00:00:00 - We've left routing protocols and now are moving directly into
00:00:04 - access lists. The rules of the ACL, or the access control list.
00:00:10 - Access lists are one of the core pieces of CISCO routers. Meaning,
00:00:14 - you're going to be using them for all sorts of things, and that's
00:00:17 - going to be the first topic that we talk about as we get into
00:00:20 - access lists. They're not just for access. Even though that's what
00:00:24 - they're named, you'll use them for all kinds of stuff, and that's
00:00:27 - the first thing we'll talk about.
00:00:29 - Then we'll turn our attention to the security aspects of
00:00:33 - access lists, in the sense that your CISCO router has the ability
00:00:37 - to be a pretty sophisticated firewall, allowing specific traffic
00:00:41 - in and out of the network. That's using ACLs for security.
00:00:45 - So we'll talk about ways to do that, and the final topic will
00:00:48 - be the types of ACLs that are able to do that. When you say
00:00:51 - access control list, that is more of an umbrella of many different
00:00:56 - categories of topics, two of which are the most important: standard
00:01:01 - and extended access control lists. We'll look at what those are
00:01:04 - and what the differences are.
00:01:06 - Access lists are everywhere in the CISCO world. It's one of those
00:01:11 - concepts that you'll hear repeated again and again and again.
00:01:15 - And it's almost unfortunate that CISCO named them access lists.
00:01:19 - I think they should have named them identifier lists, because
00:01:23 - every time somebody thinks of an access list, they think of
00:01:25 - access and they think, oh, this is like a firewall kind of
00:01:29 - thing to control access. Now that's one of the things that they
00:01:32 - can be used for, but there are many more things that they can
00:01:37 - be applied to and used for, where "access" would be somewhat confusing.
00:01:40 - So there's my proposal. We'll go ahead and change the name to
00:01:44 - identifier lists because that's exactly what they do: identify
00:01:49 - traffic to be allowed or permitted or denied. Now I know even
00:01:55 - using that terminology you're thinking, okay, permitted or denied
00:01:59 - to get out of the network or come into the network. You're thinking firewall.
00:02:03 - That's what I think when I think of it. And you can see
00:02:06 - right here what they are, a list of permit or deny statements. Permit
00:02:09 - 192.168.2.50 that host, deny
00:02:13 - 192.168.1.0/24 that whole subnet.
00:02:16 - Permit just port 80 for 184.108.40.206
00:02:20 - Now this list of permit or denies really is
00:02:26 - almost better translated - see, look at this, I'm changing all the words. Allow
00:02:30 - or stop.
00:02:33 - Okay, I'm just making this up as I go, all right. Let me talk about how
00:02:37 - they can be used and I think that will shed a lot more light
00:02:40 - on what I mean. The number one way that people think about access
00:02:44 - lists being used is for access control. Where in the true sense of
00:02:48 - the word they are permitting and denying traffic. So for example,
00:02:51 - I might have a router right here connected off to the internet and
00:02:55 - as traffic comes in or leaves that router I can say, well, who
00:02:59 - are you? Because if you're not invited here, you are denied. You
00:03:03 - cannot get in from the internet into my network. Or as they're going out
00:03:06 - it'll say, who are you, are you allowed to access the internet
00:03:09 - or are you allowed to access that website on the internet? That's access
00:03:13 - control, and that's where permit and deny really make sense
00:03:17 - in our heads. But
00:03:19 - access lists can also be used for NAT. So for example,
00:03:23 - let's say this is our access list up here, this list of statements
00:03:26 - right here. We might apply it in such a way that says, this IP
00:03:32 - address is permitted to be translated using NAT off
00:03:37 - to the internet. As a matter of fact, if you look at this series
00:03:40 - the next topic we're going to be talking about is configuring
00:03:43 - NAT from the command line. We'll go through some of the concepts
00:03:46 - and configurations and we'll see how this is applied. But one
00:03:50 - of the things we'll do is say, we're going to create
00:03:52 - an access list and say that these hosts are permitted to be
00:03:55 - translated or denied from being translated. That doesn't mean
00:04:00 - they're being denied from accessing the internet as a whole
00:04:03 - they're just being denied from the NAT process. They're not going to
00:04:05 - be translated to a public IP address when they go out. You could use it
00:04:10 - for quality of service. Tweak this example a little more and
00:04:14 - have this same list, I could say this host is permitted
00:04:17 - to receive priority on the network. That's what quality of
00:04:21 - service is all about, is prioritizing some traffic and deprioritizing
00:04:26 - others. So I can say that this host gets priority, so if there's
00:04:30 - congestion and things are being dropped, you know, the network's
00:04:33 - kind of overwhelmed - well that host is going to move to the front
00:04:36 - because they're permitted to receive prime priority, they're
00:04:40 - allowed to move to the front. The one below says
00:04:44 - 192.168.1.0 right here. If we apply it to quality
00:04:48 - of service, they are not denied from getting out or denied
00:04:51 - from accessing the internet like access control; they're denied
00:04:54 - from perhaps receiving priority.
