Cisco CCNA ICND2 640-816

Access-Lists: Configuring ACLs

by Jeremy Cioara


00:00:00 - Configuring access lists. I've always found the best way to
00:00:05 - learn access lists and to get familiar with the syntax is to
00:00:08 - do them again and again and again. It's kind of like subnetting.
00:00:11 - The more you practice, the better you get at it. So that's how I've structured
00:00:15 - this configuring access lists video. I'd like to walk through
00:00:18 - four separate scenarios with you that take the concepts that
00:00:21 - we've learned in the previous video and apply them in practical
00:00:25 - scenarios. Now looking at these scenarios, they don't make much
00:00:28 - sense right here, but this is going to be what I'm testing on
00:00:31 - and in each one of those scenarios, as we construct a new access list
00:00:35 - for each one of those requirements.
00:00:39 - So if you're ready, I'm ready. Let's get going.
00:00:41 - All right. Here is our configuration landscape. You can see the
00:00:45 - four scenarios spelled out on the bottom of the network diagram.
00:00:49 - But before we even get into those scenarios and start working through each
00:00:52 - one of them and setting up the configuration, I'd like to talk
00:00:55 - a little bit about access lists generalities. How do you
00:00:59 - configure access lists in general? You can see our scenarios are saying
00:01:03 - use a standard access list or an extended access list. But before
00:01:06 - we even accomplish those objectives let's talk about just how
00:01:09 - to use access lists. What I'd like to do is take us to a router
00:01:12 - and that will allow us to see this configuration and I'll just
00:01:16 - walk through some -- some samples. And then we'll do the real deal.
00:01:19 - We'll go through these scenarios one by one. So let me bring up the router connection
00:01:22 - and put it in the middle of the screen here.
00:01:26 - Just get things cleared off. You can see we're on router 3 right
00:01:30 - now to start things off. And this will just be, you know, a nice generic place
00:01:33 - to go. To set up access lists, we're going to go into global
00:01:37 - configuration mode and use the command access list. Now if you haven't
00:01:42 - gotten used to the context sensitive help -- the question mark as
00:01:44 - of yet, now's a good time. Access lists will almost need you
00:01:49 - to use that going through there because very few people remember
00:01:52 - all the pieces off the top of their head. Now you can see all these
00:01:55 - lists. I type in access lists and it says okay type in a number one through
00:01:59 - 99 if you would like to create a standard access list.
00:02:03 - If you would like to create an extended, go ahead and type in number 100
00:02:06 - through 199 and that will configure one of those.
00:02:09 - Now you can see as we go through this list, there's plenty of other
00:02:11 - ones like IPX address access list; MAC address access list. You
00:02:15 - can permit or deny based on MAC address. But a lot of these
00:02:18 - protocols we just don't use any more like IPX or DECnet.
00:02:22 - So we're gonna stick to IP access lists. Now you can see right here, we've
00:02:27 - got the standard and extended, but notice right here
00:02:33 - and right here is an IP access list for standard and
00:02:38 - extended in an expanded range. So what they're saying is if
00:02:41 - you run out of lists, meaning you've -- you've exceeded 99 lists;
00:02:46 - number one, I'll tell you, you've created way too many access lists
00:02:49 - if that's the case. But Cisco says we'll let you do it. Here
00:02:52 - are 700 or so more access lists that you can create
00:02:56 - using that expanded range for each one of them. So let's start
00:02:59 - off with the standard extended access list. I'm just going to say
00:03:03 - access list 1. I could type in any number from one to
00:03:06 - 99 and it would work just fine. I'm just using one
00:03:09 - because I like it. So I hit the question mark and it says okay
00:03:13 - is this going to deny or permit?
00:03:17 - Or would you like to leave a remark in this access list? So
00:03:20 - we'll say this -- this first entry is going to be a deny entry.
00:03:25 - Remark by the way just leaves comments so you can see what
00:03:28 - the access list is about. So I'll type in deny; hit a question mark and
00:03:31 - it says would you like to match
00:03:34 - a host name if you're using DNS; very few people do that or
00:03:38 - IP address. Would you like to match any or a single host?
00:03:42 - So this is our big option. Let's say that I would like to deny
00:03:46 - we haven't talked about our scenarios yet, but I want to deny
00:03:48 - the host
00:03:53 - -- just -- just a nice random IP address. I'll do space question
00:03:58 - mark and now it's asking me what are your wild card bits?
