🔐

Extended ACLs in Cisco Networking

Jun 17, 2025

View transcript

Overview

This lecture covers extended Access Control Lists (ACLs) in Cisco networking, focusing on configuration, differences from standard ACLs, editing methods, and practical examples for CCNA exam preparation.

Configuring Numbered and Named ACLs

  • Numbered ACLs can be configured in either global config mode or named ACL config mode.
  • Named ACL config mode allows editing of individual entries and manual sequence number assignment.
  • Using named ACL config mode for numbered ACLs enables easier deletion and insertion of entries.

Editing ACLs

  • Delete individual ACL entries using the NO command with a sequence number in named ACL config mode.
  • Numbered ACLs configured in global config mode can only be deleted entirely, not per entry.
  • Sequence numbers allow insertion of new entries between existing ones.
  • The IP ACCESS-LIST RESEQUENCE command resequences ACL entry numbers to create space for future entries.

Extended ACLs vs Standard ACLs

  • Extended ACLs can match on protocol, source/destination IP, and source/destination port numbers.
  • Extended numbered ACL range: 100–199 and 2000–2699; standard ACL range: 1–99 and 1300–1999.
  • Extended ACLs are more precise and flexible than standard ACLs.

Matching Criteria for Extended ACLs

  • Protocols can be matched by name (TCP, UDP, ICMP, EIGRP, OSPF) or protocol number (e.g., 6 = TCP).
  • Entries specify protocol, source IP (with mask or HOST), destination IP (with mask or HOST), and optional port numbers.
  • TCP/UDP port numbers can be matched with EQ (equal), GT (greater), LT (less), NEQ (not equal), and RANGE.
  • Each entry matches traffic only if all specified conditions are met.

Configuration and Placement of ACLs

  • Place standard ACLs close to the destination; place extended ACLs close to the source.
  • Apply ACLs inbound or outbound based on source and destination of restricted traffic.
  • Use PERMIT IP ANY ANY at the end to allow all other unmatched traffic.

Example and Practice Questions

  • DENY UDP 10.0.0.0 0.0.255.255 HOST 192.168.1.1 blocks UDP from 10.0.0.0/16 to 192.168.1.1.
  • DENY ICMP HOST 172.16.1.1 192.168.0.0 0.0.0.255 blocks pings from 172.16.1.1 to 192.168.0.0/24.
  • PERMIT TCP 10.0.0.0 0.0.255.255 HOST 2.2.2.2 EQ 443 allows HTTPS from 10.0.0.0/16 to 2.2.2.2.

Verification and Troubleshooting

  • Use SHOW IP INTERFACE (not BRIEF) to check applied ACLs on interfaces.
  • Use SHOW ACCESS-LISTS and check the running configuration for ACL details.

Key Terms & Definitions

  • ACL (Access Control List) — Set of rules controlling network traffic based on various parameters.
  • Standard ACL — Matches only the source IP address.
  • Extended ACL — Matches source/destination IP, protocol, and port numbers.
  • Named ACL — ACL identified by a custom name instead of a number.
  • Sequence Number — Numeric order for ACL entries, used for precise editing.
  • Protocol Number — Numeric value identifying a protocol in the IPv4 header (e.g., 6 for TCP).
  • Wildcard Mask — Inverse mask used for specifying IP address ranges in ACLs.

Action Items / Next Steps

  • Memorize standard and extended ACL number ranges and common protocol numbers for the CCNA exam.
  • Practice configuring, editing, and applying extended ACLs in lab environments.
  • Review supplementary materials: Anki flashcards and Packet Tracer lab.
  • Read Boson ExSim explanations and attempt related practice questions.

Full transcript