Prerequisite – Access-lists (ACL), Standard Access-list
Access-list (ACL) is a set of rules defined for controlling network traffic and reducing network attacks. ACLs are used to filter traffic based on the set of rules defined for the incoming or outgoing of the network.
Extended Access-list –
It is one of the types of Access-list which is mostly used as it can distinguish IP traffic therefore the whole traffic will not be permitted or denied like in standard access-list. These are the ACL that uses both source and destination IP address and also the port numbers to distinguish IP traffic. In this type of ACL, we can also mention which IP traffic should be allowed or denied. These use range 100-199 and 2000-2699.
- Extended access-list is generally applied close to the source but not always.
- In the Extended access list, packet filtering takes place on the basis of source IP address, destination IP address, port numbers.
- In an extended access list, particular services will be permitted or denied.
- Extended ACL is created from 100 – 199 & extended range 2000 – 2699.
- If numbered with extended Access-list is used then remember rules can’t be deleted. If one of the rules is deleted then the whole access list will be deleted.
- If named with extended Access-list is used then we have the flexibility to delete a rule from the access list.
Here is a small topology in which there are 3 departments namely sales, finance, and marketing. The sales department has a network of 172.16.10.40/24, the Finance department has a network of 172.16.50.0/24, and the marketing department has a network of 172.16.60.0/24. Now, we want to deny the FTP connection from the sales department to finance department and deny telnet to the Finance department from both the sales and marketing departments.
Now, first configuring numbered extended access – list for denying FTP connection from sales to finance department.
R1# config terminal R1(config)# access-list 110 deny tcp 172.16.40.0 0.0.0.255 172.16.50.0 0.0.0.255 eq 21
Here, we first create a numbered Access-list in which we use 110 (used from extended access-list range) and deny the sales network (172.16.40.0) to make an FTP connection to the finance network (172.16.50.0).
Note – Here, as FTP uses TCP and port number 21. Therefore, we have to specify the permit or deny the condition according to the need. Also, after eq, we have to use the port number for the specified application layer protocol.
Now, we have to deny telnet connection to finance department from both sales and Marketing department which means no one should telnet to finance department. Configuring for the same.
R1(config)# access-list 110 deny tcp any 172.16.50.0 0.0.0.255 eq 23
Here, we have used the keyword any which means 0.0.0.0 0.0.0.0 i.e any IP address from any subnet mask. As telnet uses port number 23 therefore, we have to specify the port number 23 after eq.
R1(config)# access-list 110 permit ip any any
Now, this is the most important part. As we already know there is an implicit deny at the end of every access list which means that if the traffic doesn’t match any of the rules of Access-list then the traffic will be dropped.
By specifying any any means that source having any IP address traffic will reach finance department except the traffic which it matches the above rules that we have made. Now, we have to apply the access-list on the interface of the router:
R1(config)# int fa0/1 R1(config-if)# ip access-group 110 out
As we remember, we have to apply the extended access-list as close as possible to source but here we have applied it to close to the destination because we have to block the traffic from both sales and marketing department, therefore, we have to apply it close to the destination here otherwise we have to make separate access-list for fa0/0 and fa1/0 inbound.
Named access-list example –
Now, considering the same topology, we will make a named extended access list.
R1(config)# ip access-list extended blockacl
By using this command we have made an access-list named blockacl.
R1(config-ext-nacl)# deny tcp 172.16.40.0 0.0.0.255 172.16.50.0 0.0.0.255 eq 21 R1(config-ext-nacl)# deny tcp any 172.16.50.0 0.0.0.255 eq 23 R1(config-ext-nacl)# permit ip any any
And then the same configuration we have done in numbered access-list.
R1(config)# int fa0/1 R1(config-if)# ip access-group blockacl out