Cisco CCNA ICND2 640-816

Access-Lists: The Rules of the ACL

by Jeremy Cioara


Review: Rebuilding the Small Office Network, Part 1

Review: Rebuilding the Small Office Network, Part 2

Review: Rebuilding the Small Office Network, Part 3

Switch VLANs: Understanding VLANs

Switch VLANs: Understanding Trunks and VTP

Switch VLANs: Configuring VLANs and VTP, Part 1

Switch VLANs: Configuring VLANs and VTP, Part 2

Switch STP: Understanding the Spanning-Tree Protocol

Switch STP: Configuring Basic STP

Switch STP: Enhancements to STP

General Switching: Troubleshooting and Security Best Practices

Subnetting: Understanding VLSM

Routing Protocols: Distance Vector vs. Link State

Routing Protocols: OSPF Concepts

Routing Protocols: OSPF Configuration and Troubleshooting

Routing Protocols: EIGRP Concepts and Configuration

Access-Lists: The Rules of the ACL

00:00:00 - We've left routing protocols and now are moving directly into
00:00:04 - access lists. The rules of the ACL, or the access control list.
00:00:10 - Access lists are one of the core pieces of Cisco routers. Meaning,
00:00:14 - you're going to be using them for all sorts of things, and that's
00:00:17 - going to be the first topic that we talk about as we get into
00:00:20 - access lists. They're not just for access. Even though that's what
00:00:24 - they're named, you'll use them for all kinds of stuff, and that's
00:00:27 - the first thing we'll talk about.
00:00:29 - Then we'll turn our attention to the security aspects of
00:00:33 - access lists, in the sense that your Cisco router has the ability
00:00:37 - to be a pretty sophisticated firewall, allowing specific traffic
00:00:41 - in and out of the network. That's using ACLs for security.
00:00:45 - So we'll talk about ways to do that, and the final topic will
00:00:48 - be the types of ACLs that are able to do that. When you say
00:00:51 - access control list, that is more of an umbrella of many different
00:00:56 - categories of topics, two of which are the most important: standard
00:01:01 - and extended access control lists. We'll look at what those are
00:01:04 - and what the differences are.
00:01:06 - Access lists are everywhere in the Cisco world. It's one of those
00:01:11 - concepts that you'll hear repeated again and again and again.
00:01:15 - And it's almost unfortunate that Cisco named them access lists.
00:01:19 - I think they should have named them identifier lists, because
00:01:23 - every time somebody thinks of an access list, they think of
00:01:25 - access and they think, oh, this is like a firewall kind of
00:01:29 - thing to control access. Now that's one of the things that they
00:01:32 - can be used for, but there are many more things that they can
00:01:37 - be applied to and used for that access would be somewhat confusing.
00:01:40 - So there's my proposal. We'll go ahead and change the name to
00:01:44 - identifier lists because that's exactly what they do: identify
00:01:49 - traffic to be allowed or permitted or denied. Now I know even
00:01:55 - using that terminology you're thinking, okay, permitted or denied
00:01:59 - to get out of the network or come into the network. You're thinking firewall.
00:02:03 - That's what I think when I think of it. And you can see
00:02:06 - right here what they are, a list of permit or deny statements. Permit
00:02:09 - 192.168.2.50 that host, deny
00:02:13 - 192.168.1.0/24 that whole subnet.
00:02:16 - Permit just port 80 for 200.1.1.1
00:02:20 - Now this list of permit or denies really is
00:02:26 - almost better translated - see, look at this, I'm changing all the words. Allow
00:02:30 - or stop.
00:02:33 - Okay, I'm just making this up as I go, all right. Let me talk about how
00:02:37 - they can be used and I think that will shed a lot more light
00:02:40 - on what I mean. The number one way that people think about access
00:02:44 - lists being used is for access control. Where in the true sense of
00:02:48 - the word they are permitting and denying traffic. So for example,
00:02:51 - I might have a router right here connected off to the internet and
00:02:55 - as traffic comes in or leaves that router I can say, well who
00:02:59 - are you. Because if you're not invited here, you are denied. You
00:03:03 - cannot get in from the internet into my network. Or as they're going out
00:03:06 - it'll say, who are you, are you allowed to access the internet
00:03:09 - or are you allowed to access that website on the internet. That's access
00:03:13 - control, and that's where permit and deny really make sense
00:03:17 - in our heads. But
00:03:19 - access lists can also be used for NAT. So for example,
00:03:23 - let's say this is our access list up here, this list of statements
00:03:26 - right here. We might apply it in such a way that says, this IP
00:03:32 - address is permitted to be translated using NAT off
00:03:37 - to the internet. As a matter of fact, if you look at this series
00:03:40 - the next topic we're going to be talking about is configuring
00:03:43 - NAT from the command line. We'll go through some of the concepts
00:03:46 - and configurations and we'll see how this is applied. But that's
00:03:50 - one of the things we'll do is we'll say, we're going to create
00:03:52 - an access list and say that these hosts are permitted to be
00:03:55 - translated or denied from being translated. That doesn't mean
00:04:00 - they're being denied from accessing the internet as a whole
00:04:03 - they're just being denied from the NAT process. They're not going to
00:04:05 - be translated to a public IP address when they go out. You could use it
00:04:10 - for quality of service. Tweak this example a little more and
00:04:14 - have this same list, I could say this host is permitted
00:04:17 - to receive priority on the network. That's what quality of
00:04:21 - service is all about, is prioritizing some traffic and deprioritizing
00:04:26 - others. So I can say that this host gets priority, so if there's
00:04:30 - congestion and things are being dropped, you know, the network's
00:04:33 - kind of overwhelmed - well that host is going to move to the front
00:04:36 - because they're permitted to receive priority; they're
00:04:40 - allowed to move to the front. The one below says
00:04:44 - 192.168.1.0 right here. If we apply it to quality
00:04:48 - of service, they are not denied from getting out or denied
00:04:51 - from accessing the internet like access control; they're denied
00:04:54 - from perhaps receiving priority.
00:04:58 - So you see, I could keep going down this list, you know. Demand
00:05:01 - dial routing, policy routing, route filtering, making French toast.
00:05:04 - Okay, access lists don't make French toast, but the point
00:05:08 - is that this is a partial list. This is one of those concepts
00:05:12 - you'll see repeating itself again and again and again in the Cisco
00:05:15 - world because there are many times - just think, any time
00:05:20 - that you're on a Cisco router and you need to say, these are going
00:05:24 - to be allowed or these are going to be denied to any process
00:05:28 - and you just need to identify a group of IP addresses, that is where
00:05:32 - an access list comes in.
00:05:35 - When we talk about access lists initially, we'll talk about
00:05:38 - using them for security. And as we move into some of the other
00:05:42 - topics like NAT, that's where we'll expand some of those other uses.
00:05:45 - I just wanted to initially make sure you know, these - even though they're called
00:05:49 - access lists, access is just one of the ways that you can use
00:05:52 - them. So if you're using an access list for security, it's like
00:05:57 - hiring a guard for your router to stand on an interface. Here's
00:06:02 - the idea. We've got this guard right here that we've
00:06:05 - assigned to stand on the fast ethernet 0/0 interface.
00:06:10 - Now as soon as we give that guard a list, he is going to screen
00:06:16 - all of the traffic either coming in or going out of that interface,
00:06:21 - depending on how we apply this access list, and say whether
00:06:24 - it's allowed or denied. So before we talk about the guards
00:06:27 - processing, let's first talk about the rules of the access
00:06:32 - list. When you create an access list, it is literally just
00:06:35 - a list of statements like you see right here. It is read from top to bottom
00:06:41 - and it will stop at the first match. So for example, we have
00:06:45 - this guard who has a list, and the first statement in their list, number
00:06:48 - one right here, says deny 10.1.5.1. So let's
00:06:53 - say he's filtering traffic coming this direction, he's going to ask that
00:06:57 - packet - let's say that this is 10.1.5.10,
00:07:01 - the guard will ask and say, are you 10.1.5.1?
00:07:04 - Packet says, no sir. And he says, okay, are you 5.3.1.2?
00:07:09 - You can see statement number two in the list. Packet
00:07:11 - says, no sir. And then we come down here, you can see my little
00:07:14 - permits or whatever. You know, this list can go on and on.
00:07:18 - We might say something like permit 10.0.0.0/8.
00:07:22 - Wow, that's big, because that says permit everything
00:07:27 - starting with 10. You see the subnet mask right there. It's a Class A
00:07:32 - subnet mask. So everything starting with 10 is allowed. So he reads that
00:07:35 - third statement and says, are you 10 dot anything? And the packet says,
00:07:39 - yes sir, I am. And he says, well in that case then you are permitted.
00:07:43 - You may proceed through into the router and access whatever
00:07:46 - resources that you have. So the list is read from top to bottom
00:07:50 - and it stops at the first match. What if this packet were 10.1.5.1
00:07:54 - coming in? Well the guard would say, are you 10.1.5.1
00:07:58 - as his first question, and when the packet says yes,
00:08:02 - smash, the guard hits it with his gun right there and the packet
00:08:06 - is destroyed and dropped. Now even though the third statement
00:08:09 - in this list says permit everything starting with 10,
00:08:13 - since the list is read in order it never gets that far. So
00:08:18 - you can see that the order is very important when you create
00:08:22 - an access list. Now let's say we did something like this. Let's
00:08:25 - say we gave the guard a list that the very first statement, I kind of
00:08:29 - reorder it right here, is permit 10.0.0.0/8.
00:08:33 - the same statement we put down there. Well if that's
00:08:37 - the case, then this packet 10.1.5.1 comes
00:08:40 - in and the guard's first question is, are you 10.0.0.0/8?
00:08:43 - and the packet says, well yes I am. Even though
00:08:47 - statement number two denies that packet,
00:08:51 - the guard never gets that far. Because it says, well if you match
00:08:55 - that first statement then you are allowed to go, you may proceed
00:08:58 - through. It never hits statement number two.
00:09:01 - That's why the order is very important. Now the second rule
00:09:05 - is equally important: the invisible implicit deny at the bottom
00:09:09 - of an access list. You can see that this list says deny all.
00:09:14 - But when you're configuring this list on a router, you don't
00:09:16 - see that there. Meaning you just start adding statements to your list.
00:09:20 - You say okay, statement one is this, statement two is that, is
00:09:23 - this, but all along there's this invisible Deny All at the very
00:09:28 - bottom of that list that just keeps getting pushed further
00:09:30 - and further down the more statements that you add to this list.
00:09:34 - So I guess you could state it in a way that says, if
00:09:38 - you are not explicitly permitted in that access list, and
00:09:45 - you reach the bottom, you will be denied. There's no question
00:09:49 - about it. If you make your way all the way down through that list,
00:09:52 - you're going to hit the invisible deny at the bottom of the
00:09:55 - list. Now you as an administrator can change that whole logic.
00:10:00 - You could actually, if you wanted to as you're typing your list, you
00:10:03 - could say deny this, deny that, deny this, and then add a statement
00:10:07 - that says, permit anyone. So you could put a permit
00:10:13 - I'll just put 'per all', permit all, before it gets to this invisible
00:10:18 - deny. So the guard will be going through this list and saying, deny
00:10:21 - this, deny that, and keep going and then say, oh, well then I guess you're permitted.
00:10:25 - So it never actually reaches the deny all, but do know that
00:10:28 - the deny all is still there, you're just not making it down to the
00:10:32 - bottom. It is an invisible implicit deny.
00:10:35 - Now lastly, and this is one of the most difficult things when you're
00:10:39 - first getting into access lists, is the application.
00:10:43 - Access lists are applied to an interface inbound or outbound.
00:10:50 - Meaning you're going to create this list, and we'll say this
00:10:53 - is list number five. The access lists are actually numbered, and
00:10:57 - we'll get deeper into this as we look at the config. So this is
00:11:00 - number five with all these statements, and you're gonna say
00:11:03 - I am going to assign list number five inbound on fast ethernet
00:11:08 - 0/0. That application affects everything in
00:11:12 - the access list. When you say inbound, think about things coming
00:11:18 - in to that interface.
00:11:20 - So that would be, let's say, if there's a switch over here connected
00:11:24 - to the rest of a network or maybe this interface is
00:11:28 - a DSL connection to the internet, or you know, it could be connected
00:11:32 - to anything. As things come in to that router,
00:11:37 - that's where the access list will be applied. The best way
00:11:41 - I can describe to think about access lists and their applications
00:11:45 - is for you to become a router.
00:11:49 - Literally. Right now - this is, you know, this is video
00:11:52 - you're in the privacy of your own home or in a cubicle.
00:11:56 - Just relax and hold out your arms by your side. Come on, come
00:12:01 - on, arms out, hold them out. You can just put your fingers out
00:12:04 - if you're ashamed. You hold out your arms and you say okay, my right
00:12:08 - arm, as I'm looking out at my right arm which is pointing to
00:12:11 - the wall where I'm standing right now, my right arm is my fast
00:12:14 - ethernet 0/0. My left arm, that's a serial port.
00:12:19 - Let me put my arm down for a moment. That's serial 0/0
00:12:23 - over here on the router. I, my torso, me, am the middle and I am
00:12:28 - the router itself. So when I think about access lists being
00:12:31 - applied, if I think of them being applied outbound serial 0/0,
00:12:37 - if I were to put it out right here, look out your arm, that's your
00:12:40 - left arm, pointing to wherever it is. If I apply an access list
00:12:43 - outbound serial 0/0, that's going to catch traffic
00:12:47 - coming from me, the router, leaving that serial 0/0
00:12:52 - to go to whatever this connects to over here. It could be the
00:12:56 - internet, could be whatever. So as traffic's going that way.
00:13:00 - So if somebody accesses me from the internet,
00:13:04 - the outbound access list does not apply. I mean again, hold out
00:13:07 - your arm. Your arm is - your left arm - serial 0/0. If
00:13:10 - you think about packets coming in your arm from your fingertips,
00:13:14 - traveling up your wrist all the way through to your shoulder
00:13:17 - blade and into you, that came inbound serial zero. Coming
00:13:21 - in. Now we can apply an access list outbound on fast ethernet
00:13:26 - 0/0, that's your right arm. Again, hold out your right
00:13:29 - arm. Imagine - okay, both arms. Both arms are out, left and
00:13:32 - right. Imagine your left arm, serial 0/0, is connected
00:13:35 - to the internet. A packet just came from the internet. It's from a website
00:13:39 - It's coming in your left arm, coming into your torso, you
00:13:42 - are the router. You're looking at the packet and you go oh, well I'm looking
00:13:46 - at the destination IP address. I see that that needs to go on my
00:13:49 - right arm, my fast ethernet 0/0. So you send it out and all of a sudden you
00:13:53 - notice - wait a sec, there's an access list applied outbound
00:13:58 - on fast ethernet 0/0. That's where this guard walks into
00:14:01 - the wire and now looks at that packet you're trying to
00:14:04 - send out your right arm and says, are you allowed, when we look
00:14:07 - at this list?
00:14:08 - So when you're thinking about applying access lists, become a
00:14:13 - router. Be -- you know, you are the router, your appendages
00:14:17 - are the different interfaces of the router. I still, to this
00:14:20 - day, even after working with Cisco -- I don't hold out my whole arm,
00:14:24 - I hold out fingers, because people look at me with less --
00:14:28 - I just hold out a finger on each side and I think, okay, this is
00:14:31 - the interface, this is the other interface. If you apply the
00:14:36 - access list wrong,
00:14:38 - if for instance you meant to apply it inbound but you accidentally
00:14:41 - applied it outbound, it can destroy your whole company. And I
00:14:45 - say that is because I mean -- okay, I'm not even going to get
00:14:49 - into that. But this is -- it can have some very serious ramifications.
00:14:53 - We'll talk about that as we get deeper into it.
00:14:56 - But before we go any deeper, let's talk about the types of access
00:15:00 - lists that are out there. I always think access lists are like
00:15:03 - a category, they're like Skittles -- there's many different kinds of them.
00:15:07 - You see right here that we have standard and extended access lists, and
00:15:10 - that's going to be where we're spending most of our time in
00:15:12 - this series, is these are the main ones that we're going to
00:15:16 - be using in this series and in the real world to permit
00:15:19 - or deny different traffic types from being processed. We'll come
00:15:23 - to spend plenty of time on those on the next slide, so let's
00:15:26 - just jump down to what we're not going to talk about. There
00:15:30 - are plenty of different types of access lists. I just want to give
00:15:33 - you an overview. Dynamic access lists are access lists that
00:15:37 - expand and shrink depending on who's going through at the time.
00:15:42 - Let me give you an example of a dynamic access list use. You could
00:15:46 - have somebody that
00:15:49 - maybe has a username and password that they use to access
00:15:53 - the internet, because not everybody at your company is allowed
00:15:56 - internet access. What you can do is you can set up a dynamic
00:16:00 - access list that says, if this username and password comes
00:16:04 - in, meaning is typed in either via Telnet or it could be, you know, typed in
00:16:09 - through a webpage -- there's different ways to set up dynamic
00:16:12 - access lists. If this username and password is typed in, allow
00:16:15 - that PC access for a certain amount of time. So for example,
00:16:20 - somebody could be sitting at a PC and they're like oh, I need
00:16:23 - to access the internet. So they open a webpage and it says, what's
00:16:26 - your username and password, and they type that username and password
00:16:28 - in and it creates an access list, it gives that guard that's standing
00:16:32 - at the router a new access list that says, this PC or
00:16:35 - this IP address is now allowed for this certain amount of
00:16:39 - time or until they close the web browser, you can set it up many
00:16:42 - different ways. Actually, I take it back, we are going to be talking
00:16:46 - about established access lists, so we'll -- or they're also known
00:16:49 - as reflexive -- which are -- I'll talk about that later.
00:16:54 - We're going to talk about all of that on the next slide.
00:16:58 - Time-based access lists -- we're not going to talk about in here; that's
00:17:00 - part of the CCNP track. Time-based is where
00:17:04 - the access list is active for a specific amount of time or
00:17:08 - time range. So with that you could say for example, internet
00:17:12 - access is allowed in my company after hours. Meaning during
00:17:17 - the hours of 8 AM to 5 PM, if that's your business hours,
00:17:20 - internet access will be blocked. But as soon as you pass 5 PM,
00:17:23 - that access list is removed or
00:17:27 - revoked, if you will, and allowed all night long until the morning
00:17:31 - comes around and as soon as 8 AM comes back again it
00:17:34 - blocks. Context-based access control, also known as CBAC, which has now
00:17:39 - been renamed to the IOS Firewall, is part of the CCSP,
00:17:44 - the security professional track. And that is where you truly
00:17:48 - turn on firewall features on your router, which enhances
00:17:52 - the capabilities of, well I guess you could say every access
00:17:55 - list in the sense that it begins inspecting all the traffic
00:17:58 - that's going through. I'm not getting too deep into that because
00:18:01 - that is a whole feature set that's discussed in the CCSP
00:18:05 - but you can think of that
00:18:07 - as a way to turn your router, your Cisco IOS router, into
00:18:12 - capabilities similar to the Cisco firewall line. Most of
00:18:16 - you may have heard of a Cisco PIX firewall or a Cisco ASA
00:18:20 - firewall. Those are the firewall products they sell. That feature
00:18:24 - is what allows your router to do most of what the PIX firewall
00:18:27 - and ASA firewall do.
00:18:30 - Now let's turn our focus to the three specific access list types
00:18:33 - we'll be discussing in the CCNA series: standard, extended, and
00:18:38 - reflexive. Standard access lists match only based on source
00:18:44 - address, and I guess I could be more specific with that. Source
00:18:48 - IP address. So I can say that you are permitted or denied based
00:18:53 - on who you are, but not really what you're accessing or how you're accessing
00:18:57 - that device. So for example, if I have the internet right here
00:19:01 - and this host, we'll say 192.168.1.100
00:19:05 - is not allowed to access the internet. I could just
00:19:09 - create a standard access list that says, deny
00:19:14 - 192.168.1.100, and that does it.
00:19:18 - That's all you type in there. It says deny. I can apply that
00:19:22 - maybe outbound on the internet connection -- remember, hold out
00:19:26 - your arms there -- and that would deny that host from getting
00:19:28 - out onto the internet, only based on source. I can't really say
00:19:33 - they can't access these sites on the internet, you know,
00:19:36 - be selective with what sites, nor can I say they can't access the
00:19:40 - internet using TCP port 80, which is the web surfing
00:19:44 - protocol, but maybe use other protocols to access the internet.
00:19:47 - It's just based on source. So this has the lowest processor utilization of
00:19:52 - any access list because whenever you apply an access list your
00:19:55 - router, the processor gets bumped up a little bit because it
00:19:59 - has to check every single packet going through against
00:20:01 - the access list, but if you use a standard access list it only
00:20:05 - has to check the source IP address. It doesn't have to look at
00:20:08 - anything else, so it doesn't really slow the router down too
00:20:10 - much. The effect of this access list depends on the application.
00:20:14 - Meaning, when I say deny
00:20:18 - 192.168.1.100, if I came
00:20:21 - up to you and you were a network manager in a company and I
00:20:24 - said, I have created an access list that denies
00:20:28 - 192.168.1.100.
00:20:30 - Your next question would be, denies him from what? What
00:20:35 - do you mean? What are you denying them from? Well with
00:20:38 - the standard access list, that's all you can say, is they're denied where I
00:20:42 - apply. That's what I mean in that third mark there. Where I apply
00:20:46 - this access list
00:20:48 - is what determines the effect that it has. If I apply it out
00:20:52 - on serial zero, if that's what's connected to the internet,
00:20:56 - then they are denied from going out that interface and getting
00:20:59 - internet access. If I deny them out fast ethernet 0/1,
00:21:03 - that might deny them from accessing an accounting
00:21:07 - server or that subnet that the fast ethernet 0/1 attached
00:21:11 - to. Now here's a question. If I create this access list and apply
00:21:15 - it inbound on this interface in this little diagram,
00:21:20 - maybe that's fast ethernet 0/0,
00:21:24 - they're denied from everything. Meaning I might as well unplug
00:21:29 - that cable -- for that host, anyway, assuming there's no other
00:21:32 - hosts on this network -- because as soon as they try to come
00:21:36 - in the router, as soon as they try to get out their default gateway,
00:21:39 - you know, come in that interface, the router's going to say, oh, I'm sorry,
00:21:42 - you can't come in here. Goodbye. Hang up, you know, probably that
00:21:46 - America Online sound, goodbye, you know. And they are disconnected
00:21:50 - from the whole network. That's why where you apply these things
00:21:52 - can have some severe effects.
00:21:55 - Now down here, extended access lists match based on source and destination
00:22:01 - address, along with protocol, along with source and destination
00:22:05 - port number. Now I want to hit that little third mark I put under
00:22:08 - the extended access lists. These do take some time to learn.
00:22:12 - I've had many people that I've talked to that just say, the whole
00:22:18 - extended access list, it's scary. It's one of the -- because the syntax
00:22:21 - can be so long. I can essentially say with an extended access
00:22:25 - list, you are denied from accessing this host using TCP port
00:22:34 - 80 during these times of day, during -- you know, there's
00:22:38 - -- I don't want to get into all the access lists we're not talking about,
00:22:41 - but there's so much you can put in here. You can be very granular.
00:22:44 - So let's pull up our little host again. We've got that
00:22:48 - 192.168.1.100 connected to the internet.
00:22:52 - If I was using an extended access list,
00:22:57 - I could say 1.100 is denied from accessing
00:23:01 - we'll say google.com,
00:23:05 - google.com's IP address, using TCP -- that's the
00:23:10 - protocol that I'm talking about. I'm not talking about protocol as in TCP/IP,
00:23:14 - I'm talking about protocols like TCP and UDP and so on. TCP destination
00:23:19 - port 80, which is web surfing. So at that point when they
00:23:23 - go out, the access list says, are you going to Google? Because
00:23:26 - if so, let me check if you're using TCP. Oh, you are? And you're
00:23:30 - using destination port 80? Then you're denied. But I could then say, but you're allowed
00:23:34 - to use anything else. So we're biased against Google or
00:23:38 - something and want to use Yahoo's search engine, so we can be very
00:23:42 - specific with that. It does have higher processor utilization
00:23:45 - and the syntax is pretty complex. We'll see that in a moment.
00:23:49 - Reflexive access lists allow traffic -- return traffic -- for
00:23:54 - requests that originated from the inside of your network. Let me
00:23:58 - explain that in English. We've got an internet connection here, right.
00:24:04 - The internet is a scary place. We don't want you
00:24:08 - know, uninvited traffic to just be able to come in from the
00:24:11 - internet. So initially your thought might be, well I don't know
00:24:16 - I want to deny everything, you know, deny all from the internet,
00:24:21 - and it sounds like a good idea. You know, any traffic that originates
00:24:24 - from the internet will be denied from getting into my router.
00:24:27 - But if you put a deny all on your internet connection, well you
00:24:31 - just killed it. The internet connection will no longer operate.
00:24:34 - If somebody surfs the web, they will go out this direction --
00:24:38 - we'll say out serial 0/0 -- and access the internet
00:24:42 - and that'll work just fine, but the problem is when the internet
00:24:46 - or whatever website they access, we'll say google.com, tries to
00:24:50 - return traffic to them. I mean, when -- it's strange to think
00:24:54 - about it that way, but when you access the internet sure you're
00:24:57 - going out, but the majority of the stuff is returned to you.
00:25:01 - I go to google.com to request the webpage, and Google sends it back
00:25:05 - to me. If I apply a deny all access list, the requests will get there
00:25:09 - just fine. It's the response that will be blocked.
00:25:14 - So that's why we need these reflexive access lists. A lot
00:25:17 - of people call them, officially, TCP established access
00:25:21 - lists. What it will do is when my host goes out, the router puts
00:25:26 - on a little pair of glasses and says, ah-ha.
00:25:30 - I just saw that host leave so the source address left to go
00:25:35 - access google.com or whatever google.com's IP address is.
00:25:39 - So I will create a reflexive or a return path for only google.com
00:25:47 - to respond, and only for them to respond to that specific
00:25:52 - requests. Meaning if Google just says, well I just want to try and slip
00:25:55 - some traffic in there for some other host right now, it's
00:25:59 - not going to happen because the little eyeglasses on the router
00:26:02 - saw the request that went out. It said, I will accept a response
00:26:05 - to this request but nothing else. Everything
00:26:09 - else is denied. And as soon as that host closes its session
00:26:14 - with Google, the TCP session ends. Remember the TCP three-way
00:26:19 - handshake? That's what builds the session. Well, as soon as you close your
00:26:22 - web browser, it kills the TCP session and now the deny all rules
00:26:27 - again. Google.com will not be able to come in unless there's a specific
00:26:31 - invite for it to come back. It's a pretty powerful access list. It's only
00:26:35 - one line, it's amazing. But it has a big effect.
00:26:40 - Therein lies the rules of the access lists, or what access lists
00:26:44 - are all about. I hope I was able to convey that access lists
00:26:49 - are not just for access. They're going to be used for all kinds
00:26:52 - of things on our routers. Access is just one of the easiest ways
00:26:56 - to explain what access lists are all about.
00:26:59 - We looked at, as we went through, using access lists for security
00:27:03 - where the permit and deny statements are literally what is
00:27:06 - allowed in or out of an interface, depending on how you apply it.
00:27:10 - So access lists can be used for security if they're applied
00:27:13 - to an interface. The types of access lists are like Skittles.
00:27:17 - We saw standard, we saw extended, reflexive, dynamic, time-based
00:27:21 - access lists, there's all kinds of them. But primarily in what
00:27:25 - you do day-to-day on Cisco routers, you will be using standard
00:27:29 - and extended. So in the next video we're going to get into
00:27:32 - the configuration of standard and extended access lists, fully
00:27:36 - talk about what those options are, and apply them in some practical
00:27:39 - scenarios. I hope this has been informative for you and I'd like
00:27:42 - to thank you for viewing.
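The three rules the video lays out (read top to bottom and stop at the first match, an invisible implicit deny at the end, and inbound versus outbound application per interface) are easy to state and easy to get wrong, so here is a compact model of them. This is an added example written for this page, not code from the video, CBT Nuggets or Cisco, and it models IOS ACL semantics in Python rather than IOS syntax. The guard's list (deny 10.1.5.1, deny 5.3.1.2, permit 10.0.0.0/8), the host 192.168.1.100 and the interface names fa0/0, fa0/1 and s0/0 come from the video; the addresses 203.0.113.80 (standing in for google.com) and 198.51.100.7 are constructed documentation-range placeholders. The `established` entry models the IOS `established` keyword, which matches TCP segments that already have the ACK (or RST) bit set, modelled here as an ACK check; a true reflexive list, which builds temporary entries from the outbound session, is stateful and is not modelled.

```python
# Added illustration for this page: a small Python model of how a Cisco IOS
# ACL is evaluated. Not IOS syntax and not Cisco's code.
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")   # any address: all-ones wildcard


def host(addr):
    """One host: wildcard 0.0.0.0 means every bit of the address must match."""
    return (addr, "0.0.0.0")


def net(cidr):
    """'10.0.0.0/8' -> ('10.0.0.0', '0.255.255.255'); the wildcard is the inverted mask."""
    n = ipaddress.IPv4Network(cidr, strict=False)
    return (str(n.network_address), str(n.hostmask))


def wildcard_match(addr, spec):
    """Cisco wildcard semantics: a 1 bit in the wildcard is 'don't care'."""
    base, wildcard = spec
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"     # "tcp", "udp", "icmp", ...
    dport: int = 0
    ack: bool = False     # TCP ACK flag, which the 'established' keyword tests


@dataclass
class Entry:
    """One permit/deny statement. A standard list only ever sets action and src."""
    action: str
    src: tuple = ANY
    proto: str = "ip"     # "ip" matches every protocol
    dst: tuple = ANY
    dport: Optional[int] = None
    established: bool = False   # only TCP return traffic (ACK set)

    def matches(self, p):
        if not wildcard_match(p.src, self.src):
            return False
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not wildcard_match(p.dst, self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.established and not (p.proto == "tcp" and p.ack):
            return False
        return True


def evaluate(acl, p):
    """Rules 1 and 2: top to bottom, stop at the first match; falling off the end
    is the invisible implicit deny. Returns (action, matching line number or None)."""
    for lineno, entry in enumerate(acl, 1):
        if entry.matches(p):
            return entry.action, lineno
    return "deny", None


def forward(router, in_if, out_if, p):
    """Rule 3: the ingress interface's inbound list is checked first, then the
    egress interface's outbound list. router = {iface: {"in": acl, "out": acl}}."""
    acl_in = router.get(in_if, {}).get("in")
    if acl_in and evaluate(acl_in, p)[0] == "deny":
        return f"dropped inbound on {in_if}"
    acl_out = router.get(out_if, {}).get("out")
    if acl_out and evaluate(acl_out, p)[0] == "deny":
        return f"dropped outbound on {out_if}"
    return f"forwarded {in_if} -> {out_if}"


# The guard's list from the video: two host denies, then permit 10.0.0.0/8.
GUARD_LIST = [Entry("deny", host("10.1.5.1")),
              Entry("deny", host("5.3.1.2")),
              Entry("permit", net("10.0.0.0/8"))]
# The same three statements with the broad permit moved to the top.
REORDERED = [GUARD_LIST[2], GUARD_LIST[0], GUARD_LIST[1]]
# Standard list: deny one host, permit everyone else. Without the trailing
# 'permit any', every other host would fall through to the implicit deny.
BLOCK_HOST = [Entry("deny", host("192.168.1.100")), Entry("permit", ANY)]
# Extended list. 203.0.113.80 is a constructed stand-in for google.com's
# address (documentation range), not its real one.
GOOGLE = "203.0.113.80"
NO_GOOGLE_WEB = [Entry("deny", host("192.168.1.100"), "tcp", host(GOOGLE), 80),
                 Entry("permit", ANY)]
# Inbound on the internet-facing interface: only TCP replies (ACK set) get in;
# a new connection from outside falls through to the implicit deny.
INTERNET_IN = [Entry("permit", ANY, "tcp", ANY, established=True)]

if __name__ == "__main__":
    to_internet = Packet("192.168.1.100", "198.51.100.7")    # constructed external host
    to_accounting = Packet("192.168.1.100", "192.168.2.10")  # constructed accounting server
    print(forward({"s0/0": {"out": BLOCK_HOST}}, "fa0/0", "s0/0", to_internet))     # dropped outbound on s0/0
    print(forward({"s0/0": {"out": BLOCK_HOST}}, "fa0/0", "fa0/1", to_accounting))  # forwarded fa0/0 -> fa0/1
    print(forward({"fa0/0": {"in": BLOCK_HOST}}, "fa0/0", "fa0/1", to_accounting))  # dropped inbound on fa0/0
```

Run it and then change the order of GUARD_LIST, or move BLOCK_HOST from outbound on s0/0 to inbound on fa0/0, to see the two failure modes the video warns about: a broad permit placed above a specific deny lets the denied host through without any error, and a standard list applied inbound on the LAN interface cuts the host off from everything, not just the internet.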

Access-Lists: Configuring ACLs

Access-Lists: Configuring ACLs, Part 2

NAT: Understanding the Three Styles of NAT

NAT: Command-line NAT Configuration

WAN Connections: Concepts of VPN Technology

WAN Connections: Implementing PPP Authentication

WAN Connections: Understanding Frame Relay

WAN Connections: Configuring Frame Relay

IPv6: Understanding Basic Concepts and Addressing

IPv6: Configuring, Routing, and Interoperating

Certification: Some Last Words for Test Takers

Advanced TCP/IP: Working with Binary

Advanced TCP/IP: IP Subnetting, Part 1

Advanced TCP/IP: IP Subnetting, Part 2

Advanced TCP/IP: IP Subnetting, Part 3

Jeremy Cioara

CBT Nuggets Trainer

Certifications:
Cisco CCNA, CCDA, CCNA Security, CCNA Voice, CCNP, CCSP, CCVP, CCDP, CCIE R&S; Amazon Web Services CSA; Microsoft MCP, MCSE, Novell CNA, CNE; CompTIA A+, Network+, iNet+

Area Of Expertise:
Cisco network administration and development. Author or coauthor of numerous books, including: CCNA Voice 640-461 Official Cert Guide; CCNA Voice Official Exam Certification Guide (640-460 IIUC); CCENT Exam Prep (Exam 640-822); and CCNA Exam Cram (Exam 640-802) 3rd Edition.


© 2014 CBT Nuggets. All rights reserved.