Extended Access List Configuration With Packet Tracer - www.ipcisco.com : www.ipcisco.com
Content Protection by DMCA.com

Extended Access Lists Configuration
With Packet Tracer

In this lesson we will focus on Extended ACL Configuration with Packet Tracer. We will use the below topology for our packet tracer configuration.

Extended acl with packet tracer

You can DOWNLOAD the Packet Tracer example with .pkt format HERE.

Like Standard ACL configuration example, we will use one router, one destination server and 3 PCS in common. The switches in the topology will onlu used for port need.

Extended ACLs are a little complex if we compare with Standard ACLs. With Extended ACLs, we can restrict or allow specific things like destination, protocol or port.

In this Extended ACL example, we will allow/deny ICMP protocol through the server. As you know, ICMP is ping protocol. Here, PC0 and PC1 will be allowed and PC2 will be denied.

Extended Access-List Configuration

Let’s start to configure router for our Extended ACL.

For Extended ACLs, we can use extended access-list number range 100 to 199. Here, we will use 100.

Router # configure terminal
Router (config)# ip access-list extended 100
Router (config-ext-nacl)# permit icmp host
Router (config-ext-nacl)# deny icmp host host host-unreachable
Router (config-ext-nacl)# end
Router # copy run start

Here, we permit the PC0 and PC1 with permit line and the used wildcard mask. We will talk about wildcard mask later. And you can also use “”, instead of “host”. It is the same meaning.

In the second permit/deny line, we denied ICMP from PC2 to server. Here, also we use host keyword to emphasize one ip host ip address.

Applying Extended Access-List to the Interface

Now, it is time to add this Extended access-list to the interface. We will add this access-list , to the fastethernet 0/1.

Router (config)# interface fastethernet 0/1
Router (config-if)# ip access-group 100 out
Router (config-if)# end
Router # copy run start

As you can see, we add the access list 100 to the interface fastethernet 0/1.

Extended Access-List Verification

After the Extended Access-list configuration, let’s verify the configuration. Here, we will ping from PCs to the servers and check if it is successful or not. For our configuration, PC0 and PC1 can ping the server, but PC2 can not. Because, we deny ICMP for PC2.

PC0> ping
PC1> ping
PC2> ping

extended access-list packet tracer

In this verification ping, you can see that, PCO and PC1 can ping the server. They are allowed for ICMP. But, PC2 can not ping the server. On router , ICMP protocol is restricted from PC2 to server.

extended access-list packet tracer

In this Extended Access-List example with Packet Tracer, we only see ICMP permit and deny. You can also do this with different protocol like telnet, ssh or different ports etc.

Third ACL Type : Named Access-List

As we have talked about, in the Standard Access-List lesson, there is also one access-list type too. This is Named Access-List. But here, we will not give additional example for Named Access-List. Because, it is almost the same as Extended Access-List. There is only a naming difference.

What is Wildcard Mask Simply?

At the end of this lesson, we can talk about wild card masks. You can see a very basic summary below that summarize wildcard masks.

Here, think about that you have got an ip address and your subnet mask is You would like to divide this subnet and, you will use another subnet mask. This subnet mask is

Firstly let’s convert this subnet mask to 1s and 0s to the binary version. After that, to find Wildcard mask, let’s change 1s to 0, 0s to 1. Our wildcard mask is ready! Simply you can think that Wildcard mask is reverse of subnet mask.

In this lesson, we have talekd about how to configure Extended Access-List with Packet Tracer on Cisco Routers.

You can DOWNLOAD the Packet Tracer example with .pkt format HERE.

About the Author
Gokhan Kosem is a telecommunation and network engineer. His ambition to IP networks and end-to-end system installation made him to prepare this web-site. By sharing his experiences about various networking protocols beside different system installation experiences and Cisco, Juniper, Alcatel-Lucent devices configurations, he is aimed to be helpful for his collegues in all over the world. He is currently lives in Istanbul, Turkey.

Leave a Reply

Copy Protected by Chetan's WP-Copyprotect.