Lab 12: Extended ACL — Precise Traffic Control
Standard ACLs match only sources — extended ACLs match source, destination, protocol and port. Block HTTP to a server while still allowing ping, and place the ACL correctly near the source. Difficulty: Intermediate+ · Time: ~30 min.
Lab objectives
- Write a named extended ACL matching protocol and port
- Permit ICMP but deny TCP/80 to one server
- Apply inbound close to the source
- Verify both behaviours and read counters
Topology & addressing
Router with LAN 192.168.10.0/24 (Gi0/0) and server segment 192.168.99.0/24 (Gi0/1); web server at 192.168.99.10 (HTTP enabled in PT).
Step-by-step configuration
| Command | Purpose |
| --- | --- |
| `ip access-list extended BLOCK-WEB` | Create a named extended ACL; entries can later be edited by sequence number |
| `deny tcp 192.168.10.0 0.0.0.255 host 192.168.99.10 eq 80` | Block TCP destination port 80 (HTTP) from the LAN to that one server |
| `permit ip any any` | Allow everything else; without this line the implicit deny at the end of every ACL drops all remaining traffic, ping included |
| `interface gi0/0` | Enter the LAN-facing interface, where the traffic enters the router |
| `ip access-group BLOCK-WEB in` | Apply the extended ACL inbound, close to the source |
Verification
From a LAN PC: ping 192.168.99.10 works, but the web browser to the same server fails. This is protocol-level filtering in action: the deny entry matches TCP/80 only, so ICMP falls through to the permit. `show access-lists` shows the deny entry's match counter climbing with each browser attempt (the `permit ip any any` counter climbs with each ping), and `show ip interface gi0/0` confirms "Inbound access list is BLOCK-WEB". If the counters stay at zero, check that the ACL is applied on the right interface in the right direction before touching the entries.
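To make the first-match logic, the implicit deny and the match counters concrete, here is a small evaluator that reads the lab's two ACL lines and replays the verification offline. This is an added example written for this page, not Cisco IOS code or anything from the lab kit; the LAN PC address 192.168.10.20 and the packets are constructed, and the parser only understands the IOS syntax used here (`any`, `host`, network plus wildcard, and a destination-port operator `eq`/`gt`/`lt`/`range` after the destination address).

```python
"""Toy evaluator for Cisco IOS-style extended ACLs (added example, not IOS code).
Models first-match evaluation, the implicit deny, and per-entry hit counters."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port for tcp/udp, None for icmp


def _addr_matcher(tokens: List[str], i: int):
    """Consume one IOS address spec at tokens[i]: any | host A.B.C.D | A.B.C.D WILDCARD."""
    if tokens[i] == "any":
        return (lambda a: True), i + 1
    if tokens[i] == "host":
        target = int(ipaddress.IPv4Address(tokens[i + 1]))
        return (lambda a: a == target), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    care = ~wild & 0xFFFFFFFF    # wildcard 1-bits are "don't care"; the rest must match
    return (lambda a: (a & care) == (net & care)), i + 2


def _port_matcher(tokens: List[str], i: int):
    """Consume an optional destination-port operator: eq/gt/lt N or range LO HI."""
    if i >= len(tokens):
        return (lambda p: True), i          # no operator: any port (or no port at all)
    op = tokens[i]
    if op == "range":
        lo, hi = int(tokens[i + 1]), int(tokens[i + 2])
        return (lambda p: p is not None and lo <= p <= hi), i + 3
    n = int(tokens[i + 1])
    ops = {"eq": lambda p: p == n,
           "gt": lambda p: p is not None and p > n,
           "lt": lambda p: p is not None and p < n}
    return ops[op], i + 2


@dataclass
class Ace:
    """One access-control entry, e.g. 'deny tcp 192.168.10.0 0.0.0.255 host 192.168.99.10 eq 80'."""
    text: str
    action: str
    proto: str
    src_ok: Callable[[int], bool]
    dst_ok: Callable[[int], bool]
    port_ok: Callable[[Optional[int]], bool]
    matches: int = 0

    @classmethod
    def parse(cls, line: str) -> "Ace":
        t = line.split()
        src_ok, i = _addr_matcher(t, 2)      # t[0] = action, t[1] = protocol
        dst_ok, i = _addr_matcher(t, i)
        port_ok, _ = _port_matcher(t, i)    # only the destination-port form is supported here
        return cls(line, t[0], t[1], src_ok, dst_ok, port_ok)

    def hit(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:   # 'ip' matches every protocol
            return False
        return (self.src_ok(int(ipaddress.IPv4Address(pkt.src)))
                and self.dst_ok(int(ipaddress.IPv4Address(pkt.dst)))
                and self.port_ok(pkt.dport))


@dataclass
class Acl:
    name: str
    entries: List[Ace] = field(default_factory=list)
    implicit_denies: int = 0

    @classmethod
    def build(cls, name: str, lines: List[str]) -> "Acl":
        return cls(name, [Ace.parse(line) for line in lines])

    def evaluate(self, pkt: Packet) -> str:
        """First matching entry wins; nothing matched means the implicit deny drops it."""
        for ace in self.entries:
            if ace.hit(pkt):
                ace.matches += 1
                return ace.action
        self.implicit_denies += 1
        return "deny"

    def show(self) -> str:
        """Rough imitation of 'show access-lists' output with match counters."""
        out = [f"Extended IP access list {self.name}"]
        for seq, ace in enumerate(self.entries, start=10):
            out.append(f"    {seq} {ace.text}" + (f" ({ace.matches} matches)" if ace.matches else ""))
        return "\n".join(out)


# The lab's ACL, exactly as entered on the router.
BLOCK_WEB_LINES = [
    "deny tcp 192.168.10.0 0.0.0.255 host 192.168.99.10 eq 80",
    "permit ip any any",
]


def run_lab() -> Acl:
    """Replay the verification: one ping, two browser attempts, one HTTPS attempt."""
    acl = Acl.build("BLOCK-WEB", BLOCK_WEB_LINES)
    pc, web = "192.168.10.20", "192.168.99.10"   # constructed LAN PC; the lab's web server
    acl.evaluate(Packet(pc, web, "icmp"))        # ping: permit via 'permit ip any any'
    acl.evaluate(Packet(pc, web, "tcp", 80))     # browser: deny
    acl.evaluate(Packet(pc, web, "tcp", 80))     # retry: deny, counter climbs
    acl.evaluate(Packet(pc, web, "tcp", 443))    # HTTPS is not port 80: permit
    return acl


if __name__ == "__main__":
    print(run_lab().show())
    # Drop the trailing permit and the implicit deny catches everything, even ping.
    strict = Acl.build("BLOCK-WEB-NO-PERMIT", BLOCK_WEB_LINES[:1])
    print("ping without 'permit ip any any':",
          strict.evaluate(Packet("192.168.10.20", "192.168.99.10", "icmp")))
```

Running it prints the deny entry with 2 matches and the permit with 2, mirroring what `show access-lists` reports on the router; the second ACL shows why the `permit ip any any` line is not optional. Changing the source to an address outside 192.168.10.0/24, or the destination to another server, makes the deny miss, which is the precision the FAQ below refers to.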
Next lab: labs hub · test yourself: CCNA practice test.
Frequently asked questions
Why place extended ACLs near the source?
Because they match destination, protocol and port, extended ACLs can single out exactly the traffic to drop, so applying them inbound on the first router interface discards it before it consumes bandwidth across the network. A standard ACL placed near the source would have to block everything from the LAN, since it matches on source address alone; that is why standard ACLs go near the destination and extended ACLs near the source.
What does eq 80 mean?
'Equal to port 80', i.e. HTTP. Because the operator follows the destination address in this entry, it matches the destination port; an operator written after the source address would match the source port instead. `eq 443` would match HTTPS and `eq 22` SSH, and `gt`, `lt` and `range` match port ranges.
Why did ping still work?
The deny entry matches only TCP with destination port 80, so ICMP never matches it and falls through to `permit ip any any`. That surgical control is what extended ACLs exist for; note that it depends on the trailing permit, because without it the implicit deny would drop ping as well.
Want hands-on training?
Learn this on real Cisco lab devices with placement support at Attila Technologies, Ahmedabad.