Configuring Extended ACLs Examples

9th November 2015

Let's look at how to configure an extended access list to enable users on a network to browse secure and insecure websites.

First, decide whether the traffic you want to filter is going in or out. Accessing websites on the Internet is traffic going out; receiving e-mail from the Internet is traffic coming in.

Applying an extended ACL to an interface

In the example in the figure below, R1 has two interfaces: a serial port, S0/0/0, and a Fast Ethernet port, Fa0/0. Traffic arriving from the Internet comes in on the S0/0/0 interface and goes out the Fa0/0 interface to reach PC1. The example applies ACLs to the serial interface in both directions.

[Figure: extended acls config1]

Configuration example:

Router1#config t
Router1(config)#interface s0/0/0
Router1(config-if)#ip access-group 101 out
Router1(config-if)#ip access-group 102 in
Router1(config-if)#end

How to Configure Extended ACL to deny FTP from subnets

This is an example of denying FTP (File Transfer Protocol) traffic from subnet 192.168.2.0 going to subnet 192.168.3.0, while permitting all other traffic. Note the use of wildcard masks. Remember that FTP requires ports 20 and 21; therefore you need to specify both eq 20 and eq 21 to deny FTP.

[Figure: extended acls config2]

Configuration example:

Router1#config t
Router1(config)#access-list 103 deny tcp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 21
Router1(config)#access-list 103 deny tcp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 20
Router1(config)#access-list 103 permit ip any any
Router1(config)#interface fa0/1
Router1(config-if)#ip access-group 103 in

With extended ACLs, you can choose to use port numbers as in the example, or to call out a well-known port by name.

Configuring Extended ACL to deny TELNET from subnets

This example denies Telnet traffic from 192.168.3.0, but allows all other IP traffic, from any source to any destination, inbound on Fa0/1. Note the use of the any keywords, meaning from anywhere going to anywhere.

[Figure: extended acls config3]

Configuration example:

Router1#config t
Router1(config)#access-list 103 deny tcp 192.168.3.0 0.0.0.255 any eq 23
Router1(config)#access-list 103 permit ip any any
Router1(config)#interface fa0/1
Router1(config-if)#ip access-group 103 in
Router1(config-if)#end
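As an added illustration (not part of the original post and not IOS code), here is a small Python model of how a router evaluates the access lists above: entries are tested top-down, the first match decides, and a packet matching no entry is dropped by the implicit deny at the end of every ACL. It parses the page's access-list lines exactly as written (eq on the destination port only, which is all the page uses) and checks a few constructed packets against ACL 103 from both the FTP and the Telnet example. The evaluate function, the sample host addresses and the WELL_KNOWN port-name table are assumptions of this example, not part of the page.

```python
"""Model of Cisco-style extended ACL evaluation (added example, not IOS code).

Rules: entries are tested in order, the first matching entry decides, and a
packet matching no entry is dropped by the implicit deny at the end of the ACL.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# Port names IOS accepts in place of numbers (subset; values are the IANA ports).
WELL_KNOWN = {"ftp-data": 20, "ftp": 21, "telnet": 23, "www": 80}


@dataclass(frozen=True)
class Ace:
    """One entry: '<permit|deny> <proto> <src> <wild> <dst> <wild> [eq <port>]'."""
    action: str
    proto: str                  # "tcp", "udp" or "ip" (ip matches every protocol)
    src: str
    src_wild: str               # wildcard mask: 0 bits must match, 1 bits are ignored
    dst: str
    dst_wild: str
    dst_port: Optional[int]     # destination port from 'eq'; None means any port


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr agrees with base on every bit that is 0 in the wildcard mask."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF      # the bits that must match
    return (a & care) == (b & care)


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list <n> ...' line as written on the page.

    Assumption: 'eq' is only used on the destination, as in the page's examples;
    source-port operators and other keywords (established, log, ...) are not modelled.
    """
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    action, proto = tok[2], tok[3]

    def take_addr(i: int) -> Tuple[str, str, int]:
        # 'any' is shorthand for 0.0.0.0 255.255.255.255
        if tok[i] == "any":
            return "0.0.0.0", "255.255.255.255", i + 1
        return tok[i], tok[i + 1], i + 2

    src, src_wild, i = take_addr(4)
    dst, dst_wild, i = take_addr(i)
    port = None
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        port = WELL_KNOWN[name] if name in WELL_KNOWN else int(name)
    return Ace(action, proto, src, src_wild, dst, dst_wild, port)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dst_port: int) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based index of the matching entry), or ('deny', None)
    when nothing matched and the implicit deny applies."""
    for n, ace in enumerate(acl, start=1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not wildcard_match(src, ace.src, ace.src_wild):
            continue
        if not wildcard_match(dst, ace.dst, ace.dst_wild):
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action, n
    return "deny", None


# ACL 103 from the FTP example, exactly as configured on the page.
FTP_ACL = [parse_ace(line) for line in (
    "access-list 103 deny tcp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 21",
    "access-list 103 deny tcp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 20",
    "access-list 103 permit ip any any",
)]

# ACL 103 from the Telnet example, written with the port name instead of 23.
TELNET_ACL = [parse_ace(line) for line in (
    "access-list 103 deny tcp 192.168.3.0 0.0.0.255 any eq telnet",
    "access-list 103 permit ip any any",
)]


if __name__ == "__main__":
    # Constructed sample hosts: .3.10 sits in the filtered subnet, the others elsewhere.
    print(evaluate(FTP_ACL, "tcp", "192.168.3.10", "192.168.2.5", 21))      # ('deny', 1)
    print(evaluate(FTP_ACL, "tcp", "192.168.3.10", "192.168.2.5", 80))      # ('permit', 3)
    print(evaluate(FTP_ACL, "tcp", "192.168.2.5", "192.168.3.10", 21))      # ('permit', 3) reverse direction
    print(evaluate(FTP_ACL[:2], "tcp", "192.168.3.10", "192.168.2.5", 80))  # ('deny', None) implicit deny
    print(evaluate(TELNET_ACL, "tcp", "192.168.3.10", "10.0.0.1", 23))      # ('deny', 1)
    print(evaluate(TELNET_ACL, "udp", "192.168.3.10", "10.0.0.1", 23))      # ('permit', 2) deny is tcp-only
```

Two of the checks are the ones worth remembering. Evaluating FTP_ACL[:2], the list without its permit ip any any, denies ordinary web traffic: with only deny entries, the implicit deny drops everything else, which is why a forgotten permit line takes a whole interface off the network. And the reversed packet (192.168.2.5 to 192.168.3.10, port 21) is permitted, because an entry is matched source-first; the direction written in the entry and the in/out direction chosen in ip access-group both have to agree with the traffic you actually mean to filter.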
