CCNA 200-301 | Chapter 88 of 260 | Objective 5.6

Extended ACLs

Imagine you're the network engineer for a company that needs to allow HTTP and HTTPS traffic to its web server but block all other traffic from the internet, while also permitting internal users to access only the finance server on a specific port. Extended ACLs are your scalpel. They filter packets based on source and destination IP addresses, protocol, and port numbers, giving you granular control. This chapter covers exam objective 5.6: Configure and verify extended ACLs, a core skill for the CCNA 200-301.

25 min read
Intermediate
Updated May 31, 2026

The Embassy Security Checkpoint

Think of an extended ACL as a security checkpoint at an embassy. The guard doesn't just check nationality (source IP); they also check the visitor's purpose (destination IP and port). For example, only diplomats (specific source IPs) can enter the consular section (specific destination IP) to apply for visas (port 443). A standard ACL would only check nationality, letting in any diplomat even if they wanted to go to the cafeteria. The extended ACL guard has a detailed list: "Allow diplomats from Country A to go to the visa office on port 443; allow maintenance staff (source IP) to enter the boiler room (destination IP) on port 22; block everyone else." The guard processes each visitor by matching all criteria: source, destination, and requested service (port). If a visitor matches a permit rule, they are allowed; if they match a deny rule, they are turned away. If no rule matches, the default is to deny (implicit deny). The guard also notes the direction: inbound visitors (inbound ACL) versus outbound employees (outbound ACL). This mirrors how an extended ACL processes packets: it examines source IP, destination IP, protocol (TCP/UDP), and port numbers, and applies the action (permit/deny) based on the first matching entry. The implicit deny at the end is like the guard's default response: "If you're not on the list, you're not getting in."

How It Actually Works

What Are Extended ACLs?

Extended ACLs are a type of access control list that filters IP packets based on multiple criteria: source IP address, destination IP address, protocol (IP, TCP, UDP, ICMP, etc.), and optionally source and destination port numbers. They are used to implement security policies, control traffic flow, and protect network resources. Extended ACLs are more granular than standard ACLs, which only filter on source IP.

Extended ACLs are identified by numbers 100-199 and 2000-2699 (modern range) or named ACLs. The Cisco CCNA 200-301 exam expects you to configure numbered extended ACLs (100-199) and named extended ACLs.

How Extended ACLs Work

When a packet enters or exits an interface, the router checks the ACL applied to that interface in the given direction. The ACL is a sequential list of permit or deny statements. The router evaluates the packet against each statement in order; as soon as a match is found, the action (permit/deny) is executed and no further statements are processed. If no match is found, the implicit deny any denies the packet.

Extended ACLs can check:

Source IP address (with wildcard mask)

Destination IP address (with wildcard mask)

Protocol: tcp, udp, icmp, ip, etc.

For TCP/UDP: source and destination port numbers (or ranges using lt, gt, eq, neq)

For ICMP: ICMP type and code

Established connections (for TCP, using the established keyword to match packets with ACK or RST bits set)

Configuring Extended ACLs

Extended ACLs are configured in global configuration mode. The syntax:

access-list [100-199 | 2000-2699] [permit | deny] protocol source-ip source-wildcard [operator port] destination-ip destination-wildcard [operator port] [established] [log]

For named ACLs:

ip access-list extended name
[permit | deny] protocol source-ip source-wildcard [operator port] destination-ip destination-wildcard [operator port] [established] [log]

Example: Allow HTTP traffic from any source to server 192.168.1.10, deny all other traffic:

access-list 101 permit tcp any host 192.168.1.10 eq 80
access-list 101 deny ip any any

Note: The host keyword means a specific IP (wildcard 0.0.0.0). any means 0.0.0.0 255.255.255.255.

Applying ACLs to Interfaces

ACLs must be applied to an interface in a specific direction (in or out) using the ip access-group command:

interface GigabitEthernet0/0
 ip access-group 101 in

Direction is from the perspective of the router: "in" means packets entering the interface, "out" means packets leaving the interface.

Verification Commands

Use show access-lists to view all ACLs:

Router# show access-lists
Extended IP access list 101
    10 permit tcp any host 192.168.1.10 eq 80 (12 matches)
    20 deny ip any any (5 matches)

The match count shows how many packets matched each line.

Use show ip interface [interface] to see which ACLs are applied:

Router# show ip interface GigabitEthernet0/0
...
  Inbound access list is 101
  Outbound access list is not set

Extended ACL Placement

Place extended ACLs as close to the source as possible to filter traffic early, reducing unnecessary traffic across the network. Standard ACLs are placed close to the destination because they only check source IP. Extended ACLs can check destination, so they are effective near the source.

Implicit Deny and Sequence Numbers

Every ACL ends with an implicit deny ip any any. This is not shown in the configuration but is always present. Sequence numbers (like 10, 20) are automatically assigned and can be used to insert or delete lines.

Troubleshooting Tips

Check direction: A common mistake is applying the ACL in the wrong direction.

Check order: The first match wins; if a permit statement comes after a deny that matches, the deny applies.

Check wildcard masks: A wildcard mask of 0.0.0.0 means match the exact IP (use host keyword).

Use log keyword to log matches for debugging.

Remember the implicit deny: If you only have permit statements, all other traffic is denied.

Interaction with Other Features

Extended ACLs can be used with:

NAT: ACLs can define which traffic is translated.

Route maps: ACLs can match prefixes for policy-based routing.

QoS: ACLs can classify traffic.

VTY lines: Access-class (uses standard ACL) to restrict management access.

Named Extended ACLs

Named ACLs allow easier management. Example:

ip access-list extended BLOCK_SMTP
 deny tcp any any eq 25
 permit ip any any

Then apply:

interface GigabitEthernet0/1
 ip access-group BLOCK_SMTP in

Named ACLs can be edited by sequence number, e.g., 10 deny tcp any any eq 25 can be removed with no 10.

Extended ACLs and TCP Established

The established keyword matches TCP packets that have the ACK or RST bit set, indicating an established connection. This is used to allow return traffic for outbound connections while blocking inbound new connections. Example:

access-list 102 permit tcp any any established

This allows return traffic for TCP sessions initiated from inside. Note: This is not stateful; it only checks bits. For stateful inspection, use a firewall.

Walk-Through

1. Identify traffic to filter

Determine the traffic you need to permit or deny. For example: allow internal users (subnet 192.168.1.0/24) to access the web server (10.0.0.10) on port 443, and deny all other traffic from internal users to the server. Also, allow internet users to access the public web server (203.0.113.10) on port 80 and 443. Document the source, destination, protocol, and port numbers.

2. Create extended ACL entries

Use the `access-list` command with a number (100-199) or a name. For example, to permit internal users to the server on HTTPS: `access-list 110 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.10 eq 443`. To permit internet to public server: `access-list 110 permit tcp any host 203.0.113.10 eq 80` and `access-list 110 permit tcp any host 203.0.113.10 eq 443`. Finally, add a deny all: `access-list 110 deny ip any any` (optional, but explicit deny helps with logging).

3. Apply ACL to interface in correct direction

Apply the ACL to the interface closest to the source of the traffic you want to filter. For internal users accessing the server, if the server is on a different interface, apply the ACL inbound on the internal interface: `interface GigabitEthernet0/0` then `ip access-group 110 in`. For internet traffic, apply inbound on the external interface. Use `show ip interface` to verify.

4. Verify ACL with show commands

Use `show access-lists 110` to see the ACL entries and match counts. If no matches, use `debug ip packet` with caution (CPU intensive). Use `show ip interface GigabitEthernet0/0` to confirm the ACL is applied. Test with ping or telnet from a source to verify permit/deny behavior.

5. Edit ACL without removing entire list

For numbered ACLs, you cannot edit individual lines; you must remove the entire ACL and reapply. For named ACLs, you can use sequence numbers. Example: `ip access-list extended MY_ACL` then `no 10` to remove line 10, or `15 permit tcp any any eq 22` to insert a line between 10 and 20. Always reapply if needed.

6. Troubleshoot common issues

Check direction: if traffic is not filtered, the ACL may be applied out instead of in. Check order: a deny before a permit may block traffic. Check wildcard masks: `0.0.0.255` matches the last octet, but `0.0.0.0` matches exact IP. Use `log` keyword to see matches in syslog. Ensure the implicit deny is not blocking desired traffic.

What This Looks Like on the Job

In a typical enterprise, extended ACLs are used to enforce security policies at network boundaries. For example, at the internet edge, an extended ACL on the outside interface (inbound) permits only specific services (HTTP, HTTPS, SMTP) to the public servers and denies everything else. This protects internal infrastructure from unsolicited inbound traffic. A common configuration is:

access-list 101 permit tcp any host 203.0.113.10 eq 80
access-list 101 permit tcp any host 203.0.113.10 eq 443
access-list 101 permit tcp any host 203.0.113.11 eq 25
access-list 101 deny ip any any log

Then applied inbound on the internet-facing interface. The log keyword helps identify scanning attempts.

Another scenario is segmenting internal networks. For instance, the finance department (10.1.1.0/24) should only access the finance server (10.2.2.10) on port 3306 (MySQL). An extended ACL on the finance server's interface (inbound) permits only that traffic:

access-list 120 permit tcp 10.1.1.0 0.0.0.255 host 10.2.2.10 eq 3306
access-list 120 deny ip any any log

This prevents other users from reaching the finance server.

Performance considerations: ACLs are processed in hardware (Cisco Express Forwarding) for most platforms, but large ACLs with many entries can consume TCAM resources. Typically, keep ACLs under a few hundred entries. Misconfiguration can cause outages: applying an ACL with only permit statements will implicitly deny all other traffic, potentially blocking critical services like DHCP or routing protocols. Always test ACLs in a lab or during maintenance windows. Use show access-lists to monitor match counts and ensure traffic is being permitted/denied as expected.
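As an added illustration (not part of the original chapter, and not Cisco code), the following Python model implements the matching rules this chapter describes: wildcard masks, top-down first-match evaluation, the port operators, the `established` keyword and the implicit deny. The Packet tuple and its ack_or_rst flag are assumptions of the model; the sample ACL is the edge ACL 101 shown above.

```python
import ipaddress
from collections import namedtuple

# ack_or_rst models the TCP ACK/RST bit state that the `established` keyword checks.
Packet = namedtuple("Packet", "proto src dst sport dport ack_or_rst", defaults=(0, 0, False))

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard: a 0 bit must match exactly, a 1 bit is ignored (inverse of a subnet mask)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def parse_addr(tok):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' from the front of the token list."""
    t = tok.pop(0)
    if t == "any": return ("0.0.0.0", "255.255.255.255")
    if t == "host": return (tok.pop(0), "0.0.0.0")
    return (t, tok.pop(0))

def parse_port(tok):
    """Optional eq/neq/gt/lt N or range A B; returns a predicate on a port number."""
    if not tok or tok[0] not in ("eq", "neq", "gt", "lt", "range"):
        return lambda p: True
    op = tok.pop(0)
    if op == "range":
        lo, hi = int(tok.pop(0)), int(tok.pop(0))
        return lambda p: lo <= p <= hi
    n = int(tok.pop(0))
    return {"eq": lambda p: p == n, "neq": lambda p: p != n,
            "gt": lambda p: p > n, "lt": lambda p: p < n}[op]

def parse_ace(line):
    """Parse 'access-list N permit|deny proto src [op port] dst [op port] [established] [log]'."""
    tok = line.split()
    action, proto, rest = tok[2], tok[3], tok[4:]
    src, sport = parse_addr(rest), parse_port(rest)
    dst, dport = parse_addr(rest), parse_port(rest)
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst,
                dport=dport, established="established" in rest)

def matches(ace, pkt):
    ports_ok = ace["proto"] not in ("tcp", "udp") or (ace["sport"](pkt.sport) and ace["dport"](pkt.dport))
    return (ace["proto"] in ("ip", pkt.proto) and ports_ok and (not ace["established"] or pkt.ack_or_rst)
            and wildcard_match(pkt.src, *ace["src"]) and wildcard_match(pkt.dst, *ace["dst"]))

def evaluate(acl_lines, pkt):
    """Top-down, first match wins; falling off the end is the implicit deny ip any any."""
    for ace in map(parse_ace, acl_lines):
        if matches(ace, pkt):
            return ace["action"]
    return "deny (implicit)"
# Sample input: the chapter's internet-edge ACL 101.
EDGE_ACL = ["access-list 101 permit tcp any host 203.0.113.10 eq 80",
            "access-list 101 permit tcp any host 203.0.113.10 eq 443",
            "access-list 101 permit tcp any host 203.0.113.11 eq 25",
            "access-list 101 deny ip any any log"]
```

Reordering the entries of a list, or dropping the explicit deny, changes the result for the same packet, which is exactly the order and implicit-deny behaviour the exam tests.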

How CCNA 200-301 Actually Tests This

The CCNA 200-301 exam objective 5.6 expects you to configure and verify extended ACLs. You must understand the syntax, placement, and verification. Common exam traps:

1. Wrong direction: Candidates often apply the ACL in the wrong direction. Remember: "in" filters packets entering the interface; "out" filters packets leaving. For traffic from inside to outside, apply the ACL inbound on the inside interface or outbound on the outside interface — both can work, but the exam expects specific placement.

2. Wildcard mask confusion: The wildcard mask is the inverse of a subnet mask. For a /24 (255.255.255.0), the wildcard is 0.0.0.255. Many candidates mistakenly use subnet masks. Remember: 0 means match exactly, 1 means ignore.

3. Implicit deny: If you configure only permit statements, all other traffic is denied. The exam may ask what happens to traffic not matching any permit. Answer: denied.

4. Order matters: The first match wins. A deny statement before a permit that matches the same traffic will block it. The exam may present a scenario where you need to insert a permit before a deny.

5. Port numbers: To match a specific TCP/UDP port, specify it with eq, gt, lt, neq, or range; without an operator, the entry matches all ports. Common ports: 80 (HTTP), 443 (HTTPS), 22 (SSH), 23 (Telnet), 25 (SMTP), 110 (POP3), 53 (DNS).

6. Established keyword: Used to allow return traffic for TCP. It matches packets with ACK or RST set. This is not stateful; it only checks bits.

Decision rule for scenario questions: Identify the source, destination, protocol, and port. Determine if the ACL should be applied inbound or outbound on which interface. Then check the order of entries. If the question asks "which traffic is denied?", look for the first matching deny or the implicit deny.

Key Takeaways

Extended ACLs filter on source IP, destination IP, protocol, and port (TCP/UDP).

Numbered extended ACLs use 100-199 and 2000-2699.

Named extended ACLs allow editing by sequence number.

Apply ACLs close to the source for extended ACLs.

Use `ip access-group` to apply ACL to an interface.

Implicit deny ip any any exists at the end of every ACL.

Wildcard mask: 0 = match, 1 = ignore; inverse of subnet mask.

Use `show access-lists` to verify matches and `show ip interface` to see applied ACLs.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Standard ACL

Filters only on source IP address.

Uses numbers 1-99, 1300-1999.

Placed close to destination.

Cannot filter by protocol or port.

Simpler configuration but less granular.

Extended ACL

Filters on source IP, destination IP, protocol, and port.

Uses numbers 100-199, 2000-2699.

Placed close to source.

Can filter specific services like HTTP, SSH.

More complex but granular control.

Watch Out for These

Mistake

Extended ACLs can only filter on source IP and destination IP.

Correct

Extended ACLs can filter on source IP, destination IP, protocol, and port numbers (TCP/UDP), as well as ICMP type and code.

Many confuse extended with standard ACLs, which only check source IP.

Mistake

The wildcard mask for an extended ACL is the same as a subnet mask.

Correct

The wildcard mask is the inverse: 0 means exact match, 1 means ignore. For example, 255.255.255.0 becomes 0.0.0.255.

Candidates often use subnet masks directly without inverting.

Mistake

An ACL with only permit statements allows all traffic.

Correct

An ACL with only permit statements permits the specified traffic but denies all other traffic due to the implicit deny at the end.

The implicit deny is not visible but always present; candidates forget it exists.

Mistake

The order of ACL entries does not matter because the router will find the best match.

Correct

Order matters because the first matching entry is applied; subsequent entries are not evaluated. A deny before a permit that matches the same traffic will block it.

Candidates think ACLs work like routing tables with longest match, but ACLs are sequential lists.


Frequently Asked Questions

Can I edit a numbered extended ACL without deleting it?

No. Numbered ACLs do not support editing individual lines. You must remove the entire ACL with `no access-list <number>` and reconfigure it. Named ACLs allow editing by sequence number, which is more flexible. For the exam, know that named ACLs can be edited incrementally.

What is the difference between inbound and outbound ACLs?

The direction is relative to the router interface. Inbound ACLs filter packets before they are routed; outbound ACLs filter packets after routing but before they exit the interface. You apply an ACL inbound on the interface where traffic enters, or outbound on the interface where traffic leaves. The choice depends on where you want to filter.

How do I allow return traffic for outbound connections using extended ACLs?

Use the `established` keyword for TCP: `permit tcp any any established`. This matches packets with ACK or RST set, which are return packets. However, this is not stateful; a better approach is to use a stateful firewall. For the exam, know that `established` is used for this purpose.

What is the implicit deny and how can I see it?

The implicit deny is an invisible rule at the end of every ACL that denies all traffic not matching any permit. It is not shown in `show access-lists`. You can make it explicit by adding `deny ip any any` at the end, which also allows logging. The exam expects you to remember its existence.

Can I use extended ACLs with non-IP protocols?

No, extended ACLs only filter IP packets. For non-IP protocols like IPX or AppleTalk, you would use other types of ACLs. However, CCNA focuses on IP ACLs.

How do I apply the same ACL to multiple interfaces?

You can apply the same ACL to multiple interfaces using `ip access-group` on each interface. The ACL is a single list; changes affect all interfaces it is applied to. This is common for consistent policy enforcement.

What is the maximum number of entries in an extended ACL?

There is no hard limit, but platform resources (TCAM) limit the size. Typically, keep ACLs under a few hundred entries. The exam does not require a specific number, but understand that large ACLs can impact performance.

