Extended ACLs are like Standard ACLs but you can filter by source/destination IP, protocol, port, and other stuff.
Because they are more surgical, the recommendation is to place them close to the source rather than near the destination as with Standard ACLs. Standard ACLs tend to sweep up too much traffic, whereas Extended ACLs can pinpoint very specific traffic and stop it before it crosses the network (think WAN links), which conserves bandwidth.
Standard ACLs use numbers 1-99 and 1300-1999
Extended ACLs use numbers 100-199 and 2000-2699
Syntax:
R1(config)#access-list number {permit | deny} protocol src-ip dest-ip
R1(config)#ip access-list extended {name | number}
R1(config-ext-nacl)#[seq-num] {permit | deny} protocol src-ip dest-ip
Example:
R1(config-ext-nacl)#deny tcp any 10.0.0.0 0.0.0.255
^ Blocks all TCP packets from any source to any host in 10.0.0.0/24
R1(config-ext-nacl)#permit ip any any
^ Allow anything.
R1(config-ext-nacl)#deny udp 10.0.0.0 0.0.255.255 host 192.168.1.1
^ Prevent 10.0.0.0/16 from sending UDP traffic to 192.168.1.1/32
R1(config-ext-nacl)#deny icmp host 172.16.1.1 192.168.0.0 0.0.0.255
^ Deny pings from 172.16.1.1/32 to 192.168.0.0/24
You can also do specific ports:
R1(config-ext-nacl)#deny tcp src-ip ___ src-port-num dest-ip
The blank can be:
eq 80 = equals 80
gt 80 = greater than 80 (81 and higher)
lt 80 = less than 80 (79 and less)
neq 80 = not equal 80
range 80 100 = ports 80 through 100, inclusive
Example:
R1(config-ext-nacl)#deny tcp any host 1.1.1.1 eq 80
^ Deny all packets destined for IP 1.1.1.1/32 on TCP port 80 (web)
R1(config-ext-nacl)#permit tcp 172.16.1.0 0.0.0.255 gt 9999 host 4.4.4.4 neq 23
^ Allow hosts in 172.16.1.0/24 using a TCP source port greater than 9999 to reach all TCP ports on 4.4.4.4 except port 23
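As an added example (my own model, not IOS code or anything from the course), a small Python script that shows how a router walks an extended ACL: wildcard-mask matching, the port operators listed above, first match wins, and the implicit deny at the end. The ACEs are the ones from the examples above in the order they were entered; the packets are constructed.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")        # 'any': every address bit is a don't-care

def host(addr):
    return (addr, "0.0.0.0")                # 'host X': every address bit must match
def wildcard_match(addr, base, wildcard):
    # Cisco wildcard mask is the inverse of a netmask: bit 1 = ignore, bit 0 = must match
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def port_match(op, port):
    if op is None:                          # no operator given: any port matches
        return True
    kind, *v = op
    return {"eq": port == v[0], "neq": port != v[0], "gt": port > v[0],
            "lt": port < v[0], "range": v[0] <= port <= v[-1]}[kind]

def evaluate(acl, pkt):
    """Walk the ACL top-down; the first matching ACE decides, else the implicit deny."""
    for action, proto, src, sport_op, dst, dport_op in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], *src) and wildcard_match(pkt["dst"], *dst)):
            continue
        if proto in ("tcp", "udp") and not (port_match(sport_op, pkt["sport"])
                                            and port_match(dport_op, pkt["dport"])):
            continue
        return action
    return "deny"                           # implicit 'deny ip any any' ends every ACL

def pkt(proto, src, sport, dst, dport):     # constructed packet header
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}
# ACEs from the examples above, in the order they were entered
LAN_ACL = [
    ("deny",   "tcp",  ANY, None, ("10.0.0.0", "0.0.0.255"), None),
    ("permit", "ip",   ANY, None, ANY, None),
    ("deny",   "udp",  ("10.0.0.0", "0.0.255.255"), None, host("192.168.1.1"), None),
    ("deny",   "icmp", host("172.16.1.1"), None, ("192.168.0.0", "0.0.0.255"), None),
]
PORT_ACL = [
    ("deny",   "tcp", ANY, None, host("1.1.1.1"), ("eq", 80)),
    ("permit", "tcp", ("172.16.1.0", "0.0.0.255"), ("gt", 9999), host("4.4.4.4"), ("neq", 23)),
]
if __name__ == "__main__":
    # The UDP packet is permitted: 'permit ip any any' sits above 'deny udp' and shadows it.
    print(evaluate(LAN_ACL, pkt("tcp", "203.0.113.9", 40000, "10.0.0.7", 22)))   # deny
    print(evaluate(LAN_ACL, pkt("udp", "10.0.5.5", 53000, "192.168.1.1", 53)))   # permit
    print(evaluate(PORT_ACL, pkt("tcp", "172.16.1.10", 50000, "4.4.4.4", 23)))   # deny
```

The shadowed `deny udp` entry is the reason `permit ip any any` should be the last ACE you type, not the second.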
R1#show access-lists
^ Will display configured ACLs
R1#show ip interface g0/0
^ Shows details about int g0/0 including outgoing and inbound access lists
!! Easy to forget !!
Now apply the ACL to an interface:
R1(config-if)#ip access-group {name | number} {in|out}
[These are my notes from Jeremy's excellent CCNA course which can be viewed here.]