What is extended ACL (access control list)?
An Extended Access Control List (ACL) is a type of ACL used in networking, particularly in Cisco devices, to control traffic based on multiple criteria such as source and destination IP addresses, protocols, and port numbers. It provides more granular control compared to Standard ACLs, which can only filter traffic based on source IP addresses.
Features of Extended ACLs:
- Can filter traffic based on source and destination IP addresses.
- Can filter based on protocol types (e.g., TCP, UDP, ICMP, etc.).
- Can specify source and destination ports (e.g., HTTP, SSH, FTP).
- More complex and powerful than standard ACLs.
- Typically applied close to the source to filter traffic before it traverses the network.
Extended ACL Numbering Ranges:
- 100-199 (IP extended range)
- 2000-2699 (Expanded range)
Example: Configuring an Extended ACL on a Cisco Router
Router(config)# access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 80
Router(config)# access-list 101 deny ip any any
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip access-group 101 in
Router(config-if)# exit
Explanation of the Commands:
- access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 80 → Allows TCP traffic from 192.168.1.0/24 to any destination on port 80 (HTTP).
- access-list 101 deny ip any any → Denies all other traffic; this states explicitly the implicit deny that ends every ACL.
- ip access-group 101 in → Applies ACL 101 to the inbound traffic of the interface.
How do you apply an Extended ACL to an interface in Cisco IOS?
To apply an Extended ACL to an interface in Cisco IOS, follow these steps:
- Create the Extended ACL
First, define the ACL rules using the access-list command.
Router(config)# access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 80
Router(config)# access-list 101 deny ip any any
- This example allows HTTP traffic (TCP port 80) from 192.168.1.0/24 to any destination.
- The deny ip any any rule blocks all other traffic (implicitly added if not specified).
- Apply the ACL to an Interface
Once the ACL is defined, apply it to an interface using the ip access-group command.
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip access-group 101 in
Router(config-if)# exit
- ip access-group 101 in → Applies ACL 101 to inbound traffic on the interface.
Key Considerations:
- Inbound (in): Filters traffic before it is processed by the router.
- Outbound (out): Filters traffic after it has been routed.
- ACLs are processed top-down, so order matters.
- Always place the specific permit rules before a broader deny rule; a broad deny placed first shadows every later permit and blocks necessary traffic.
Verifying the ACL Configuration
To check the ACL and interface application, use:
Router# show access-lists 101
Router# show ip interface GigabitEthernet0/0
What is the difference between applying an ACL inbound vs. outbound on an interface?
When applying an Access Control List (ACL) to an interface, you must choose whether to apply it inbound or outbound. The key difference lies in when the ACL is evaluated in relation to the traffic flow.
- Inbound ACL (ip access-group <ACL#> in)
- Traffic is filtered before it enters the router’s interface.
- The router checks the packet before processing it further.
- Efficient because unwanted traffic is dropped before routing decisions are made.
- Best used to block unwanted traffic as early as possible.
Example – Applying an Inbound ACL
Router(config)# access-list 101 deny tcp any host 192.168.1.10 eq 23
Router(config)# access-list 101 permit ip any any
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip access-group 101 in
Router(config-if)# exit
🔹 This blocks Telnet (TCP port 23) traffic destined for 192.168.1.10 before it enters the router.
- Outbound ACL (ip access-group <ACL#> out)
- Traffic is filtered after it has been processed by the router but before it exits the interface.
- The router makes a routing decision first, then checks the ACL.
- Best used when you want to control what leaves a network.
Example – Applying an Outbound ACL
Router(config)# access-list 102 deny icmp any any
Router(config)# access-list 102 permit ip any any
Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip access-group 102 out
Router(config-if)# exit
🔹 This blocks all ICMP traffic (ping requests, etc.) leaving the GigabitEthernet0/1 interface.
General Best Practices
- Apply Inbound ACLs closest to the source of unwanted traffic.
- Apply Outbound ACLs closest to the destination when filtering outgoing traffic.
- Avoid using ACLs on both inbound and outbound directions on the same interface unless necessary.
How can an Extended ACL be used to restrict access to a specific web server using both HTTP and HTTPS?
An Extended ACL can be used to allow or block access to a specific web server by filtering traffic based on IP addresses and port numbers. Since web traffic uses:
- HTTP → TCP port 80
- HTTPS → TCP port 443
You can create an ACL that denies HTTP and HTTPS traffic to a specific web server while still permitting other traffic.
Example: Restrict Access to a Web Server (10.1.1.100)
Scenario:
- Web Server IP: 10.1.1.100
- Block all users from accessing this web server via HTTP & HTTPS.
- Allow all other traffic.
Step 1: Configure the Extended ACL
Router(config)# access-list 110 deny tcp any host 10.1.1.100 eq 80
Router(config)# access-list 110 deny tcp any host 10.1.1.100 eq 443
Router(config)# access-list 110 permit ip any any
Explanation:
- Deny TCP traffic to the web server on port 80 (HTTP).
- Deny TCP traffic to the web server on port 443 (HTTPS).
- Permit all other traffic (avoid blocking everything due to the implicit deny all at the end of ACLs).
Step 2: Apply the ACL to an Interface
Now, apply the ACL to an interface based on traffic direction:
- Inbound ACL: when the users trying to reach the web server come from outside (the Internet), apply the ACL inbound on the interface facing them.
- Outbound ACL: when the web server is inside the network and the users are internal, apply the ACL outbound on the interface facing the server.
Applying the ACL to an Inbound Interface
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip access-group 110 in
Router(config-if)# exit
- This blocks users from reaching the web server before the router processes the packet.
Applying the ACL to an Outbound Interface
Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip access-group 110 out
Router(config-if)# exit
- This blocks traffic as it exits toward the web server.
Step 3: Verify the ACL
Use the following commands to confirm that the ACL is working:
Router# show access-lists 110
Router# show ip interface GigabitEthernet0/0
You can also try pinging the web server:
ping 10.1.1.100
- The ping should work (ICMP is not blocked).
- Web browsing (HTTP & HTTPS) should fail.
Variations & Additional Restrictions
- To block only specific users (e.g., 192.168.1.50):
Router(config)# access-list 110 deny tcp host 192.168.1.50 host 10.1.1.100 eq 80
Router(config)# access-list 110 deny tcp host 192.168.1.50 host 10.1.1.100 eq 443
Router(config)# access-list 110 permit ip any any
- To allow access only from a specific IP (192.168.1.10):
Router(config)# access-list 110 permit tcp host 192.168.1.10 host 10.1.1.100 eq 80
Router(config)# access-list 110 permit tcp host 192.168.1.10 host 10.1.1.100 eq 443
Router(config)# access-list 110 deny tcp any host 10.1.1.100 eq 80
Router(config)# access-list 110 deny tcp any host 10.1.1.100 eq 443
Router(config)# access-list 110 permit ip any any
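The following Python script is an added example, not part of this page and not Cisco code: a small simulator of how an extended ACL is evaluated, so that the ACL 101 example, the "order matters" rule and the ACL 110 web-server variations above can be checked offline before they are pushed to a router. It models only what this page uses (permit/deny, the protocols ip/tcp/udp/icmp, the address forms any / host A.B.C.D / A.B.C.D WILDCARD, and an optional destination eq PORT) and applies Cisco's top-down, first-match semantics with the implicit deny at the end. Packet values, the PORT_NAMES table and the misordered ACL are constructed for the demonstration.

```python
# Added example: toy evaluator for Cisco-style extended ACL entries.
# Simplifications (assumptions): destination port only, "eq" operator only,
# no "established", no logging, no sequence numbers.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed name table for the port keywords used on this page.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "telnet": 23, "ftp": 21}


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class AddrMatch:
    addr: int                  # address as a 32-bit integer
    wildcard: int              # Cisco wildcard mask: 1 bits are "don't care"

    def matches(self, ip: str) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF          # bits that must be equal
        return (int(ipaddress.IPv4Address(ip)) & care) == (self.addr & care)


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: AddrMatch
    dst: AddrMatch
    dport: Optional[int]
    text: str


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens, i):
    """Parse one address field at tokens[i]; return (AddrMatch, next index)."""
    if tokens[i] == "any":
        return AddrMatch(0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return AddrMatch(_ip(tokens[i + 1]), 0), i + 2
    return AddrMatch(_ip(tokens[i]), _ip(tokens[i + 1])), i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]'; a leading
    'Router(config)#' prompt is tolerated and stripped."""
    tokens = line.split("#", 1)[-1].split()
    if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not an access-list entry: {line!r}")
    action, proto = tokens[2], tokens[3]
    src, i = _parse_addr(tokens, 4)
    dst, i = _parse_addr(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        dport = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
    return Ace(action, proto, src, dst, dport, " ".join(tokens))


def parse_acl(config: str) -> list:
    return [parse_ace(line) for line in config.splitlines() if line.strip()]


def evaluate(acl, pkt: Packet):
    """Return (action, matching entry). First match wins; no match means deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (ace.src.matches(pkt.src) and ace.dst.matches(pkt.dst)):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action, ace.text
    return "deny", "implicit deny"


# ACL 101 from the page: HTTP from 192.168.1.0/24, everything else denied.
ACL_101 = parse_acl("""
Router(config)# access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 80
Router(config)# access-list 101 deny ip any any
""")

# ACL 110, "allow access only from 192.168.1.10" variation from the page.
ACL_110 = parse_acl("""
access-list 110 permit tcp host 192.168.1.10 host 10.1.1.100 eq 80
access-list 110 permit tcp host 192.168.1.10 host 10.1.1.100 eq 443
access-list 110 deny tcp any host 10.1.1.100 eq 80
access-list 110 deny tcp any host 10.1.1.100 eq 443
access-list 110 permit ip any any
""")

# Constructed mistake: the broad denies moved above the specific permits.
ACL_110_MISORDERED = [ACL_110[2], ACL_110[3], ACL_110[0], ACL_110[1], ACL_110[4]]

if __name__ == "__main__":
    cases = [
        ("ACL 101 lan host http", ACL_101, Packet("tcp", "192.168.1.200", "203.0.113.5", 80)),
        ("ACL 101 lan host dns", ACL_101, Packet("udp", "192.168.1.200", "203.0.113.5", 53)),
        ("ACL 101 w/o explicit deny", ACL_101[:1], Packet("tcp", "192.168.2.1", "203.0.113.5", 80)),
        ("ACL 110 admin https", ACL_110, Packet("tcp", "192.168.1.10", "10.1.1.100", 443)),
        ("ACL 110 other user https", ACL_110, Packet("tcp", "192.168.1.50", "10.1.1.100", 443)),
        ("ACL 110 ping web server", ACL_110, Packet("icmp", "192.168.1.50", "10.1.1.100")),
        ("misordered admin https", ACL_110_MISORDERED, Packet("tcp", "192.168.1.10", "10.1.1.100", 443)),
    ]
    for name, acl, pkt in cases:
        action, entry = evaluate(acl, pkt)
        print(f"{name:28} -> {action:6} ({entry})")
```

Running the script shows the two points the page makes: with the explicit deny removed from ACL 101, traffic from 192.168.2.1 is still dropped by the implicit deny, and once the broad deny entries of ACL 110 are placed first the permits for 192.168.1.10 never match, so the administrator is locked out along with everyone else.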