Extended Access Control Lists (ACLs): Fine-Grained Network Traffic Filtering

Learn how to use extended access control lists (ACLs) for granular control over network traffic. This guide explains how extended ACLs allow filtering based on source/destination IP addresses, protocols, and port numbers, enhancing network security and management.

What is an Extended Access List?

An extended access list (ACL) is a powerful tool for controlling network traffic. Unlike standard ACLs, which filter traffic based only on the source IP address, extended ACLs provide more granular control. They allow you to filter traffic based on the source IP address, the destination IP address, the protocol type (TCP, UDP, ICMP, etc.), and port numbers. This allows for much more precise control over what traffic is allowed or denied on your network.

Key Features of Extended Access Lists

  • Filters based on source and destination IP addresses, protocol type, and port numbers.
  • Allows for filtering specific services (like FTP or Telnet).
  • Uses numbered ACLs (100-199 and 2000-2699) or named ACLs.
  • Rules are processed sequentially (top to bottom); the first matching rule determines the action.
  • Implicit deny at the end of numbered lists (traffic not explicitly permitted is denied).
  • Individual rules can be removed from named ACLs; numbered ACLs require deleting the entire list to remove a rule.

Example: Configuring an Extended ACL

Let's say you have three departments (Sales, Finance, Marketing) on a network, each with its own subnet:

  • Sales: 172.16.40.0/24
  • Finance: 172.16.50.0/24
  • Marketing: 172.16.60.0/24

You want to implement these rules:

  • Block FTP (port 21) access from Sales to Finance.
  • Block Telnet (port 23) access from Sales and Marketing to Finance.
  • Allow all other traffic.

1. Creating a Numbered Extended Access List:

R1(config)# access-list 110 remark Block FTP and Telnet from Sales, and Telnet from Marketing, to Finance
R1(config)# access-list 110 deny tcp 172.16.40.0 0.0.0.255 172.16.50.0 0.0.0.255 eq 21
R1(config)# access-list 110 deny tcp 172.16.40.0 0.0.0.255 172.16.50.0 0.0.0.255 eq 23
R1(config)# access-list 110 deny tcp 172.16.60.0 0.0.0.255 172.16.50.0 0.0.0.255 eq 23
R1(config)# access-list 110 permit ip any any

A numbered list has no "access-list 110 extended" form: the number (100-199) already marks it as extended, and every entry is entered as its own access-list 110 line. The 0.0.0.255 values are wildcard masks (a 0 bit must match, a 1 bit is ignored), and "eq 21" / "eq 23" after the destination match the destination port. The Telnet rule is written per source subnet rather than as "deny tcp any ... eq 23", because the "any" form would also block Telnet to Finance from every other source, which the stated rules do not ask for.

2. Applying the Numbered Access List:

R1(config)# interface fa0/1
R1(config-if)# ip access-group 110 out

This assumes fa0/1 is the interface facing the Finance subnet, so the list is evaluated on traffic leaving the router towards Finance. An ACL applied on the wrong interface or in the wrong direction never sees the traffic it is meant to filter, so verify placement with show ip interface fa0/1 and the hit counters in show access-lists 110.

Creating a Named Extended Access List

Named ACLs offer better management. You can add or remove individual rules without needing to recreate the entire list. Here's an example that implements the same rules as the numbered ACL above:

R1(config)# ip access-list extended block_access
R1(config-ext-nacl)# deny tcp 172.16.40.0 0.0.0.255 172.16.50.0 0.0.0.255 eq 21
R1(config-ext-nacl)# deny tcp 172.16.40.0 0.0.0.255 172.16.50.0 0.0.0.255 eq 23
R1(config-ext-nacl)# deny tcp 172.16.60.0 0.0.0.255 172.16.50.0 0.0.0.255 eq 23
R1(config-ext-nacl)# permit ip any any
R1(config-ext-nacl)# exit

Applying this named list to an interface uses the same command structure as above (ip access-group ... out under the interface), referencing block_access instead of 110.
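The first-match and implicit-deny behaviour listed under the key features, applied to the rules configured above, as an added example that is not part of the original article: a small Python evaluator that parses access control entries in the syntax the article uses, applies Cisco wildcard-mask matching, and reports which line decides each sample flow. It also carries the broader "deny tcp any ... eq 23" form of the Telnet rule so the two can be compared on the same flows. The sample flows, the admin host 10.0.0.5 and all function names are constructed for this example.

```python
"""Evaluate Cisco-style extended ACL entries against sample flows.

Added example: parses the ACE syntax used in the article, applies wildcard-mask
matching and first-match semantics, and models the implicit deny at the end.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample: ACL 110 from the article, one access control entry (ACE)
# per line, with the "access-list 110" prefix stripped as the router stores it.
ACL_110_LINES = [
    "deny tcp 172.16.40.0 0.0.0.255 172.16.50.0 0.0.0.255 eq 21",
    "deny tcp 172.16.40.0 0.0.0.255 172.16.50.0 0.0.0.255 eq 23",
    "deny tcp 172.16.60.0 0.0.0.255 172.16.50.0 0.0.0.255 eq 23",
    "permit ip any any",
]

# Constructed variant: the broader "any" form of the Telnet rule, kept here to
# show how much more it blocks than the per-subnet entries above.
ACL_ANY_TELNET_LINES = [
    "deny tcp any 172.16.50.0 0.0.0.255 eq 23",
    "permit ip any any",
]

AddrSpec = Tuple[int, int]  # (address, wildcard mask), both as 32-bit ints


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp", ...
    src: AddrSpec
    dst: AddrSpec
    dport: Optional[int]   # destination port from "eq N", if present


def _parse_addr(tokens, i):
    """Parse 'any' or '<address> <wildcard>' starting at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1   # all-ones wildcard matches anything
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wildcard), i + 2


def parse_ace(line: str) -> Ace:
    """Parse one ACE such as 'deny tcp 172.16.40.0 0.0.0.255 any eq 23'."""
    t = line.split()
    src, i = _parse_addr(t, 2)
    dst, i = _parse_addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Ace(t[0], t[1], src, dst, dport)


def addr_matches(spec: AddrSpec, ip: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    addr, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)


def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, line_number); the first matching ACE decides.

    If no ACE matches, the router's implicit deny applies, reported as line None.
    """
    for n, ace in enumerate(acl, start=1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (addr_matches(ace.src, src) and addr_matches(ace.dst, dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, n
    return "deny", None


ACL_110 = [parse_ace(line) for line in ACL_110_LINES]
ACL_ANY_TELNET = [parse_ace(line) for line in ACL_ANY_TELNET_LINES]

if __name__ == "__main__":
    # Constructed flows: (label, proto, src, dst, dport); 10.0.0.5 is a made-up admin host.
    flows = [
        ("Sales -> Finance FTP", "tcp", "172.16.40.10", "172.16.50.5", 21),
        ("Sales -> Finance Telnet", "tcp", "172.16.40.10", "172.16.50.5", 23),
        ("Marketing -> Finance Telnet", "tcp", "172.16.60.7", "172.16.50.5", 23),
        ("Marketing -> Finance FTP", "tcp", "172.16.60.7", "172.16.50.5", 21),
        ("Admin 10.0.0.5 -> Finance Telnet", "tcp", "10.0.0.5", "172.16.50.5", 23),
    ]
    for label, proto, src, dst, dport in flows:
        print(f"{label:34} ACL 110: {evaluate(ACL_110, proto, src, dst, dport)}"
              f"  any-form: {evaluate(ACL_ANY_TELNET, proto, src, dst, dport)}")
```

Evaluating the same flows against ACL_110 with its final permit entry dropped (ACL_110[:-1]) returns ("deny", None) for everything that no deny line matches, which is exactly the implicit deny a router applies when the closing permit ip any any is forgotten; the admin-host flow shows the difference between the per-subnet Telnet rule and the "any" form.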

Conclusion

Extended ACLs provide more granular control over network traffic than standard ACLs. They are an essential tool for implementing detailed security policies and managing network access. The use of named ACLs is generally preferred for more manageable and maintainable configuration files.