In the previous post, we discussed the basics of IP access lists (ACLs) and how to configure standard access lists. In this post, we will explain how to configure an Extended ACL on Cisco routers. If you are not yet clear on the concept of an Extended ACL (matching on protocol, source, destination and port rather than on source address alone), read the post on that concept before you start configuring one.
- First of all, let's have a look at the syntax used to configure a numbered Extended ACL on Cisco routers. Extended ACLs use the number range 100-199 (or the expanded range 2000-2699); each entry is evaluated top to bottom, the first match wins, and every list ends with an implicit deny.
Router(config)#access-list <ACL number 100-199> <permit | deny> <protocol: ip | tcp | udp | icmp ...> <source address and wildcard> <destination address and wildcard> [operator port, e.g. eq www] [packet condition, e.g. established or log]
- If the preceding one-line syntax is not clear, let's look at each part of it in detail.
- The following figure shows the syntax to select the action (permit or deny), the protocol, and the source address (a host, a network with its wildcard mask, or any).
- The following figure shows the syntax to select the destination address and the packet filter method.
- The following figure shows the syntax to select the port number (a number or a service keyword such as www for TCP port 80).
Steps to Configure Extended ACL
Once you are familiar with the syntax used to configure an Extended ACL, let's begin the configuration. To configure an Extended ACL, we will use the following network topology. In this example, we will deny host 10.0.0.2 from accessing the Web server (126.96.36.199). To do so, we need to filter TCP traffic from host 10.0.0.2 to the Web server on port 80 (HTTP), while leaving all other traffic untouched.
- We assume that you are already familiar with how to configure TCP/IP settings and routing. If you have any problem configuring the TCP/IP settings or a routing protocol (such as RIP) for the preceding topology, refer to the earlier posts on those topics.
- In order to prevent host 10.0.0.2 from accessing the Web server (126.96.36.199), execute the following commands on Router2. Extended ACLs are normally applied as close to the source as possible, so fa0/1 here is the interface on which traffic from 10.0.0.2 enters Router2.
```
Router2(config)#access-list 150 deny tcp host 10.0.0.2 host 126.96.36.199 eq www
Router2(config)#access-list 150 permit ip any any
Router2(config)#int fa0/1
Router2(config-if)#ip access-group 150 in
Router2(config-if)#exit
Router2(config)#exit
```
Note that `host 126.96.36.199` already means a wildcard mask of 0.0.0.0, so no mask follows it; writing `host 126.96.36.199 0.0.0.0` is rejected by IOS. If you prefer the explicit form, write `126.96.36.199 0.0.0.0 eq www` without the `host` keyword. The second line is essential: because of the implicit deny at the end of every ACL, an access list containing only the deny entry would drop all other traffic arriving on fa0/1.
- Once you have applied the ACL to the desired interface (in this case fa0/1, inbound), you can view the configured access lists, including the per-entry match counters, by executing the following command.
Router2#show ip access-lists
- The following figure shows how to configure an extended ACL on a Cisco router.
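The steps above rely on three rules that are easy to get wrong in practice: an ACL is evaluated top to bottom with the first match winning, a `host` keyword is a shorthand for a 0.0.0.0 wildcard (so no mask may follow it), and an unmatched packet hits the implicit deny. The following Python script is an added example, not code from the original post or from Cisco: it parses the subset of the numbered extended ACL syntax used on this page (permit/deny, ip/tcp/udp/icmp, any/host/address-wildcard, `eq` port) and evaluates constructed packets against access list 150 from the post. The `Packet`, `Ace`, `parse_ace`, `evaluate` and `is_valid` names are this example's own, and the packets are constructed sample input.

```python
"""Evaluate a Cisco-style numbered extended ACL against sample packets (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

# Service keywords IOS accepts in place of a TCP port number (subset, assumed sufficient here).
PORT_NAMES = {"www": 80, "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "domain": 53}


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src_net: int
    src_wild: int
    dst_net: int
    dst_wild: int
    dport: Optional[int]       # None means "any destination port"


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Consume one address spec starting at tokens[i]: any | host A | A WILDCARD."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":                      # host A == A 0.0.0.0
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def parse_ace(line: str) -> Tuple[int, Ace]:
    """Parse 'access-list N permit|deny proto SRC DST [eq PORT]'; raise ValueError on bad syntax."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list":
        raise ValueError(line)
    number = int(t[1])
    if not (100 <= number <= 199 or 2000 <= number <= 2699):
        raise ValueError(f"{number} is not an extended ACL number")
    action, proto = t[2], t[3]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in: {line}")
    src_net, src_wild, i = _parse_addr(t, 4)
    dst_net, dst_wild, i = _parse_addr(t, i)
    dport = None
    if i < len(t):                               # only 'eq PORT' is supported after the addresses
        if t[i] != "eq" or i + 1 >= len(t):
            raise ValueError(f"unsupported token '{t[i]}' in: {line}")
        p = t[i + 1]
        dport = PORT_NAMES[p] if p in PORT_NAMES else int(p)
    return number, Ace(action, proto, src_net, src_wild, dst_net, dst_wild, dport)


def is_valid(line: str) -> bool:
    """True if the line is accepted by this parser (models IOS rejecting e.g. 'host A 0.0.0.0')."""
    try:
        parse_ace(line)
        return True
    except ValueError:
        return False


def _wild_match(addr: int, net: int, wild: int) -> bool:
    # Wildcard bits set to 1 are "don't care"; bits set to 0 must match exactly.
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)


def evaluate(acl: List[str], pkt: Packet) -> str:
    """First matching entry wins; a packet matching no entry is dropped (implicit deny)."""
    for line in acl:
        _, ace = parse_ace(line)
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not _wild_match(_ip(pkt.src), ace.src_net, ace.src_wild):
            continue
        if not _wild_match(_ip(pkt.dst), ace.dst_net, ace.dst_wild):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"


# Access list 150 as configured on Router2 in the post.
ACL_150 = [
    "access-list 150 deny tcp host 10.0.0.2 host 126.96.36.199 eq www",
    "access-list 150 permit ip any any",
]

if __name__ == "__main__":
    web = "126.96.36.199"
    for pkt in (Packet("tcp", "10.0.0.2", web, 80),    # PC1 -> HTTP: deny
                Packet("tcp", "10.0.0.2", web, 443),   # PC1 -> HTTPS: permit (only www is blocked)
                Packet("tcp", "10.0.0.3", web, 80),    # PC2 -> HTTP: permit
                Packet("icmp", "10.0.0.2", web)):      # PC1 ping: permit
        print(pkt, "->", evaluate(ACL_150, pkt))
    # Forgetting 'permit ip any any' leaves only the implicit deny for everyone else.
    print("without permit ip any any, PC2 ->", evaluate(ACL_150[:1], Packet("tcp", "10.0.0.3", web, 80)))
```

Running the script shows why the second entry matters: with only the deny line in the list, PC2's HTTP request is dropped by the implicit deny, which is the most common mistake when an ACL "blocks everything" after being applied. The same evaluator also documents that the deny entry is port-specific: HTTPS or ping from 10.0.0.2 to the server still goes through, so if the intent is to block all access to the server you would deny `ip host 10.0.0.2 host 126.96.36.199` instead.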
Verify Access Control List Configuration
- To verify your configuration, open the Web browser on PC1 (host 10.0.0.2), type http://126.96.36.199, and press Enter. You should not be able to access the Web server, as shown in the following figure. On Router2, `show ip access-lists` should now show a match count on the deny entry.
- Now move on to PC2 and try to access the Web server; this time you should be able to access it, because PC2's traffic matches only the `permit ip any any` entry.
That's all you need to know to configure an Extended ACL on a Cisco router. In this post, we have learned how to configure an Extended ACL on Cisco routers using the numbered method. In the next post, we will learn how to configure an Extended ACL using the named ACL method. If you found this article helpful, please share it with others too.