What are Extended ACLs? Explained with Examples

By | 9th November 2015

Extended Access Control Lists.

Unlike standard ACLs, which match only on the source address, extended ACLs check the source address, the destination address, the protocol and the port numbers of each packet. Extended Access Control Lists (ACLs) therefore give a much finer degree of control and are a useful addition to your security solution.

Extended ACLs provide more precise traffic filtering. Numbered extended ACLs use the ranges 100 to 199 and 2000 to 2699, a total of 800 possible extended ACLs; extended ACLs can also be named.
Extended Access Control Lists offer a greater range of criteria on which to base the ACL.

For example, you can use an extended ACL to allow e-mail traffic from a network to one specific destination while denying file transfers and web browsing from that same network.

An extended ACL statement makes its permit or deny decision by matching on the source and destination addresses, the protocol, and the port numbers.

Common command syntax for extended ACLs:

access-list access-list-number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]

Let's look at it this way. For each packet, an extended ACL statement:

1. Filters on the source address,

2. then on the protocol and the source port,

3. then on the destination address,

4. then on the destination port,

and, if every field matches, applies that statement's permit or deny. Statements are evaluated top to bottom and the first match wins; a packet that matches no statement is dropped by the implicit deny at the end of every ACL, so anything you want to get through must be permitted explicitly.

The examples below show how an administrator specifies a TCP or UDP port by placing a port operator and a port number after the source or destination address in an extended ACL statement. The operators are equal (eq), not equal (neq), greater than (gt), less than (lt) and range.

Extended Access List examples
Using port numbers

access-list 101 permit tcp 192.168.2.0 0.0.0.255 any eq 23

access-list 101 permit tcp 192.168.2.0 0.0.0.255 any eq 21

access-list 101 permit tcp 192.168.2.0 0.0.0.255 any eq 20

Using keywords (the same three statements, with IOS port keywords in place of the numbers)

access-list 101 permit tcp 192.168.2.0 0.0.0.255 any eq telnet

access-list 101 permit tcp 192.168.2.0 0.0.0.255 any eq ftp

access-list 101 permit tcp 192.168.2.0 0.0.0.255 any eq ftp-data

To list the port numbers and keywords IOS accepts at that position while building an ACL, type ? in place of the port:

Router1(config)#access-list 101 permit tcp any eq ?
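To make the evaluation order and the implicit deny concrete, here is an added example in Python. It is not Cisco IOS code and not part of the original article: it parses the numbered extended ACL syntax used on this page ('any', 'host', address plus wildcard mask, and the eq/neq/gt/lt/range port operators) and evaluates packets the way IOS does, top to bottom, first match wins, unmatched traffic denied. ACL 101 is the one from the examples above; ACL 110, the mail server address 10.0.0.25 and the sample packets are constructed for the e-mail scenario described earlier.

```python
"""Evaluator for the numbered extended-ACL statements shown on this page.
Added example, not Cisco IOS code or the article's own: it parses the
syntax used above ('any', 'host', address + wildcard mask, the
eq/neq/gt/lt/range port operators) and applies IOS semantics: first
match wins, top to bottom, and an unmatched packet hits the implicit deny."""
import ipaddress
from dataclasses import dataclass

# Subset of the port keywords IOS accepts in place of a number.
PORT_KEYWORDS = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25,
                 "domain": 53, "www": 80, "https": 443}
PORT_OPERATORS = ("eq", "neq", "gt", "lt", "range")

@dataclass
class Packet:
    proto: str      # "tcp", "udp", "icmp", ...
    src: str        # dotted-quad source address
    dst: str        # dotted-quad destination address
    sport: int = 0
    dport: int = 0

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr_matcher(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'; return (pred, rest)."""
    if tokens[0] == "any":
        return (lambda ip: True), tokens[1:]
    if tokens[0] == "host":
        want = _ip(tokens[1])
        return (lambda ip: _ip(ip) == want), tokens[2:]
    base, wildcard = _ip(tokens[0]), _ip(tokens[1])
    # Wildcard mask: a 0 bit must match the base address, a 1 bit is don't-care.
    return (lambda ip: ((_ip(ip) ^ base) & ~wildcard) == 0), tokens[2:]

def _port(token):
    return PORT_KEYWORDS[token] if token in PORT_KEYWORDS else int(token)

def _port_matcher(tokens):
    """Consume an optional port operator; no operator means any port."""
    if not tokens or tokens[0] not in PORT_OPERATORS:
        return (lambda p: True), tokens
    op = tokens[0]
    if op == "range":
        lo, hi = _port(tokens[1]), _port(tokens[2])
        return (lambda p: lo <= p <= hi), tokens[3:]
    n = _port(tokens[1])
    ops = {"eq": lambda p: p == n, "neq": lambda p: p != n,
           "gt": lambda p: p > n, "lt": lambda p: p < n}
    return ops[op], tokens[2:]

def parse_ace(line):
    """Parse 'access-list N {permit|deny} PROTO SRC [op port] DST [op port]'
    into (acl_number, action, match_predicate)."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list":
        raise ValueError("not an extended access-list statement: " + line)
    number, action, proto = int(t[1]), t[2], t[3]
    if not (100 <= number <= 199 or 2000 <= number <= 2699):
        raise ValueError("extended ACL numbers are 100-199 or 2000-2699")
    if action not in ("permit", "deny"):
        raise ValueError("action must be permit or deny: " + line)
    src, rest = _addr_matcher(t[4:])
    sport, rest = _port_matcher(rest)
    dst, rest = _addr_matcher(rest)
    dport, rest = _port_matcher(rest)  # trailing 'established'/'log' are ignored

    def match(pkt):
        return ((proto == "ip" or pkt.proto == proto) and src(pkt.src)
                and sport(pkt.sport) and dst(pkt.dst) and dport(pkt.dport))
    return number, action, match

def evaluate(acl_lines, pkt):
    """Return 'permit' or 'deny' for pkt: the first matching statement decides."""
    for line in acl_lines:
        _, action, match = parse_ace(line)
        if match(pkt):
            return action
    return "deny"  # the implicit 'deny ip any any' at the end of every ACL

# ACL 101 from the article: telnet, ftp and ftp-data out of 192.168.2.0/24.
ACL_101 = [
    "access-list 101 permit tcp 192.168.2.0 0.0.0.255 any eq telnet",
    "access-list 101 permit tcp 192.168.2.0 0.0.0.255 any eq ftp",
    "access-list 101 permit tcp 192.168.2.0 0.0.0.255 any eq ftp-data",
]
# Constructed ACL for the scenario in the text: mail only to one assumed mail
# server (10.0.0.25), no FTP or web browsing, everything else allowed.
# The specific statements must sit above the catch-all permit.
ACL_110 = [
    "access-list 110 permit tcp 192.168.2.0 0.0.0.255 host 10.0.0.25 eq smtp",
    "access-list 110 deny tcp 192.168.2.0 0.0.0.255 any eq smtp",
    "access-list 110 deny tcp 192.168.2.0 0.0.0.255 any eq ftp",
    "access-list 110 deny tcp 192.168.2.0 0.0.0.255 any eq www",
    "access-list 110 permit ip 192.168.2.0 0.0.0.255 any",
]

if __name__ == "__main__":
    http = Packet("tcp", "192.168.2.10", "203.0.113.5", 40001, 80)
    print("ACL 101, http:", evaluate(ACL_101, http))        # deny (implicit)
    print("ACL 110, http:", evaluate(ACL_110, http))        # deny (explicit)
    misordered = ACL_110[-1:] + ACL_110[:-1]  # catch-all permit moved to top
    print("misordered, http:", evaluate(misordered, http))  # permit
```

The misordered list at the end is the mistake to watch for on a real router: once a broad permit sits above the specific denies, those denies can never match. Remember too that on IOS an ACL filters nothing until it is applied to an interface with ip access-group (for example ip access-group 101 in), and that anything not explicitly permitted, including the HTTP packet above, falls to the implicit deny.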

