Extended Access Control Lists (ACLs)

In this lesson we’re going to be taking a look at Extended Access Control Lists (ACLs). We’ll be discussing how extended ACLs operate, their use cases and the modes available on Cisco IOS devices.

Exam Topic

5.0 Security
5.2 Configure and verify infrastructure security features
5.2.a ACLs

Overview

Unlike standard ACLs, which match on source address only, extended ACLs give us a much more granular method of filtering network traffic.

We can configure our extended ACL to filter based on the following:

  • Protocol
  • Port number
  • Source address
  • Destination address

When creating an extended ACL we have the option to use one of the following:

  • Numbered
  • Named

Personally, I find it easier to use named ACLs when creating ACLs so that they can be easily identified by anyone amending the configuration.

If we use numbers to create our extended ACL, the number needs to fall within one of the following ranges in order for our Cisco IOS devices to recognise it as an extended ACL:

  • 100 – 199
  • 2000 – 2699

Extended ACLs can be extremely useful in a number of different scenarios:

  • Restricting which protocols can reach a network.
  • Restricting which sources are permitted remote access (VTY lines).

Topology Setup

To provide a little bit of context whilst we complete the configuration, let’s take a look at the topology we’ll be using.

Extended ACL Topology

In our example we’ll be restricting ICMP traffic from R2 on R1 using an extended ACL on R1.

Basic R1 Configuration

We’ll start by configuring our interfaces and networks on R1.

R1#configure terminal
R1(config)#interface loopback1
R1(config-if)#ip address 172.16.10.254 255.255.255.0
R1(config-if)#interface loopback2
R1(config-if)#ip address 172.16.20.254 255.255.255.0
R1(config-if)#interface loopback3
R1(config-if)#ip address 172.16.30.254 255.255.255.0
R1(config-if)#interface loopback4
R1(config-if)#ip address 172.16.40.254 255.255.255.0
R1(config-if)#exit

To start off, we’ll configure our networks behind R1 as loopback interfaces.

R1(config)#interface GigabitEthernet0/0
R1(config-if)#ip address 10.10.10.1 255.255.255.0

Next up, we’ll configure our interface connecting R1 to R2.

R1(config)#router eigrp 10
R1(config-router)#network 10.10.10.0 0.0.0.255
R1(config-router)#network 172.16.10.0 0.0.0.255
R1(config-router)#network 172.16.20.0 0.0.0.255
R1(config-router)#network 172.16.30.0 0.0.0.255
R1(config-router)#network 172.16.40.0 0.0.0.255

Finally, we’ll advertise our networks using EIGRP to allow us to route between the networks.

Basic R2 Configuration

We’ll do the same for R2 allowing us to route between our networks.

R2#configure terminal
R2(config)#interface loopback1
R2(config-if)#ip address 192.168.10.254 255.255.255.0
R2(config-if)#interface loopback2
R2(config-if)#ip address 192.168.20.254 255.255.255.0
R2(config-if)#interface loopback3
R2(config-if)#ip address 192.168.30.254 255.255.255.0
R2(config-if)#interface loopback4
R2(config-if)#ip address 192.168.40.254 255.255.255.0
R2(config-if)#exit

To start off, we’ll configure our networks behind R2 as loopback interfaces.

R2(config)#interface GigabitEthernet0/1
R2(config-if)#ip address 10.10.10.2 255.255.255.0

Next up, we’ll configure our interface connecting R2 to R1.

R2(config)#router eigrp 10
R2(config-router)#network 10.10.10.0 0.0.0.255
R2(config-router)#network 192.168.10.0 0.0.0.255
R2(config-router)#network 192.168.20.0 0.0.0.255
R2(config-router)#network 192.168.30.0 0.0.0.255
R2(config-router)#network 192.168.40.0 0.0.0.255

Finally, we’ll advertise our networks using EIGRP to allow us to route between the networks.

Verification

Before we configure our extended ACL, let’s confirm we can ping between our networks.

R2#ping 172.16.10.254 source loopback 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.10.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/24 ms

R2#ping 172.16.20.254 source loopback 2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.20.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/24 ms

R2#ping 172.16.30.254 source loopback 3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.30.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/24 ms

R2#ping 172.16.40.254 source loopback 4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.40.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/24 ms

It’s looking good! We can route from our networks on R2 to the networks on R1.

Configuration

Let’s start by taking a look at configuring our extended ACL on R1.

Configuring Extended Access-List

We’ll start off by configuring a numbered extended ACL. The first thing we need to do is create the ACL on our device.

R1#configure terminal
R1(config)#ip access-list extended 100

We can create the numbered extended ACL using the ip access-list extended command, followed by the number we want to allocate to it. In this example, I’ll use 100.

Remember, the number we use for our extended ACL needs to fall into the numbers outlined earlier in the lesson.

R1#configure terminal
R1(config)#ip access-list extended FILTER_R2

Alternatively, we can create a named extended ACL using the ip access-list extended command followed by the name of our ACL – in this case FILTER_R2.

We then need to add our ACL rules, known as Access Control Entries (ACEs).

R1(config-ext-nacl)#permit ?
  <0-255>  An IP protocol number
  ahp      Authentication Header Protocol
  eigrp    Cisco’s EIGRP routing protocol
  esp      Encapsulation Security Payload
  gre      Cisco’s GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  ip       Any Internet Protocol
  ipinip   IP in IP tunneling
  nos      KA9Q NOS compatible IP over IP tunneling
  ospf     OSPF routing protocol
  pcp      Payload Compression Protocol
  pim      Protocol Independent Multicast
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol

Unlike standard ACLs, we now have the ability to filter traffic by protocol – in this example, we’ll filter based on ICMP.

R1(config-ext-nacl)#permit icmp ?
  A.B.C.D  Source address
  any      Any source host
  host     A single source host

We now have the option to match on a source network (address plus wildcard mask), a single host, or any source.

We’ll use a source network and wildcard mask to match our R2 networks.

R1(config-ext-nacl)#permit icmp 192.168.10.0 0.0.0.255 ?
  A.B.C.D  Destination address
  any      Any destination host
  host     A single destination host

We then need to decide where the traffic is allowed to go, using either a destination network, a single destination host, or any destination.

We’ll specify the any keyword to match traffic to any destination.

R1(config-ext-nacl)#permit icmp 192.168.10.0 0.0.0.255 any
R1(config-ext-nacl)#permit icmp 10.10.10.0 0.0.0.255 any

Our final commands look like this. Our next step is to assign the ACL to an interface on R1.

What the first rule is permitting is:

Allow ICMP traffic from 192.168.10.0/24 to any network

R1(config)#interface GigabitEthernet0/0
R1(config-if)#ip access-group FILTER_R2 in

The next step is to apply our extended ACL to an interface. As we want to restrict ICMP arriving from R2, we need to apply it to interface GigabitEthernet0/0. We can achieve this using the ip access-group command followed by either the number allocated to our ACL or its name. Finally, we need to specify whether we want to filter traffic leaving the interface or entering the interface; this is achieved with the out or in keyword respectively.
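To make the matching rules concrete, here is a small Python model (an added example, not part of the lesson or Cisco IOS) of how a router walks the ACEs of FILTER_R2 top down, applies the wildcard masks, and falls through to the implicit deny ip any any that every IOS ACL ends with. The constructed sample packets assume the addressing from this topology; the third packet (an EIGRP hello from R2's 10.10.10.2) shows the caveat that an ACL containing only ICMP permits also drops the routing protocol traffic arriving inbound on GigabitEthernet0/0.

```python
# Added example: minimal model of IOS extended-ACL evaluation.
# Semantics are reduced to what this lesson uses: protocol keyword,
# source/destination as "A.B.C.D wildcard", "host A.B.C.D" or "any".
import ipaddress


def wildcard_match(addr, network, wildcard):
    """IOS wildcard-mask match: a 0 bit in the mask means 'must match'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)


def _take_addr(tok):
    """Consume one address specification and return ((network, wildcard), rest)."""
    if tok[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tok[1:]
    if tok[0] == "host":
        return (tok[1], "0.0.0.0"), tok[2:]
    return (tok[0], tok[1]), tok[2:]


def parse_ace(line):
    """Parse an ACE such as 'permit icmp 192.168.10.0 0.0.0.255 any'."""
    tok = line.split()
    action, proto, rest = tok[0], tok[1], tok[2:]
    src, rest = _take_addr(rest)
    dst, _ = _take_addr(rest)
    return action, proto, src, dst


def evaluate(acl, proto, src, dst):
    """Return (action, matching ACE); first match wins, else implicit deny."""
    for line in acl:
        action, p, (sn, sw), (dn, dw) = parse_ace(line)
        # The 'ip' keyword matches any IP protocol.
        if p in (proto, "ip") and wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action, line
    return "deny", "implicit deny ip any any"


# The ACEs configured on R1 in this lesson (sequence numbers omitted).
FILTER_R2 = [
    "permit icmp 192.168.10.0 0.0.0.255 any",
    "permit icmp 10.10.10.0 0.0.0.255 any",
]

if __name__ == "__main__":
    # Constructed sample packets arriving inbound on R1 GigabitEthernet0/0.
    for pkt in [("icmp", "192.168.10.254", "172.16.10.254"),
                ("icmp", "192.168.20.254", "172.16.20.254"),
                ("eigrp", "10.10.10.2", "224.0.0.10")]:
        print(pkt, "->", evaluate(FILTER_R2, *pkt))
```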

Verification

Now that we’ve configured our extended ACL and applied it to GigabitEthernet0/0, we need to verify our configuration.

R1#show ip access-lists FILTER_R2
Extended IP access list FILTER_R2
    10 permit icmp 192.168.10.0 0.0.0.255 any

We can confirm the ACEs in our extended ACL using the show ip access-lists command.

R1#show run | inc interface | access-group
interface GigabitEthernet0/0
 ip access-group FILTER_R2 in

interface GigabitEthernet0/1
interface Serial2/0
interface Serial2/1

Using the filters built into the show run command we can see that our extended ACL is applied to interface GigabitEthernet0/0.

R2#ping 172.16.10.254 source loopback1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.10.254, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/20/24 ms

To confirm our ACL is working, let’s ping one of our R1 networks from our loopback 1 interface (192.168.10.0/24). This source is permitted by our ACL, so the ping succeeds.