00:04:03 - Ahh, wild card bits, where did we see that before? OSPF.
00:04:08 - The open shortest path first routing protocol, we had to type
00:04:12 - in the wild card mask to type in what networks we would like
00:04:15 - to advertise. And now they're back to haunt us. Wild card bits
00:04:19 - are going to designate what is significant about there? Meaning,
00:04:22 - do you want to match that exact IP address? If so, go in and put
00:04:26 - zero, zero, zero, zero. Meaning, look at and you remember the wild
00:04:30 - card bits, zero means look at these -- look at 192. Look at 168.
00:04:34 - Look at 5. Look at 100. When that IP address comes
00:04:38 - through, identify it exactly and if that's it deny it.
00:04:42 - Now I can also go here and make it a little more broad. I can
00:04:45 - say -- well, I wouldn't put 5 0, but
00:04:50 - if I did this what that says is deny everything starting
00:04:55 - with 192. Look at that first octet; 168. So everything
00:04:59 - starting with 192.168 and then I don't
00:05:02 - care; I don't care, is what those mean. What -- watch what happens.
00:05:06 - I'm going to hit enter and then I'm gonna type in show access list using the
00:05:11 - do command, so I can do it from global config mode. Look at what
00:05:14 - it did. It said deny 192.168 -- ahh,
00:05:19 - zero zero. You catching that? It zoned out, it wiped out my
00:05:24 - 5.100 because it said I don't care what those
00:05:27 - are. You put 255s. Now if I were to
00:05:31 - go back up there and do no access list 1 deny, you know, remove
00:05:34 - that and try it again and then I put, you know, 0.0 right there
00:05:40 - and then do my show access list. Now it's just saying specifically
00:05:44 - that host is there. The wild card bits disappear because if
00:05:48 - you notice it says you could put a return key after the
00:05:52 - and it would assume
00:05:55 - you're talking about that specific IP address. This wild card
00:05:58 - mask of all zeros is optional. Matter of fact, let me hit the up arrow
00:06:02 - and put in a no in front of that; wipe that out. I could type in access
00:06:06 - list 1 deny and check this out I could say host
00:06:12 - And now when I hit question mark
00:06:15 - it doesn't even give me the option for a wild card mask because I've
00:06:19 - specified just that host. So what I've showed you there was essentially
00:06:24 - two ways to accomplish the same thing -- three ways to accomplish
00:06:27 - the same thing of denying a specific IP address. So
00:06:30 - that's -- that's essentially our line one of the access list.
00:06:35 - Now I'm going go in there, I'm going to say access list 1; it's the same list
00:06:41 - permit with a wild
00:06:47 - card mask of Now let's do a show
00:06:53 - access list --
00:06:57 - if we could type. Now right here you can see first entry or what
00:07:03 - the router is calling sequence ten and we'll talk about those
00:07:06 - numbers in just a moment. First entry says deny;
00:07:09 - second line says permit everybody else
00:07:14 - that starts with 192.168.5.
00:07:17 - So that's how we create a standard access list is we just identify
00:07:21 - the source IP addresses we want to permit or deny. Now remember,
00:07:25 - think back to the rules we talked about in the previous videos.
00:07:29 - At the bottom of this access list is an implicit, invisible
00:07:34 - deny. Meaning, if you are not something that starts with
00:07:39 -, you will be denied. You'll be
00:07:43 - prevented from accessing whatever this access list is preventing you
00:07:46 - from accessing.
00:07:49 - Speaking of that, let's apply this. Creating access lists
00:07:53 - you could do all day long. But they won't actually go
00:07:57 - into effect until you apply them. So you've seen the access list command.
00:08:01 - Here's how you apply.
00:08:02 - Go back to that network diagram and we're on router 3.
00:08:05 - We need to identify what direction we want to apply from.
00:08:09 - Let's say that we want to protect router 3 from receiving
00:08:14 - messages from that host that we denied,
00:08:18 - right? So I -- I can apply
00:08:21 - inbound on serial 0/0. Remember, hold out your arms
00:08:25 - just like I talked about in the previous video, identify your direction
00:08:28 - as things are coming in that serial interface; that's where
00:08:32 - I want to deny that specific host. So that's where we need
00:08:36 - to apply it, serial 0/0. So let's jump into interface
00:08:40 - serial 0/0 and here's the apply command -- IP access-group.
