Extended ACLs
Extended ACLs filter traffic based on source IP, destination IP, protocol, and port numbers - gives granular control over what traffic is allowed.
Why Use Extended ACLs?
You need extended ACLs when:
- You want to allow/block specific services (HTTP, SSH, FTP, etc.)
- You need to filter based on source AND destination
- You want to allow outbound traffic but block inbound connections (established keyword)
- Standard ACLs are too broad for your needs
ACL Numbers: 100-199, 2000-2699
Placement Rule: Apply close to the source (prevents unwanted traffic from traversing the network - saves bandwidth).
Numbered Extended ACL Syntax
Router(config)# access-list 100 permit tcp 192.168.10.0 0.0.0.255 any eq 80
Router(config)# access-list 100 permit tcp 192.168.10.0 0.0.0.255 any eq 443
Router(config)# access-list 100 deny ip any any

Format:
access-list [number] [permit|deny] [protocol] [source] [source-wildcard] [destination] [dest-wildcard] [operator port]

Common protocols:
- ip = All IP traffic
- tcp = TCP only
- udp = UDP only
- icmp = ICMP (ping, traceroute)

Port operators:
- eq = Equal to (e.g., eq 80)
- gt = Greater than
- lt = Less than
- neq = Not equal to
- range = Port range (e.g., range 20 21)
Named Extended ACL
Router(config)# ip access-list extended WEB-TRAFFIC
Router(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq 80
Router(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq 443
Router(config-ext-nacl)# deny ip any any
Router(config-ext-nacl)# exit

Common Port Numbers
| Service | Port | Protocol |
|---|---|---|
| HTTP | 80 | TCP |
| HTTPS | 443 | TCP |
| FTP Data | 20 | TCP |
| FTP Control | 21 | TCP |
| SSH | 22 | TCP |
| Telnet | 23 | TCP |
| SMTP | 25 | TCP |
| DNS | 53 | TCP/UDP |
| DHCP | 67, 68 | UDP |
| TFTP | 69 | UDP |
| POP3 | 110 | TCP |
| SNMP | 161 | UDP |
Using port names:
Router(config)# access-list 100 permit tcp any any eq www
Router(config)# access-list 100 permit tcp any any eq 80
Both commands do the same thing (www = port 80).
Apply ACL to Interface
Router(config)# interface GigabitEthernet0/0/0
Router(config-if)# ip access-group 100 in

Example: Allow Web Traffic Only
Router(config)# access-list 110 permit tcp 192.168.10.0 0.0.0.255 any eq 80
Router(config)# access-list 110 permit tcp 192.168.10.0 0.0.0.255 any eq 443
Router(config)# interface GigabitEthernet0/0/0
Router(config-if)# ip access-group 110 in
Now only HTTP (80) and HTTPS (443) traffic from 192.168.10.0/24 is allowed outbound.

Example: Block Specific Host from Internet
Router(config)# access-list 120 deny ip host 192.168.10.50 any
Router(config)# access-list 120 permit ip any any
Router(config)# interface GigabitEthernet0/0/0
Router(config-if)# ip access-group 120 in

TCP Established (Stateful Filtering)
Allow outbound connections and their return traffic, but block inbound connection attempts.
Router(config)# access-list 130 permit tcp any 192.168.10.0 0.0.0.255 established
Router(config)# interface GigabitEthernet0/0/0
Router(config-if)# ip access-group 130 out
How it works: The established keyword matches TCP packets that have the ACK or RST flag set, which indicates an existing connection. A new connection attempt (a SYN with no ACK) does not match and falls through to the implicit deny, so new inbound connections from the internet are blocked. Note that the router keeps no connection table here; it only inspects the flag bits, so this is not a substitute for a stateful firewall.
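To make the matching rules on this page concrete, here is a small Python model (added here, not part of the original notes) of how an extended ACL is evaluated: wildcard masks, the port operators from the syntax section, first-match-wins with the implicit deny, and the established check on the ACK/RST flags. The ACL entries and packets are constructed samples that mirror the ACL 110 / ACL 120 inbound-outbound pair used in this section.

```python
import ipaddress
from dataclasses import dataclass

ANY = ("0.0.0.0", "255.255.255.255")   # "any": every bit is don't-care; "host X" would be (X, "0.0.0.0")
@dataclass
class Ace:
    action: str                        # "permit" or "deny"
    proto: str                         # "ip", "tcp", "udp" or "icmp"
    src: tuple                         # (address, wildcard mask)
    dst: tuple
    port: tuple = ()                   # () = any destination port; ("eq", 80); ("range", 20, 21) ...
    established: bool = False          # TCP only: match if ACK or RST is set

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'ignore this bit', a 0 bit means 'must match'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care

def port_match(op, port):
    if not op:                         # no operator: any port matches
        return True
    kind, *args = op                   # operators from the syntax section: eq, neq, gt, lt, range
    return {"eq": port == args[0], "neq": port != args[0], "gt": port > args[0],
            "lt": port < args[0], "range": args[0] <= port <= args[-1]}[kind]

def evaluate(acl, pkt):
    """Return (action, ACE index): first match wins; no match hits the implicit deny."""
    for idx, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], *ace.src) and wildcard_match(pkt["dst"], *ace.dst)):
            continue
        if ace.proto in ("tcp", "udp") and not port_match(ace.port, pkt.get("dport", 0)):
            continue
        if ace.established and not ({"ACK", "RST"} & pkt.get("flags", set())):
            continue
        return ace.action, idx
    return "deny", None                # the implicit "deny ip any any" at the end of every ACL

INSIDE = ("192.168.10.0", "0.0.0.255")   # constructed sample: the ACL 110 in / ACL 120 out pair
ACL_110_IN = [Ace("permit", "tcp", INSIDE, ANY, ("eq", 80)),
              Ace("permit", "tcp", INSIDE, ANY, ("eq", 443))]
ACL_120_OUT = [Ace("permit", "tcp", ANY, INSIDE, established=True)]

if __name__ == "__main__":
    syn_out = {"proto": "tcp", "src": "192.168.10.5", "dst": "203.0.113.8", "dport": 443, "flags": {"SYN"}}
    reply = {"proto": "tcp", "src": "203.0.113.8", "dst": "192.168.10.5", "dport": 51000, "flags": {"SYN", "ACK"}}
    new_in = {"proto": "tcp", "src": "203.0.113.8", "dst": "192.168.10.5", "dport": 22, "flags": {"SYN"}}
    print(evaluate(ACL_110_IN, syn_out), evaluate(ACL_120_OUT, reply), evaluate(ACL_120_OUT, new_in))
```

Running it shows the outbound HTTPS SYN permitted by ACE 1 of ACL 110, the SYN/ACK reply permitted by the established entry, and the unsolicited inbound SSH SYN falling to the implicit deny.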
Common pattern (inbound + outbound ACLs):
! Outbound: Allow inside hosts to access web
Router(config)# access-list 110 permit tcp 192.168.10.0 0.0.0.255 any eq 80
Router(config)# access-list 110 permit tcp 192.168.10.0 0.0.0.255 any eq 443
! Inbound: Only allow return traffic
Router(config)# access-list 120 permit tcp any 192.168.10.0 0.0.0.255 established
Router(config)# interface GigabitEthernet0/0/0
Router(config-if)# ip access-group 110 in
Router(config-if)# ip access-group 120 out

Named Extended ACL Example
Router(config)# ip access-list extended ALLOW-WEB
Router(config-ext-nacl)# remark Permit HTTP and HTTPS from internal network
Router(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq 80
Router(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq 443
Router(config-ext-nacl)# exit
Router(config)# ip access-list extended RETURN-TRAFFIC
Router(config-ext-nacl)# remark Only allow returning web traffic
Router(config-ext-nacl)# permit tcp any 192.168.10.0 0.0.0.255 established
Router(config-ext-nacl)# exit
Router(config)# interface GigabitEthernet0/0/0
Router(config-if)# ip access-group ALLOW-WEB in
Router(config-if)# ip access-group RETURN-TRAFFIC out

Allow Specific Host, Block Others
Router(config)# ip access-list extended RESTRICT-ACCESS
Router(config-ext-nacl)# remark Allow PC1 full internet access
Router(config-ext-nacl)# permit tcp host 192.168.10.10 any eq 20
Router(config-ext-nacl)# permit tcp host 192.168.10.10 any eq 21
Router(config-ext-nacl)# permit tcp host 192.168.10.10 any eq 22
Router(config-ext-nacl)# permit tcp host 192.168.10.10 any eq 23
Router(config-ext-nacl)# permit tcp host 192.168.10.10 any eq 80
Router(config-ext-nacl)# permit tcp host 192.168.10.10 any eq 443
Router(config-ext-nacl)# permit udp host 192.168.10.10 any eq 53
Router(config-ext-nacl)# permit tcp host 192.168.10.10 any eq 53
Router(config-ext-nacl)# remark Deny all other internal hosts
Router(config-ext-nacl)# deny ip 192.168.10.0 0.0.0.255 any
Router(config-ext-nacl)# exit
Router(config)# interface GigabitEthernet0/0/0
Router(config-if)# ip access-group RESTRICT-ACCESS in

Allow ICMP (Ping)
Router(config)# access-list 100 permit icmp any any
Allow ping echo-reply only (returning pings):
Router(config)# access-list 100 permit icmp any any echo-reply

Allow DNS
DNS uses both TCP and UDP on port 53.
Router(config)# access-list 100 permit udp any any eq 53
Router(config)# access-list 100 permit tcp any any eq 53

Block Specific Protocol
Router(config)# access-list 100 deny tcp any any eq 23
Router(config)# access-list 100 permit ip any any
Blocks Telnet (port 23), allows everything else.
Edit Extended ACL
View sequence numbers:
Router# show access-lists
Extended IP access list 110
    10 permit tcp 192.168.10.0 0.0.0.255 any eq www
    20 permit tcp 192.168.10.0 0.0.0.255 any eq 443
Remove and replace a line:
Router(config)# ip access-list extended 110
Router(config-ext-nacl)# no 10
Router(config-ext-nacl)# 10 permit tcp 192.168.20.0 0.0.0.255 any eq www
Router(config-ext-nacl)# exit
Insert new line (sequence 15 is placed between entries 10 and 20):
Router(config)# ip access-list extended ALLOW-WEB
Router(config-ext-nacl)# 15 permit tcp 192.168.15.0 0.0.0.255 any eq 443
Router(config-ext-nacl)# exit

Remove ACL from Interface
Router(config)# interface GigabitEthernet0/0/0
Router(config-if)# no ip access-group 100 in

Delete ACL
Router(config)# no access-list 100
Or for named ACLs:
Router(config)# no ip access-list extended ALLOW-WEB

Verify Configuration
Router# show access-lists
Router# show access-lists 100
Router# show ip access-lists
Router# show ip interface GigabitEthernet0/0/0 | include access list
Router# show running-config | section ip access-list
Check match statistics:
Router# show access-lists
Extended IP access list 110
    10 permit tcp 192.168.10.0 0.0.0.255 any eq www (245 matches)
    20 permit tcp 192.168.10.0 0.0.0.255 any eq 443 (1843 matches)

Example Scenarios
Scenario 1: Allow SSH from management subnet only
Router(config)# ip access-list extended SSH-MGMT
Router(config-ext-nacl)# permit tcp 10.100.0.0 0.0.255.255 any eq 22
Router(config-ext-nacl)# deny tcp any any eq 22
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# exit
Router(config)# interface GigabitEthernet0/0/0
Router(config-if)# ip access-group SSH-MGMT in
Order matters here: the management-subnet permit must come before the blanket SSH deny, because the first matching entry wins.

Scenario 2: Block social media (example IPs)
Router(config)# ip access-list extended BLOCK-SOCIAL
Router(config-ext-nacl)# remark Block Facebook
Router(config-ext-nacl)# deny ip any 31.13.24.0 0.0.7.255
Router(config-ext-nacl)# remark Block Twitter
Router(config-ext-nacl)# deny ip any 104.244.42.0 0.0.0.255
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# exit
Router(config)# interface GigabitEthernet0/0/0
Router(config-if)# ip access-group BLOCK-SOCIAL out

Scenario 3: Allow only email and web for guest network
Router(config)# ip access-list extended GUEST-INTERNET
Router(config-ext-nacl)# permit tcp 192.168.99.0 0.0.0.255 any eq 80
Router(config-ext-nacl)# permit tcp 192.168.99.0 0.0.0.255 any eq 443
Router(config-ext-nacl)# permit tcp 192.168.99.0 0.0.0.255 any eq 25
Router(config-ext-nacl)# permit tcp 192.168.99.0 0.0.0.255 any eq 110
Router(config-ext-nacl)# permit tcp 192.168.99.0 0.0.0.255 any eq 587
Router(config-ext-nacl)# permit udp 192.168.99.0 0.0.0.255 any eq 53
Router(config-ext-nacl)# deny ip 192.168.99.0 0.0.0.255 any
Router(config-ext-nacl)# exit
Router(config)# interface GigabitEthernet0/1/0
Router(config-if)# ip access-group GUEST-INTERNET in