00:04:58 - So you see, I could keep going down this list, you know. Demand-
00:05:01 - dial routing, policy routing, route filtering, making French toast.
00:05:04 - Okay, access lists don't make French toast but the point
00:05:08 - is that this is a partial list. This is one of those concepts
00:05:12 - you'll see repeating itself again and again and again in the CISCO
00:05:15 - world because there are many times - just think, any time
00:05:20 - that you're on a CISCO router and you need to say, these are going
00:05:24 - to be allowed or these are going to be denied to any process
00:05:28 - and you just need to identify a group of IP addresses, that is where
00:05:32 - an access list comes in.
00:05:35 - When we talk about access lists initially, we'll talk about
00:05:38 - using them for security. And as we move into some of the other
00:05:42 - topics like NAT, that's where we'll expand some of those other uses.
00:05:45 - I just wanted to initially make sure you know, these - even though they're called
00:05:49 - access lists, access is just one of the ways that you can use
00:05:52 - them. So if you're using an access list for security, it's like
00:05:57 - hiring a guard for your router to stand on an interface. Here's
00:06:02 - the idea. We've got this guard right here that we've
00:06:05 - assigned to stand on the fast ethernet 0/0 interface.
00:06:10 - Now as soon as we give that guard a list, he is going to screen
00:06:16 - all of the traffic either coming in or going out of that interface,
00:06:21 - depending on how we apply this access list, and say whether
00:06:24 - it's allowed or denied. So before we talk about the guards
00:06:27 - processing, let's first talk about the rules of the access
00:06:32 - list. When you create an access list, it is literally just
00:06:35 - a list of statements like you see right here. It is read from top to bottom
00:06:41 - and it will stop at the first match. So for example, we have
00:06:45 - this guard who has a list, and the first statement in their list, number
00:06:48 - one right here, says deny 10.1.5.1. So let's
00:06:53 - say he's filtering traffic coming this direction, he's going to ask that
00:06:57 - packet - let's say that this is 10.1.5.10,
00:07:01 - the guard will ask and say, are you 10.1.5.1?
00:07:04 - Packet says, no sir. And he says, okay, are you 220.127.116.11?
00:07:09 - You can see statement number two in the list. Packet
00:07:11 - says, no sir. And then we come down here, you can see my little
00:07:14 - permits or whatever. You know, this list can go on and on.
00:07:18 - We might say something like permit 10.0.0.0/8.
00:07:22 - Wow, that's big, because that says permit everything
00:07:27 - starting with 10. You see the subnet mask right there. It's a Class A
00:07:32 - subnet mask. So everything starting with 10 is allowed. So he gets to that
00:07:35 - third statement and says, are you 10 dot anything? And the packet says,
00:07:39 - yes sir, I am. And he says, well in that case then you are permitted.