00:08:50 - I don't know; I know you're thinking I thought it would be access list. I don't know
00:08:53 - why they chose access group but they did. Access group applies
00:08:57 - it and it says what access lists number would you like to apply?
00:09:01 - And you think well I configured access list 1 so let's apply that.
00:09:04 - I'll put access group 1; question mark, inbound or outbound. Well, we identified
00:09:10 - on that network diagram we would like to filter it as it comes
00:09:13 - into our router. So
00:09:17 - I'll put in; question mark. And it says go ahead and press return. So now I have
00:09:21 - applied that on router 3. It is allowing -- let me do a show I --
00:09:26 - or hang on -- let me put do -- do show access list.
00:09:30 - It is allowing anything with
00:09:34 - to come in or that -- that five subnet to come in. And this host,
00:09:38 - that specific host will be denied. Also, the implicit deny catches
00:09:42 - everything that does not start with
00:09:45 - You see a message come up across the screen --
00:09:49 - look at this, neighbor is down; the hold
00:09:53 - time or the dead timer expired.
00:09:55 - You want to know what just happened? We just severed connectivity to router 3.
00:09:59 - The neighbor is speaking
00:10:02 - of router 2. It just says I lost my connectivity to router 2. The reason
00:10:07 - why is because router 2 was coming in and -- and EIGRP was
00:10:11 - sending hello packets sourced with the IP address
00:10:15 - Well, according to our access list, the implicit
00:10:20 - deny is killing anything with 192.168.2
00:10:23 - because it doesn't start with 192.168.5. You see how
00:10:27 - dangerous access lists can be. I'm gonna hit the upper arrow and undo that; I'm gonna do no
00:10:31 - IP access group 1 in and we should see our neighbor relationship
00:10:35 - restored with EIGRP. Yup, now we're up. We're back online because
00:10:40 - we're not coming from that. So that's -- that I just wanted to give
00:10:43 - you before we get into this scenarios. The general syntax of
00:10:47 - working with access lists. Now with that in place, let's look at scenario
00:10:51 - one. Use a standard access list to block HostA from accessing
00:10:57 - HostB. And I have these hosts in place. We're going to be able to
00:11:00 - test this. HostA accesses HostB by going through router 2 through
00:11:06 - router 3, out and then ping right here. Now, I don't have his IP address.
00:11:10 - Let me wipe that off. HostB is .50.
00:11:16 - So I'd like to start things off by going
00:11:19 - to HostA and doing a ping to HostB to make sure that
00:11:22 - we can access it right now.
00:11:25 - HostA is right here; the -- the role of HostA will be a remote
00:11:30 - connection to my laptop. So, let me just do an IP config
00:11:34 - on this guy. And you can see that I have the local area
00:11:38 - connection; that's my LAN interface -- --
00:11:41 - jump back to the network diagram --
00:11:46 - So this is HostA right here. Now you can see the wireless
00:11:50 - connection. This is how I'm connecting to it via remote desktop.
00:11:53 - It's just because these laptops are in another room. You can
00:11:57 - ignore this whole thing right here. Pretend it just does not
00:12:00 - exist because this is the interface that's actually being used.
00:12:03 - You can see this one doesn't even have a default gateway. So right -- so I'm on HostA
00:12:08 - and I'm going to do, I'll even do one better than a ping. Let's do a
00:12:12 - trace route to HostC; correct?
00:12:19 - HostB -- HostB is
00:12:22 - I'm gonna do a trace route dash (-) D; otherwise, it takes forever.
00:12:28 - All right. So we can see that HostA went to
00:12:33 - then 2.2; then 3.50. Let's
00:12:37 - verify that against the diagrams. Started off with 10.1. So HostA
00:12:41 - it's in a VLAN, so it came over here, to its subinterface right
00:12:46 - there -- 10.1. The router took it and routed it back out
00:12:50 - over here to 2.2,
00:12:53 - there's 2.2. And then it finally hit the host -- 3.50 over there.
00:12:57 - So it is taking the correct direction to end up reaching hostB.
00:13:01 - Good. Now I also have a remote desktop connection to HostB,
00:13:06 - which is over here -- let me just bring it into the window.
