How to configure an Extended Access List on Cisco Routers and IOS based Switches
Securing devices such as routers and switches from unauthorized access, restricting access between hosts or networks, protecting the perimeter of your network, and setting up IPSec tunnels are some of the tasks that require an understanding of access lists.
This short How To will show you how to configure an extended access list entry. An extended access list differs from a standard access list in that it lets you match on both source and destination IP addresses, source and destination ports, and other parameters, including the times at which the access list is in effect (a very cool feature, in my opinion)!
This access list entry will be configured to allow the 192.168.1.0/24 network to send any IP packets to the 10.1.1.0/24 network. It will also log packets that match the entry, letting you confirm whether traffic is actually flowing from the 192.168.1.0/24 network to the 10.1.1.0/24 network.
***Note – the access list entry is one way: it only covers packets travelling from 192.168.1.0/24 to 10.1.1.0/24. If an access list is also applied on the return path, that list needs a corresponding entry with the source and destination networks reversed (10.1.1.0/24 as source, 192.168.1.0/24 as destination), or the replies will be dropped.
- Connect to your Cisco router or IOS-based switch. This will be over the console, telnet, or SSH, depending on how you've set it up (prefer SSH where it is available, since telnet sends your credentials in cleartext).
- Type "enable" and press Enter to go to "enable" mode.
- Type "config t" and press Enter to go to "configure" mode.
- Type "access-list 101 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255 log" and press Enter to configure the access list entry. Note that 0.0.0.255 is a wildcard mask, the inverse of the subnet mask 255.255.255.0: bits set to 1 are ignored when matching, so each mask covers the whole /24.
- Type "interface interface" to go to interface configuration mode for the interface that the traffic from the 192.168.1.0/24 network will come through. Let’s assume for our purposes we are configuring the interface that is connected to the 192.168.1.0/24 network, and it is interface FastEthernet0/0.
- Type "ip access-group 101 in" and press Enter to apply the access list to packets arriving inbound on that interface.
***Note – every Cisco access list ends with an implicit "deny ip any any", so only traffic that an entry explicitly permits is passed through. Because this list has a single entry, hosts on 192.168.1.0/24 will only be able to send packets to 10.1.1.0/24 through this interface; anything else arriving on FastEthernet0/0 (for example traffic to the Internet, or to the router's own addresses for management) is dropped. Add further permit entries for any other traffic you need; in a numbered list they are appended, and all of them sit ahead of the implicit deny. Also bear in mind that the "log" keyword makes the router generate syslog messages for matching packets, which is CPU intensive: use it while you verify the traffic flow, and consider removing it afterwards on busy links.
- Type "exit" and press enter. Then Type "exit" and press enter again to get back to enable mode.
- Type "wri mem" and press Enter to save your configuration.