Configuring Named Extended Access Lists on Cisco Devices



Table of Contents

1. Introduction

2. What are Extended Access Lists?

3. Components of Extended Access Lists

Action

Protocol

Source IP and Wildcard Mask

Destination IP and Wildcard Mask

Port/Protocol

Optional Commands

4. Named Extended Access Lists

5. Configuration Examples

Example 1: Deny an Individual Host

Example 2: Permit an Entire Subnet

Example 3: Deny Everything

6. Conclusion

7. Additional Resources


1. Introduction

Extended Access Lists (ACLs) are a fundamental tool in network security and traffic management. They allow network administrators to define rules that control the flow of traffic into and out of a network based on various criteria, such as IP address, protocol, and port number. This guide will delve into the components, configuration, and application of Extended Access Lists in network environments.


2. What are Extended Access Lists?

Extended Access Lists are a type of ACL used in networking to filter traffic based on multiple criteria. Unlike standard ACLs, which only filter traffic based on source IP addresses, extended ACLs can filter traffic based on source and destination IP addresses, protocols, and port numbers. This provides a more granular level of control over network traffic.


3. Components of Extended Access Lists

Action

The action in an ACL entry determines what happens to traffic that matches it. The two actions are permit and deny. Entries are evaluated from the top down and the first match wins, so the order of entries matters as much as their content.


Protocol

The protocol field specifies the protocol type to match, such as IP, TCP, UDP, ICMP, OSPF, EIGRP, etc.


Source IP and Wildcard Mask

The source IP address and wildcard mask define the range of source IP addresses that the rule will match. For example:


  • 192.168.1.0 0.0.0.255 matches any IP address from 192.168.1.0 to 192.168.1.255.
  • host 192.168.1.1 matches only the IP address 192.168.1.1.


Destination IP and Wildcard Mask

The destination IP address and wildcard mask specify the range of destination IP addresses to match, similar to the source IP and wildcard mask.


Port/Protocol

The port/protocol field specifies the port or protocol to match. This is used primarily with TCP and UDP protocols. Common examples include:

  • eq 23 matches exactly port 23 (Telnet)
  • gt 80 matches any port greater than 80 (HTTP itself, on port 80, would be eq 80)
  • lt 443 matches any port less than 443


Optional Commands

Extended ACLs can include additional optional commands to refine the traffic matching criteria:

  • log - Generates a log message for packets that match this entry, which is how you verify that a rule is actually being hit.
  • time-range - Applies the entry only during a configured time range (a time-of-day restriction).
  • established - Valid only with tcp; matches segments with the ACK or RST bit set, i.e. replies belonging to a connection that was opened from the other side.

4. Named Extended Access Lists

Named Extended Access Lists identify a list by a descriptive name instead of a number. This is useful in larger networks where numerous ACLs might be in use, and it lets you remove or insert individual entries by sequence number instead of rewriting the whole list.

To create a named extended ACL, enter extended named ACL configuration mode (the prompt changes to config-ext-nacl):

        R-1(config)# ip access-list extended NAME


5. Configuration Examples


Example 1: Deny an Individual Host

This rule denies Telnet traffic from a specific host (192.168.20.10) to an entire subnet (172.16.0.0/16) and logs matches:

R-1(config-ext-nacl)# deny tcp host 192.168.20.10 172.16.0.0 0.0.255.255 eq 23 log


Example 2: Permit an Entire Subnet

This rule permits all traffic from the subnet 192.168.20.0/24 to any destination:

R-1(config-ext-nacl)# permit ip 192.168.20.0 0.0.0.255 any


Example 3: Deny Everything

This rule denies all traffic that did not match an earlier entry. Every ACL already ends with an implicit deny ip any any, so this explicit entry does not change what is dropped; it is still useful as a final rule because matches against it show up in the hit counters of show access-lists and it can carry the log keyword.

R-1(config-ext-nacl)# deny ip any any

Complete Configuration Examples

Example 1: Deny an Individual Host

Deny Telnet traffic from host 192.168.20.10 to the subnet 172.16.0.0/16 and log matches.

R-1# configure terminal
R-1(config)# ip access-list extended DENY_HOST_TELNET
R-1(config-ext-nacl)# deny tcp host 192.168.20.10 172.16.0.0 0.0.255.255 eq 23 log
R-1(config-ext-nacl)# exit
R-1(config)# interface GigabitEthernet0/0
R-1(config-if)# ip access-group DENY_HOST_TELNET in

Example 2: Permit an Entire Subnet

Permit all traffic from subnet 192.168.20.0/24 to any destination.

R-1# configure terminal
R-1(config)# ip access-list extended PERMIT_SUBNET
R-1(config-ext-nacl)# permit ip 192.168.20.0 0.0.0.255 any
R-1(config-ext-nacl)# exit
R-1(config)# interface GigabitEthernet0/1
R-1(config-if)# ip access-group PERMIT_SUBNET in

Example 3: Deny Everything

Deny all traffic by default. Applied on its own, this list blocks everything entering the interface; in practice it is the final entry of a longer list.

R-1# configure terminal
R-1(config)# ip access-list extended DENY_ALL
R-1(config-ext-nacl)# deny ip any any
R-1(config-ext-nacl)# exit
R-1(config)# interface GigabitEthernet0/2
R-1(config-if)# ip access-group DENY_ALL in

These configurations demonstrate how to apply Extended Access Lists to manage network traffic effectively on a Cisco router.
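To see how the components from section 3 and the ordering rules behind the examples above combine, here is an added illustration that is not part of the original article and not Cisco code: a small Python evaluator for extended ACL entries in the syntax used on this page. It implements wildcard-mask matching, the eq/gt/lt/neq port operators, the established keyword, first-match ordering and the implicit deny at the end of every list. The sample entries and packets are constructed for the demonstration; the parser is deliberately limited to the forms shown on this page (protocol, source, destination, an optional destination port operator, log, established) and does not model time-range or source-port operators.

```python
"""Evaluator for Cisco-style extended ACL entries (added example, not IOS code).

Shows why wildcard masks, entry order and the implicit deny decide a packet's
fate.  Sample rules and packets below are constructed for this illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def ip_to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must equal base."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


def parse_addr(tokens: List[str]) -> Tuple[Tuple[str, str], List[str]]:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W'; return ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


PORT_OPS = {
    "eq": lambda port, n: port == n,
    "neq": lambda port, n: port != n,
    "gt": lambda port, n: port > n,
    "lt": lambda port, n: port < n,
}


@dataclass
class Ace:
    action: str
    protocol: str
    src: Tuple[str, str]
    dst: Tuple[str, str]
    port_op: Optional[str] = None
    port: Optional[int] = None
    log: bool = False
    established: bool = False


@dataclass
class Packet:
    protocol: str  # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None
    ack: bool = False  # TCP ACK/RST bit, what 'established' looks at


def parse_ace(line: str) -> Ace:
    """Parse 'permit|deny PROTO SRC DST [op PORT] [log] [established]'."""
    tokens = line.split()
    action, protocol, rest = tokens[0], tokens[1], tokens[2:]
    src, rest = parse_addr(rest)
    dst, rest = parse_addr(rest)
    ace = Ace(action, protocol, src, dst)
    while rest:
        tok = rest.pop(0)
        if tok in PORT_OPS:
            ace.port_op, ace.port = tok, int(rest.pop(0))
        elif tok == "log":
            ace.log = True
        elif tok == "established":
            ace.established = True
        else:
            raise ValueError(f"unsupported keyword in this example parser: {tok}")
    return ace


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.protocol != "ip" and ace.protocol != pkt.protocol:
        return False  # 'ip' matches every IP protocol; anything else must match exactly
    if not wildcard_match(pkt.src, *ace.src) or not wildcard_match(pkt.dst, *ace.dst):
        return False
    if ace.port_op is not None:
        if pkt.dport is None or not PORT_OPS[ace.port_op](pkt.dport, ace.port):
            return False
    if ace.established and not pkt.ack:
        return False
    return True


def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, str, bool]:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace.action, line, ace.log
    return "deny", "<implicit deny ip any any>", False


# Constructed sample list: the three entries from the article's examples, in order.
SAMPLE_ACL = [
    "deny tcp host 192.168.20.10 172.16.0.0 0.0.255.255 eq 23 log",
    "permit ip 192.168.20.0 0.0.0.255 any",
    "deny ip any any",
]

if __name__ == "__main__":
    telnet = Packet("tcp", "192.168.20.10", "172.16.5.5", dport=23)
    print(evaluate(SAMPLE_ACL, telnet))            # denied and logged by entry 1
    print(evaluate(SAMPLE_ACL[::-1], telnet))      # same entries reversed: deny any any wins
```

Running it shows the ordering lesson directly: with the entries in the article's order the Telnet packet is denied and logged by the first entry while other traffic from 192.168.20.0/24 is permitted; reverse the list and deny ip any any matches everything first, and dropping the last entry changes nothing because the implicit deny still catches unmatched packets.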


6. Conclusion

Extended Access Lists are powerful tools for managing and securing network traffic. By understanding the components and how to configure them, network administrators can create precise rules that ensure the network operates securely and efficiently.
