Answers: Extended Named ACLs 1

By Chris August 3, 2016 09:10

No muss, and just a little fuss with thinking about SNMP, today’s lab is mostly about how to match packets with an extended numbered ACL. Do the lab for yourself, and check here when you’re done.


Figure 1: Two Router ROAS Topology

Example 5: R1 Config



The primary use of access lists is to control which traffic is allowed to come in and go out of the interfaces of a device. On Cisco devices there are a number of different ways to configure them; for IPv4 the two main methods are standard and extended ACLs. Standard ACLs are simpler and only allow matching based on the source IP host or network of the traffic. Extended ACLs are more complex and allow matching on both source and destination host or network, as well as matching based on the protocol being used. It is important to note, however, that ACLs are not limited to blocking or permitting specific traffic; they are also used in a number of different features, from Network Address Translation (NAT) to route-maps.

With this lab you were tasked with configuring an extended named ACL that would be used to block specific traffic. In particular, the two requirements ask that you match packets coming from servers, which means that the source TCP or UDP port in those packets will be used to match the well-known ports used by those servers. The first requirement asked you to match packets from a specific server, while the second requirement asked that you match packets coming from an entire subnet.

For that first requirement, you needed to match the specific server address ( with the host parameters, and the destination subnet with the parameters. Beyond that, for three consecutive commands, the ACL needed a separate statement to match each service noted in the requirements, for the well-known port used by Telnet (23), SSH (22), and SNMP (161), and for the correct transport protocols (see example 1).

For the second requirement, the logic works the same, except that the source field in each case matches the source subnet with the parameters.

The last step is to apply the ACL to the appropriate interface. It is considered best practice to apply standard ACLs to the interface that is closest to the destination and extended ACLs to the interface that is closest to the source. In this case since you are configuring an extended ACL you are looking for the interface that is closest to the source. Since R1 is configured with a Router-on-a-Stick (ROAS) configuration the closest interface would be a sub-interface not a physical interface. The source network is which is located off R1’s G0/2.3 sub-interface, so the answer applies the ACL inbound on this interface using the ip access-group ThisACL in command.

Finally, note that this lab glossed over one SNMP issue. As worded, the lab exercise requirements mentioned Telnet, SSH and SNMP server. As it turns out, SNMP does not often use client and server terms. However, the device using well-known UDP port 161, which is matched by an IOS ACL with the snmp keyword, is the SNMP agent running on the networking device. So, in the literal sense, the ACL listed here is correct. However, many people incorrectly think of the Network Management Station as the server; if that was your intent, then note that the NMS would not send packets with source UDP port 161, but rather with destination UDP port 161 when communicating to SNMP agents throughout the network.
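The matching logic described above, modeled as an added example that is not part of the original lab answer: it evaluates packets against entries that match on protocol, source host, destination subnet and source port, and shows the SNMP point (source port 161 matches, destination port 161 does not). The addresses are constructed documentation ranges, and the deny actions and the final permit entry are assumptions, since the lab's own values are not shown here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def wildcard_match(addr, base, wildcard):
    """IOS wildcard logic: bits set to 1 in the wildcard mask are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp" or "ip" (any protocol)
    src: tuple                       # (address, wildcard)
    dst: tuple
    src_port: Optional[int] = None   # 'eq' written after the source field
    dst_port: Optional[int] = None   # 'eq' written after the destination field

    def matches(self, p):
        return (self.proto in ("ip", p["proto"])
                and wildcard_match(p["src"], *self.src)
                and wildcard_match(p["dst"], *self.dst)
                and self.src_port in (None, p["sport"])
                and self.dst_port in (None, p["dport"]))

def evaluate(acl, p):
    """First matching entry wins; no match falls through to the implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"

def pkt(proto, src, sport, dst, dport):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}

# Constructed values, not the lab's: one server host and one destination subnet.
SERVER = ("192.0.2.10", "0.0.0.0")        # 'host' is a wildcard of 0.0.0.0
CLIENTS = ("198.51.100.0", "0.0.0.255")
ANY = ("0.0.0.0", "255.255.255.255")

THIS_ACL = [
    Ace("deny", "tcp", SERVER, CLIENTS, src_port=23),    # Telnet server replies
    Ace("deny", "tcp", SERVER, CLIENTS, src_port=22),    # SSH server replies
    Ace("deny", "udp", SERVER, CLIENTS, src_port=161),   # SNMP agent replies
    Ace("permit", "ip", ANY, ANY),                       # assumed final entry
]

if __name__ == "__main__":
    agent_reply = pkt("udp", "192.0.2.10", 161, "198.51.100.7", 50000)
    nms_request = pkt("udp", "192.0.2.10", 50000, "198.51.100.7", 161)
    print(evaluate(THIS_ACL, agent_reply), evaluate(THIS_ACL, nms_request))
```

Matching the Network Management Station's requests instead would mean setting `dst_port=161` on the entry rather than `src_port=161`.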

  1. Gbenga August 20, 23:05

    Wow! This is concise and educative. Thank you Wendell

  2. certskills August 22, 16:42

    Sure thing, Gbenga! Glad you like the format.

  3. Yurii December 12, 07:52

    ‘the well-known port used by Telnet (21), SSH (22), and SNMP (161)’
    maybe did you mean Telnet (23)?
