Access Control Lists (ACLs) are sequential filters used by routers to permit or deny packets based on specific criteria. While Standard ACLs are limited to checking source IP addresses, Extended ACLs offer granular control, filtering based on source, destination, protocol, and port numbers.
Extended ACL Range
Extended Numbered ACLs utilize the ranges 100 to 199 and 2000 to 2699. Using these numbers tells the IOS parser to compile extended filtering logic instead of standard logic.
1. Extended Numbered ACL Syntax
The command structure for an extended numbered ACL is:
Router(config)# access-list [100-199] [permit|deny] [protocol] [source_ip] [source_wildcard] [destination_ip] [destination_wildcard] [operator port]
Key Parameters Defined:
- Protocol: The transport/network layer protocol (e.g. `ip`, `tcp`, `udp`, `icmp`). Choosing `ip` matches all protocols carried inside the IP payload.
- Source/Destination: Define specific host IPs, subnet ranges (using wildcard masks), or use the keyword `any`.
- Operator & Port: Defines comparison rules like `eq` (equal), `neq` (not equal), `gt` (greater than), or `lt` (less than), followed by port names (like `www`, `domain`, `telnet`) or numbers (like `80`, `53`, `23`).
Examples:
Block host 192.168.1.5 from accessing web server 10.0.0.100 while permitting all other IP traffic:
```
Router(config)# access-list 101 deny tcp host 192.168.1.5 host 10.0.0.100 eq 80
Router(config)# access-list 101 permit ip any any
```
2. The Implicit Deny Any Any Rule
Every ACL has an invisible statement appended to the very bottom: deny everything else. If a packet does not match any permit/deny line in the list, it is automatically discarded.
Implicit Deny Trap
If you create an ACL containing only deny statements, the ACL will block 100% of all traffic: the traffic you named is denied explicitly, and everything else is discarded by the implicit deny. Always include at least one permit statement, or a final permit ip any any line, if you want to filter selectively.
3. Placement Rules (Standard vs. Extended)
To optimize router resources, apply ACLs according to Cisco's standard guidelines:
- Standard ACLs: Place as **close to the destination** as possible. Since standard ACLs only check the source, placing them too close to the source might block traffic intended for other valid destinations.
- Extended ACLs: Place as **close to the source** as possible. Because they check destination and port parameters, they can filter packets before they consume router bandwidth traversing the WAN link.
Applying to an Interface:
Use the ip access-group command under interface mode, specifying direction (in or out):
```
Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip access-group 101 in
```
ACLs use Wildcard Masks (inverse subnet masks) to determine which bits of an IP address to match. A wildcard bit of 0 means "match this bit exactly" and a wildcard bit of 1 means "ignore this bit", so an octet of 255 means "ignore this entire octet".
- Match a single host: IP `192.168.1.10` wildcard `0.0.0.0` (shortcut: `host 192.168.1.10`).
- Match a /24 subnet: IP `192.168.1.0` wildcard `0.0.0.255`.
- Match a /30 subnet: IP `10.0.0.0` wildcard `0.0.0.3`.
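As an added example (not code from the original page), the following Python evaluator ties sections 1, 2 and the wildcard rules together: it parses extended numbered ACEs in the syntax shown above, applies wildcard masks bit by bit, walks the list top-down with first match winning, and returns the implicit deny when nothing matches, so the deny-only trap from section 2 can be observed directly. The `PORT_NAMES` table, the sample ACL lists and the packet dictionaries are constructed for this example.

```python
import ipaddress
# Port keywords the page mentions (constructed lookup for this example).
PORT_NAMES = {"www": 80, "domain": 53, "telnet": 23}
OPS = {"eq": lambda p, n: p == n, "neq": lambda p, n: p != n,
       "gt": lambda p, n: p > n, "lt": lambda p, n: p < n}

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match exactly, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    keep = ~w & 0xFFFFFFFF  # bits the router actually compares
    return (a & keep) == (b & keep)

def _addr(t, i):
    """Consume 'any', 'host A', or 'A WILDCARD' starting at token index i."""
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2

def parse_ace(line):
    """Parse 'access-list N {permit|deny} PROTO SRC DST [op port]'; a leading prompt is stripped."""
    t = line.split("#", 1)[-1].split()
    num = int(t[1])
    if not (100 <= num <= 199 or 2000 <= num <= 2699):
        raise ValueError(f"{num} is not in an extended numbered ACL range")
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    port = None
    if i < len(t) and t[i] in OPS:
        port = (t[i], int(PORT_NAMES.get(t[i + 1], t[i + 1])))
    return {"action": t[2], "proto": t[3], "src": src, "dst": dst, "port": port}

def evaluate(acl, packet):
    """Walk the ACEs top-down, first match wins; no match falls through to the implicit deny."""
    for ace in map(parse_ace, acl):
        if ace["proto"] != "ip" and ace["proto"] != packet["proto"]:
            continue
        if not (wildcard_match(packet["src"], *ace["src"]) and wildcard_match(packet["dst"], *ace["dst"])):
            continue
        if ace["port"] and not OPS[ace["port"][0]](packet.get("dport", -1), ace["port"][1]):
            continue
        return ace["action"]
    return "deny"  # implicit deny any any

# Constructed sample ACLs: the page's ACL 101, and a deny-only list that triggers the trap.
ACL_101 = ["Router(config)# access-list 101 deny tcp host 192.168.1.5 host 10.0.0.100 eq 80",
           "Router(config)# access-list 101 permit ip any any"]
DENY_ONLY = ["access-list 102 deny tcp host 192.168.1.5 host 10.0.0.100 eq www"]
```

Feeding a packet to `evaluate(DENY_ONLY, ...)` that does not match the single deny line still returns `deny`, which is exactly the implicit-deny trap described in section 2.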