The term "access-list" refers to a set of rules for controlling network traffic and reducing network attacks. ACLs are used to filter network traffic based on a set of rules defined for incoming or outgoing traffic.

Extended Access list -

This is one of the most commonly used types of access-list because it can distinguish IP traffic, so the entire traffic will not be permitted or denied as in a standard access-list. These are the ACLs that distinguish IP traffic by using both source and destination IP addresses as well as port numbers. We can also specify which IP traffic should be allowed or denied in this type of ACL. These ranges are 100-199 and 2000-2699

Features of Extended Access List -

• Extended access-list is typically used close to the source, but this is not always the case.
• Packet filtering occurs in the Extended access list based on source IP address, destination IP address, and port numbers.
• Specific services will be permitted or denied in an extended access list.
• The extended ACL range is 100 - 199, and the extended range is 2000 - 2699.
• Remember rules cannot be deleted if they are numbered with an extended Access-list. If one of the rules is removed, the entire access list is removed.
• We have the ability to delete a rule from the access list if it is named with extended Access-list.

Setting up -

Here is a simple organisational structure with three departments: sales, finance, and marketing. The networks for the marketing department are 172.16.60.0/24, the finance department is 172.16.50.0/24, and the sales department is 172.16.10.40/24. Now, we want to prevent the sales department from connecting through FTP to the finance department and the marketing and sales departments from telneting the finance department.

First, set up a numbered extended access list to block FTP connections from the sales department to the finance department.

1. R1# config terminal  
2. R1(config)# access-list 110   
3.             deny tcp 172.16.40.0 0.0.0.255 172.16.50.0 0.0.0.255 eq 21   

Here, we first build a numbered Access-list and utilise 110 (taken from the extended access-list range) to deny the sales network's request to connect through FTP to the finance network (172.16.40.0). (172.16.50.0).

Note that TCP and port number 21 are used here since FTP. Therefore, depending on the situation, we must either specify the permit or reject the condition. Additionally, we must utilise the supplied application layer protocol's port number after eq.

Now, we must prevent the sales and marketing departments from connecting via telnet to the finance department, therefore nobody should do so. setting up for the same.

1. R1(config)# access-list 110   
2.             deny tcp any 172.16.50.0 0.0.0.255 eq 23  

Here, the phrase any denotes any IP address from any subnet mask, or 0.0.0.0 0.0.0.0. We must mention port number 23 after eq since telnet uses port number 23.

1. R1(config)# access-list 110 permit ip any  

This is the crucial thing right now. As we are previously aware, every access list has an implicit refuse at the end, meaning that if the traffic does not comply with any of the rules of the access-list, the traffic will be discarded.

Any traffic from a source with any IP address that complies with the aforementioned requirements will not enter the finance department via the specified method. We must now apply the access-list to the router's interface:

1. R1(config)# int fa0/1  
2. R1(config-if)# ip access-group 110 out  

As we recall, the extended access-list must be applied as close to the source as possible, but in this case, we applied it too close to the destination because we need to block traffic from both the sales and marketing departments; as a result, we must apply the extended access-list close to the destination otherwise we will need to create separate access-lists for fa0/0 and fa1/0 inbound.

Standard Access-list illustration -

Now we will create a named extended access list while keeping the same topology in mind.

1. R1(config)# ip access-list extended blockacl  

By using this command we have made an access-list named blockacl.

1. R1(config-ext-nacl)# deny tcp 172.16.40.0 0.0.0.255 172.16.50.0 0.0.0.255 eq 21   
2. R1(config-ext-nacl)# deny tcp any 172.16.50.0 0.0.0.255 eq 23  
3. R1(config-ext-nacl)# permit ip any  

After that, we repeat the settings we did for the numbered access-list.

1. R1(config)# int fa0/1  
2. R1(config-if)# ip access-group blockacl out