Configuring extended ACLs
Download as PPTX, PDF0 likes221 views
Extended access lists allow for more precise matching of network traffic than standard access lists by allowing specification of source/destination IP addresses, protocol, and port numbers. Two steps are required to configure an extended ACL: 1) use the access list command to define permit/deny rules and 2) apply the ACL to an interface. Extended ACLs can be used to allow certain users to access specific servers by IP and port while denying other traffic.
![Two steps are required to configure extended access lists:
1. configure extended access lists using the following command:
R1(config) access list NUMBER permit|deny IP_PROTOCOL
SOURCE_ADDRESSWILDCARD_MASK
[PROTOCOL_INFORMATION] DESTINATION_ADDRESS
WILDCARD_MASK PROTOCOL_INFORMATION
2. apply an access list to an interface using the following command:
R1(config) ip access-group ACL_NUMBER out
NOTE - extended access lists numbers are in ranges from 100 to 199
and from 2000 to 2699](https://image.slidesharecdn.com/configuringextendedacls-160314025948/85/Configuring-extended-ACLs-3-320.jpg)
Configuring extended ACLs
- 2. To be more precise when matching a certain network traffic, extended access lists are used. With extended access lists, you can match more information, such as: • source and destination IP address • type ofTCP/IP protocol (TCP, UDP, IP...) • source and destination port numbers
- 3. Two steps are required to configure extended access lists: 1. configure extended access lists using the following command: R1(config) access list NUMBER permit|deny IP_PROTOCOL SOURCE_ADDRESSWILDCARD_MASK [PROTOCOL_INFORMATION] DESTINATION_ADDRESS WILDCARD_MASK PROTOCOL_INFORMATION 2. apply an access list to an interface using the following command: R1(config) ip access-group ACL_NUMBER out NOTE - extended access lists numbers are in ranges from 100 to 199 and from 2000 to 2699
- 4. To better understand the usefulness of extended access lists, consider the following example.
- 5. We want Users (network 10.0.0.0/24) to be able to access server S2 (IP address 192.168.0.1) and prevent them access to server S1 (IP address 172.16.0.1/24). First, we need to configure an access list to permit Users the access to server S2:
- 6. Next, we need to deny Users the right to access S1 by using the deny statement: Lastly, we need to apply the access list to the interface on R1:
- 7. Here is another example of using extended access lists:
- 8. Again, we have Users network (10.0.0.0/24). On the right side, we have a server that serves as a web server, listening on port 80. We need to permit Users to access web sites on S1, but we also need to deny other type of access, for example aTelnet access. First, we need to allow traffic from Users network to the web server port of 80.We can do that by using the following command:
- 9. By using the TCP keyword, we can filter packets by source and destination ports. In the example above, we have permitted traffic originating from the 10.0.0.0 network to the host 172.16.0.1 on port 80. The last part of the statement, eq 80, specifies the destination port of 80. Now we need to disable telnet traffic from the network 10.0.0.0 to 172.16.0.1.To do that, we need to create a deny statement:
- 10. Next, we need to apply our access list to the interface: NOTE – since at the end of each access list there is an explicit deny all statement, the second ACL statement wasn't really necessary. After applying an access list, every traffic not explicitly permitted will be denied.