Cisco Extended Numbered Access Control List Configuration

By | April 27, 2014

Hi there, in my last article we covered the Standard Numbered Access Control List. Did you try those labs? If yes, let's move on to the next type of Cisco access list, the Extended Numbered Access Control List. If you have not read the previous article, I recommend checking it out first before continuing with this tutorial.

In this article I'm going to walk through extended numbered access control list examples and configurations in Packet Tracer. As the name indicates, this kind of ACL is an extended form of the Standard Numbered ACL. It matches on the source network, the destination network, the protocol to be denied/permitted and the port to be blocked/permitted. Thus it provides finer-grained filtering, and better network security, than a standard numbered ACL, which can only look at the source address.

[Image: Extended Numbered Access Control List]

This extended numbered access control list guide provides well described scenarios and images for better understanding.
I assume you are already aware of what an access list is and of the types of Cisco access lists.

What is Extended Numbered Access Control List?

  • This type of ACL permits or denies traffic based on the source address and the destination address, and optionally on the protocol and the port number.
  • Valid extended numbered ACLs are 100 to 199 (the expanded range 2000 to 2699 is also available).
  • Extended numbered access list syntax is,

access-list <100-199> <permit/deny> <protocol> <source address> <wildcard mask> <destination address> <wildcard mask> [<operator> <port>]

The operator and port are optional and only meaningful for tcp and udp; without them the entry matches the whole protocol.

  • Usually it is bound to an interface in the ‘in’ (inbound) direction.

[Image: Extended Numbered Access Control List Interface]

  • Since it filters on both source and destination, an extended numbered access list is applied on the interface closest to the source network: the unwanted traffic is dropped before it crosses the network, and because the destination is part of the match, legitimate traffic from the same source to other destinations is not affected.

Extended Numbered Access Control List Command Interpretation

The parameters of the extended numbered ACL syntax are described below.

<100-199> is extended numbered access control list range.

<protocol>

Protocol   Description
ahp        Authentication Header Protocol
eigrp      Cisco's EIGRP routing protocol
esp        Encapsulating Security Payload
gre        Cisco's GRE tunneling
icmp       Internet Control Message Protocol
ip         Any Internet Protocol (matches every protocol above)
ospf       OSPF routing protocol
tcp        Transmission Control Protocol
udp        User Datagram Protocol

<operator>

Operator      Description
dscp          Match packets with the given DSCP value (a QoS marking, not a port)
eq            Match only packets on the given port number
established   Match only TCP packets with the ACK or RST bit set, i.e. replies belonging to an already established connection (tcp only)
gt            Match only packets with a port number greater than the one given
lt            Match only packets with a port number lower than the one given
neq           Match only packets not on the given port number
precedence    Match packets with the given IP precedence value (a QoS marking, not a port)
range         Match only packets whose port number lies within the given range

<port>

Port        Description
<0-65535>   Port number (any numeric port)
ftp         File Transfer Protocol (21)
pop3        Post Office Protocol v3 (110)
smtp        Simple Mail Transfer Protocol (25)
telnet      Telnet (23)
www         World Wide Web (HTTP, 80)

Extended Numbered Access Control List Configuration Example in Packet Tracer

Well, how do you configure an Extended Numbered Access List on a Cisco router? Let's see the configuration commands with the help of a Packet Tracer network scenario.

I didn't use the Operator and Port parameters in the following examples because, instead of blocking a particular protocol, I simply blocked all IP traffic. If you would like to deny a specific service, add those parameters to the entry as well (for example, deny tcp with eq telnet to block only Telnet).

Example 1: Deny a Complete Network

In this example I'm going to block the network N4 (40.0.0.0/8) from accessing the network N1 (10.0.0.0/8).

[Image: Extended Numbered Access List deny Complete Network]

The configuration defines an access list which denies the source network N4 (40.0.0.0/8) access to the destination network N1 (10.0.0.0/8). Just configuring the ACL won't do anything in the network; we also have to apply it to the FastEthernet 0/1 port of Router 2, since Router 2 is closest to the source network. Note the second line: every ACL ends with an implicit deny of everything that did not match an earlier entry, so without the explicit permit ip any any the list would block all traffic entering that interface, not just N4 to N1.

R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#access-list 100 deny ip 40.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
R2(config)#access-list 100 permit ip any any
R2(config)#interface f0/1
R2(config-if)#ip access-group 100 in
R2(config-if)#exit

Example 2 – Deny a Specific Host and Permit All other Host

This configuration denies the host 40.0.0.2 (in 40.0.0.0/8) access to the network 10.0.0.0/8, whereas all other hosts can still access the 10.0.0.0/8 network. The host keyword is shorthand for the wildcard mask 0.0.0.0, i.e. an exact match on a single address.

[Image: Extended Access List deny Single host]

R2#configure t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#access-list 101 deny ip host 40.0.0.2 10.0.0.0 0.255.255.255
R2(config)#access-list 101 permit ip any any
R2(config)#interface f0/1
R2(config-if)#ip access-group 101 in
R2(config-if)#exit

Example 3 – Permit a Specific Host and Deny all other Host

This example permits the host 40.0.0.2 to access the 10.0.0.0/8 network, while all other hosts in 40.0.0.0/8 are denied access to 10.0.0.0/8. Order matters here: the permit for the single host must come before the deny for the whole network, because entries are evaluated from top to bottom and the first match wins. With the two lines swapped, the host would be denied like everyone else and the permit would never be reached.

[Image: Extended Numbered Access List Permit Single host]

R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#access-list 102 permit ip host 40.0.0.2 10.0.0.0 0.255.255.255
R2(config)#access-list 102 deny ip 40.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
R2(config)#access-list 102 permit ip any any
R2(config)#interface fastEthernet 0/1
R2(config-if)#ip access-group 102 in
R2(config-if)#exit

Example 4 – Deny Communication between Two Hosts Only And Permit Others

This is peer-to-peer blocking. Here the communication between host 40.0.0.4 and host 10.0.0.4 is blocked. All other hosts in these networks can communicate with each other. Keep in mind that the list only drops packets from 40.0.0.4 to 10.0.0.4 as they enter f0/1; packets sent by 10.0.0.4 still reach 40.0.0.4, but the replies are dropped, so no session between the two can complete.

[Image: Deny Communication between Two Hosts]

R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#access-list 103 deny ip host 40.0.0.4 host 10.0.0.4
R2(config)#access-list 103 permit ip any any
R2(config)#interface f0/1
R2(config-if)#ip access-group 103 in
R2(config-if)#exit
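The syntax and operator tables above and Examples 1 to 4 describe how the router walks an extended numbered list. The following Python model is an added example written for this article (it is not Cisco code or Packet Tracer output) that implements the same rules: wildcard-mask comparison, first-match evaluation, the implicit deny, the destination-port operators and the established keyword. It also adds a small check for entries that an earlier entry shadows, which is what goes wrong if the permit and deny lines of Example 3 are swapped. The access-list lines it understands are the ones from the examples plus constructed lists that use eq telnet and established; the Packet and Entry classes and all function names are this example's own, and the operator is only parsed after the destination address, a simplification of the real CLI.

```python
"""Constructed model of how a Cisco extended numbered ACL evaluates a packet.
Written for this article, not Cisco code: first-match ordering, wildcard masks,
the implicit deny and the port operators from the tables above. Simplification:
an operator is parsed only after the destination address, never after the source.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

MASK32 = 0xFFFFFFFF
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "www": 80, "pop3": 110}

@dataclass
class Packet:
    proto: str                   # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None  # destination port (tcp/udp only)
    ack: bool = False            # TCP ACK or RST bit set, i.e. a reply packet

@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: int
    src_wc: int                  # wildcard mask: a 1 bit means "don't care"
    dst: int
    dst_wc: int
    op: Optional[str] = None     # eq / neq / gt / lt / range / established
    ports: tuple = ()

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def wildcard_match(addr, base, wc):
    # Compare only the bit positions where the wildcard mask is 0.
    return (addr & ~wc & MASK32) == (base & ~wc & MASK32)

def _take_addr(tokens):
    # Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' from the front of tokens.
    t = tokens.pop(0)
    if t == "any":
        return 0, MASK32
    if t == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(t), _ip(tokens.pop(0))

def parse_entry(line):
    """Parse 'access-list <n> <permit|deny> <proto> <src> <dst> [<op> <port>]'."""
    tokens = line.split()
    number = int(tokens[1]) if tokens[0] == "access-list" else -1
    if not (100 <= number <= 199 or 2000 <= number <= 2699):
        raise ValueError(f"not an extended numbered access-list line: {line}")
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    src, src_wc = _take_addr(rest)
    dst, dst_wc = _take_addr(rest)
    op, ports = None, ()
    if rest:
        op = rest.pop(0)
        n = 2 if op == "range" else 0 if op == "established" else 1
        ports = tuple(PORT_NAMES.get(t) or int(t) for t in rest[:n])
    return number, Entry(action, proto, src, src_wc, dst, dst_wc, op, ports)

def parse_acl(lines):
    # Entries keep the order they were typed in; that order is the evaluation order.
    return [parse_entry(line)[1] for line in lines if line.strip()]

def _port_ok(e, pkt):
    if e.op == "established":
        return pkt.proto == "tcp" and pkt.ack
    if pkt.dport is None:
        return False
    p, lo = pkt.dport, e.ports[0]
    return {"eq": p == lo, "neq": p != lo, "gt": p > lo, "lt": p < lo,
            "range": lo <= p <= e.ports[-1]}[e.op]

def evaluate(acl, pkt):
    """Return (action, index of the matching entry); the first match wins."""
    s, d = _ip(pkt.src), _ip(pkt.dst)
    for i, e in enumerate(acl):
        if (e.proto in ("ip", pkt.proto) and wildcard_match(s, e.src, e.src_wc)
                and wildcard_match(d, e.dst, e.dst_wc) and (e.op is None or _port_ok(e, pkt))):
            return e.action, i
    return "deny", None   # implicit 'deny ip any any' at the end of every ACL

def _covers(a, b):
    # True when every packet b could match would already have matched the earlier a.
    if a.op is not None or a.proto not in ("ip", b.proto):
        return False
    for base_a, wc_a, base_b, wc_b in ((a.src, a.src_wc, b.src, b.src_wc),
                                       (a.dst, a.dst_wc, b.dst, b.dst_wc)):
        care = ~wc_a & MASK32            # bit positions that a compares
        if wc_b & care or (base_a & care) != (base_b & care):
            return False
    return True

def shadowed(acl):
    """(later, earlier) index pairs where the later entry can never be reached."""
    return [(j, i) for j in range(len(acl)) for i in range(j) if _covers(acl[i], acl[j])]
```

Feed it the lines of an example list and a few packets: evaluate returns the action and which entry matched, and None for the index when the packet fell through to the implicit deny. Running shadowed over Example 3 returns nothing, while running it over the same list with the first two lines swapped reports that the host permit is unreachable, which is exactly the mistake the router will accept silently.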

***   ***   ***

Access List Verification and Testing Commands

Here are some selected commands that a network administrator should know.

#show ip access-lists: Check Access List

This command shows all the access lists defined on the router (show ip access-lists limits the output to IP lists; show access-lists prints every list). On IOS each entry also carries a hit counter, shown as "(N matches)", which is the quickest way to confirm that a line is really matching the traffic you expect.

R2#show access-lists
Extended IP access list 100
deny ip 40.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
permit ip any any

Check Binding Interface

How do you know which access list is bound to which interface? Use the show running-config command and look for the ip access-group line under each interface. The command show ip interface <name> also reports the inbound and outbound access lists of a single interface.

R2#show running-config
Building configuration...

Current configuration : 841 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R2
!
!
spanning-tree mode pvst
!
interface FastEthernet0/0
ip address 30.0.0.1 255.0.0.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 40.0.0.1 255.0.0.0
ip access-group 100 in

How to Remove Extended Numbered Access List

Use the ‘no’ form of the command to remove an ACL. This removes the whole list 100 with all of its entries, not a single line; the classic form no access-list 100 does the same. Unbind the list from its interfaces first (see the next section): on IOS an ip access-group that refers to a list which no longer exists filters nothing, so deleting a list that is still bound silently opens the interface to all traffic.

R2(config)#no ip access-list extended 100

Unbind Access List from an Interface

How do you unbind an access list from an interface? For unbinding we also use the ‘no’ form of the command, this time in interface configuration mode.

R2(config)#interface f0/1
R2(config-if)#no ip access-group 100 in

How to Edit Access Control List Cisco

Classic numbered access lists cannot be edited line by line: no access-list 100 followed by an entry removes the entire list 100, not just that entry. Hence copy the list into a text editor, edit it there, remove the old list and paste the edited one back. On IOS 12.3 and later you can instead enter ip access-list extended 100 and add or remove individual entries by sequence number, as with named ACLs.
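The editing workflow above, together with the "Check Binding Interface" step, as an added Python example written for this article (it is not a Cisco tool). It parses a saved show running-config (the excerpt in SAMPLE_CONFIG is constructed in the style of the output shown earlier), lists the entries and interface bindings of a numbered list, and emits a replacement script. Rather than deleting list 100 while it is still bound, which on IOS leaves the interface forwarding everything unfiltered until the list exists again, the script builds the edited list under a free number, re-points the interface at it (a new ip access-group in the same direction replaces the old one) and only then deletes the old list. The function names and the constructed config are this example's own.

```python
"""Constructed helper for editing a classic numbered ACL without an unfiltered window.
Written for this article, not a Cisco tool. It reads a saved 'show running-config',
extracts one numbered list and its interface bindings, and emits commands that build
the edited list under a free number, swap the binding, and then drop the old list.
"""
import re

# Constructed excerpt in the style of the running-config shown above.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 30.0.0.1 255.0.0.0
!
interface FastEthernet0/1
 ip address 40.0.0.1 255.0.0.0
 ip access-group 100 in
!
access-list 100 deny ip 40.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 100 permit ip any any
"""

def acl_entries(config, number):
    """'access-list <number> ...' lines in the order they appear (= evaluation order)."""
    return re.findall(rf"^access-list {number} (?:permit|deny) .*$", config, re.M)

def acl_bindings(config, number):
    """(interface, direction) pairs that carry 'ip access-group <number> in|out'."""
    bindings, iface = [], None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            iface = m.group(1)
            continue
        if not line.startswith(" "):      # a non-indented line ends the interface block
            iface = None
            continue
        m = re.match(rf"\s*ip access-group {number} (in|out)\b", line)
        if m and iface:
            bindings.append((iface, m.group(1)))
    return bindings

def free_number(config, lo=100, hi=199):
    """Lowest extended-range list number neither defined nor referenced in the config."""
    used = set(map(int, re.findall(r"^access-list (\d+)", config, re.M)))
    used |= set(map(int, re.findall(r"ip access-group (\d+)", config)))
    for n in range(lo, hi + 1):
        if n not in used:
            return n
    raise RuntimeError("no free extended numbered ACL in range")

def edit_script(config, number, new_body):
    """Commands that replace list <number> with new_body (entries without the prefix).

    Order matters: create the new list first, re-point each bound interface at it
    (a new 'ip access-group' in the same direction replaces the old binding), and
    only then remove the old list, so no packet is ever forwarded unfiltered.
    """
    new = free_number(config)
    cmds = ["configure terminal"]
    cmds += [f"access-list {new} {entry}" for entry in new_body]
    for iface, direction in acl_bindings(config, number):
        cmds += [f"interface {iface}", f" ip access-group {new} {direction}", " exit"]
    cmds += [f"no access-list {number}", "end"]
    return cmds

if __name__ == "__main__":
    # Replace Example 1 with the peer-to-peer block of Example 4, without a filtering gap.
    body = ["deny ip host 40.0.0.4 host 10.0.0.4", "permit ip any any"]
    print("\n".join(edit_script(SAMPLE_CONFIG, 100, body)))
```

Paste the emitted commands into the router as one block, then run show access-lists and show running-config again to confirm that the interface now references the new number and the old list is gone. Renumbering is a trade-off: it keeps the interface filtered at every step, but documentation and monitoring that refer to list 100 have to be updated.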

That's it; did this extended numbered access control list tutorial help you? Please share your views in the comments.

So the basic access list configuration has been completed. Next we will see 2 types of Named access Control List.

One thought on “Cisco Extended Numbered Access Control List Configuration”

  1. Joao Ferreira

    Hi,

    It seems there is a typo here:

    Example 4 – Deny Communication between Two Hosts Only And Permit Others

    This is a peer to peer blocking. Here the communication between host 40.0.0.04/8 and host 40.0.0.4/8 blocked. All other host in these networks can communicate each other.

    Where you write “Here the communication between host 40.0.0.04/8 and host 40.0.0.4/8 blocked” I think that you mean:

    “Here the communication between host 40.0.0.4/8 and host 10.0.0.2/8 blocked”

    I changed the destination IP and removed an extra 0 on the source IP (.04 to .4).

    Regards

    Joao Ferreira