00:13:10 - This is HostB. Again, I have an IP config already
00:13:13 - up; there's 3.50. And I'm gonna do a ping to -- well, let's do a trace back.
00:13:18 - Trace route
00:13:23 - That's our original host -- ahhh, trace route dash D
00:13:29 - Otherwise, Windows tries to look up those IP addresses
00:13:32 - and figure out their name. There we go. That's -- that's what we thought
00:13:36 - 3.1; that's the Ethernet interface. 2.1; that's
00:13:39 - WAN link. So 3.1, 2.1 and then it's getting to HostA.
00:13:42 - So we have verified both HostA can access HostB. Now,
00:13:49 - use a standard access list to block HostA from reaching HostB. So
00:13:56 - I think the -- the first thing I want to do before we even get
00:13:59 - there is just pen this out on paper. It's always good to write down
00:14:03 - your access lists on paper before you put them into the command
00:14:06 - line interface and that goes for most configurations. So I want
00:14:10 - to create an access list that blocks HostA from accessing
00:14:12 - HostB. I'm gonna use the command just like we had before access
00:14:16 - list -- access dash list 1 or -- we'll use 10 for this example.
00:14:24 - It's just a number and I'm going to say deny -- now remember a
00:14:28 - standard access list can permit or deny based on
00:14:32 - source. Only the source IP address. So I'm gonna put deny host, remember
00:14:39 - that shortcut I just showed you a moment ago -- deny host
00:14:42 - and then I'll put the IP address:,
00:14:49 - which is deny that host; right? So that's what our access
00:14:54 - list should say; we should be denying it. Now with a
00:14:57 - standard access list, you cannot say denied from what because that's
00:15:01 - destination; that's what you need an extended for. So all we can say is
00:15:04 - that host is denied. Now
00:15:07 - couple things on that. If you have an access list that is
00:15:13 - only denying something and you apply it, you have denied
00:15:19 - everything. Think through it. Do you know why? Because at the bottom of every access
00:15:25 - list, is the invisible, implicit deny. So an access list that
00:15:29 - only has deny statements in it, will effectively deny everything
00:15:32 - if you permit. I mean, if we were to apply this we'll say you
00:15:35 - know, right here outbound or something in that -- that
00:15:38 - case it would check in and say, "Okay, are you this host? Because if you are,
00:15:41 - you're denied." And then it would go to the next line, which is
00:15:43 - invisible, it's a deny everything and it says, "Oh, and by the way, if
00:15:47 - you're not that host you're also denied".
00:15:51 - So that's a -- a great warning to you because I've done this
00:15:55 - many times where you'll be on a router, you're -- you're quickly going through
00:15:58 - the config and you're like, oh, I just need to deny this one thing and apply. Wham!
00:16:02 - The router connection goes down. So we need to follow this
00:16:05 - up; I'll say access list 10; permit,
00:16:11 - and there's a couple ways we can do this. Let me bring us back
00:16:14 - to our -- our router here -- just to show the syntax. Access-list 10,
00:16:20 - permit and I'll do a question mark. Now, you can either -- you can either
00:16:24 - do it one of two ways. Permit any -- says any IP address. So going
00:16:30 - back to this, we have 10 deny host here and then we could put
00:16:34 - permit any.
00:16:36 - Let's try and squeeze it in over here -- permit any. And that would allow everything
00:16:40 - else -- so the implicit deny would never be reached. We can also put
00:16:43 - access list 10 and permit the IP address
00:16:48 - and follow it up with a wild card mask, which one do you think?
00:16:51 - To permit anything.
00:16:55 - That's it -- you're saying permit this
00:16:59 - IP address and then I don't care I don't care I don't care
00:17:02 - I don't care. Watch what happens if we do that.
00:17:05 - I'm gonna type show access list;
00:17:08 - I created access list 10, but look, the router recognized that and goes, "Oh, you
00:17:12 - typed that in, but you really meant any".
00:17:15 - Now I -- I don't want you to think one's better than the other. One's
00:17:18 - definitely shorter, but they -- they're both equal; you can type it in
00:17:21 - either way; that'll work fine. So I'm gonna do no access list
00:17:25 - 1 and a no access list 10 because there's still one more
00:17:29 - thing we have to figure out. This is the access list we need to
00:17:32 - create. Now my question to you -- where do we put it? And in
00:17:38 - what direction do we apply it? If you want to please pause the
00:17:42 - video and think through that. Identify where we're coming from
00:17:46 - and identify where we're going to. Okay, pause now.