00:07:43 - You may proceed through into the router and access whatever
00:07:46 - resources that you have. So the list is read from top to bottom
00:07:50 - and it stops at the first match. What if this packet were 10.1.5.1
00:07:54 - coming in? Well the guard would say, are you 10.1.5.1
00:07:58 - as his first question, and when the packet says yes, it
00:08:02 - says, smash, and the guard hits it with his gun right there and the packet
00:08:06 - is destroyed and dropped. Now even though the third statement
00:08:09 - in this list says permit everything starting with 10,
00:08:13 - since the list is read in order it never gets that far. So
00:08:18 - you can see that the order is very important when you create
00:08:22 - an access list. Now let's say we did something like this. Let's
00:08:25 - say we gave the guard a list that the very first statement, I kind of
00:08:29 - reorder it right here, is permit 10.0.0.0/8,
00:08:33 - the same statement we put down there. Well if that's
00:08:37 - the case, then this packet 10.1.5.1 comes
00:08:40 - in and the guard's first question is, are you 10.0.0.0/8?
00:08:43 - and the packet says, well yes I am. Even though
00:08:47 - statement number two denies that packet,
00:08:51 - the guard never gets that far. Because it says, well if you match
00:08:55 - that first statement then you are allowed to go, you may proceed
00:08:58 - through. It never hits statement number two.
00:09:01 - That's why the order is very important. Now the second rule
00:09:05 - is equally important: the invisible implicit deny at the bottom
00:09:09 - of an access list. You can see that this list says deny all.
00:09:14 - But when you're configuring this list on a router, you don't
00:09:16 - see that there. Meaning you just start adding statements to your list.
00:09:20 - You say okay, statement one is this, statement two is that, three is
00:09:23 - this, but all along there's this invisible Deny All at the very
00:09:28 - bottom of that list that just keeps getting pushed further
00:09:30 - and further down the more statements that you add to this list.
00:09:34 - So I guess you could state it in a way that says, if
00:09:38 - you are not explicitly permitted in that access list, and
00:09:45 - you reach the bottom, you will be denied. There's no question
00:09:49 - about it. If you make your way all the way down through that list,
00:09:52 - you're going to hit the invisible deny at the bottom of the
00:09:55 - list. Now you as an administrator can change that whole logic.
00:10:00 - You could actually, if you wanted to as you're typing your list, you
00:10:03 - could say deny this, deny that, deny this, and then add a statement
00:10:07 - that says, permit anyone. So you could put a permit
00:10:13 - I'll just put per all - permit all before it gets to this invisible
00:10:18 - deny. So the guard will be going through this list and saying,
00:10:21 - deny this, and keep going and then say, oh, well then I guess you're permitted.
00:10:25 - So it never actually reaches the deny all, but do know that
00:10:28 - the deny all is still there, you're just not making it down to the
00:10:32 - bottom. It is an invisible implicit deny.
00:10:35 - Now lastly, and this is one of the most difficult things when you're
00:10:39 - first getting into access lists, is the application.
00:10:43 - Access lists are applied to an interface inbound or outbound.
00:10:50 - Meaning you're going to create this list, and we'll say this
00:10:53 - is list number five. The access lists are actually numbered, and
00:10:57 - we'll get deeper into this as we look at the config. So this is
00:11:00 - number five with all these statements, and you're gonna say
00:11:03 - I am going to assign list number five inbound on fast ethernet
00:11:08 - 0/0. That application affects everything in
00:11:12 - the access list. When you say inbound, think about things coming
00:11:18 - in to that interface.
00:11:20 - So that would be, let's say, if there's a switch over here connected
00:11:24 - to the rest of a network, or maybe this interface is
00:11:28 - a DSL connection to the internet, or, you know, it could be connected
00:11:32 - to anything. As things come in to that router,
00:11:37 - that's where the access list will be applied. The best way
00:11:41 - I can describe to think about access lists and their applications
00:11:45 - is for you to become a router.
00:11:49 - Literally. Right now - this is, you know, this is video
00:11:52 - you're in the privacy of your own home or in a cubicle.
