Cisco CCNA ICND2 640-816

Access-Lists: Configuring ACLs, Part 2

by Jeremy Cioara


00:00:00 - Alright, as I promised we are going to pick up with this video right
00:00:04 - where the previous one left off. So if you haven't seen the
00:00:07 - standard access lists video, jump back
00:00:10 - and check out that one first because extended is a little more complex. We're going
00:00:14 - to pick up with the second set of scenarios, scenario three and four,
00:00:17 - using extended access lists to permit or deny IP and
00:00:22 - TCP access and also explaining many of the other things
00:00:25 - that they're able to do. So let's get going.
00:00:28 - I'd like to approach the extended access lists the same
00:00:32 - way that I approached the standard in that before we jump into this
00:00:36 - scenario three and four on the whiteboard here, I'd like to
00:00:40 - talk about the syntax in general and then we'll hit these
00:00:43 - scenarios directly. Now, I do have to warn you before we
00:00:47 - get going with the extended access lists that some people consider
00:00:52 - the extended access lists the most difficult concept in CCNA.
00:00:56 - I don't think it's that bad, but I do think that the syntax
00:00:59 - can be a little frightening the first couple times through it.
00:01:03 - The first thing that we need to do is break down the extended
00:01:06 - access list into its major pieces. The command structure
00:01:11 - is just like the other one, we type in access list to start
00:01:14 - off and an identifier or a number from 100 to 199
00:01:19 - just like we saw in the previous video. Now, that identifier
00:01:23 - tells the router you're creating an extended access list.
00:01:27 - From there you have your permit or deny just like the standard
00:01:30 - and then we see our differences. We get to choose what protocol
00:01:34 - we would like to permit or deny. Examples of that might be
00:01:38 - like TCP or UDP, or there are some other ones we'll talk
00:01:43 - about in just a moment. We then type in our source information
00:01:49 - and then we follow that up. I'm going off my little white pad here. We
00:01:53 - follow that up with our destination
00:01:57 - information. So I might say something like access list 100
00:02:01 - permit the TCP protocol from this IP address to
00:02:06 - that IP address. Not too bad when you think about it that way but
00:02:10 - there are more options that you'll have to weed through like port
00:02:13 - numbers and stuff like that, which we will get into as
00:02:16 - we get into
00:02:18 - scenario four right there. So what I'd like to do is just walk
00:02:22 - through the syntax of a couple of access list commands and then we'll look
00:02:26 - at the scenarios specifically.
00:02:29 - To demo this I'd like to jump on to router three. It's a good
00:02:32 - place to just try some syntax. On router three I'll get into global config
00:02:36 - mode and do access list and a question mark. There's our options
00:02:40 - as we saw before. Extended access list is any number from 100
00:02:44 - to 199. I'll pick 150 right in the middle.
00:02:48 - It comes up and says, do you want to deny, dynamic? Those are some of the other
00:02:52 - options and we're not going to talk about every option with
00:02:55 - these extended access lists. We'll say deny, permit or remark.
00:02:59 - So we'll say access list 150, let's do a deny. It comes up. Now we're
00:03:05 - given our protocol options. If you're wanting the OSI model,
00:03:08 - these are all the protocols at layer four of the
00:03:12 - OSI model. TCP, UDP, you see those at the bottom. But we also see
00:03:16 - ICMP, ESP, that's used for VPN connections. There's many different
00:03:22 - options in here, but let me just focus in on what we need at
00:03:25 - the CCNA level. There, there's four different protocols, IP, TCP,
00:03:30 - UDP, and ICMP, okay?
00:03:37 - Now, TCP and UDP we already know about. Those protocols
00:03:42 - are used, you know, as a reliable connection or an unreliable
00:03:45 - connection. Things like web browsing, FTP sessions, Telnet
00:03:49 - sessions, SSH, there's all, you know, email, SMTP, they all
00:03:54 - use reliable connections. Most of our applications do. Things like
