An extended access-list (100 – 199) is an ordered list of statements that can deny or permit packets based on source and destination IP address, port numbers and upper-layer protocols. Standard access list can deny or permit packets by source address only and permit or deny entire TCP/IP protocol suite. Therefore by extended, it means greater functionality and flexibility. Extended access list is a good example of “packet filtering” where the flow of data packets can be controlled in your network. It can filter based on source and destination, specific IP protocol and port number.
What do you include in your access list?
A good way to start is to gather the IP addresses for your network as well as the port numbers required by your applications. Your security policy would define what services to permit into and out of your network. Once you have a good understanding of what applications you must permit, the next factor would be what router interface you are going to apply the access list and which direction either inbound or outbound.
Note that an access list is an ordered list and therefore the sequence of your statements is crucial. Also, at the end of the list is an implicit deny of everything that is not permitted. The best security practice is to only allow packets that are explicitly permitted and deny everything else. The access list can always be modified to include needed services.
The following is the syntax for using an extended access list:
Access-list <number 100-199> <permit | deny> <protocol> <source> < sourcemask> <operator source port> < destination> <destination-mask> < operator destination port> <options> < log>
To understand better, I am going to break down the entries into fields:
- Access-list is the command use.
- access list number Extended IP Access List uses a number in the
- range of 100 to 199. This is a required field.
- permit or deny Allow or block traffic. This is a required field.
- protocol IP, TCP, UDP, ICMP, GRE and IGRP. TCP,
- UDP and ICMP use IP at the network layer.
- Source This is the Source IP address. This is a required field.
- source mask Wildcard mask; 0 indicate positions that must
- match, 1s indicate don’t care positions
- (inverted mask). This is a required field.
- operator source port lt, gt, eq, neq (less than, greater than, equal,
- not equal) and a port number.
- destination The destination IP address.
- destination mask Wildcard mask; 0 indicate positions that must
- match, 1s indicate don’t care positions
- (inverted mask)
- operator destination port lt, gt, eq, neq (less than, greater than, equal,
- not equal) and a port number
- options Typical is “established” to see if ACK or RST
- bits is set.
- Log logs to the router’s buffer or a syslog server.
Extended ACL Lab:
In this activity you will learn to configure and apply a Standard and Extended access list to control access to devices within the network lab as well as apply an access list as an access class to restrict telnet access to some devices.
In addition to the basic activity there are some bonus tasks that will challenge you to create additional Extended Access Control List to create a DMZ and allow certain types of traffic to and from some end devices while deny all external access to other devices.
The initial Packet Tracer configuration of all routers, switches, and end devices has been completed. In addition the router labeled ISP has been configured as a route generator to simulate the internet.
The initial and finished router startup configuration files have been supplied to allow those that wish to use GNS3 to complete the lab.
Search for Additional CCNA Labs: [adsense_id=”4″]
Extended ACL (330.4 KiB, 5,370 hits) Packet Tracer 5-3-3 By Cisco (48.3 MiB, 1,934 hits)
You do not have permission to download this file.
Posted in 
Tags:
Hey mate wheres the problem? There is a solution with configuration but there is no problem on the PT Activity??? LOL wtf