00:11:56 - Just relax and hold out your arms by your side. Come on, come
00:12:01 - on, arms out, hold them out. You can just put your fingers out
00:12:04 - if you're ashamed. You hold out your arms and you say okay, my right
00:12:08 - arm, as I'm looking out at my right arm which is pointing to
00:12:11 - the wall where I'm standing right now, my right arm is my fast
00:12:14 - ethernet 0/0. My left arm, that's a serial port.
00:12:19 - Let me put my arm down for a moment. That's serial 0/0
00:12:23 - over here on the router. I - my torso, me - am the middle and I am
00:12:28 - the router itself. So when I think about access lists being
00:12:31 - applied, if I think of them being applied outbound, serial zero -
00:12:37 - if I were to put it out right here, look out at your arm, that's your
00:12:40 - left arm that's pointing to wherever it is. If I apply an access list
00:12:43 - outbound serial 0/0, that's going to catch traffic
00:12:47 - coming from me, the router, leaving that serial 0/0
00:12:52 - to go to whatever this connects to over here. It could be the
00:12:56 - internet, could be whatever. So that's as traffic's going that way.
00:13:00 - So if somebody accesses me from the internet,
00:13:04 - the outbound access list does not apply. I mean again, hold out
00:13:07 - your arm. Your arm is - your left arm - serial 0/0. If
00:13:10 - you think about packets coming in your arm from your fingertips,
00:13:14 - traveling up your wrist all the way through to your shoulder
00:13:17 - blade and into you, that came inbound serial zero. Coming
00:13:21 - in. Now we can apply an access list outbound on fast ethernet
00:13:26 - 0/0, that's your right arm. Again, hold out your right
00:13:29 - arm. Imagine - okay, both arms. Both arms are out, our left and our
00:13:32 - right. Imagine your left arm, serial 0/0, is connected
00:13:35 - to the internet. A packet just came from the internet. It's from a website.
00:13:39 - It's coming in your left arm, coming into your torso, you
00:13:42 - are the router. You're looking at the packet and you go oh, well, I'm looking
00:13:46 - at the destination IP address. I see that that needs to go on my
00:13:49 - right arm, my fast ethernet 0/0. So you send it out and all of a sudden you
00:13:53 - notice - wait a sec, there's an access list applied outbound
00:13:58 - on fast ethernet 0/0. That's where this guard walks into
00:14:01 - the wire and now looks at that packet you're trying to
00:14:04 - send out your right arm and says, are you allowed, when we look
00:14:07 - at this list?
00:14:08 - So when you're thinking about applying access lists, become a
00:14:13 - router. Be -- you know, you are the router, your appendages
00:14:17 - are the different interfaces of the router. I still, to this
00:14:20 - day, even after working with CISCO -- I don't hold out my whole arm
00:14:24 - I hold out fingers because people look at me with less
00:14:28 - I just hold out a finger on each side and I think, okay, this is
00:14:31 - the interface, this is the other interface. If you apply the
00:14:36 - access list wrong,
00:14:38 - if for instance you meant to apply it inbound but you accidentally
00:14:41 - applied it outbound, it can destroy your whole company. And I
00:14:45 - say that is because I mean -- okay, I'm not even going to get
00:14:49 - into that. But this is -- it can have some very serious ramifications.
00:14:53 - We'll talk about that as we get deeper into it. But
00:14:56 - before we go any deeper, let's talk about the types of access
00:15:00 - lists that are out there. I always think access lists are like
00:15:03 - a category, they're like Skittles -- there's many different kinds of them.
00:15:07 - You see right here that we have standard and extended access lists, and
00:15:10 - that's going to be where we're spending most of our time in
00:15:12 - this series, is these are the main ones that we're going to
00:15:16 - be using in this series and in the real world to permit
00:15:19 - or deny different traffic types from being processed. We'll
00:15:23 - spend plenty of time on those on the next slide, so let's
00:15:26 - just jump down to what we're not going to talk about. There
00:15:30 - are plenty of different types of access lists. I just want to give
00:15:33 - you an overview. Dynamic access lists are access lists that
00:15:37 - expand and shrink depending on who's going through at the time.
