Extended Access Control Lists (ACLs) provide granular control over network traffic. Unlike Standard ACLs, which filter on the source IP address only, Extended ACLs can match on source IP, destination IP, protocol (tcp, udp, icmp, or ip for any IP traffic) and, for TCP and UDP, specific port numbers.
Extended ACL Range
Extended ACLs use numbers in the range of 100-199 and the expanded range of 2000-2699.
1. Placement Rule: "Near the Source"
Extended ACLs should always be placed as close to the source of the traffic as possible.
- Why? Because an Extended ACL can identify exactly the traffic you want to deny, it can drop that traffic at the first hop instead of letting it cross the whole network only to be discarded at the far end, wasting bandwidth and router CPU along the way. (A Standard ACL, which sees only the source address, is placed near the destination so it does not accidentally block that source from reaching everything else.)
2. The Syntax & Attributes
Extended ACLs require you to specify the protocol, source, and destination. Here is an example using a subnet to explain the structure:
Router(config)# access-list 101 permit tcp 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 80
| Attribute | Value in Example | Simple Explanation |
|---|---|---|
| ACL Number | 101 | Identifies this as an Extended list (Range 100–199). |
| Action | permit | Allows the traffic. (deny would stop it). |
| Protocol | tcp | The protocol keyword to match: tcp (e.g. HTTP, SSH), udp (e.g. DNS, which also uses TCP), icmp, or ip for any IP traffic. Port operators are only valid with tcp and udp. |
| Source | 192.168.1.0 0.0.0.255 | The source network and wildcard mask (devices sending the data). Here 0.0.0.255 covers the whole /24, 192.168.1.0 to 192.168.1.255. |
| Destination | 10.1.1.0 0.0.0.255 | The destination network and wildcard mask (devices receiving the data). Again a /24, 10.1.1.0 to 10.1.1.255. |
| Operator | eq | Matches a specific port (eq = equal to). Other operators are lt, gt, neq, and range. |
| Port | 80 | The specific service (80 = HTTP web traffic). Because eq 80 follows the destination address it matches the destination port; an eq placed between the source and destination matches the source port instead. |
Alternative: Using the "host" Keyword
If you need to filter traffic for exactly one device, use the host keyword instead of a wildcard mask. host 192.168.1.10 is shorthand for 192.168.1.10 0.0.0.0 (every bit must match). Here is how that looks:
Router(config)# access-list 101 permit tcp host 192.168.1.10 host 10.1.1.50 eq 80
Common Port Numbers & Services
When filtering with Extended ACLs, you will frequently match against common TCP and UDP ports. You can use the port number or the protocol name in the command.
| Service | Protocol | Port Number | Extended ACL Command Example |
|---|---|---|---|
| FTP (Data) | TCP | 20 | access-list 101 permit tcp any any eq 20 (or eq ftp-data) |
| FTP (Control) | TCP | 21 | access-list 101 permit tcp any any eq 21 (or eq ftp) |
| SSH | TCP | 22 | access-list 101 permit tcp any any eq 22 |
| Telnet | TCP | 23 | access-list 101 permit tcp any any eq 23 (or eq telnet) |
| SMTP (Email) | TCP | 25 | access-list 101 permit tcp any any eq 25 (or eq smtp) |
| DNS | UDP / TCP | 53 | access-list 101 permit udp any any eq 53 (or eq domain). DNS over TCP (zone transfers, large responses) needs a separate tcp entry. |
| HTTP (Web) | TCP | 80 | access-list 101 permit tcp any any eq 80 (or eq www) |
| HTTPS (Web) | TCP | 443 | access-list 101 permit tcp any any eq 443 |
3. Standard vs. Extended ACL Comparison
Use this table as a quick cheat sheet to remember the differences for the exam:
| Feature | Standard ACL | Extended ACL |
|---|---|---|
| Number Range | 1–99 and 1300–1999 | 100–199 and 2000–2699 |
| What it filters | Source IP only | Source/Dest IP, Protocol, and Port |
| Placement | Near the Destination | Near the Source |
| Best Use | Blocking a whole network | Specific services (Web, Email, SSH) |
4. Pro-Tip: Applying to the Interface
An ACL is just a "list" until you apply it to an interface with ip access-group, and it must be applied in a specific direction (one ACL per interface, per direction, per protocol). Entries are checked top-down and the first match wins; if no entry matches, the packet is dropped by the implicit deny any at the end of every ACL, so a list containing only deny statements blocks everything.
- Inbound (in): Filters packets as they arrive on the interface, before the router makes a routing decision.
- Outbound (out): Filters packets as they leave the interface, after routing. Traffic generated by the router itself is not checked by an outbound ACL.
Router(config)# interface Gi0/0
Router(config-if)# ip access-group 101 in
5. Wildcard Masks for Extended ACLs
To target a whole group of IPs instead of just one host (using the host keyword) or everyone (using the any keyword), you use Wildcard Masks. The wildcard mask is the bitwise inverse of the subnet mask: a 0 bit means the packet's address must match that bit of the listed address, a 1 bit means "don't care". So 0.0.0.0 matches exactly one host (what host abbreviates) and 255.255.255.255 matches everything (what any abbreviates).
Using Wildcard Masks
If you want to permit a whole subnet (e.g., 192.168.1.0/24) to reach a destination server, use the network ID and wildcard mask: permit tcp 192.168.1.0 0.0.0.255 host 10.1.1.50 eq 80. For a /16 the wildcard would be 0.0.255.255; in general, subtract the subnet mask from 255.255.255.255 octet by octet.
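As an added example (not part of the original notes), the following Python script models how a router evaluates the Extended ACL entries described in sections 2, 4 and 5: it parses access-list lines, expands host and any into address/wildcard pairs, applies the wildcard-mask match bit by bit, walks the list top-down with first-match-wins, and falls through to the implicit deny when nothing matches. The ACL lines and the packets are constructed for this example, and PORT_NAMES is only the subset of IOS port keywords listed in the table above.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subset of the IOS port-name keywords from the table above (constructed for this example).
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}
ANY = ("0.0.0.0", "255.255.255.255")   # what the "any" keyword expands to


def prefix_to_wildcard(prefix_len: int) -> str:
    """Wildcard mask for a /prefix, i.e. the bitwise inverse of the subnet mask."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").hostmask)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must match the base address; a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a ^ b) & care == 0


@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    protocol: str                # "tcp", "udp", "icmp" or "ip" (any IP protocol)
    src: Tuple[str, str]         # (address, wildcard)
    dst: Tuple[str, str]
    dst_port: Optional[int]      # only meaningful for tcp/udp


def _parse_addr(tokens: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Consume "any", "host A" or "A WILDCARD" starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_entry(line: str) -> Entry:
    """Parse one 'access-list N <action> <proto> <src> <dst> [eq PORT]' line."""
    t = line.split()
    number = int(t[1])
    if t[0] != "access-list" or not (100 <= number <= 199 or 2000 <= number <= 2699):
        raise ValueError(f"not an extended numbered ACL entry: {line}")
    action, proto = t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    port = None
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        if proto not in ("tcp", "udp"):
            raise ValueError(f"port operator is only valid with tcp/udp: {line}")
    return Entry(action, proto, src, dst, port)


def evaluate(acl: List[Entry], proto: str, src: str, dst: str,
             dst_port: Optional[int] = None) -> str:
    """Top-down, first match wins; no match falls through to the implicit deny."""
    for e in acl:
        if e.protocol != "ip" and e.protocol != proto:
            continue
        if not (wildcard_match(src, *e.src) and wildcard_match(dst, *e.dst)):
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action
    return "deny"   # implicit "deny ip any any" at the end of every ACL


# Constructed ACL for this example: web and DNS to two servers, no telnet anywhere,
# and everything else from the LAN to 10.1.0.0/16. Order matters: the telnet deny
# must precede the broad "permit ip" line or it would never be reached.
ACL_101 = [parse_entry(line) for line in """
access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 10.1.1.50 eq www
access-list 101 permit udp 192.168.1.0 0.0.0.255 host 10.1.1.53 eq domain
access-list 101 deny tcp any any eq telnet
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.1.0.0 0.0.255.255
""".split("\n") if line.strip()]


if __name__ == "__main__":
    for pkt in [("tcp", "192.168.1.10", "10.1.1.50", 80),
                ("tcp", "192.168.1.10", "10.1.1.50", 23),
                ("tcp", "192.168.2.10", "10.1.1.50", 80)]:
        print(pkt, "->", evaluate(ACL_101, *pkt))
```

Running it shows the web request permitted by the first line, the telnet attempt denied by the third, and the packet from 192.168.2.10 denied by the implicit deny even though no line mentions it. Swapping the broad permit ip line to the top of the list makes the telnet deny unreachable, which is the ordering mistake the top-down rule punishes.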