00:17:49 - Okay, you're back right? You've -- you've paused it; right? No, you -- you
00:17:52 - didn't pause it. Pause it. Okay, now you're back. HostA, right here is
00:17:57 - going to be accessing HostB. There's three, four -- four different
00:18:02 - places that we could apply this. We could apply it as HostA comes in
00:18:09 - to its default gateway. This is a valid place to apply that access
00:18:13 - list. I could apply it on fast Ethernet 0/0.10 inbound.
00:18:17 - Now if I did that,
00:18:20 - I mean I know we've got VLANs here; it's a, you know, a little
00:18:24 - not as clear as what it would be if we didn't have VLANs
00:18:28 - but by applying this in it would be as if HostA were connected
00:18:32 - to its router. And we said, "Okay, as you come in your default
00:18:36 - gateway's IP address, you will be denied". If we do that,
00:18:41 - well, will we accomplish our objective? Yes, HostA will not be
00:18:45 - able to access HostB.
00:18:47 - However, HostA will also lose access to everything else we've
00:18:52 - denied too much. So
00:18:55 - we can't apply it in right there. We could apply it out right
00:19:01 - here. And that as HostA when, you know, came in that interface, it would start routing
00:19:06 - them. But as it saw, "Oh, I'm gonna send you out this link", it would be denied. Problem with
00:19:10 - that: you've denied too much. Now I know in this picture right here,
00:19:14 - it looks like, oh, well that -- that would accomplish our objectives
00:19:16 - and it would. But what if router 3 had another connection to,
00:19:20 - you know, some other router down here in some other network
00:19:23 - that we didn't want to deny HostA from reaching? Well, that would deny too much.
00:19:27 - So -- let me just keep that imaginary network there for now.
00:19:32 - So other potentials, we could apply it inbound right here
00:19:36 - but same problem. As soon as he tried to come in router 3
00:19:39 - he wouldn't be able to get out to this mystery network over here.
00:19:42 - The best place to put this is as he goes out, again, hold
00:19:47 - your arms out -- you are a router; as the HostA goes out,
00:19:52 - the router 3 Ethernet 0/0 interface is gonna say you
00:19:57 - are denied. Now the argument could be well, what if there's
00:20:01 - other hosts on that network? Well, unfortunately using standard
00:20:05 - access lists, that's the best that we can do. Because we can't
00:20:09 - say what he's denied from, so the best practice and here's -- here's
00:20:12 - the rule that Cisco recommends -- the best practice with standard
00:20:16 - access lists is to place them as close as possible to the destination.
00:20:24 - Whatever destination you're trying access, put it as close as you
00:20:28 - can to there, because if you put it too close to the host; too
00:20:32 - close to the source is what I should say, he may deny them from
00:20:35 - too much. Since we can't say what they're denied from, they have
00:20:39 - to get all the way across the network to the -- near the destination
00:20:42 - just to find out they're dropped. It's kind of a bummer. HostA is all
00:20:45 - excited, you know? I'm going. I'm going. It's crossing the WAN link; I'm getting to the
00:20:49 - the router and wham! It dies as soon as it tries to exit that interface.
00:20:52 - But that's all we can do with the standard access list. So let's
00:20:55 - make it happen. Again, let's try it one more time just to make sure
00:20:58 - we're working. I'm gonna ping And we are
00:21:03 - working; this is from HostA.
00:21:05 - So with that in place, let's go to router 3 and put this in action.
00:21:10 - I'm on -- hey, I'm there right now. I'll do access list.
00:21:14 - Oh, let's use 25. I like using nice random numbers. Remember,
00:21:18 - we're specifying a standard access list. I'm going to deny the
00:21:23 - host 192.168. -- he was 10.50.
00:21:30 - I don't know why I keep forgetting that --10.50.
00:21:33 - So we follow that up with access list 25 permit
00:21:37 - any -- to permit everybody else because an access list of all denies
00:21:41 - denies everything. Get into interface and what interface was
00:21:45 - that? Let's do a
00:21:47 - do show IP interface brief; my all time favorite command.
00:21:51 - Oh, look at all those loop backs. This is the
00:21:55 - Ethernet 0/0 -- interface Ethernet 0/0
00:22:00 - and here's the command. IP access group
00:22:06 - 25; that's the access list number we want to apply and the
00:22:10 - direction will be out.