00:15:42 - Let me give you an example of a dynamic access list use. You could
00:15:46 - have somebody that
00:15:49 - maybe has a username and password that they use to access
00:15:53 - the internet, because not everybody at your company is allowed
00:15:56 - internet access. What you can do is you can set up a dynamic
00:16:00 - access list that says, if this username and password comes
00:16:04 - in, meaning is typed in either via Telnet or it could be, you know, typed in
00:16:09 - through a webpage -- there's different ways to set up dynamic
00:16:12 - access lists. If this username and password is typed in, allow
00:16:15 - that PC access for a certain amount of time. So for example,
00:16:20 - somebody could be sitting at a PC and they're like oh, I need
00:16:23 - to access the internet. So they open a webpage and it says, what's
00:16:26 - your username and password, and they type that username and password
00:16:28 - in and it creates an access list, it gives that guard that's standing
00:16:32 - at the router a new access list that says, this PC or
00:16:35 - this IP address is now allowed for this certain amount of
00:16:39 - time or until they close the web browser, you can set it up many
00:16:42 - different ways. Actually, I take it back, we are going to be talking
00:16:46 - about established access lists, so we'll -- or they're also known
00:16:49 - as reflexive -- which are -- I'll talk about that later.
00:16:54 - We're going to talk about all of that on the next slide.
00:16:58 - Time-based access lists -- we're not going to talk about in here; that's
00:17:00 - part of the CCNP track. Time-based is where
00:17:04 - the access list is active for a specific amount of time or
00:17:08 - time range. So with that you could say for example, internet
00:17:12 - access is allowed in my company after hours. Meaning during
00:17:17 - the hours of 8 AM to 5 PM, if that's your business hours,
00:17:20 - internet access will be blocked. But as soon as you pass 5 PM,
00:17:23 - that access list is removed or
00:17:27 - revoked, if you will, and allowed all night long until the morning
00:17:31 - comes around and as soon as 8 AM comes back again it
00:17:34 - blocks. Context-based access control, also known as CBAC, and that has now
00:17:39 - been renamed to the IOS firewall, is part of the CCSP,
00:17:44 - the security professional track. And that is where you truly
00:17:48 - turn on firewall features on your router, which enhances
00:17:52 - the capabilities of, well I guess you could say every access
00:17:55 - list in the sense that it begins inspecting all the traffic
00:17:58 - that's going through. I'm not getting too deep into that because
00:18:01 - that is a whole feature set that's discussed in the CCSP
00:18:05 - but you can think of that
00:18:07 - as a way to turn your router, your CISCO IOS router, into
00:18:12 - capabilities similar to the CISCO firewall line. Most of
00:18:16 - you may have heard of a CISCO PIX firewall or a CISCO ASA
00:18:20 - firewall. Those are the firewall products they sell. That feature set
00:18:24 - is what allows your router to do most of what the PIX firewall
00:18:27 - and ASA firewall do.
00:18:30 - Now let's turn our focus to the three specific access list types
00:18:33 - we'll be discussing in the CCNA series: standard, extended, and
00:18:38 - reflexive. Standard access lists match only based on source
00:18:44 - address, and I guess I could be more specific with that. Source
00:18:48 - IP address. So I can say that you are permitted or denied based
00:18:53 - on who you are, but not really what you're accessing or how you're accessing
00:18:57 - that device. So for example, if I have the internet right here
00:19:01 - and this host, we'll say 192.168.1.100,
00:19:05 - is not allowed to access the internet. I could just
00:19:09 - create a standard access list that says, deny
00:19:14 - 192.168.1.100, and that does it.
00:19:18 - That's all you type in there. It says deny. I can apply that
00:19:22 - maybe outbound on the internet connection -- remember, hold out
00:19:26 - your arms there -- and that would deny that host from getting
00:19:28 - out onto the internet, only based on source. I can't really say
00:19:33 - they can't access these sites on the internet, you know,
00:19:36 - be selective with what sites, nor can I say they can't access the
00:19:40 - internet using TCP port 80, which is the web surfing
00:19:44 - protocol, but maybe use other protocols to access the internet.
