Advanced IP Access Control Lists Notes

Extended Numbered IP Access Control Lists

Extended ACLs work in the same way as standard ACLs but provide additional functions. Extended ACLs can also filter by the protocol type field (for example TCP or UDP).

Extended ACLs use access-list numbers 100-199 and 2000-2699.

R1(config)#access-list 101 permit protocol source_IP des_IP

Protocol type options

IP
TCP
UDP
ICMP
OTHERS...


Extended ACL logic 

access-list 101 deny tcp any any - deny all tcp traffic to and from any hosts
access-list 101 deny ip host 1.1.1.1 host 2.2.2.2 - deny traffic between host 1 and host 2
access-list 101 deny udp 1.1.1.0 0.0.0.255 any - deny udp packets going from 1.1.1.0 to any destination

In an extended ACL, each and every parameter of an entry must match, or else that entry does not apply to the packet.

Matching TCP and UDP Port Numbers

When the tcp or udp keyword is used in the ACL, source and destination ports can optionally be configured.

access-list 101 permit protocol source_IP source_port des_IP dest_port

source_port and dest_port are configured with 5 different operators:

eq (equal), neq (not equal), lt (less than), gt (greater than) and range (x to y values)

Both source_port and dest_port are optional; we'll see why below.

access-list 101 permit tcp 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21

This access list is allowing traffic from the 172.16.1.0 network to access the 172.16.3.0 network but only with a dest_port of 21 for FTP.

We now see that we can get pretty picky on which packets are allowed by adding a source_port as well.

Here is another, just to get familiar:

access-list 101 permit udp 1.0.0.0 0.255.255.255 lt 1023 any

Permits UDP traffic from the 1.0.0.0 network to any destination as long as the source port is less than 1023. The lt 1023 clause follows the source address, so it is matched against the source port.
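
Added example (not part of the original notes): a small Python evaluator for the extended ACL syntax above, showing that every field of an entry must match and that the position of the [operator port] clause decides whether it tests the source or the destination port. The function names and the sample list are constructed for illustration; top-down first-match evaluation and the final implicit deny are standard IOS behaviour that the notes do not spell out.

```python
import ipaddress
ACL = [  # constructed sample built from ACEs quoted on this page
    "access-list 101 permit tcp 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21",
    "access-list 101 permit udp 1.0.0.0 0.255.255.255 lt 1023 any",
    "access-list 101 deny ip host 1.1.1.1 host 2.2.2.2",
]

def parse_addr(tok):
    """Consume 'any', 'host IP' or 'IP WILDCARD'; return (address, wildcard) as ints."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tok.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tok.pop(0)))

def parse_port(tok):
    """Consume an optional '[operator port]' clause; None means any port matches."""
    if tok and tok[0] in ("eq", "neq", "lt", "gt", "range"):
        op = tok.pop(0)
        return op, [int(tok.pop(0)) for _ in range(2 if op == "range" else 1)]
    return None

def parse_ace(line):
    tok = line.split()[2:]  # drop 'access-list <number>'; 'established'/'log' not modelled
    action, proto = tok.pop(0), tok.pop(0)
    src, sport = parse_addr(tok), parse_port(tok)
    dst, dport = parse_addr(tok), parse_port(tok)
    return action, proto, src, sport, dst, dport

def addr_ok(ip, rule):
    addr, wild = rule
    care = ~wild & 0xFFFFFFFF  # wildcard bit 1 = ignore, 0 = must match
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)

def port_ok(port, rule):
    if rule is None:
        return True
    op, v = rule
    return {"eq": port == v[0], "neq": port != v[0], "lt": port < v[0],
            "gt": port > v[0], "range": v[0] <= port <= v[-1]}[op]

def evaluate(acl, proto, src, sport, dst, dport):
    for action, p, s, sp, d, dp in map(parse_ace, acl):
        if (p in ("ip", proto) and addr_ok(src, s) and addr_ok(dst, d)
                and port_ok(sport, sp) and port_ok(dport, dp)):
            return action  # first entry whose every field matches wins
    return "deny"  # IOS ends every ACL with an implicit deny
```

A UDP packet from 1.2.3.4 with source port 5000 and destination port 53 is denied by this list, because the lt 1023 clause in the second entry tests the source port, not the destination.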

CCNA Extended IP Access List Configuration Commands

access-list access-list-number { deny | permit } protocol source source-wildcard destination destination-wildcard [ log | log-input ]

access-list access-list-number {deny | permit } {tcp | udp} source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]

Named ACLs and ACL Editing

Named ACLs can be used for filtering packets, plus many other purposes. Just like numbered ACLs, named ACLs have standard and extended lists.

Named ACLs vs Numbered ACLs


  • Names are easier for humans to remember than ACL numbers
  • Use ACL subcommands, not global commands, to define the action and matching parameters
  • Better ACL editing tools (Cisco has since added some of these features to numbered ACLs as well)

Convert Numbered ACLs to Named ACLs

Numbered ACLs

R1(config)#access-list 1 permit 1.1.1.1
R1(config)#access-list 1 permit 2.2.2.2
R1(config)#access-list 1 permit 3.3.3.3

Equivalent Named ACL

R1(config)#ip access-list standard duffney
R1(config-std-nacl)#permit 1.1.1.1
R1(config-std-nacl)#permit 2.2.2.2
R1(config-std-nacl)#permit 3.3.3.3


Named ACLs were invented to address the shortcomings of numbered ACLs. Numbered ACLs are difficult to edit because they are typically one line and most often have to be rewritten. With a named ACL, any given line within it can be edited or deleted, which allows a much easier method of modification.

View ACLs with
R1#show access-list

R1(config-ext-nacl)#no deny ip 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255

Removes the deny statement from the ACL.

Reflexive access lists - add additional security to the network by allowing the router to identify destination ports on incoming frames, to avoid allowing potential hackers in through access lists.

Dynamic ACLs - force a user to telnet into a router and authenticate with a username and password. The router then dynamically updates the ACL with the user's IP and grants access.

Time-based ACLs - put an expiration on any given ACL.