Free CCNA | Extended ACLs | Day 35 | CCNA 200-301 Complete Course
Published on Nov 25, 2025
This response is partially generated with the help of AI. It may contain inaccuracies.
Introduction
In this tutorial, you will learn about Extended Access Control Lists (ACLs), a crucial component of network security and traffic management in Cisco devices. This guide will break down the concepts of Extended ACLs, including their configuration, advantages, and practical applications, which are essential for passing the CCNA 200-301 exam.
Step 1: Understanding Numbered ACLs with Subcommands
- Numbered ACLs are used to control traffic based on specific criteria.
- They can be configured to allow or deny packets based on source and destination IP addresses, protocols, and port numbers.
- Example command to create a numbered ACL:
access-list [number] [permit|deny] [protocol] [source] [wildcard] [destination] [wildcard]
- Replace the placeholders with appropriate values, such as:
[number]: A number between 1-199 for standard ACLs or 100-199 for extended ACLs.
[protocol]: Specify the protocol (e.g., TCP, UDP, ICMP).
Step 2: Advantages of Named ACL Configuration Mode
- Named ACLs offer greater flexibility and clarity compared to numbered ACLs.
- You can reference ACLs by name, making them easier to manage, especially in larger configurations.
- To create a named ACL, use the following command:
ip access-list extended [name]
- Within the named ACL mode, you can add rules similar to numbered ACLs.
Step 3: Resequencing ACLs
- ACL entries can be resequenced if necessary to change the order of evaluation; entries are evaluated top-down by sequence number and the first match wins.
- Enter the named ACL configuration mode with:
ip access-list extended [name]
- Then, to insert an entry at a specific position, type its sequence number directly in front of the action (there is no separate keyword):
[sequence_number] [permit|deny] [protocol] [source] [wildcard] [destination] [wildcard]
- An entry with a lower sequence number than an existing entry is evaluated before it, so this lets you insert rules at specific positions in the ACL without re-entering the whole list.
Step 4: Matching Based on Protocol
- You can specify protocols in your ACLs to control traffic flow effectively.
- Common protocols include TCP, UDP, and ICMP.
- Example to match ICMP:
access-list 100 permit icmp any any
Step 5: Matching Based on Source and Destination IP
- Define rules based on source and destination IP addresses to control access.
- Wildcard masks can be used to specify ranges or single hosts.
- Example to permit traffic from a specific host to any destination:
access-list 100 permit ip host [source_IP] any
Step 6: Matching TCP/UDP Port Numbers
- ACLs can filter traffic based on port numbers for TCP and UDP.
- To match a specific TCP port:
access-list 100 permit tcp any eq [port_number] any
- Replace [port_number] with the desired port (e.g., 80 for HTTP). Note that an eq placed directly after the source address, as in this template, matches the source port; to match the destination port (the usual case for traffic going to a server), place eq [port_number] after the destination address instead.
Step 7: Extended ACL Entry Practice
- Practice creating and applying extended ACL entries with various conditions.
- Start by defining simple rules and gradually increase complexity by adding multiple criteria.
Step 8: Extended ACL Example
- Here’s a practical example of an extended ACL:
access-list 100 permit tcp any host [destination_IP] eq 80
access-list 100 deny ip any any
- This configuration allows HTTP traffic to a specific host while denying all other traffic. Every ACL already ends with an implicit deny, so the final deny statement only makes that behaviour explicit, which is useful because matches against it are then counted and visible.
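As an added illustration (not part of the original course material), the following Python evaluator applies the matching rules from steps 4 to 8 to sample packets: it parses entries written in the page's syntax, applies wildcard masks, evaluates entries top-down with first match wins, falls through to the implicit deny, and shows why an eq placed after the source (as in the step 6 template) matches the source port rather than the destination port. All addresses, ports and ACL entries below are constructed for the demo.

```python
import ipaddress
def _ip(s):
    return int(ipaddress.IPv4Address(s))
def _parse_addr(t, i):
    # Address spec forms used on the page: any | host A | A WILDCARD -> ((network, wildcard), next index)
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2
def _parse_port(t, i):
    if i < len(t) and t[i] == "eq":
        return int(t[i + 1]), i + 2
    return None, i
def _addr_match(spec, ip):
    # Wildcard-mask comparison: bits set in the wildcard are "don't care" bits
    net, wc = spec
    care = ~wc & 0xFFFFFFFF
    return (_ip(ip) & care) == (net & care)

def parse_ace(line):
    """Parse one extended ACE, e.g. 'access-list 100 permit tcp any host 10.1.1.10 eq 80'."""
    t = line.split()
    i = next(k for k, tok in enumerate(t) if tok in ("permit", "deny"))
    src, j = _parse_addr(t, i + 2)  # t[i+1] is the protocol; the source spec follows it
    sport, j = _parse_port(t, j)    # 'eq' directly after the source matches the SOURCE port
    dst, j = _parse_addr(t, j)
    dport, j = _parse_port(t, j)    # 'eq' after the destination matches the DESTINATION port
    return {"action": t[i], "proto": t[i + 1], "src": src, "sport": sport, "dst": dst, "dport": dport}

def evaluate(acl, pkt):
    """Top-down, first match wins; a packet matching no entry hits the implicit deny."""
    for r in acl:
        if r["proto"] != "ip" and r["proto"] != pkt["proto"]:
            continue
        if not (_addr_match(r["src"], pkt["src"]) and _addr_match(r["dst"], pkt["dst"])):
            continue
        if any(r[k] is not None and r[k] != pkt.get(k) for k in ("sport", "dport")):
            continue
        return r["action"]
    return "deny (implicit)"

# Constructed sample ACL in the page's numbered syntax (addresses made up for the demo).
ACL_100 = [parse_ace(l) for l in (
    "access-list 100 permit tcp any host 10.1.1.10 eq 80",
    "access-list 100 permit icmp 192.168.1.0 0.0.0.255 host 10.1.1.10",
    "access-list 100 deny ip 192.168.1.0 0.0.0.255 any")]
# The step 6 template puts 'eq 80' after the source, so it matches web *replies*, not requests to port 80.
ACL_101 = [parse_ace("access-list 101 permit tcp any eq 80 any")]
```

Call evaluate(ACL_100, pkt) with a packet dict such as {"proto": "tcp", "src": "192.168.1.5", "sport": 40000, "dst": "10.1.1.10", "dport": 80} to get the verdict (permit, deny, or the implicit deny).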
Conclusion
In this tutorial, we covered the fundamentals of Extended ACLs, including their configuration, advantages, and application in network security. Understanding these concepts is vital for managing traffic effectively and is essential for the CCNA 200-301 exam. Next, consider practicing with real devices or simulators to reinforce your knowledge and skills in ACL configuration.