Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
288
Views
5
Helpful
5
Replies

Extended ACL issue

Mark Alpha
Level 1
Level 1

‎07-13-2025 11:53 PM

Am getting a little obssed over networking over the last few days and decided to go for ccna and i started learning and reached ACL ,specifically extended ACLs ,but when i was trying a hands on in CPT i got stuck . since i dont have a proper mentor its all pretty messed up and it would take some time to figure it out . there would be some illogical mistakes but i kindly suppose you guys would correct me.

THE PROBLEM  is that i have configured a network containing one isp (router),a router ,3 switches and 2 PC under each switch ,so that i can create 3 networks ,routing done through intervlan (int g0/0.10, int g0/0.20, int g0/0.30) . the networks are 192.168.10.0(Admin n/w), 192.168. 20.0 (sales n/w),&  192.168.30.0 (IT n/w)  .
.
So using extended acls can i make admin to communicate with sales and IT ,but block the communication between sales and IT 

Labels:
0 Helpful
5 Replies 5

M02@rt37
VIP
VIP

‎07-14-2025 02:20 AM

Hello @Mark Alpha 

Please refer here:

https://www.computernetworkingnotes.com/ccna-study-guide/configure-extended-access-control-list-step-by-step-guide.html

--

One example about blocking sales -> IT and allow the rest.

ip access-list extended BLOCK_SALES_TO_IT
deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.20.0 0.0.0.255 any

--Apply this ACL on subinterface 0/0.20 in ingress:

interface GigabitEthernet0/0.20
ip access-group BLOCK_SALES_TO_IT in

--Follow this for others extended ACL

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

wajidhassan
Level 4
Level 4

‎07-14-2025 02:30 AM

Hi @Mark Alpha ,

Yes, extended ACLs can help you achieve that. You can allow Admin (192.168.10.0) to access both Sales (192.168.20.0) and IT (192.168.30.0), while denying traffic between Sales and IT.

Example:

access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 100 deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 100 deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 permit ip any any

Apply the ACL in the correct direction on the router interface. This should give you the desired control.

Hope this helps!

Joseph W. Doherty
Hall of Fame
Hall of Fame

‎07-14-2025 04:19 AM

So using extended acls can i make admin to communicate with sales and IT ,but block the communication between sales and IT

You can, but for your case, standard ACLs could too.  For your case, extended ACLs provide additional flexibility in where the ACL(s) might be applied.  Also in your case, if it were real-world, you might want to structure your ACL(s) to better support possible future network growth or changes, or even consider whether your current requirement is actually "correct".

For a growth example, what happens if a new subnet is added?

For a "correct" requirement examples, what if VoIP is being used or it's okay for non admin subnets to initiate access to the admin subnet?

I mention these latter considerations as it's easier, I believe, to learn the technology if you under its "why".  Also, good network engineering often depends on good requirement analysis.

Back to your specific example, if it can be done using just standard ACLs, how so?  As an extended ACL can be functionally written exactly like a standard ACL, can an extended ACL be written/used differently?  It can, but how and why do so?

Something like ChatGPT often isn't too great to assist learning.  Working out answering my last couple of questions, can be.

Mark Alpha
Level 1
Level 1
In response to Joseph W. Doherty

‎07-14-2025 10:18 AM

Yes you are right chatgpt was my 1st option to go for but it was also wrong about some logical things , then i found the community  , i m really happy that there is this community  

Joseph W. Doherty
Hall of Fame
Hall of Fame
In response to Mark Alpha

‎07-14-2025 11:08 AM - edited ‎07-15-2025 07:36 AM

@Mark Alpha wrote:

, then i found the community  , i m really happy that there is this community  

Yea, it's fantastic.  Before I ever contributed, I learned a lot from reading various posts, still do.

For you, when you post a question, also make clear what you're looking for, regarding an answer.

For example, in this case, as well done in the earlier replies, "here's how it's done" were well provided.

In my case, since you mentioned you're "learning", possibly with the intent to obtain a CCNA, I broadened my reply to help you "learn", so you might not only answer a certification question, but also can do it for real, in the real-world.

For (hopefully) more learning . . .

Your two stated requirements are:

  • extended acls can i make admin to communicate with sales and IT
  • (and) block the communication between sales and IT

Again, for the above you could use standard ACLs too, and it's worthwhile knowing how, and how it compares with extended ACLs doing the same.

Regarding analysis of your requirements, as by default, everything can communicate with everything (assuming we're not explicitly blocking, and network is built for that [e.g. routing between subnet, etc.}), minimally we only need to block communication between sales and IT.

Also in networking, communication often implies two way, but one way is possible.  I.e. if we block just one way, is that sufficient, as it blocks two way, or do we need to explicitly block two way?

As ACLs are usually applied on L3 interfaces, the logical places we normally consider are egress or ingress at the leaf/end subnets or transit L3 interfaces.  Also remember, ACLs may be applied for ingress and/or egress traffic, per interface.

In your case, there are no transit interfaces.

If we consider the Sales interface and the IT interface. . .

On the Sales interface, we want to block IT traffic being sent to it, and the converse for the IT interface.

ip access-list standard BlockIT
 deny 192.168.30.0 0.0.0.255
 permit any

ip access-list standard BlockSales
 deny 192.168.20.0 0.0.0.255
 permit any

int g0/0.20
 ip access-group BlockIT out
int g0/0.30
 ip access-group BlockSales out

Remember, analysis of requirements?

What if we did:

ip access-list standard AllowAdmin
 permit 192.168.10.0 0.0.0.255

int g0/0.20
 ip access-group AllowAdmin out
int g0/0.30
 ip access-group AllowAdmin out

Do both of the above configs, cover the requirements?

Which is "better"?

Might we have another variation, some combination of the two, above, approaches?

Can you rewrite the above using extended ACLs?

If we use extended ACLs, should the ACLs be further modified and/or placed differently?  If so, why?

(NB: BTW, ideally, ACLs should drop ASAP, to avoid passing along traffic that we know is going to be dropped later, but, in real-world, ease of maintenance might be considered?

Advanced consideration:  what about FW like filtering, i.e. admin is allowed to open communication with IT or Sales, but neither can open communication with Admin?

Customers Also Viewed These Support Documents