Access-list extended command

Extended Access-List

Prerequisite – Access-lists [ACL], Standard Access-list
An Access-list [ACL] is a set of rules defined to control network traffic and reduce network attacks. ACLs filter traffic entering or leaving the network according to those rules.

Extended Access-list –
It is the most commonly used type of Access-list because it can distinguish between kinds of IP traffic, so the whole traffic flow is not permitted or denied as a block the way it is with a standard access-list. Extended ACLs use both the source and destination IP address, and also port numbers, to distinguish IP traffic. In this type of ACL we can also specify which IP traffic should be allowed or denied. Extended ACLs use the number ranges 100-199 and 2000-2699.

Features –

  1. An extended access-list is generally applied close to the source, but not always.
  2. In an extended access-list, packet filtering takes place on the basis of source IP address, destination IP address, and port numbers.
  3. In an extended access-list, particular services can be permitted or denied.
  4. Extended ACLs are numbered 100 – 199, with the expanded range 2000 – 2699.
  5. If a numbered extended access-list is used, remember that individual rules cannot be deleted: deleting one rule deletes the whole access-list.
  6. If a named extended access-list is used, we have the flexibility to delete a single rule from the access-list.

Configuration –



Here is a small topology in which there are 3 departments namely sales, finance, and marketing. The sales department has a network of 172.16.10.40/24, the Finance department has a network of 172.16.50.0/24, and the marketing department has a network of 172.16.60.0/24. Now, we want to deny the FTP connection from the sales department to finance department and deny telnet to the Finance department from both the sales and marketing departments.

First, we configure a numbered extended access-list that denies FTP connections from the sales department to the finance department.

R1# config terminal
R1(config)# access-list 110 deny tcp 172.16.40.0 0.0.0.255 172.16.50.0 0.0.0.255 eq 21

Here we first create a numbered access-list using the number 110 [taken from the extended access-list range] and deny the sales network [172.16.40.0] from making an FTP connection to the finance network [172.16.50.0].

Note – FTP uses TCP and port number 21, so the rule names tcp and the port. The permit or deny condition is specified according to the need, and the number after eq is the port of the application-layer protocol being matched.

Next, we deny telnet connections to the finance department from both the sales and marketing departments, which means nobody should be able to telnet to the finance department. The configuration for this is:

R1(config)# access-list 110 deny tcp any 172.16.50.0 0.0.0.255 eq 23

Here we have used the keyword any, which means 0.0.0.0 0.0.0.0, i.e. any IP address from any subnet. As telnet uses port number 23, we specify port 23 after eq.

R1(config)# access-list 110 permit ip any any

This is the most important part. There is an implicit deny at the end of every access-list, which means that traffic that does not match any rule of the access-list is dropped.

Specifying any any means that traffic from any source IP address to any destination is permitted, except the traffic that matches the deny rules we made above. Now we apply the access-list to the router interface:

R1(config)# int fa0/1
R1(config-if)# ip access-group 110 out

As noted above, an extended access-list should be applied as close as possible to the source, but here it is applied close to the destination because traffic from both the sales and marketing departments has to be blocked. Otherwise we would have to make separate access-lists applied inbound on fa0/0 and fa1/0.

Named access-list example –

Using the same topology, we now make a named extended access-list.

R1(config)# ip access-list extended blockacl

This command creates an access-list named blockacl and enters its configuration mode.

R1(config-ext-nacl)# deny tcp 172.16.40.0 0.0.0.255 172.16.50.0 0.0.0.255 eq 21
R1(config-ext-nacl)# deny tcp any 172.16.50.0 0.0.0.255 eq 23
R1(config-ext-nacl)# permit ip any any

Then we apply it to the interface in the same way as the numbered access-list.

R1(config)# int fa0/1
R1(config-if)# ip access-group blockacl out


Guide to configuring Access-lists [ACLs] on Cisco devices

This guide is part of the series of Cisco switch configuration tutorials that we send to our customers. The Access-list configuration guide is intended for technical staff and network administrators; we wish you success.

First, an Access-list can be understood as a list of statements applied to the interfaces of a Cisco router or switch. This list tells the router or switch which kinds of packets are accepted and which are dropped. Accepting or dropping can be based on factors such as the source address, the destination address, or the port number.

Extended Access Control Lists, syntax of access-list IOS command to create an Extended Access Control List [ACL]

Standard Access Control Lists can filter the IP traffic ONLY based on the source IP address in an IP datagram packet.

Extended Access Control Lists can filter traffic based on several other factors:

• Source and destination IP addresses.

• Protocols like IP, TCP, UDP, ICMP etc.

• Protocol information: port numbers for TCP and UDP, or message types for ICMP.

Extended Access Control Lists are created with the "access-list" IOS command. The syntax of the "access-list" IOS command for creating an Extended Access Control List is shown below.

Router(config)# access-list [Access_list_number] permit|deny
IP_protocol source_address source_wildcard_mask
[source_protocol_information] destination_address destination_wildcard_mask
[destination_protocol_information] [log]

Access_list_number: For Extended Access Control List, Access list number must be between 100–199 or 2000–2699.

permit | deny: Whether to permit or deny traffic.

IP_protocol: IP protocol to match. The IP protocols can be IP, ICMP, TCP, GRE, UDP, IGRP, EIGRP, IGMP, IPINIP, NOS, and OSPF.

source_address: Source IP address.

source_wildcard_mask: Source wildcard mask (see the section on wildcard masks below).

source_protocol_information: Additional source protocol information, such as TCP or UDP port numbers.

destination_address: Destination IP address.

destination_wildcard_mask: Destination wildcard mask (see the section on wildcard masks below).

destination_protocol_information: Additional destination protocol information, such as TCP or UDP port numbers.

log: Specifies whether matches should be logged, either to the console or to a syslog server.

wildcard mask: Instead of specifying a single IP address, you can permit or deny whole networks/subnets, or parts of them, by using wildcard masks, also known as inverse masks. The wildcard mask is optional in the above IOS command.
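As an added example, not code from either article above, the following Python models the matching behaviour this page describes: it parses the three numbered rules of the sales/finance/marketing example in the syntax just given, compares addresses with wildcard masks, and evaluates packets first-match with the implicit deny at the end. It is a simplified model, not IOS itself: only the eq port operator is handled, and the sample ACL text and packets are constructed for the demonstration.

```python
import ipaddress
# Constructed sample: the three numbered rules from the topology example above.
ACL_110 = """
access-list 110 deny tcp 172.16.40.0 0.0.0.255 172.16.50.0 0.0.0.255 eq 21
access-list 110 deny tcp any 172.16.50.0 0.0.0.255 eq 23
access-list 110 permit ip any any
"""

def _addr(tokens):
    """Pop one address spec, 'any' or 'address wildcard'; return (address, wildcard) as ints."""
    if tokens[0] == "any":
        tokens.pop(0)
        return 0, 0xFFFFFFFF          # 'any' = every bit of the address is a don't-care
    return int(ipaddress.IPv4Address(tokens.pop(0))), int(ipaddress.IPv4Address(tokens.pop(0)))

def _port(tokens):
    """Pop an optional 'eq <port>' operator; other operators (gt, lt, range) are not modelled."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None

def parse_acl(text):
    """Parse numbered extended ACL lines into (action, proto, src, swild, sport, dst, dwild, dport)."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto, t = t[2], t[3].lower(), t[4:]   # skip 'access-list <number>'
        src, swild = _addr(t)
        sport = _port(t)
        dst, dwild = _addr(t)
        dport = _port(t)
        rules.append((action, proto, src, swild, sport, dst, dwild, dport))
    return rules

def _wild_match(addr, rule_addr, wild):
    """Wildcard-mask compare: a 1 bit in the wildcard means that bit of the address is ignored."""
    keep = ~wild & 0xFFFFFFFF
    return (addr & keep) == (rule_addr & keep)

def evaluate(rules, proto, src, sport, dst, dport):
    """Return 'permit' or 'deny': the first matching rule wins, otherwise the implicit deny applies."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, rproto, rsrc, swild, rsport, rdst, dwild, rdport in rules:
        if (rproto in ("ip", proto)                      # 'ip' matches every IP protocol
                and _wild_match(s, rsrc, swild) and _wild_match(d, rdst, dwild)
                and rsport in (None, sport) and rdport in (None, dport)):
            return action
    return "deny"  # implicit deny at the end of every access list
```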
