Extended ACLs are more precise than standard ACLs: besides the source, they also match on the destination address (and protocol), so we can block a particular IP address, a range of addresses, or a whole network, and permit certain hosts while blocking others as required. Standard ACLs are very lightweight and therefore consume little processing power, whereas extended ACLs need more. In this lab we will learn to configure and use an extended access list with an example lab in Cisco Packet Tracer. We will block our clients (a whole network) from reaching certain servers while allowing them to reach others.
We want to block all clients in network 1.0.0.0/8 from accessing SERVER0 and SERVER1, but allow them to access SERVER2 and SERVER3.
STEP 1: First assign IP addresses to all devices as shown in the diagram above.
STEP 2: Configure the extended ACL rule on the Router.
Router(config)#access-list 100 permit ip 1.0.0.0 0.255.255.255 192.168.0.1 0.0.0.0
Router(config)#access-list 100 permit ip 1.0.0.0 0.255.255.255 192.168.0.2 0.0.0.0
Router(config)#access-list 100 permit ip 1.0.0.0 0.255.255.255 192.168.0.3 0.0.0.0
Router(config)#access-list 100 deny ip 1.0.0.0 0.255.255.255 172.168.0.1 0.0.0.0
Router(config)#access-list 100 deny ip 1.0.0.0 0.255.255.255 172.168.0.2 0.0.0.0
Router(config)#access-list 100 deny ip 1.0.0.0 0.255.255.255 172.168.0.3 0.0.0.0
STEP 3: Apply ACL 100 inbound on the router interface Eth0/0/0, so every packet entering that interface is checked against it.
Router(config)#int eth0/0/0
Router(config-if)#ip access-group 100 in
STEP 4: Now verify your ACL rule.
Router#show access-lists
Extended IP access list 100
    10 permit ip 1.0.0.0 0.255.255.255 host 192.168.0.1
    20 permit ip 1.0.0.0 0.255.255.255 host 192.168.0.2
    30 permit ip 1.0.0.0 0.255.255.255 host 192.168.0.3 (1 match(es))
    40 deny ip 1.0.0.0 0.255.255.255 host 172.168.0.1
    50 deny ip 1.0.0.0 0.255.255.255 host 172.168.0.2
    60 deny ip 1.0.0.0 0.255.255.255 host 172.168.0.3
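To make the matching logic of the lab's ACL visible, here is a small Python simulator. It is an added example, not part of the lab or of Cisco's software: it parses the six access-list lines exactly as typed on the router above, evaluates them top-down with first-match semantics the way IOS does (wildcard-mask bits set to 1 are "don't care", 0.0.0.0 is the same as the host keyword), numbers the entries 10, 20, ... as show access-lists does, and applies the implicit deny any that ends every Cisco ACL. The sample flows fed to it are constructed for illustration; 203.0.113.5 is a documentation address standing in for "some other destination".

```python
import ipaddress

# Added example (not part of the lab): a small simulator for Cisco extended
# ACL semantics. It parses 'access-list <n> permit|deny ip <src> <dst>'
# lines, walks them top-down with first-match semantics, and applies the
# implicit 'deny any' that ends every Cisco ACL.


def _to_int(addr):
    """Dotted-quad string to 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def parse_address(tokens):
    """Consume one IOS address spec from tokens and return (base, wildcard) as ints.

    Accepted forms: 'any', 'host A.B.C.D', or 'A.B.C.D W.X.Y.Z' (wildcard mask).
    """
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return _to_int(tokens.pop(0)), 0
    return _to_int(tok), _to_int(tokens.pop(0))


def parse_acl(config_lines):
    """Return ordered (seq, action, src_spec, dst_spec) entries.

    Sequence numbers are assigned 10, 20, ... the way IOS numbers entries
    typed without an explicit sequence (this is what 'show access-lists' prints).
    """
    entries = []
    for line in config_lines:
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        action, proto = tokens[2], tokens[3]
        if proto != "ip":
            raise ValueError("this example only handles 'ip' entries")
        rest = tokens[4:]
        src = parse_address(rest)
        dst = parse_address(rest)
        entries.append((10 * (len(entries) + 1), action, src, dst))
    return entries


def wildcard_match(addr, spec):
    """Wildcard bits set to 1 are 'don't care'; only the 0 bits must be equal."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (_to_int(addr) & care) == (base & care)


def evaluate(acl, src_ip, dst_ip):
    """First matching entry wins: returns (action, seq). No match -> ('deny', None)."""
    for seq, action, src, dst in acl:
        if wildcard_match(src_ip, src) and wildcard_match(dst_ip, dst):
            return action, seq
    return "deny", None  # implicit deny any at the end of every Cisco ACL


# The six entries exactly as typed on the lab router (prompt removed)
LAB_ACL_100 = parse_acl([
    "access-list 100 permit ip 1.0.0.0 0.255.255.255 192.168.0.1 0.0.0.0",
    "access-list 100 permit ip 1.0.0.0 0.255.255.255 192.168.0.2 0.0.0.0",
    "access-list 100 permit ip 1.0.0.0 0.255.255.255 192.168.0.3 0.0.0.0",
    "access-list 100 deny ip 1.0.0.0 0.255.255.255 172.168.0.1 0.0.0.0",
    "access-list 100 deny ip 1.0.0.0 0.255.255.255 172.168.0.2 0.0.0.0",
    "access-list 100 deny ip 1.0.0.0 0.255.255.255 172.168.0.3 0.0.0.0",
])


def check_flows():
    """Constructed sample flows entering eth0/0/0: (source, destination) -> ACL verdict."""
    flows = [
        ("1.0.0.10", "192.168.0.1"),   # permitted by line 10
        ("1.200.1.1", "172.168.0.2"),  # denied by line 50
        ("1.0.0.10", "172.168.0.9"),   # listed nowhere: implicit deny
        ("1.0.0.10", "203.0.113.5"),   # any other destination: implicit deny too
        ("2.0.0.1", "192.168.0.1"),    # outside 1.0.0.0/8: implicit deny
    ]
    return {flow: evaluate(LAB_ACL_100, *flow) for flow in flows}


if __name__ == "__main__":
    for (src, dst), (action, seq) in check_flows().items():
        where = f"line {seq}" if seq else "implicit deny"
        print(f"{src} -> {dst}: {action} ({where})")
```

Running it shows the check a practitioner wants before deploying this list: because of the implicit deny, lines 40 to 60 never change the verdict (those flows would be dropped anyway), and every other packet from 1.0.0.0/8 entering Eth0/0/0, to any destination not named in lines 10 to 30, is dropped as well. If those clients are meant to reach anything else, the list needs a trailing permit for that traffic; the explicit deny lines are still useful for readable match counters in show access-lists.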