Extended IP Access Control Lists and Configuration

Extended IP access control lists (ACLs) allow for filtering traffic based on both the source and destination IP addresses, as well as protocol type, port numbers, and other Layer 3 and Layer 4 criteria. They are numbered from 100 to 199 and 2000 to 2699.

The configuration of an extended ACL involves the following steps:

Enter global configuration mode:

configure terminal

Create the extended ACL using the access-list command followed by the ACL number and the permit or deny keyword. In this example, we will create ACL 101 to deny all Telnet traffic to a specific destination IP address:

access-list 101 deny tcp any host 192.168.1.10 eq telnet

(Optional) Add additional rules to the ACL using the same access-list command:

access-list 101 permit ip any any

In this example, we added a rule to permit any traffic that is not denied by the previous rule.

Apply the ACL to an interface using the ip access-group command followed by the ACL number and the interface name:

interface GigabitEthernet0/0

ip access-group 101 in

In this example, we applied ACL 101 to the incoming traffic on interface GigabitEthernet0/0. Note that extended ACLs have more granular filtering options, but they can also be more complex to configure. It’s important to test ACLs thoroughly before applying them in a production environment, to ensure that they do not inadvertently block desired traffic. Additionally, extended ACLs should be applied as close to the source as possible, to avoid filtering traffic that has already traversed the network.