00:22:13 - I want to make sure I emphasize that one more time. As somebody
00:22:17 - is going out this interface, be the router -- be router
00:22:21 - 3, hold your arm out, your right arm is Ethernet 0/0.
00:22:25 - As somebody tries to leave your right arm, if they are the
00:22:29 - source, 10.50, they will be denied.
00:22:33 - Now let's watch it happen. Let's go into that host; hit the
00:22:38 - upper arrow and do that ping again.
00:22:41 - Look at that; we were successful up here and now it is coming
00:22:45 - back destination net is unreachable. Reply from;
00:22:50 - who is that?
00:22:53 - That's router 3. Sweet! So it's working. Now -- now watch this. I'm going to go
00:22:57 - back to router 3, and I'm gonna do my favorite verification command for
00:23:01 - access lists; show access list. It's simple. It works and it even
00:23:06 - shows how many matches you've had on each -- each one of those.
00:23:11 - It has denied 10.50 eight times; eight times when it
00:23:17 - was trying to access that host. Now you can see eight, let's just hit the -- hit the upper arrow
00:23:23 - and do that ping again. While it well -- whoa, holy cow!
00:23:26 - That was insane -- while that ping was going through, I was trying to be fast
00:23:30 - it didn't work. Look at that -- sixteen matches. So what does that tell me?
00:23:34 - It tells me that Windows Vista is sending two ping packets
00:23:39 - every single time it tries to ping.
00:23:42 - It shows four of them, but it must be sending two ping packets
00:23:45 - each time because each time I do this ping, you can see the
00:23:49 - counters increase,
00:23:52 - by eight. Interesting, I learned something new about Windows Vista.
00:23:55 - So with that, that's -- that's how we have accomplished scenario
00:24:00 - one. Block HostA from accessing HostB. Holy cow, look at that time
00:24:06 - I get so into this, I'm just, let's -- let's make this video an hour.
00:24:09 - No, let's not. Here's what I'm gonna do. I'm gonna do scenario one and two in this
00:24:14 - video and then we'll do scenario three and four. I'll make a part
00:24:20 - two to the access list configuration because I'm not gonna do it.
00:24:24 - Not going to make it through that extended access list and
00:24:27 - and meet my 30 to 40 minute time buffer.
00:24:32 - All right. So scenario two: use a standard access list to prevent HostA
00:24:38 - from Telnetting or SSHing to router 1. Essentially managing
00:24:43 - it remotely. What I am showing you as I do this is an extremely
00:24:47 - common use of standard access lists. By default Cisco routers
00:24:52 - allow anybody to Telnet or SSH into them as long
00:24:56 - as they have the right username and password. Now, couple that
00:24:59 - with the problem. Cisco routers will let you try passwords all
00:25:03 - day long. Meaning, they're not going to lock you out after you
00:25:06 - miss the password three times or five times and then you have to, you
00:25:09 - know, call an admin or something like that. They'll just let you keep trying
00:25:12 - keep trying, until someday, somebody's going to figure it out and
00:25:16 - break on in. So
00:25:18 - what a lot of people will do is only allow certain hosts to
00:25:23 - Telnet to the router. Let's -- let's see, we're on router 1
00:25:28 - right? Router 1 as of right now, let's just verify.
00:25:33 - HostA -- let me clear the screen -- HostA can ping router 1
00:25:40 -; that's router 1. And I'm gonna
00:25:43 - Telnet:
00:25:47 - Hass -- oh, no, we can't; he can't. There he is. So please don't log in
00:25:51 - oh, he guessed it; he's in. So he is able to access router 1.
00:25:56 - So our goal is to deny or prevent HostA from Telnetting or SSHing
00:26:01 - to router 1, but not affecting any other access. Meaning, if
00:26:06 - we were to -- to apply a standard access list just like we did
00:26:11 - on router 3, saying deny
00:26:15 - inbound on router 1, well, HostA sure -- he wouldn't be able
00:26:20 - to Telnet into router 1, but it wouldn't be able to access the
00:26:22 - internet anyway either. He wouldn't -- wouldn't be able to do many things.
00:26:27 - As soon as he got to router 1, he'd be blocked. So you can apply a standard
00:26:32 - access list not only to an interface, but you can apply it
00:26:37 - to your VTY ports. Let's go to router 1 and I'll show you how.