00:19:47 - It's just based on source. So this has the lowest processor utilization of
00:19:52 - any access list, because whenever you apply an access list to your
00:19:55 - router, the processor gets bumped up a little bit because it
00:19:59 - has to check every single packet going through against
00:20:01 - the access list, but if you use a standard access list it only
00:20:05 - has to check the source IP address. It doesn't have to look at
00:20:08 - anything else, so it doesn't really slow the router down too
00:20:10 - much. The effect of this access list depends on the application.
00:20:14 - Meaning, when I say deny
00:20:18 - 192.168.1.100, if I came
00:20:21 - up to you and you were a network manager in a company and I
00:20:24 - said, I have created an access list that denies
00:20:28 - 192.168.1.100.
00:20:30 - Your next question would be, denies him from what? What
00:20:35 - do you mean? What are you denying them from? Well with
00:20:38 - the standard access list, that's all you can say, is they're denied where I
00:20:42 - apply. That's what I mean in that third mark there. Where I apply
00:20:46 - this access list
00:20:48 - is what determines the effect that it has. If I apply it out
00:20:52 - on serial zero, if that's what's connected to the internet,
00:20:56 - then they are denied from going out that interface and getting
00:20:59 - internet access. If I deny them out fast ethernet zero slash,
00:21:03 - that might deny them from accessing an accounting
00:21:07 - server or that subnet that the fast ethernet 0/1 is attached
00:21:11 - to. Now here's a question. If I create this access list and apply
00:21:15 - it inbound on this interface in this little diagram --
00:21:20 - maybe that's fast ethernet 0/0 --
00:21:24 - they're denied from everything. Meaning I might as well unplug
00:21:29 - that cable -- for that host, anyway, assuming there's no other
00:21:32 - hosts on this network -- because as soon as they try to come
00:21:36 - in the router, as soon as they try to get out their default gateway,
00:21:39 - you know, come in that interface, the router's going to say, oh, I'm sorry,
00:21:42 - you can't come in here. Goodbye. Hang up, you know, probably that
00:21:46 - America Online sound, goodbye, you know. And they are disconnected
00:21:50 - from the whole network. That's why where you apply these things
00:21:52 - can have some severe effects.
00:21:55 - Now down here, extended access lists match based on source and destination
00:22:01 - address, along with protocol, along with source and destination
00:22:05 - port number. Now I want to hit that little third mark I put under
00:22:08 - the extended access lists. These do take some time to learn.
00:22:12 - I've had many people that I've talked to that just go, whoa,
00:22:18 - extended access list, it's scary. It's one of the -- because the syntax
00:22:21 - can be so long. I can essentially say with an extended access
00:22:25 - list, you are denied from accessing this host using TCP port
00:22:34 - 80 during these times of day, during -- you know, there's
00:22:38 - -- I don't want to get into all the access lists we're not talking about,
00:22:41 - but there's so much you can put in here. You can be very granular.
00:22:44 - So let's bring up our little host again. We've got that
00:22:48 - 192.168.1.100 connected to the internet.
00:22:52 - If I was -- if I was using an extended access list,
00:22:57 - I could say 1.100 is denied from accessing
00:23:01 - we'll say google.com,
00:23:05 - google.com's IP address, using TCP -- that's the
00:23:10 - protocol that I'm talking about. I'm not talking about protocol as in TCP/IP,
00:23:14 - I'm talking about protocols like TCP and UDP and so on. TCP destination
00:23:19 - port 80, which is web surfing. So at that point when they
00:23:23 - go out, the access list says, are you going to Google? Because
00:23:26 - if so, let me check if you're using TCP. Oh, you are? And you're
00:23:30 - using destination port 80? Then you're denied. But I could then say, but you're allowed
00:23:34 - to use anything else. So we're biased against Google or
00:23:38 - something and want to use Yahoo's search engine, so we can be very
00:23:42 - specific with that. It does have higher processor utilization
00:23:45 - and the syntax is pretty complex. We'll see that in a moment.
