Extended Access Control Lists

April 22, 2025 - Reading time: 4 minutes

In our previous lesson, we explored the fundamentals of standard ACLs, which filter traffic based solely on the source IP address. We discussed the importance of applying them close to the destination and how each ACL ends with an implicit ‘deny all’ that can unintentionally block desired traffic if not carefully managed. We also went through best practices, such as verifying ACL matches using show access-lists and ensuring the correct inbound/outbound direction is specified when applying the ACL to an interface. With these essentials covered, you can now confidently create and troubleshoot standard ACLs in a variety of network scenarios.

This time, we'll tackle extended ACLs, a more advanced type of ACL that not only checks source and destination IP addresses but can also evaluate the protocol, TCP/UDP ports, and other criteria. Extended ACLs are typically placed close to the source to block unwanted traffic early, preventing it from traversing your network unnecessarily. With extended ACLs, you can allow specific types of traffic (like HTTP on port 80) while denying others (like Telnet on port 23). In the lab below, we walk through the configuration and verification steps that put this added flexibility to use for granular traffic control.

Step-by-Step Lab

Topology Assumption

  • R1 has two interfaces:
    • FastEthernet0/0 (LAN side) on subnet 192.168.1.0/24
    • FastEthernet0/1 (WAN side) on subnet 10.0.12.0/30 connected to another device or router (R2).
  • R2 has Telnet configured:
    • password: cisco

In this lab, we will create an Extended ACL on R1 that:

  1. Denies Telnet traffic (TCP port 23) from the LAN host at 192.168.1.10 going to the WAN IP 10.0.12.2.
  2. Permits all other traffic.

We will then apply this ACL inbound on FastEthernet0/0 of R1 so that any Telnet traffic from 192.168.1.10 to 10.0.12.2 is denied on its way in. (While ACL direction can vary, we keep it simple by placing it inbound on F0/0 in this example.)


1. Basic Device Setup

R1(config)# interface FastEthernet0/0
R1(config-if)# ip address 192.168.1.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# exit

R1(config)# interface FastEthernet0/1
R1(config-if)# ip address 10.0.12.1 255.255.255.252
R1(config-if)# no shutdown
R1(config-if)# exit

Expected Outcome: Interfaces are up and assigned IP addresses.


2. Create the Extended Access List

  • We will number this ACL 100 (extended range: 100–199).
  • Deny Telnet from 192.168.1.10 to 10.0.12.2.
  • Permit all other traffic.

R1(config)# access-list 100 deny tcp host 192.168.1.10 host 10.0.12.2 eq 23
R1(config)# access-list 100 permit ip any any

Expected Outcome: ACL 100 is created. The first entry denies Telnet from 192.168.1.10 to 10.0.12.2, and the second entry permits all other traffic.


3. Apply the ACL to the Interface

We will apply the ACL inbound on FastEthernet0/0:

R1(config)# interface FastEthernet0/0
R1(config-if)# ip access-group 100 in
R1(config-if)# exit

Expected Outcome: Traffic coming into R1 on F0/0 will be checked against ACL 100.


4. Verification Commands

Below are the key verification commands, what each one tells you, and the console output you can expect on a Cisco router.

  1. Show the ACL configuration

    R1# show access-lists 100
    Extended IP access list 100
        10 deny tcp host 192.168.1.10 host 10.0.12.2 eq telnet
        20 permit ip any any
    
    • Explanation: Confirms the ACL statements in sequence. Lines start with sequence numbers (10, 20).

  2. Show IP interfaces to confirm the ACL is applied

    R1# show ip interface FastEthernet0/0
    FastEthernet0/0 is up, line protocol is up
      Internet address is 192.168.1.1/24
      Broadcast address is 255.255.255.255
      Address determined by configuration file
      MTU is 1500 bytes
      Helper address is not set
      Directed broadcast forwarding is disabled
      Outgoing access list is not set
      Inbound  access list is 100
      <...output truncated...>
    
    • Explanation: Indicates the ACL 100 is applied inbound on F0/0.

  3. Testing the ACL

    • A Telnet attempt from Host0 (192.168.1.10) to R2 (10.0.12.2) will be denied:
      R1# show access-lists 100
      Extended IP access list 100
          10 deny tcp host 192.168.1.10 host 10.0.12.2 eq telnet (1 match)
          20 permit ip any any
      
      • Explanation: The (1 match) indicates the deny statement matched traffic (Telnet was denied).

    • Ping from 192.168.1.10 to 10.0.12.2 should succeed because ICMP is permitted by the second line:
      R1# show access-lists 100
      Extended IP access list 100
          10 deny tcp host 192.168.1.10 host 10.0.12.2 eq telnet (1 match)
          20 permit ip any any (2 matches)
      
      • Explanation: The permit statement's counter is incrementing (2 matches), showing that traffic other than Telnet is matching the permit line and passing.


Common Mistakes

  1. Incorrect ACL Number or Type

    • Symptom: No traffic is denied or permitted as intended.
    • Solution: Ensure you use an extended ACL number (100–199) for source/destination/port-based filtering.

  2. ACL Applied to the Wrong Interface or in the Wrong Direction

    • Symptom: Traffic is unaffected because the ACL is never evaluated.
    • Solution: Carefully apply the ACL in the correct direction (in or out) on the correct interface.

  3. Missing or Incorrect Statement in ACL

    • Symptom: All traffic is denied or all traffic is allowed.
    • Solution: Verify each ACE (Access Control Entry). Use show access-lists to confirm the correct lines are present.

  4. Not Placing a Final Permit

    • Symptom: Traffic that should pass is dropped (due to the implicit deny).
    • Solution: Always end with a permit ip any any (or the required permit lines) if you want all remaining traffic allowed.
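To make the top-down first-match logic, the match counters from the verification step, and the implicit deny behind Common Mistake 4 concrete, here is a small Python evaluator. It is an added example, not part of the lesson or of PocketCLI: it parses the lab's two access-list commands and evaluates sample packets against them, and it assumes the numbered-ACL syntax used above plus the IOS wildcard-mask form and a few port keywords. It models how the router decides, it does not emulate IOS.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"telnet": 23, "www": 80, "ssh": 22}  # a few common IOS port keywords

@dataclass
class Ace:
    seq: int                    # sequence number as shown by 'show access-lists'
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" (any protocol), "icmp", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: int | None           # destination port from 'eq'; None means any port
    matches: int = 0            # the '(N matches)' counter

def _parse_addr(tokens):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(tokens[1])))  # invert wildcard
    return ipaddress.ip_network((tokens[0], str(mask)), strict=False), tokens[2:]

def parse_acl(lines):
    """Parse 'access-list N action proto src dst [eq port]' lines, in order, into ACEs."""
    aces = []
    for t in (line.split() for line in lines):
        src, rest = _parse_addr(t[4:])
        dst, rest = _parse_addr(rest)
        dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        aces.append(Ace(10 * (len(aces) + 1), t[2], t[3], src, dst, dport))
    return aces

def evaluate(aces, src, dst, proto, dport=None):
    """Top-down, first match wins and bumps its counter; no match hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if (ace.proto in ("ip", proto) and ace.dport in (None, dport)
                and s in ace.src and d in ace.dst):
            ace.matches += 1
            return ace.action
    return "deny"  # implicit 'deny ip any any' at the end of every ACL

def lab_acl():
    """ACL 100 exactly as entered in the lab above; fresh match counters on each call."""
    return parse_acl(["access-list 100 deny tcp host 192.168.1.10 host 10.0.12.2 eq 23",
                      "access-list 100 permit ip any any"])
```

Feeding it one Telnet packet and two pings from 192.168.1.10 reproduces the (1 match) / (2 matches) counters shown in the verification output, and parsing only the deny line shows everything else dropping to the implicit deny.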


User Challenge

The lab is available for download from this link. Try recreating the sample lab above using the provided IP addressing scheme to reinforce your understanding.

  1. Add Another Deny Statement: Add a statement to deny ICMP from a specific host in your LAN. Verify it with show access-lists to see match counters incrementing.

  2. Download the extended ACL1 and ACL2 troubleshooting scenarios and apply what you've learned.
    (requires version 2.8)

Completing these tasks will deepen your understanding of extended ACLs and demonstrate their powerful traffic control capabilities.

Extended Access Control Lists | PocketCLI