00:26:42 - Pull up my connection here. Still on router 3, let's hop on over to router
00:26:49 - 1. Let's get all this out of our mind because we're done with router
00:26:51 - 3. All right. We're sitting on router 1. I'm gonna do
00:26:56 - well, let's -- let's just go right into it. Let's create the access
00:26:58 - list. On router 1 I'm going to type in access list and we're using still
00:27:03 - a standard access lists so something from 1 to 99.
00:27:06 - Access list, 70. Now as a side note, this made me think
00:27:11 - of it when I hit the question mark. I don't know if you remember but
00:27:14 - when I hit the question mark on router 3, do you remember it had those
00:27:17 - IPX access lists in there, too? We don't see those on router
00:27:21 - 1 and it's a simple reason that router 1 has an IOS version,
00:27:26 - a software version, that doesn't support the IPX protocol or
00:27:30 - the DECnet protocol. You might -- might have seen me highlight
00:27:33 - that one when I was on router 3. That's because those
00:27:35 - are old. Router 1 is new. It has a new IOS version and they
00:27:40 - discontinued support for those protocols. People don't use them anymore.
00:27:44 - So I'm just gonna use access list 70. So standard access list; question mark
00:27:49 - permit or deny. Now before I go any further,
00:27:52 - let me first mention, there's usually a little better strategy
00:27:56 - with picking access lists numbers than what I am showing you
00:28:00 - right now. Right now I'm just kind of randomly going in man
00:28:03 - like oh, let's throw a dart at the dart board; 70 sounds
00:28:06 - great. Usually people will go in order and they'll say okay one, access
00:28:09 - list one, okay. When they're done with that one they'll start and
00:28:12 - create another one two, and so on. Every access list could have
00:28:15 - hundreds or even thousands of lines in it. So there is
00:28:20 - practically no real limit on how long an access list can be. But
00:28:24 - do you remember that once you apply an access list, all those
00:28:27 - lines will take effect. So let me show you using a remark.
00:28:31 - I'm gonna type in access list 70; remark; question mark. It says comment up to
00:28:36 - a hundred characters. I usually put my remarks in all capitals.
00:28:40 - This will deny HostA -- oops, A -- from Telnetting to R1.
00:28:48 - So I just put a nice little comment in there. Now I'll follow
00:28:52 - that up with -- oops, turn off my caps lock -- access list 70; deny and
00:28:58 - we'll do HostA. And I'll do it a little different this time. I'll do
00:29:01 -; that's HostA. Follow
00:29:06 - that up with that wild card mask of which
00:29:10 - says specifically that Host. Good. So I'm gonna hit enter, I've put in the
00:29:15 - deny. Now remember we have to add -- add at least one permit statement.
00:29:19 - So I'll say access list 70; permit everybody else, permit any.
00:29:24 - So it's the identical access list to what was on router
00:29:29 - 3. I'm gonna type in show access list
00:29:33 - 70 and you can see there it is -- access list 70. Oh, this
00:29:39 - IOS version doesn't show the remarks. Let me do a show
00:29:42 - run include lines that have access list 70. They -- they
00:29:48 - will show up in the running config. You can see that that's where
00:29:51 - we see our remarks. And some of the other IOS versions will actually
00:29:54 - put the remarks in the show access list command. So okay -- so we've
00:29:58 - got the access list. Now the question is where do we apply
00:30:02 - it? I already told you we can't apply it to the interfaces of router
00:30:07 - 1 or else we -- we would block HostA from reaching the internet.
00:30:12 - And we'd block too much. So what we can do and this is a very
00:30:16 - unique feature for standard access lists; we can go under our
00:30:20 - VTY ports. Remember, VTY, line vty 0
00:30:25 - (space) 4. That's our Telnet ports. It may have been a little
00:30:28 - while since we've done that. So I'm under the Telnet ports and
00:30:31 - I want to apply an access list to the Telnet ports to prevent
00:30:35 - who can come in them. So I'm gonna type in and
00:28:40 - again, we go back to the question why did -- why did Cisco use IP
00:28:44 - access group to apply an access list to an interface? And you'll have the
00:30:48 - same question because the commands are different. They use the command
00:28:52 - access-class
00:30:55 - to apply an access list to VTY ports. They don't use access
00:30:59 - group; it's access class. It's functionally the same as the access
00:31:03 - group command, it's just for whatever reason you know that developers
00:31:07 - at Cisco were up a little late one night and they're like hey,
00:31:11 - why not? Let's make it access class. So I'm gonna type in access -- and also
00:31:15 - notice there's no IP on the front of that one. Just access
00:31:19 - class unlike, IP access group. So I'm gonna type in access class. I want to filter this
00:31:24 - using access list 70.
