/32</summary>

```
R1(config-ext-nacl)# deny udp any range 20000 30000 host 3.3.3.3
```

</details>

<details>

<summary>Allow hosts in 172.16.1.0/24 using a TCP source port greater than 9999 to access all TCP ports on server 4.4.4.4/32 except port 23.</summary>

```
R1(config-ext-nacl)# permit tcp 172.16.1.0 0.0.0.255 gt 9999 host 4.4.4.4 neq 23
```

</details>

<figure><img src="/files/tf5NOmHpKTh1j8xfmLco" alt=""><figcaption></figcaption></figure>

### First requirement

<figure><img src="/files/mqOcc34kRWAvR3ML5ZcD" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
Extended ACLs should be applied as close to the **source as possible**, to limit how far the packets travel in the network before being denied.

(Standard ACLs are less specific, so if they are applied close to the source there is a risk of blocking more traffic than intended)
{% endhint %}

<figure><img src="/files/ni1zeMPq0HdptzlEcxik" alt=""><figcaption></figcaption></figure>

### Second requirement

<figure><img src="/files/T5kV99GSE7rIiP4GhBfW" alt=""><figcaption></figcaption></figure>

### Third requirement

<figure><img src="/files/lNZSp9W4YlvL6kQ4cgQy" alt=""><figcaption></figcaption></figure>

### All requirements

<figure><img src="/files/yZTxTecszTjxjWAx3hCx" alt=""><figcaption></figcaption></figure>

Checking the configurations.

<figure><img src="/files/kpjEXLFyLQvizJd9fWBs" alt=""><figcaption></figcaption></figure>


