How to Configure Cisco Extended Named Access Control List in Router

July 12, 2014

This is the last section of the Cisco Access Control Lists series. So far we have seen three types of Access Control Lists: Standard Numbered ACL, Extended Numbered ACL and Standard Named ACL. One more remains in Cisco ACLs: the Extended Named Access Control List.

After reading my previous articles you should know what an access list does. An access list is a network security feature that permits or denies traffic between networks; with Access Control Lists you can block or allow specific end users' access to certain network resources. Today we will go through the Extended Named Access List with different examples in Packet Tracer.

What is Extended Named Access Control List?

  • An Extended Named ACL denies or permits traffic based on both the source network address and the destination network address.
  • A specific ‘name’ is used to identify the ACL.
  • It is usually bound to the interface as ‘in’.

[Figure: Extended Named Access Control List bound to an interface]

  • Because it filters on the source address (as well as the destination), an extended named access list is typically applied on the interface adjacent to the source network.

Extended Named Access Control List Command Interpretation

The syntax of an Extended Named ACL is as follows; each term in the ACL commands is explained below.

router(config)#ip access-list extended [name]
router(config-ext-nacl)#[permit/deny] [protocol] [source network] [wildcard mask] [destination network] [wildcard mask] [operator] [port]

[protocol]

Protocol     Description
ahp          Authentication Header Protocol
eigrp        Cisco’s EIGRP routing protocol
esp          Encapsulating Security Payload
gre          Cisco’s GRE tunneling
icmp         Internet Control Message Protocol
ip           Any Internet Protocol
ospf         OSPF routing protocol
tcp          Transmission Control Protocol
udp          User Datagram Protocol

[operator]

Operator     Description
dscp         Match packets with the given DSCP value
eq           Match only packets on the given port number
established  Match only TCP packets of an already established connection (ACK or RST bit set)
gt           Match only packets with a greater port number
lt           Match only packets with a lower port number
neq          Match only packets not on the given port number
precedence   Match packets with the given precedence value
range        Match only packets within the given range of port numbers

[port]

Port         Description
(number)     A port given numerically
ftp          File Transfer Protocol (21)
pop3         Post Office Protocol v3 (110)
smtp         Simple Mail Transfer Protocol (25)
telnet       Telnet (23)
www          World Wide Web (HTTP, 80)

Extended Named Access Control List Configuration Example in Packet Tracer

Well, let’s begin our configurations for the Extended Named Access Control List with the help of Packet Tracer. Here I demonstrate different situations where an Extended Named ACL is used. Please try these examples and get familiar with Cisco ACLs.

Please note: the following examples do not use the [operator] and [port] arguments; they block all IP traffic instead of denying a specific port. That does not mean you must leave out [operator] and [port]; it depends on your requirements.

Example 1: Deny a Complete Network

This configuration denies traffic from Network N4 (40.0.0.0/8) arriving at Network N1 (10.0.0.0/8): the whole of Network N4 is blocked from accessing Network N1.

[Figure: Extended Named Access List, deny a complete network]

R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#ip access-list extended TEST1
R2(config-ext-nacl)#deny ip 40.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
R2(config-ext-nacl)#permit ip any any
R2(config-ext-nacl)#exit
R2(config)#interface fastEthernet 0/1
R2(config-if)#ip access-group TEST1 in
R2(config-if)#exit

Example 2 – Deny a Specific Host and Permit All other Host

Such a situation is common in enterprise networks. Here we block a particular host (40.0.0.2/8) from accessing network N1 (10.0.0.0/8).

[Figure: Extended Named Access List, deny a single host]

R2(config)#ip access-list extended TEST2
R2(config-ext-nacl)#deny ip host 40.0.0.2 10.0.0.0 0.255.255.255
R2(config-ext-nacl)#permit ip any any
R2(config-ext-nacl)#exit
R2(config)#interface fastEthernet 0/1
R2(config-if)#ip access-group TEST2 in
R2(config-if)#exit

Example 3 – Permit a Specific Host and Deny all other Host

This is the inverse of Example 2. Here we permit a particular host (40.0.0.2/8) while blocking all other hosts in network N4 (40.0.0.0/8). The permit entry must come before the network deny, because entries are checked in order and the first match wins.

[Figure: Extended Named Access List, permit a single host]

R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#ip access-list extended TEST3
R2(config-ext-nacl)#permit ip host 40.0.0.2 10.0.0.0 0.255.255.255
R2(config-ext-nacl)#deny ip 40.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
R2(config-ext-nacl)#permit ip any any
R2(config-ext-nacl)#exit
R2(config)#interface fastEthernet 0/1
R2(config-if)#ip access-group TEST3 in
R2(config-if)#exit

Example 4 – Deny Communication between Two Hosts Only and Permit Others

This is an advantage of extended Access Lists. This kind of filtering is impossible with a Standard ACL, which considers only the source address. Because an extended ACL considers both source and destination, it is possible to block traffic between two specific hosts in two different networks (a peer-to-peer deny) while permitting everything else.

[Figure: Extended Named Access List, peer-to-peer deny]

R2#conf terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#ip access-list extended TEST4
R2(config-ext-nacl)#deny ip host 40.0.0.4 host 10.0.0.4
R2(config-ext-nacl)#permit ip any any
R2(config-ext-nacl)#exit
R2(config)#interface fastEthernet 0/1
R2(config-if)#ip access-group TEST4 in
R2(config-if)#exit
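To make the command syntax from the earlier section concrete, and to check Examples 1 to 4 against actual packets, here is a small Python model of how a router evaluates an extended named ACL: wildcard masks, the host/any keywords, the [operator] [port] clause, first-match ordering and the implicit deny at the end of every list. This is an added illustration, not Cisco code and not part of the original article. The entries TEST1 to TEST4 are copied from the examples above; the packets are constructed sample values; TEST5 (an entry using [operator] and [port]) and the reordered copy of TEST3 are my own additions.

```python
"""Model of how a router evaluates an IOS extended ACL: wildcard masks,
the host/any keywords, [operator] [port] clauses, first-match semantics
and the implicit deny at the end of every list.
Added illustration only: not Cisco code and not the article's own output."""
import ipaddress

# Named ports from the article's [port] table.
NAMED_PORTS = {"ftp": 21, "pop3": 110, "smtp": 25, "telnet": 23, "www": 80}
OPERATORS = ("eq", "neq", "gt", "lt", "range")


def wildcard_match(addr, network, wildcard):
    """A wildcard bit of 1 means 'ignore this bit'; 0 means 'must match'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


def _take_address(tokens):
    """Consume one address spec: 'any', 'host A' or 'A WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ("0.0.0.0", "255.255.255.255")
    if tok == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (tok, tokens.pop(0))


def _take_ports(tokens):
    """Consume an optional [operator] [port] clause; None if absent."""
    if not tokens or tokens[0] not in OPERATORS:
        return None
    op = tokens.pop(0)
    ports = []
    for _ in range(2 if op == "range" else 1):
        tok = tokens.pop(0)
        ports.append(int(NAMED_PORTS.get(tok, tok)))
    return (op, ports)


def parse_entry(line):
    """'permit|deny PROTO SRC [ports] DST [ports]' -> dict. As in IOS, a
    source-port clause comes right after the source address."""
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    src, sport = _take_address(tokens), _take_ports(tokens)
    dst, dport = _take_address(tokens), _take_ports(tokens)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport}


def _port_ok(clause, port):
    if clause is None:
        return True
    op, p = clause
    return {"eq": port == p[0], "neq": port != p[0], "gt": port > p[0],
            "lt": port < p[0], "range": p[0] <= port <= p[-1]}[op]


def entry_matches(entry, pkt):
    """pkt: dict with proto, src, dst and optional sport/dport."""
    if entry["proto"] != "ip" and entry["proto"] != pkt["proto"]:
        return False
    return (wildcard_match(pkt["src"], *entry["src"])
            and wildcard_match(pkt["dst"], *entry["dst"])
            and _port_ok(entry["sport"], pkt.get("sport", 0))
            and _port_ok(entry["dport"], pkt.get("dport", 0)))


def evaluate(acl, pkt):
    """Entries are checked top-down; the first match decides. A packet that
    matches nothing hits the implicit 'deny' at the end of every ACL."""
    for line in acl:
        entry = parse_entry(line)
        if entry_matches(entry, pkt):
            return entry["action"], line
    return "deny", "implicit deny"


# The article's ACLs, exactly as configured on R2 in Examples 1 to 4.
TEST1 = ["deny ip 40.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255",
         "permit ip any any"]
TEST2 = ["deny ip host 40.0.0.2 10.0.0.0 0.255.255.255", "permit ip any any"]
TEST3 = ["permit ip host 40.0.0.2 10.0.0.0 0.255.255.255",
         "deny ip 40.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255",
         "permit ip any any"]
TEST4 = ["deny ip host 40.0.0.4 host 10.0.0.4", "permit ip any any"]
# Two additions of my own: TEST3 with its first two lines swapped (the network
# deny then shadows the host permit) and an entry that uses [operator] [port].
TEST3_SWAPPED = [TEST3[1], TEST3[0], TEST3[2]]
TEST5 = ["deny tcp 40.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 eq telnet",
         "permit ip any any"]


def pkt(src, dst, proto="icmp", dport=0):
    """Constructed sample packet (only the fields the ACL looks at)."""
    return {"proto": proto, "src": src, "dst": dst, "dport": dport}


if __name__ == "__main__":
    for name, acl, p in [("TEST1", TEST1, pkt("40.0.0.7", "10.0.0.1")),
                         ("TEST3", TEST3, pkt("40.0.0.2", "10.0.0.1")),
                         ("TEST3_SWAPPED", TEST3_SWAPPED, pkt("40.0.0.2", "10.0.0.1")),
                         ("TEST5", TEST5, pkt("40.0.0.1", "10.0.0.1", "tcp", 23))]:
        print(name, p["src"], "->", p["dst"], evaluate(acl, p))
```

Running it shows the same host 40.0.0.2 permitted by TEST3 but denied by TEST3_SWAPPED, which is why Example 3 places the host permit before the network deny. The last branch of `evaluate` is the implicit deny: a list containing only deny entries blocks everything, which is why every example ends with `permit ip any any`.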

*** *** ***

Access List Verification and Testing Commands

The examples above cover the configuration of Cisco Extended Named Access Control Lists. Some verification and troubleshooting commands remain; let’s discuss them in this section.

#show ip access-lists: Check Access List

It lists all ACLs configured on the router.

R2#show ip access-lists
Extended IP access list TEST1
deny ip 40.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
permit ip any any
Extended IP access list TEST2
deny ip host 40.0.0.2 10.0.0.0 0.255.255.255
permit ip any any

Check Binding Interface

This command shows which interface the ACL is bound to, and in which direction.

R2#show running-config
Building configuration...

Current configuration : 938 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R2
!
spanning-tree mode pvst
!
interface FastEthernet0/0
ip address 30.0.0.1 255.0.0.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 40.0.0.1 255.0.0.0
ip access-group TEST2 in
duplex auto
speed auto
!
interface Serial0/2/0
ip address 50.0.0.2 255.0.0.0
ipv6 ospf cost 781
!
interface FastEthernet1/0
no ip address
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
router eigrp 1
network 30.0.0.0
network 40.0.0.0
network 50.0.0.0
no auto-summary
!
ip classless
!
!
ip access-list extended TEST1
deny ip 40.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
permit ip any any
ip access-list extended TEST2
deny ip host 40.0.0.2 10.0.0.0 0.255.255.255
permit ip any any
!
--More--

How to Remove an Extended Named Access List

To remove an ACL from the router, use the ‘no’ form of the command.

R2(config)#no ip access-list extended TEST1

Unbind an Access List from an Interface

How do you detach an ACL from an interface? Here too we use the ‘no’ form of the command, this time in interface configuration mode.

R2(config-if)#no ip access-group TEST2 in

How to Edit Access Control List Cisco

Another advantage of Named ACLs is the ability to edit access list lines. We can add further lines to an ACL, but keep in mind that new entries are added at the bottom of the ACL; we can’t insert new lines between two entries of an already defined ACL.
In the following example I added the ‘deny ip 30.0.0.0……’ line after removing ‘permit ip any any’ with the ‘no’ form of the command, and then added ‘permit ip any any’ again.

R2#show ip access-lists
Extended IP access list TEST1
deny ip 40.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
permit ip any any
R2#conf terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#ip access-list extended TEST1
R2(config-ext-nacl)#no permit ip any any
R2(config-ext-nacl)#deny ip 30.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
R2(config-ext-nacl)#permit ip any any
R2#show ip access-lists
Extended IP access list TEST1
deny ip 40.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
deny ip 30.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
permit ip any any

To add the line ‘deny ip 30.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255’, I first removed the ‘permit ip any any’ line and added it back at the end, because new entries are always appended at the bottom of an ACL.
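The reason for this remove-then-re-add procedure is worth checking mechanically: had the deny line simply been appended below ‘permit ip any any’, the router would never reach it, because the first matching entry wins. The following Python, an added illustration that is not Cisco code and not part of the original article, models the append behaviour and flags entries that an earlier, broader entry makes unreachable. It handles only ‘permit|deny ip SRC DST’ entries without [operator] or [port], which is all the editing example above uses; TEST1 and NEW_LINE are copied from the article.

```python
"""Why the article removes 'permit ip any any' before appending a deny:
IOS adds new named-ACL entries at the bottom, and an entry placed after a
line that already matches everything it matches can never be reached.
Added illustration only: not Cisco code and not the article's own output.
Handles only 'permit|deny ip SRC DST' entries without [operator]/[port],
which is all the article's editing example uses."""
import ipaddress

ANY = (0, 0xFFFFFFFF)   # 'any' == network 0.0.0.0 with wildcard 255.255.255.255


def _addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (network, wildcard) ints."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    net, wc = (tokens.pop(0), "0.0.0.0") if tok == "host" else (tok, tokens.pop(0))
    return int(ipaddress.IPv4Address(net)), int(ipaddress.IPv4Address(wc))


def parse_ip_entry(line):
    """'permit|deny ip SRC DST' -> (action, src, dst)."""
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    if proto != "ip":
        raise ValueError("this checker models only 'ip' entries: " + line)
    src = _addr(tokens)
    dst = _addr(tokens)
    return action, src, dst


def covers(outer, inner):
    """True if every address matched by 'inner' is also matched by 'outer':
    outer ignores at least the bits inner ignores, and the two agree on the
    bits outer actually checks."""
    onet, owc = outer
    inet, iwc = inner
    return (owc | iwc) == owc and (onet & ~owc) == (inet & ~owc)


def unreachable_entries(acl):
    """Lines that can never match because an earlier line already matches
    every packet they would (the router stops at the first match)."""
    parsed = [parse_ip_entry(line) for line in acl]
    dead = []
    for i, (_, src, dst) in enumerate(parsed):
        if any(covers(s, src) and covers(d, dst) for _, s, d in parsed[:i]):
            dead.append(acl[i])
    return dead


def append_entry(acl, line):
    """What typing a new entry at the R2(config-ext-nacl)# prompt does:
    the entry goes to the bottom of the list."""
    return acl + [line]


def insert_before_catch_all(acl, line):
    """The article's procedure: 'no permit ip any any', add the new line,
    then 'permit ip any any' again so the catch-all stays last."""
    catch_all = [l for l in acl if parse_ip_entry(l)[1:] == (ANY, ANY)]
    rest = [l for l in acl if parse_ip_entry(l)[1:] != (ANY, ANY)]
    return rest + [line] + catch_all


# TEST1 and the new line, as in the article's editing example.
TEST1 = ["deny ip 40.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255",
         "permit ip any any"]
NEW_LINE = "deny ip 30.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255"

if __name__ == "__main__":
    naive = append_entry(TEST1, NEW_LINE)
    print("appended directly, unreachable:", unreachable_entries(naive))
    fixed = insert_before_catch_all(TEST1, NEW_LINE)
    print("article's procedure, unreachable:", unreachable_entries(fixed))
```

The same check also catches the ordering mistake from Example 3: if the network-wide deny is placed above the single-host permit, `unreachable_entries` reports the permit line, which is a useful review step before applying an edited ACL to a production interface.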

***

Wow! We have completed all 4 kinds of Cisco Access Lists. Please review all of them; in my next article I will come with some different Cisco router topics. Till then, try your own network topology and experiment with your routing skills.