00:23:49 - Reflexive access lists allow traffic -- return traffic -- for
00:23:54 - requests that originated from the inside of your network. Let me
00:23:58 - explain that in English. We've got an internet connection here, right.
00:24:04 - The internet is a scary place. We don't want you
00:24:08 - know, uninvited traffic to just be able to come in from the
00:24:11 - internet. So initially your thought might be, well I don't know
00:24:16 - I want to deny everything, you know, deny all from the internet,
00:24:21 - and it sounds like a good idea. You know, any traffic that originates
00:24:24 - from the internet will be denied from getting into my router.
00:24:27 - But if you put a deny all on your internet connection, well you
00:24:31 - just killed it. The internet connection will no longer operate.
00:24:34 - If somebody surfs the web, they will go out this direction --
00:24:38 - we'll say out serial 0/0 -- and access the internet
00:24:42 - and that'll work just fine, but the problem is when the internet
00:24:46 - or whatever website they access, we'll say google.com, tries to
00:24:50 - return traffic to them. I mean, when -- it's strange to think
00:24:54 - about it that way, but when you access the internet sure you're
00:24:57 - going out, but the majority of the stuff is returned to you.
00:25:01 - I go to google.com to request the webpage, and Google sends it back
00:25:05 - to me. If I apply a deny all access list, the requests will get there
00:25:09 - just fine. It's the response that will be blocked.
00:25:14 - So that's why we need these reflexive access lists. A lot
00:25:17 - of people call them, officially, TCP established access
00:25:21 - lists. What it will do is when my host goes out, the router puts
00:25:26 - on a little pair of glasses and says, ah-ha.
00:25:30 - I just saw that host leave so the source address left to go
00:25:35 - access google.com or whatever google.com's IP address is.
00:25:39 - So I will create a reflexive or a return path for only google.com
00:25:47 - to respond, and only for them to respond to that specific
00:25:52 - request. Meaning if Google just says, well I just want to try and slip
00:25:55 - some traffic in there for some other host right now, it's
00:25:59 - not going to happen because the little eyeglasses on the router
00:26:02 - saw the request that went out. It said, I will accept a response
00:26:05 - to this request but nothing else. Everything
00:26:09 - else is denied. And as soon as that host closes its session
00:26:14 - with Google, the TCP session ends. Remember the TCP three-
00:26:19 - way handshake? That's what builds the session. Well, as soon as you close your
00:26:22 - web browser, it kills the TCP session and now the deny all rules
00:26:27 - again. Google.com will not be able to come in unless there's a specific
00:26:31 - invite for it to come back. It's a pretty powerful access list. It's only
00:26:35 - one line, it's amazing. But it has a big effect.
00:26:40 - Therein lies the rules of the access lists, or what access lists
00:26:44 - are all about. I hope I was able to convey that access lists
00:26:49 - are not just for access. They're going to be used for all kinds
00:26:52 - of things on our routers. Access is just one of the easiest ways
00:26:56 - to explain what access lists are all about.
00:26:59 - We looked at, as we went through, using access lists for security
00:27:03 - where the permit and deny statements are literally what is
00:27:06 - allowed in or out of an interface, depending on how you apply it.
00:27:10 - So access lists can be used for security if they're applied
00:27:13 - to an interface. The types of access lists are like Skittles.
00:27:17 - We saw standard, we saw extended, reflexive, dynamic, time-based
00:27:21 - access lists, there's all kinds of them. But primarily in what
00:27:25 - you do day-to-day on CISCO routers, you will be using standard
00:27:29 - and extended. So in the next video we're going to get into
00:27:32 - the configuration of standard and extended access lists, fully
00:27:36 - talk about what those options are, and apply them in some practical
00:27:39 - scenarios. I hope this has been informative for you and I'd like
00:27:42 - to thank you for viewing.