Creating an extended IP access list on a Cisco router

Access control lists (ACLs) provide a means to filter packets by controlling which network traffic may cross a specified interface. An ACL decides whether a passing packet is permitted or denied (inbound or outbound) and takes the corresponding action. You first create the ACL and then apply it to a specific interface.
There are three popular types of ACL: standard, extended and named ACLs. This example focuses only on extended IP access lists.

Extended access lists use numbers from 100 to 199 and check both the source and destination IP address of every packet.

Extended Access Control List

In this example we define an extended access control list that allows any network traffic from 10.20.1.0/24 to cross the Fa0/1 interface outbound. It matches any IP address in that network (10.20.1.1-10.20.1.254) that is going out of the interface.


Router# conf t
Router(config)# access-list 101 permit ip 10.20.1.0 0.0.0.255 any
Router(config)# interface Fa0/1
Router(config-if)# ip access-group 101 out
Router(config-if)# end
Router#

In the above example we created ACL 101 and allowed traffic from the 10.20.1.0/24 network to cross the interface and reach any destination network. We applied the ACL to FastEthernet 0/1 for outbound traffic.
So the two steps involved are creating the access control list and applying it to a specific interface, inbound or outbound.

Take a look at this other example, which allows only FTP connections from a local network to a specific host on another network. You would apply this to the router interface of the FTP machine.


Router# conf t
Router(config)# access-list 102 permit tcp 10.20.1.0 0.0.0.255 host 10.30.1.1 eq 20
Router(config)# access-list 102 permit tcp 10.20.1.0 0.0.0.255 host 10.30.1.1 eq 21
Router(config)# access-list 102 deny ip any any
Router(config)# interface Fa0/2
Router(config-if)# ip access-group 102 in
Router(config-if)# end
Router#

In the same way, we can control HTTP and Telnet access to a specified server. This list uses a new number, 103, because lines entered with an existing number are appended to that list, and anything appended after the "deny ip any any" line of ACL 102 would never be evaluated.

Router# conf t
Router(config)# access-list 103 permit tcp 10.20.1.0 0.0.0.255 host 10.30.1.1 eq 80
Router(config)# access-list 103 permit tcp 10.20.1.0 0.0.0.255 host 10.30.1.1 eq 23
Router(config)# access-list 103 deny ip any any
Router(config)# interface Fa0/2
Router(config-if)# ip access-group 103 in
Router(config-if)# end
Router#
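To make the matching rules behind these lists concrete, here is a small evaluator for numbered extended ACLs. It is an added illustration, not Cisco software or code from this page: it models wildcard-mask matching, first-match evaluation, the implicit deny at the end of every list, and the way IOS appends new lines to an existing list number. The ACL lines it reads are the ones shown above; the packets it tests are constructed samples, and the parser only understands the subset of syntax used on this page (ip/tcp/udp/icmp, any, host, an address plus wildcard, and a destination "eq" port).

```python
"""Toy evaluator for Cisco-style numbered extended ACLs (illustration only)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


@dataclass
class Packet:
    proto: str            # "tcp", "udp", "icmp" ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Entry:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol
    src: int              # base address as an integer
    src_wild: int         # wildcard mask: 1 bits are "don't care"
    dst: int
    dst_wild: int
    dport: Optional[int]  # destination port from "eq N", if any


def _addr_spec(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return 0, ALL_ONES, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1])), i + 2)


def parse_entry(line: str) -> Tuple[int, Entry]:
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACL line: {line}")
    proto = t[3].lower()
    if proto not in ("ip", "tcp", "udp", "icmp"):
        # IOS rejects 'deny any any' in an extended list: a protocol is required
        raise ValueError(f"extended ACL entry needs a protocol: {line}")
    src, src_wild, i = _addr_spec(t, 4)
    dst, dst_wild, i = _addr_spec(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return int(t[1]), Entry(t[2], proto, src, src_wild, dst, dst_wild, dport)


def build(lines: List[str]) -> Dict[int, List[Entry]]:
    """Group lines by list number in the order given, as IOS appends them."""
    acls: Dict[int, List[Entry]] = {}
    for line in lines:
        number, entry = parse_entry(line)
        acls.setdefault(number, []).append(entry)
    return acls


def _addr_match(addr: int, base: int, wild: int) -> bool:
    fixed = ~wild & ALL_ONES          # bits that must agree
    return (addr & fixed) == (base & fixed)


def matches(e: Entry, p: Packet) -> bool:
    return ((e.proto == "ip" or e.proto == p.proto)
            and _addr_match(int(ipaddress.IPv4Address(p.src)), e.src, e.src_wild)
            and _addr_match(int(ipaddress.IPv4Address(p.dst)), e.dst, e.dst_wild)
            and (e.dport is None or e.dport == p.dport))


def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; no match means the implicit deny (index None)."""
    for idx, e in enumerate(acl):
        if matches(e, p):
            return e.action, idx
    return "deny", None


def _covers(a: Entry, b: Entry) -> bool:
    """True if every packet that b could match is also matched by a."""
    def addr_covers(base_a, wild_a, base_b, wild_b):
        # a must ignore every bit b ignores, and agree on the bits it checks
        return (wild_b & ~wild_a) == 0 and ((base_a ^ base_b) & ~wild_a & ALL_ONES) == 0
    return ((a.proto == "ip" or a.proto == b.proto)
            and (a.dport is None or a.dport == b.dport)
            and addr_covers(a.src, a.src_wild, b.src, b.src_wild)
            and addr_covers(a.dst, a.dst_wild, b.dst, b.dst_wild))


def shadowed_entries(acl: List[Entry]) -> List[int]:
    """Indexes of entries that can never fire because an earlier entry covers them."""
    return [i for i, e in enumerate(acl) if any(_covers(a, e) for a in acl[:i])]


# The ACL lines from this page (constructed input for the evaluator).
PAGE_CONFIG = [
    "access-list 101 permit ip 10.20.1.0 0.0.0.255 any",
    "access-list 102 permit tcp 10.20.1.0 0.0.0.255 host 10.30.1.1 eq 20",
    "access-list 102 permit tcp 10.20.1.0 0.0.0.255 host 10.30.1.1 eq 21",
    "access-list 102 deny ip any any",
]

if __name__ == "__main__":
    acls = build(PAGE_CONFIG)
    print(evaluate(acls[102], Packet("tcp", "10.20.1.5", "10.30.1.1", 21)))   # permit, entry 1
    print(evaluate(acls[102], Packet("tcp", "10.20.1.5", "10.30.1.1", 80)))   # deny, entry 2
    # Re-using number 102 for the HTTP line appends it after 'deny ip any any'.
    acls = build(PAGE_CONFIG + ["access-list 102 permit tcp 10.20.1.0 0.0.0.255 host 10.30.1.1 eq 80"])
    print(shadowed_entries(acls[102]))                                         # [3]: dead entry
```

Two caveats the evaluator makes visible. First, direction is relative to the router: an ACL applied "in" filters packets arriving on that interface from its segment, so an ACL whose source is 10.20.1.0/24 only sees those packets inbound on the interface facing that network. Second, the "eq 20" line only matches a client-initiated connection to port 20; in active-mode FTP the data connection is opened by the server from port 20, and in passive mode it uses a negotiated high port, so the two lines above admit the control channel but not necessarily the data channel.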

Publisher: abdirahman isse
