Network Fundamentals II

Extended ACLs

Extended Access Lists

Extended ACLs are used more often than standard ACLs because they provide a greater range of control. Extended ACLs check the source and destination packet addresses as well as being able to check for protocols and port numbers. This gives greater flexibility to describe what the ACL will check. Packets can be permitted or denied access based on where the packet originated and its destination as well as protocol type and port addresses.

Extended Access Lists

Extended Access Lists - Examples

port number or protocol name

The ip access-group command links an existing extended ACL to an interface. Remember that only one ACL per interface, per direction, per protocol is allowed. The format of the command is: Router(config-if)#ip access-group access-list-number {in | out}

Extended IP Access List

Extended IP ACL allow: Choice of source and destination IP address Protocol and Port number (identifies upper layer protocol or application) Using extended IP access list you can allow users access to the physical LAN and stop them using certain services

Extended IP Access List

Use extended range from 100 to 199
RouterA(config)#access-list 110 Specify permit or deny RouterA(config)#access-list 110 deny Then choose a network layer protocol field entry RouterA(config)#access-list 110 deny tcp Then choose the source and destination address RouterA(config)#access-list 110 deny tcp any host 172.16.30.2

now going to match a given port number

RouterA(config)#access-list 110 deny tcp any host 172.16.30.2 eq 23 log

Extended IP Access List

Keep in mind that the next line is an implicit deny any statement Therefore must place after: RouterA(config)#access-list 110 permit ip any 0.0.0.0 255.255.255.255

Once access list has been created you must apply it to an interface. Use the same command as the IP standard list RouterA(config-if)ip access-group 110 in or RouterA(config-if)ip access-group 110 outRouterA(config-if)ip access-group 110 in

IP ACL example with 3 LANS and a WAN connection

Finance 172.16.10.0
Server 172.16.10.5

E0 E1 Marketing 172.16.30.0 E2 S0 Internet

Sales 172.16.40.0

Extended IP Access List Example

Using the same example Deny access to a server on the finance department LAN for both Telenet and ftp services on server 172.16.10.5 All other services on the LAN are acceptable for the sales and marketing departments to access

Extended IP Access List example

Acme#config t Acme(config)#access-list 110 deny tcp any host 172.16.10.5 eq 21 Acme(config)#access-list 110 deny tcp any host 172.16.10.5 eq 21 Acme(config)#access-list 110 permit ip any any After the lists are created, they need to b applied to the Ethernet 0 port This is because the other three interfaces on the router need access to the LAN However, if this list were created to only block sales, then we would want to put this list closest to the source on ethernet 2 Acme(config-if)ip access-group 110 out

Example 1
172.16.20.0/24 s0 RouterA .1 e0 .1 s0 .2 RouterB .1 e0 172.16.40.0/24 s1 .1 s0 .2 RouterC .1 e0 Administration Sales Engineering

172.16.10.3/24 172.16.10.2/24

172.16.30.3/24 172.16.30.2/24

172.16.50.3/24 172.16.50.2/24

Port 80

Task What if we wanted Router A to permit only the Engineering workstation 172.16.50.2 to be able to access the web server in Administrative network with the IP address 172.16.10.2 and port address 80. All other traffic is denied.

Rick Graziani graziani@cabrillo.edu

11

Example 1
172.16.20.0/24 s0 RouterA .1 e0 .1 s0 .2 RouterB .1 e0 172.16.40.0/24 s1 .1 s0 .2 RouterC .1 e0 Administration Sales Engineering

172.16.10.3/24 172.16.10.2/24

172.16.30.3/24 172.16.30.2/24

172.16.50.3/24 172.16.50.2/24

Port 80

RouterA(config)#access-list 110 permit tcp host 172.16.50.2 host 172.16.10.2 eq 80 RouterA(config)#inter e 0 RouterA(config-if)#ip access-group 110 out

Why is better to place the ACL on RouterA instead of RouterC? Why is the e0 interface used instead of s0 on RouterA?

Example 2
172.16.20.0/24 s0 RouterA .1 e0 .1 s0 .2 RouterB .1 e0 172.16.40.0/24 s1 .1 s0 .2 RouterC .1 e0 Administration Sales Engineering

172.16.10.3/24 172.16.10.2/24

172.16.30.3/24 172.16.30.2/24

172.16.50.3/24 172.16.50.2/24

Port 80

Task What if we wanted Router A to permit any workstation on the Sales network be able to access the web server in Administrative network with the IP address 172.16.10.2 and port address 80. All other traffic is denied.

Example 2
172.16.20.0/24 s0 RouterA .1 e0 .1 s0 .2 RouterB .1 e0 172.16.40.0/24 s1 .1 s0 .2 RouterC .1 e0 Administration Sales Engineering

172.16.10.3/24 172.16.10.2/24

172.16.30.3/24 172.16.30.2/24

172.16.50.3/24 172.16.50.2/24

Port 80

RouterA(config)#access-list 110 permit tcp 172.16.30.0 0.0.0.255 host 172.16.10.2 eq 80 RouterA(config)#inter e 0 RouterA(config-if)#ip access-group 110 out

When configuring access list statements, use the ? to walk yourself through the command!

Inbound Extended Access Lists

Inbound Access Lists RouterA(config)# interface e 0 RouterA(config-if)#ip access-group 11 in

With inbound Access Lists the IOS checks the packets before it is sent to the Routing Table Process. With outbound Access Lists, the IOS checks the packets after it is sent to the Routing Table Process. This is because the output interface is not known until the forwarding decision is made.