Extended Access List

Extended ACLs provide a greater range of criteria when filtering packets. While standard ACLs filter only on the source IP address, extended ACLs filter packets by source/destination IP address, source/destination port number (service) and the protocol used. Extended ACLs are numbered from 100-199 and 2000-2699. Extended ACLs can also be named.

Extended ACLs can filter packets by their source/destination port number. You can specify the port either as a number or as the name of a well-known service. For example, the following access-lists have the same function:
access-list 110 permit tcp 206.124.16.0 0.0.0.255 any eq 21
and
access-list 110 permit tcp 206.124.16.0 0.0.0.255 any eq ftp

Both permit TCP packets from network 206.124.16.0 to any host that are destined to port 21 (FTP runs on port 21).


You may notice the "eq" keyword in both access-lists, just before the port number. "eq" means equal. The available operators are:
  • eq : equal, use this to permit/deny packets whose source/destination port number is equal to the specified number
  • lt : less than, use this to permit/deny packets whose source/destination port number is less than the specified number
  • gt : greater than, use this to permit/deny packets whose source/destination port number is greater than the specified number
  • neq : not equal, use this to permit/deny packets whose source/destination port number is not equal to the specified number

The complete syntax is:
access-list access-list-number {deny|permit|remark} protocol source [source-wildcard] [operator operand] [port port-number or name] destination [destination-wildcard] [operator operand] [port port-number or name] [established]

access-list-number: a number identifying the access-list. For an extended ACL this is 100 to 199 or 2000 to 2699.
deny: drop the packet if the condition matches.
permit: pass the packet if the condition matches.
remark: used for documentation; this adds a remark about entries in the access-list to make it easier to read.
protocol: the protocol of the packet. Name this with one of TCP, UDP, ICMP, etc. To match every IP protocol, use IP.
source: address of the network or host from which the packet is sent. Two ways to specify the source:
  • a 32-bit address in four-part dotted-decimal format
  • any: don't care about the source address; abbreviation for a source and source-wildcard of 0.0.0.0 and 255.255.255.255
source-wildcard: wildcard bits for the source IP address. Two ways to specify the source-wildcard:
  • a 32-bit mask in four-part dotted-decimal format
  • any: abbreviation for a source and source-wildcard of 0.0.0.0 and 255.255.255.255
destination: address of the network or host to which the packet is destined. Two ways to specify the destination:
  • a 32-bit address in four-part dotted-decimal format
  • any: don't care about the destination address; abbreviation for a destination and destination-wildcard of 0.0.0.0 and 255.255.255.255
destination-wildcard: wildcard bits for the destination IP address. Two ways to specify the destination-wildcard:
  • a 32-bit mask in four-part dotted-decimal format
  • any: abbreviation for a destination and destination-wildcard of 0.0.0.0 and 255.255.255.255
operator: optional. Compares the source or destination port. Fill this with one of eq, gt, lt, neq.
port: optional. The (source/destination) port number or service name of the packet.
established: optional, for TCP packets only. A match occurs if the TCP packet has the ACK or RST bit set, which indicates that the packet belongs to an existing connection.


Here is an example allowing hosts in network 192.168.1.0 to do web browsing (HTTP) only:
access-list 110 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 110 permit tcp 192.168.1.0 0.0.0.255 any eq 443
access-list 115 permit tcp any 192.168.1.0 0.0.0.255 established

The line "access-list 110 permit tcp 192.168.1.0 0.0.0.255 any eq 443" is required for HTTPS, while "access-list 115 permit tcp any 192.168.1.0 0.0.0.255 established" is required because HTTP traffic flows in two directions: you request a page and the server sends you the page. This ACL lets you receive the page you requested (it actually passes every TCP packet that belongs to an existing connection; since only HTTP/HTTPS traffic can go out from the network, theoretically only HTTP/HTTPS connections can be made from inside).

After creating the ACLs, you apply an extended ACL to an interface the same way you apply a standard ACL. From the example above, you apply both ACLs to one interface, one in each direction; which one is "in" and which is "out" depends on the interface you apply them to. Assuming we want to apply both ACLs to interface FastEthernet0/1, which is directly connected to network 192.168.1.0, the commands would be:
interface FastEthernet0/1
ip access-group 110 in
ip access-group 115 out


You can create a named IP extended ACL the same way you create a named standard ACL.
The steps are:
  • Step 1. At the global configuration level, enter the command "ip access-list extended name", where name is the name you want to give the extended ACL.
  • Step 2. After entering the command you'll be at the ACL configuration level. Create statements and conditions as required with the permit/deny/remark keywords. The syntax is the same as for a statement in a numbered extended ACL, except that you no longer specify "access-list access-list-number".
  • Step 3. You can verify the ACL you've created with the command "show access-lists name" in privileged EXEC mode.
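To make the matching rules above concrete, here is an added Python example (not from the original post, and not a Cisco tool) that re-implements the semantics described on this page: wildcard masks where a 1 bit means "don't care", the eq/lt/gt/neq operators, service names in place of port numbers, the "established" keyword as a check on the ACK/RST flags, first-match evaluation and the implicit deny at the end of every ACL. It parses both the numbered access-list 110/115 lines from the web-browsing example and an equivalent named ACL built with the steps just described (the name WEB-OUT and the remark text are assumptions for this example), then evaluates a few constructed packets against them.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Subset of well-known service names IOS accepts in place of a port number.
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "domain": 53,
              "www": 80, "http": 80, "pop3": 110, "https": 443}

# Operators from the post: eq, lt, gt, neq.
OPERATORS = {"eq": lambda p, n: p == n, "neq": lambda p, n: p != n,
             "lt": lambda p, n: p < n, "gt": lambda p, n: p > n}


def parse_port(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok.lower()]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard: a 1 bit means 'don't care', a 0 bit must match exactly."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Packet:
    proto: str          # tcp / udp / icmp
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK flag set
    rst: bool = False   # TCP RST flag set


@dataclass
class Entry:
    action: str                 # permit or deny
    proto: str                  # tcp / udp / icmp / ip (ip matches everything)
    src: tuple                  # (address, wildcard)
    sport: Optional[tuple]      # (operator, port) or None
    dst: tuple
    dport: Optional[tuple]
    established: bool = False


def _take_address(tokens, i):
    """Consume 'any' or 'address wildcard'; 'any' is 0.0.0.0 255.255.255.255."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    return (tokens[i], tokens[i + 1]), i + 2


def _take_port(tokens, i):
    if i < len(tokens) and tokens[i] in OPERATORS:
        return (tokens[i], parse_port(tokens[i + 1])), i + 2
    return None, i


def parse_entry(body: str) -> Optional[Entry]:
    """Parse e.g. 'permit tcp 192.168.1.0 0.0.0.255 any eq 80'; remarks give None."""
    tokens = body.split()
    if tokens[0] == "remark":
        return None
    action, proto, i = tokens[0], tokens[1].lower(), 2
    src, i = _take_address(tokens, i)
    sport, i = _take_port(tokens, i)
    dst, i = _take_address(tokens, i)
    dport, i = _take_port(tokens, i)
    return Entry(action, proto, src, sport, dst, dport, "established" in tokens[i:])


def parse_config(text: str) -> dict:
    """Collect numbered 'access-list N ...' lines and named
    'ip access-list extended NAME' blocks into {number_or_name: [Entry, ...]}."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tokens = line.split()
        if tokens[0] == "access-list":
            current = None
            entry = parse_entry(" ".join(tokens[2:]))
            if entry:
                acls.setdefault(tokens[1], []).append(entry)
        elif line.startswith("ip access-list extended "):
            current = tokens[3]
            acls.setdefault(current, [])
        elif current is not None:
            entry = parse_entry(line)
            if entry:
                acls[current].append(entry)
    return acls


def matches(entry: Entry, pkt: Packet) -> bool:
    if entry.proto != "ip" and entry.proto != pkt.proto:
        return False
    if not (wildcard_match(pkt.src, *entry.src) and wildcard_match(pkt.dst, *entry.dst)):
        return False
    for spec, port in ((entry.sport, pkt.sport), (entry.dport, pkt.dport)):
        if spec and not OPERATORS[spec[0]](port, spec[1]):
            return False
    # 'established' is only a flag check: ACK or RST set, nothing more.
    return not entry.established or pkt.ack or pkt.rst


def evaluate(entries, pkt: Packet) -> str:
    """First matching entry wins; a packet that matches nothing is implicitly denied."""
    for entry in entries:
        if matches(entry, pkt):
            return entry.action
    return "deny"


# Constructed config: the post's numbered lists plus an equivalent named ACL
# (the name WEB-OUT and the remark are assumptions made for this example).
SAMPLE_CONFIG = """
access-list 110 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 110 permit tcp 192.168.1.0 0.0.0.255 any eq 443
access-list 115 permit tcp any 192.168.1.0 0.0.0.255 established
ip access-list extended WEB-OUT
 remark outbound web browsing only
 permit tcp 192.168.1.0 0.0.0.255 any eq www
 permit tcp 192.168.1.0 0.0.0.255 any eq https
"""
ACLS = parse_config(SAMPLE_CONFIG)


def demo() -> dict:
    """Constructed packets (203.0.113.5 is a documentation address, not a real server)."""
    web = Packet("tcp", "192.168.1.20", "203.0.113.5", sport=51000, dport=80)
    ssh = Packet("tcp", "192.168.1.20", "203.0.113.5", sport=51001, dport=22)
    reply = Packet("tcp", "203.0.113.5", "192.168.1.20", sport=80, dport=51000, ack=True)
    unsolicited = Packet("tcp", "203.0.113.5", "192.168.1.20", sport=4444, dport=22)
    return {
        "web_out": evaluate(ACLS["110"], web),              # permit
        "ssh_out": evaluate(ACLS["110"], ssh),              # deny (implicit)
        "named_web_out": evaluate(ACLS["WEB-OUT"], web),    # permit, via 'www'
        "reply_in": evaluate(ACLS["115"], reply),           # permit, ACK set
        "unsolicited_in": evaluate(ACLS["115"], unsolicited),  # deny, no ACK/RST
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Running the script prints the verdict for each constructed packet. Two things the post's wording hides become visible here: a numbered statement and a named statement with "eq www" parse to exactly the same Entry, and "established" passes any inbound TCP segment with ACK or RST set, whether or not a connection really exists, so it is a flag check rather than connection tracking.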
