Extended Access Control List 101: Access and Privilege


An extended access control list (ACL) determines what traffic is allowed or denied, acting as a gatekeeper for your network. It gives the system administrator setting up the network a higher degree of flexibility and control than a standard list. It is highly customisable, letting you write rules that match on more than just the IP address. This helps prevent network attacks while still letting through the traffic you want. An extended ACL can, for example, be set up to block particular sources from reaching certain ports on targeted computers. In this way, you can manage outgoing and incoming traffic to a very specific degree.

What is an extended access list (ACL)?

An access control list is a set of rules allowing or blocking traffic within a network, providing basic security. An extended access list is more flexible and customisable than a standard access control list. The same term is also used for operating-system ACLs, which tell the OS which users have access rights to specific system objects, such as individual files or directories; this article covers the network kind. An extended ACL serves as an extension of a standard ACL with more specific match parameters. This increases network security while prioritising the flow of traffic within a network. Network security needs to evolve constantly as threats evolve, and it is increasingly important to restrict access for potential bad actors while still allowing necessary traffic through uninhibited, so that customers and employees get a smooth digital experience.

Features of an extended ACL

A standard ACL allows or denies traffic based on the source IP address alone, while an extended access control list can filter packets with greater specificity. It can match the type of traffic beyond just the IP address, including TCP, ICMP, and UDP, for example. An extended ACL can filter traffic based on the following:

  • Source address
  • Destination address
  • Port number
  • Protocol
  • Time range

The extended ACL can be configured in many different ways to block potentially harmful traffic or attacks while allowing legitimate and necessary traffic through to individual destinations. Numbered extended ACLs are identified by a number in the range 100-199 or 2000-2699. An extended access list is also generally applied close to the source of the traffic it filters.

Understanding Commands Used in an Extended ACL

The basic format of an extended access list entry is as follows:

access-list access-list-number [permit/deny] protocol source source-wildcard destination destination-wildcard [operator port]

The parts of this command are:

  • Access-list number: the number of the access list, from one of the extended ranges given above (100-199 or 2000-2699)
  • Permit: traffic is allowed if the conditions are met
  • Deny: traffic is dropped if the conditions are met
  • Protocol: the protocol to match, such as ip, tcp, udp, or icmp
  • Source IP address: the address (or range) from which the packet is being sent
  • Source-wildcard: a wildcard mask for the source; bits set to 1 are ignored when matching, so one entry can cover a range of addresses instead of listing each one individually
  • Destination and destination-wildcard: the destination IP address and its wildcard mask, working the same way as the source pair
  • Operator: compares the port number when filtering by TCP or UDP, using one of the following options:
    • eq Equal: matches only the exact port given
    • gt Greater than: matches all ports above the given port number
    • lt Less than: matches all ports below the given port number
    • neq Not equal: matches all ports except the one given

How to set up an extended ACL

If a source is attempting unauthorised access within your network and you want to stop it without blocking all traffic between the two IP addresses, you restrict access only on the specific ports. First, define the source IP address, using a wildcard mask if you want to cover a range. Next, enter the destination whose access you are restricting. This is where you specify the ports you are denying, using statements like the following:

Router1# conf t
Router1(config)# access-list [access-list number] deny tcp host [source IP address] host [destination IP address] eq [port number]
Router1(config)# access-list [access-list number] deny tcp host [source IP address] host [destination IP address] eq 443

The first statement blocks the source from reaching the target on the specified destination port, while the second repeats this for HTTPS (TCP port 443). The eq operator matches only the specified port. You can review the result with the show access-lists command to ensure the extended ACL contains all the necessary entries.

Stopping the ‘deny all’ statement

Every ACL ends with an implicit "deny all" entry, and it does not appear in the show access-lists output. If you only add deny statements, every packet that does not match one of them is also dropped by the implicit deny, which can cause a complete network outage. To fix this, add a permit statement to the end of the list: bring up the access list by its number and add a permit with ip as the protocol and "any any" as the source and destination. Entries are evaluated from the top down, so with this permit last, only the traffic matched by your earlier deny statements is blocked and all other traffic is allowed.
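To make the top-down, first-match evaluation and the implicit deny concrete, here is an added example (not code from the original article or from Cisco): a small Python evaluator that parses entries written in the article's extended ACL syntax and evaluates constructed packets against them. The list numbers, addresses and ports are constructed sample values; the operator is compared against the destination port only, matching the format shown above, and only "any", "host A.B.C.D" and "A.B.C.D wildcard" address forms are supported.

```python
"""Added example: evaluate Cisco-style numbered extended ACL entries.

Each line has the form shown in the article:
    access-list <number> {permit|deny} <protocol> <source> <destination> [<operator> <port>]
Entries are checked top-down, the first match wins, and a packet matching
no entry hits the implicit deny at the end of every list.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

EXTENDED_RANGES = ((100, 199), (2000, 2699))  # numbered extended ACL ranges
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "telnet": 23}


@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip" matches any protocol; else tcp/udp/icmp
    src: int                         # source address as a 32-bit integer
    src_wild: int                    # wildcard mask: 1 bits are "don't care"
    dst: int
    dst_wild: int
    operator: Optional[str] = None   # eq / neq / gt / lt, applied to the destination port
    port: Optional[int] = None


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _addr_spec(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at tokens[i]; return (addr, wild, next)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def parse_entry(line: str) -> Tuple[int, Entry]:
    """Parse one 'access-list ...' line into (list number, Entry)."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACL entry: {line!r}")
    number = int(t[1])
    if not any(lo <= number <= hi for lo, hi in EXTENDED_RANGES):
        raise ValueError(f"{number} is not in a numbered extended ACL range")
    src, src_wild, i = _addr_spec(t, 4)
    dst, dst_wild, i = _addr_spec(t, i)
    op = port = None
    if i < len(t):  # optional "<operator> <port>" after the destination
        op, raw = t[i], t[i + 1].lower()
        if op not in ("eq", "neq", "gt", "lt"):
            raise ValueError(f"unknown operator {op!r}")
        port = PORT_NAMES[raw] if raw in PORT_NAMES else int(raw)
    return number, Entry(t[2], t[3].lower(), src, src_wild, dst, dst_wild, op, port)


def _addr_matches(addr: int, base: int, wild: int) -> bool:
    """Bits set in the wildcard mask are ignored; every other bit must be equal."""
    return ((addr ^ base) & ~wild & 0xFFFFFFFF) == 0


def entry_matches(e: Entry, proto: str, src: int, dst: int, dst_port: Optional[int]) -> bool:
    if e.protocol != "ip" and e.protocol != proto:
        return False
    if not (_addr_matches(src, e.src, e.src_wild) and _addr_matches(dst, e.dst, e.dst_wild)):
        return False
    if e.operator is None:
        return True
    if dst_port is None:  # e.g. ICMP carries no port, so a port test cannot match
        return False
    return {"eq": dst_port == e.port, "neq": dst_port != e.port,
            "gt": dst_port > e.port, "lt": dst_port < e.port}[e.operator]


def evaluate(acl_lines: List[str], proto: str, src_ip: str, dst_ip: str,
             dst_port: Optional[int] = None) -> str:
    """Walk the list top-down; first match wins. No match -> the implicit deny."""
    src, dst = _ip(src_ip), _ip(dst_ip)
    for line in acl_lines:
        _, e = parse_entry(line)
        if entry_matches(e, proto, src, dst, dst_port):
            return e.action
    return "deny (implicit)"


# Constructed sample list: the two deny lines from the article with sample
# addresses, then the permit that stops the implicit deny from dropping the rest.
ACL_WITHOUT_PERMIT = [
    "access-list 101 deny tcp host 10.0.0.5 host 192.168.1.10 eq 80",
    "access-list 101 deny tcp host 10.0.0.5 host 192.168.1.10 eq 443",
]
ACL_WITH_PERMIT = ACL_WITHOUT_PERMIT + ["access-list 101 permit ip any any"]

if __name__ == "__main__":
    for name, acl in (("deny lines only", ACL_WITHOUT_PERMIT), ("with permit ip any any", ACL_WITH_PERMIT)):
        print(name)
        print("  10.0.0.5 -> 192.168.1.10:443 :", evaluate(acl, "tcp", "10.0.0.5", "192.168.1.10", 443))
        print("  10.0.0.5 -> 192.168.1.10:22  :", evaluate(acl, "tcp", "10.0.0.5", "192.168.1.10", 22))
        print("  10.0.0.9 -> 192.168.1.10:443 :", evaluate(acl, "tcp", "10.0.0.9", "192.168.1.10", 443))
```

Running it shows the outage described above: with only the two deny lines, the SSH connection from the same host, and every other packet, falls through to the implicit deny; once the permit line is appended, only the two blocked ports are denied and everything else is permitted, while reordering the permit above the denies would let the blocked traffic through because the first match wins.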

Applying the ACL and determining direction

The extended ACL can now be applied to an interface. It should typically be placed as close to the source as possible. At this point, you need to specify which direction of traffic the list filters, using the in or out keyword: inbound packets arriving on the interface are checked by an ACL applied with "in", while packets leaving the interface are checked by one applied with "out". Once the extended ACL is applied, the traffic you are blocking is restricted, while the rest of the traffic continues to travel from source to destination. An ACL must be fully configured before it is applied to an interface, since it takes effect as soon as it is attached.

ACL resources

Access control lists are an important part of network security. Extended ACLs allow for even greater levels of customisation, ensuring that essential packets can travel between source and destination while traffic that is unauthorised or potentially hazardous is blocked or restricted. Configuring an extended ACL can be time-consuming. There are companies, third-party entities, and resources that can help build the lists and offer tutorials on how to do so. The Cisco extended ACL tutorial can offer support and direction when building an extended ACL for your network.