00:31:26 - And I want to filter incoming connections -- as people are coming
00:31:31 - in or Telnetting into this router on
00:31:36 - these VTY lines, I want to filter them based on that access list.
00:31:41 - 99.999999 percent of the time, you
00:31:44 - will always apply access class in the inbound direction. If
00:31:47 - you apply them outbound, weird things can happen; that's
00:31:50 - where you will suddenly randomly not be able to Telnet
00:31:53 - certain places from your router for some strange reason. So we're
00:31:57 - filtering it in. All right, cool. I'm gonna type in show access list 70.
00:32:04 - Check it out, we see it right there; looks good. Let's now go back
00:32:08 - to our client.
00:32:11 - He's still on the router so he's got an existing session
00:32:15 - I'm gonna kill. Hit the up arrow; Telnet
00:32:19 - Denied.
00:32:23 - Try it again. Denied. Totally denied and I'm coming back here to my -- oops,
00:32:30 - my session with router 1, do the show command and you can
00:32:35 - see the deny has now been matched six times for Telnet access.
00:32:39 - That tells me another interesting fact, every single time I
00:32:43 - tried to Telnet with Windows Vista, it sends three packets --
00:32:46 - three attempts to try and open that session before it finally says
00:32:49 - connect failed. Now okay, that's good -- that's good, we denied
00:32:53 - HostA, but what about the other hosts? Could HostB access
00:32:58 - that router because we didn't want to deny HostB, right? Well let's try it
00:33:02 - out. I'm gonna bring up HostB, right here. This is HostB 3.50.
00:33:06 - And let's Telnet from HostB to
00:33:09 - And look at that.
00:33:12 - HostB can still get in. And while we're Telnetted in on HostB, let's try
00:33:16 - this. I'm gonna do a show access list because we should
00:33:20 - see -- oops, oh, don't look -- don't look at that. You did not
00:33:26 - see that; that's for the next video. Show access list
00:33:31 - 70. Look at this: access list 70 is our Telnet access, still got
00:33:36 - the six denies for the 10.50, but look now the permit
00:33:40 - is getting matches as well, showing that HostB over here
00:33:45 - is being permitted to enter that. Good. So we now have completed
00:33:50 - scenario one and scenario two; prevented that and blocked Telnet
00:33:54 - access for HostA.
00:33:58 - I'm going to freeze frame that network diagram with the first
00:34:02 - two scenarios completed as we transition into the next video
00:34:06 - which is going to pick up right where we left off. We've now
00:34:09 - completed standard access lists. Again, standard access lists
00:34:13 - are fantastic because they're very easy on your processor
00:34:16 - but very limited in what's possible, denying only on the
00:34:21 - source address. So most people will use them for functions like VTY
00:34:26 - access, where you can be you -- where you apply it is very
00:34:29 - specific and you don't accidentally prevent somebody from reaching
00:34:32 - too much. In the next video, we'll pick up with the extended
00:34:35 - access lists. I hope this has been informative for you and I'd like to thank you for viewing.

Jeremy Cioara

CBT Nuggets Trainer

Cisco CCNA, CCDA, CCNA Security, CCNA Voice, CCNP, CCSP, CCVP, CCDP, CCIE R&S; Amazon Web Services CSA; Microsoft MCP, MCSE, Novell CNA, CNE; CompTIA A+, Network+, iNet+

Area Of Expertise:
Cisco network administration and development. Author or coauthor of numerous books, including: CCNA Voice 640-461 Official Cert Guide; CCNA Voice Official Exam Certification Guide (640-460 IIUC); CCENT Exam Prep (Exam 640-822); CCNA Exam Cram (Exam 640-802) 3rd Edition; and CCNA Voice 640-461 Official Cert Guide.

  © 2015 CBT Nuggets. All rights reserved. Licensing Agreement | Billing Agreement | Privacy Policy | RSS