Extended Access Control Lists PowerPoint Presentation
Extended Access Control Lists. Extended ACLs Can Filter on One or Many Data Fields. Extended ACLs – Creating an Extended Access List.

PowerPoint Slideshow about 'Extended Access Control Lists' - lane

Presentation Transcript
Extended ACLs – Creating an Extended Access List

As with standard lists, the access-list command is used to create each condition of the list – using one condition per line. The syntax for each line in the list is:

access-list access-list-number {permit | deny} {protocol | protocol keyword} {source | any} [source-wildcard] [source port] {destination | any} [destination-wildcard] [destination port] [options]


Lab-X#config t
Lab-X(config)#Access-list 101 deny tcp any eq www
Lab-X(config)#Access-list 101 deny tcp any any eq ftp
Lab-X(config)#Access-list 101 permit ip any any
Lab-X(config)#interface Fastethernet 0/0
Lab-X(config-if)#ip access-group 101 out

The access-list-number range for IP extended access lists is 100 to 199.

The protocol entry defines the protocol to be filtered, such as IP, TCP, UDP, or ICMP. Because IP headers transport TCP, UDP, and ICMP, it is important to specify the protocol precisely, or you could inadvertently filter more than you intend.

Extended ACLs – TCP Relational Operators

The access-list TCP protocol option supports both source and destination ports, which you can specify either by port number or by mnemonic (acronym). A relational operator such as those shown in the following output precedes the port:

Lab-X(config)#access-list 101 deny tcp any ?
A.B.C.D Destination address.
any Any destination host.
eq Match only packets on a given port number.
gt Match only packets with a greater port number.
host A single destination host.
lt Match only packets with a lower port number.
neq Match only packets not on a given port number.
range Match only packets in the range of port numbers.

Extended ACLs – Protocol Identifiers

After choosing a relational operator, specify a mnemonic (or acronym) or port number, such as the following code output for the TCP port names:

Lab-X(config)#access-list 101 deny tcp any eq ?
<0-65535> Port number
bgp Border Gateway Protocol (179)
chargen Character generator (19)
cmd Remote commands (rcmd, 514)
daytime Daytime (13)
discard Discard (9)
domain Domain Name Service (53)
echo Echo (7)
exec Exec (rsh, 512)
finger Finger (79)
ftp File Transfer Protocol (21)
--Some output omitted--
uucp Unix-to-Unix Copy Program (540)
whois Nicname (43)
www World Wide Web (HTTP, 80)

Extended ACLs – TCP Example

The first statement could have used the mnemonic “telnet” in place of 23 with exactly the same result. The one advantage to using the mnemonic is that it is more intuitive to anyone having to support the device.

Lab-X#config t
Lab-X(config)#access-list 101 deny tcp any eq 23
Lab-X(config)#access-list 101 permit ip any any
Lab-X(config)#interface fastethernet 0/1
Lab-X(config-if)#ip access-group 101 in

If you want to block a network from surfing the Web while still allowing other services such as FTP, use this code:

Lab-X#config t
Lab-X(config)#access-list 106 deny tcp any eq www
Lab-X(config)#access-list 106 permit ip any any
Lab-X(config)#interface ethernet 0
Lab-X(config-if)#ip access-group 106 in

Extended ACLs – Blocking RIP Routing Updates

One example of using ACLs with UDP packets would be to block RIP routing updates from passing out a particular interface using an ACL such as the following:

Lab-X#config t
Lab-X(config)#access-list 150 deny udp any any eq rip
Lab-X(config)#access-list 150 permit ip any any
Lab-X(config)#int e0
Lab-X(config-if)#ip access-group 150 out

Important Concept for Extended ACLs

Every ACL ends with an implicit deny of all other IP traffic, not just all other TCP traffic, and both ACLs below are subject to it. A common mistake is to assume that, because only TCP was specified in the main statement(s), the final permit-any statement need only refer to TCP (ACL 102 below).

The unplanned result is that all ICMP and UDP traffic matching the address criteria is blocked by ACL 102.

ACL 101's final permit ip any any statement allows all other traffic.

Lab-X#config t
Lab-X(config)#Access-list 101 deny tcp any eq ftp
Lab-X(config)#Access-list 101 permit IP any any
Lab-X(config)#Access-list 102 deny tcp eq ftp
Lab-X(config)#Access-list 102 permit TCP any any
Lab-X(config)#interface Fastethernet 0/0
Lab-X(config-if)#ip access-group 101 out
Lab-X(config-if)#ip access-group 102 in
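The implicit-deny behaviour above, and the protocol, address and port matching described in the earlier syntax and relational-operator slides, can be checked offline with a small model of how IOS walks a numbered extended ACL. The following Python is an added example, not part of the slides or of Cisco IOS: it parses lines in the slide's access-list syntax (first match wins, implicit deny when nothing matches) and runs constructed packets through constructed copies of ACL 101 and ACL 102 in which the destination is written as any. PORT_NAMES is a hand-picked subset of the IOS port-name table; the packet addresses are documentation ranges.

```python
import ipaddress
from collections import namedtuple

# Constructed subset of the IOS port-name table shown on the slide.
PORT_NAMES = {"ftp": 21, "telnet": 23, "domain": 53, "www": 80, "bgp": 179, "rip": 520}
OPS = {"eq", "neq", "gt", "lt", "range"}
ANY = (0, 0xFFFFFFFF)  # 0.0.0.0 with wildcard 255.255.255.255, i.e. "any"

Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(0, 0))
# src/dst are (address, wildcard) integer pairs; sop/dop are port operators or None.
Rule = namedtuple("Rule", "action proto src sop sports dst dop dports")

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _parse_addr(tokens):
    # Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' from the front of tokens.
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (_ip(tokens.pop(0)), 0)
    return (_ip(tok), _ip(tokens.pop(0)))

def _parse_port(tokens):
    # Consume an optional relational operator plus its port number(s) or mnemonic(s).
    if not tokens or tokens[0] not in OPS:
        return None, ()
    op = tokens.pop(0)
    count = 2 if op == "range" else 1
    ports = tuple(PORT_NAMES[t] if t in PORT_NAMES else int(t) for t in tokens[:count])
    del tokens[:count]
    return op, ports

def parse_rule(line):
    # 'access-list N {permit|deny} proto src [op port] dst [op port]', case-insensitive.
    tokens = line.lower().split()
    number, action, proto, rest = int(tokens[1]), tokens[2], tokens[3], tokens[4:]
    src = _parse_addr(rest)
    sop, sports = _parse_port(rest)
    dst = _parse_addr(rest)
    dop, dports = _parse_port(rest)
    return number, Rule(action, proto, src, sop, sports, dst, dop, dports)

def _addr_match(spec, ip_text):
    addr, wildcard = spec
    # A set bit in the wildcard means "don't care", exactly as in IOS.
    return ((_ip(ip_text) ^ addr) & ~wildcard & 0xFFFFFFFF) == 0

def _port_match(op, ports, port):
    if op is None:
        return True
    if op == "range":
        return ports[0] <= port <= ports[1]
    return {"eq": port == ports[0], "neq": port != ports[0],
            "gt": port > ports[0], "lt": port < ports[0]}[op]

def evaluate(rules, pkt):
    # First matching entry decides; no match means the implicit deny at the end.
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if not (_addr_match(r.src, pkt.src) and _addr_match(r.dst, pkt.dst)):
            continue
        if not (_port_match(r.sop, r.sports, pkt.sport)
                and _port_match(r.dop, r.dports, pkt.dport)):
            continue
        return r.action
    return "deny"

def load_acls(lines):
    acls = {}
    for line in lines:
        number, rule = parse_rule(line)
        acls.setdefault(number, []).append(rule)
    return acls

# Constructed config mirroring the slide's ACL 101 and 102, with 'any' as destination.
CONFIG = """
Access-list 101 deny tcp any any eq ftp
Access-list 101 permit IP any any
Access-list 102 deny tcp any any eq ftp
Access-list 102 permit TCP any any
""".strip().splitlines()

def demo(config=CONFIG):
    # Run constructed sample packets (documentation addresses) through every ACL in config.
    packets = {"ftp": Packet("tcp", "10.0.0.5", "192.0.2.10", 49152, 21),
               "http": Packet("tcp", "10.0.0.5", "192.0.2.10", 49152, 80),
               "dns": Packet("udp", "10.0.0.5", "192.0.2.10", 49152, 53),
               "ping": Packet("icmp", "10.0.0.5", "192.0.2.10")}
    return {n: {name: evaluate(rules, p) for name, p in packets.items()}
            for n, rules in load_acls(config).items()}
```

Calling demo() returns permit for the DNS and ping packets under ACL 101 but deny for both under ACL 102, because ACL 102's last entry matches only TCP and the UDP and ICMP packets fall through to the implicit deny. The model covers only the subset of the grammar the slides use (no established, log or ICMP-type keywords), which is enough to reason about this class of mistake before a list goes onto an interface.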

Named ACLs – Basics

Cisco IOS supports named access lists in place of the traditional number designations. Naming a list makes it easier to recognize and can make it easier to debug.

Another advantage is that it is possible to delete individual entries from a specific ACL instead of erasing the entire list.

A couple of things to consider when implementing named ACLs:

1. Names, like numbers, must be unique on each router.

2. Named ACLs do not work with IOS releases prior to 11.2.

The first step is to create the ACL using the following syntax:

Router(config)#ip access-list {standard | extended} name


Lab-X(config)#ip access-list extended BlockInternet

Named ACLs – Example

Lab-X#conf t
Lab-X(config)#ip access-list ? (to see the options)
extended Extended Access List
log-update Control access list log updates
logging Control access list logging
standard Standard Access List

Lab-X(config)#ip access-list standard ProtectLAN



Lab-X(config-std-nacl)#permit any


Lab-X(config)#ip access-list extended FilterOutside
Lab-X(config-ext-nacl)#permit tcp any established
Lab-X(config-ext-nacl)#deny icmp any
Lab-X(config-ext-nacl)#permit ip any any



Named ACLs are applied to interfaces the same as other ACLs.

ACL Placement

Standard ACLs must be placed close to the destination, because they filter on source address only; placed near the source, they would cut that source off from every destination.

Extended ACLs should be placed close to the source, because they can match on protocol, ports, and destination, so unwanted traffic is dropped before it crosses the network.

ACLs and Firewall Routers

Border routers are charged with providing network security from potential attacks from outside the network. The figure shows the simplest situation where the border router becomes the clear demarcation between the network and the rest of the world.

Typically intruders come from the global Internet and the thousands of networks connected to it.

ACLs and Firewall Routers

Another type of firewall implementation uses two or more routers to provide the security. The border router, A, is ultimately responsible for securing the LAN(s).

The firewall router, F, is responsible for protecting both the shared servers and the internal networks from attack from outside. In an optimal solution, this would be a specialty device like Cisco’s PIX box, which combines hardware and software to secure the connection. Whether a specialty device or a router with the firewall feature set, ACLs will be a part of the solution.

Verifying ACLs

Lab-X#show ip interface
Ethernet0 is up, line protocol is up
Internet address is
Broadcast address is
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined:
Outgoing access list is 50
Inbound access list is 70
Proxy ARP is enabled

The show ip interface command tells you whether an inbound or outbound access list has been applied to an interface. Rows 9 and 10 of the output above (Outgoing access list and Inbound access list) contain that information; the rest of the command's output does not pertain to ACLs, so it has been omitted.

The show access-lists Command

Lab-X#show access-lists
Standard IP access list 50
deny log
permit any

Standard IP access list 75



permit any


The show access-lists command will display all access lists on the router but does not show whether or where they are applied.

Another command, show ip access-lists, would include only IP access lists. Both commands enable you to specify an ACL number or name after the command to display just that ACL.

The show run Command

Lab-X#show run
hostname Lab-X
! (output abbreviated)
access-list 50 deny log
access-list 50 permit any
access-list 75 deny
access-list 75 deny
access-list 75 permit any


One way to see your access lists and how they are applied is to use the show run command to see the active configuration. The above lines show the output of a show run command with some of the unrelated lines removed.
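Because show access-lists lists every ACL without saying where it is applied, while show run shows both the definitions and the ip access-group lines, the two views can be cross-referenced automatically. The following Python is an added example, not part of the slides: it parses a constructed show run excerpt (ACL numbers and names borrowed from the slides, addresses made up, and an ACL 70 that is deliberately referenced on Ethernet0 but never defined) and reports which ACLs are applied where, which are defined but unused, and which are applied but missing.

```python
import re

# Constructed 'show run' excerpt modelled on the slide's ACL 50/75 and the named
# ACLs ProtectLAN/FilterOutside. Addresses are made up; ACL 70 is applied on
# Ethernet0 but deliberately never defined.
SHOW_RUN = """\
hostname Lab-X
!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 ip access-group 50 out
 ip access-group 70 in
!
interface FastEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 ip access-group FilterOutside in
!
access-list 50 deny 10.0.0.0 0.255.255.255 log
access-list 50 permit any
access-list 75 deny host 10.0.0.1
access-list 75 permit any
!
ip access-list standard ProtectLAN
 deny 10.0.0.0 0.0.0.255
 permit any
ip access-list extended FilterOutside
 permit tcp any any established
 deny icmp any any
 permit ip any any
"""

def audit_acls(show_run):
    """Cross-reference ACL definitions with ip access-group lines in a show run dump."""
    defined = {}   # ACL number or name -> count of permit/deny entries
    applied = {}   # ACL number or name -> [(interface, direction), ...]
    interface = named = None
    for raw in show_run.splitlines():
        if not raw.startswith(" "):
            # A top-level command ends any interface or named-ACL block.
            interface = named = None
            if m := re.match(r"interface (\S+)$", raw):
                interface = m.group(1)
            elif m := re.match(r"access-list (\d+) ", raw):
                defined[m.group(1)] = defined.get(m.group(1), 0) + 1
            elif m := re.match(r"ip access-list (?:standard|extended) (\S+)$", raw):
                named = m.group(1)
                defined.setdefault(named, 0)
            continue
        line = raw.strip()
        words = line.split()
        if interface and (m := re.match(r"ip access-group (\S+) (in|out)$", line)):
            applied.setdefault(m.group(1), []).append((interface, m.group(2)))
        elif named and words and words[0] in ("permit", "deny"):
            defined[named] += 1
    return {
        "defined": defined,
        "applied": applied,
        # Defined but not applied: dead configuration, harmless but worth cleaning up.
        "unapplied": sorted(a for a in defined if a not in applied),
        # Applied but never defined: IOS passes all traffic through an empty ACL,
        # so this is a silent hole rather than a silent block.
        "undefined": sorted(a for a in applied if a not in defined),
    }

if __name__ == "__main__":
    for key, value in audit_acls(SHOW_RUN).items():
        print(f"{key}: {value}")
```

On the constructed input the audit reports ACL 50 applied outbound and ACL 70 inbound on Ethernet0, FilterOutside inbound on FastEthernet0/0, ACL 75 and ProtectLAN defined but unapplied, and ACL 70 applied but undefined, which is the case to fix first since an ACL with no entries filters nothing.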

Verifying Named ACLs

Lab-X#show run
! (output edited and omitted)
ip access-list standard ProtectLAN



permit any


ip access-list extended FilterOutside
permit tcp any established
deny icmp any
permit ip any any


Lab-X#show access-list
Standard IP access list ProtectLAN
deny, wildcard bits
deny, wildcard bits
permit any
Extended IP access list FilterOutside
permit tcp any established
deny icmp any
permit ip any any