How to Configure Extended Access List on Router

In the previous post, we discussed the basics of IP access lists (ACLs) and how to configure standard access lists. In this post, we will explain how to configure an Extended Access List on Cisco routers. If you have any queries regarding the concept of Extended ACL, please visit the following link before you start configuring an Extended ACL.

  1. First of all, let’s have a look at the syntax used to configure an Extended ACL on Cisco routers.

Router(config)#access-list <an ACL number from 100-199> <select an action> <select a protocol or service> <source address> <destination address> <port number> <packet condition>
  2. If the preceding syntax does not help you, let’s have a look at the following syntax in detail.
  3. The following figure shows the syntax to select the action, protocol, and source address. [Figure: Syntax to configure an extended ACL on Cisco router]
  4. The following figure shows the syntax to select the destination address and packet filter method. [Figure: Syntax to configure extended ACL in Packet Tracer]
  5. The following figure shows the syntax to select the port number. [Figure: Configure Extended ACL to prevent http on cisco]

Steps to Configure Extended ACL.

Once you are familiar with the syntax used to configure Extended ACL, let’s begin the configuration.

To configure an Extended ACL, we will use the following network topology. In this example, we will deny host from accessing the Web server ( To do so, we need to filter the IP traffic containing the HTTP packet coming from host. [Figure: Topology to configure Extended ACL in Cisco Packet Tracer]

  1. We assume that you are already familiar with how to configure TCP/IP settings and how to configure routing. If you face any problem configuring the TCP/IP settings and a routing protocol (such as RIP) for the preceding topology, the following links may help you.
  2. To prevent host from accessing the Web server (, you need to execute the following commands on Router2.
Router2(config)#access-list 150 deny tcp host host eq www
Router2(config)#access-list 150 permit ip any any
Router2(config)#int fa0/1
Router2(config-if)#ip access-group 150 in
  3. Once you have applied the ACL on the desired interface (in this case fa0/1), you can view the configured access lists by executing the following command.
Router2#show ip access-lists
  4. The following figure shows how to configure an extended ACL on a Cisco router. [Figure: How to Configure Extended ACL on Cisco Router]

Verify Access Control List Configuration

  1. To verify your configuration, open the Web browser on PC1, type, and press Enter. You should not be able to access the Web server, as shown in the following figure. [Figure: Verify Extended ACL configuration]
  2. Now move on to PC2 and try to access the Web server. This time you should be able to access the Web server. [Figure: Verify ACL configuration using Cisco Packet Tracer]
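
The first-match logic behind access list 150 and the two browser checks above, as an added Python example (it is not part of the original post and not Cisco code). The IP addresses are constructed stand-ins for the topology's hosts, and `evaluate`, `parse_ace` and the other names are hypothetical helpers; the sketch also models the implicit deny that applies when no entry matches, which is why the `permit ip any any` line is needed.

```python
import ipaddress

# Constructed lab addresses (assumptions, not taken from the page):
# 10.0.0.10 = blocked host (PC1), 10.0.0.20 = PC2, 192.168.1.10 = Web server.
ACL_150 = """\
access-list 150 deny tcp host 10.0.0.10 host 192.168.1.10 eq www
access-list 150 permit ip any any
"""
PORT_NAMES = {"www": 80}  # IOS keyword for TCP port 80

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard) as ints."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return to_int(tokens.pop(0)), 0
    return to_int(first), to_int(tokens.pop(0))

def parse_ace(line):
    """Parse one numbered extended ACL entry (only 'eq' on the destination port)."""
    tokens = line.split()[2:]  # drop "access-list <number>"
    action, proto = tokens.pop(0), tokens.pop(0)
    src, dst = parse_addr(tokens), parse_addr(tokens)
    port = None
    if tokens[:1] == ["eq"]:
        port = PORT_NAMES.get(tokens[1]) or int(tokens[1])
    return action, proto, src, dst, port

def addr_matches(rule, addr):
    base, wildcard = rule
    # Wildcard bits set to 1 are "don't care"; all other bits must be equal.
    return ((to_int(addr) ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def evaluate(acl_text, proto, src, dst, dport=None):
    """Return (action, matched entry). First match wins; no match means implicit deny."""
    for line in acl_text.strip().splitlines():
        action, a_proto, a_src, a_dst, a_port = parse_ace(line)
        if (a_proto in ("ip", proto) and addr_matches(a_src, src)
                and addr_matches(a_dst, dst) and a_port in (None, dport)):
            return action, line
    return "deny", "implicit deny"

if __name__ == "__main__":
    for src, port in (("10.0.0.10", 80), ("10.0.0.20", 80), ("10.0.0.10", 443)):
        print(src, port, evaluate(ACL_150, "tcp", src, "192.168.1.10", port))
```

The third check in the loop shows that the deny entry covers only TCP port 80: traffic from the same host to any other port falls through to `permit ip any any`.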

That’s all you need to know to configure an Extended ACL on a Cisco router. In this post, we have learned how to configure an Extended ACL on Cisco routers using the numbered method. In the next posts, we will learn how to configure an Extended ACL using the named ACL method. If you found this article helpful, please share it with others too. Sharing this article will not cost you anything.