00:03:58 - voice over IP, video streaming, online games, instant messengers,
00:04:03 - those all use UDP-based communication because they're all unreliable.
00:04:07 - So, depending on what kind of applications
00:04:11 - we're using we could choose those protocols. But we also see
00:04:14 - ICMP.
00:04:16 - ICMP is the Internet Control Message Protocol. It's
00:04:21 - used for a lot of things, but the primary application you want
00:04:25 - to remember for it for the CCNA level is ping.
00:04:30 - Anytime you ping something it is using the ICMP protocol.
00:04:35 - Technically a ping is an echo and an echo reply. Think about
00:04:39 - a submarine, underneath you're going bong, sending out a sonar
00:04:43 - and you expect to hear that back to see where things are. In the
00:04:46 - same sense, the ping command sends out a message known as an
00:04:49 - ICMP echo and the device that receives it sends back an echo reply.
00:04:54 - That's technically how ping works. But ICMP is used
00:04:57 - for a lot of different things; ping is, I would guess,
00:05:01 - the most famous of them all.
00:05:03 - Last but not least is the IP protocol. That one is used, and you can
00:05:08 - see that right here in this list, oops, right here,
00:05:12 - to encompass everything. For example, if I were to say
00:05:17 - deny TCP,
00:05:20 - then I'd only be denying TCP applications for something.
00:05:23 - Like maybe I want to deny one host from accessing another completely.
00:05:28 - If I deny TCP, that would just deny TCP applications but they'd
00:05:31 - still be able to use UDP or ICMP, things like that.
00:05:35 - If I just denied one of the other ones, you'd miss them all.
00:05:39 - IP is everything. As you can see in that description right there
00:05:42 - it says any Internet protocol is encompassed in that. So if I said
00:05:46 - deny IP, that means TCP, UDP, you know, all these.
00:05:52 - Everything is denied.
00:05:55 - So let me first show you an example of that one. I'll say
00:05:59 - deny IP and it says what, what source address would you like
00:06:04 - to deny? I'll say
00:06:08 - just to pick on HostA. We will deny that address and it says what
00:06:13 - wildcard mask would you like? Well, since it's just a single host,
00:06:16 - a specific wildcard mask will work. Now, I hit the question mark and it says, okay,
00:06:21 - what destination do you want to deny? So I'll say the destination
00:06:25 - will be, just for this example,
00:06:29 -
00:06:32 - followed up with the wildcard mask,
00:06:36 - question mark, and now it's given me some options. Do you want to
00:06:40 - set DSCP? Do you want to check non-initial fragments? Do you want to log
00:06:45 - anytime this happens? You know, is there specific time ranges?
00:06:48 - All these options
00:06:51 - are part of the CCNP track. So we're not going to do that.
00:06:55 - You can see at the very end is return, and, I'll tell you, most
00:06:58 - of these options are rarely used. So I'm gonna hit enter and
00:07:04 - I've now created my first extended access list. What it does, access
00:07:07 - list 150 denies this source from accessing this destination
00:07:13 - using any protocol in the TCP/IP protocol suite.
00:07:18 - Going back to that syntax I wrote up there, you know, deny, protocol,
00:07:22 - source, and destination. So I know what you're thinking. It's not too bad, right?
00:07:27 - Not too bad at all. It's not, if you look at it that way.
00:07:30 - But it is pretty long. And also, you know, realize that you
00:07:33 - could combine things up, you know. If we were going back here,
00:07:36 - access list 150, deny this source. I could do space question mark
00:07:40 - and I'll say, instead of putting the IP address like I did
00:07:43 - up here, I can also put, you know, host
00:07:47 - and that would do exactly the same thing.
00:07:50 - There's different ways to write it, you know. This is using a wildcard mask.
00:07:53 - This is using the host keyword. But functionally that
00:07:57 - and that are the same thing. The IP protocol is, I would say,
00:08:02 - the easiest one to permit or deny because
00:08:06 - it's just saying from this IP address to that IP address.
00:08:09 - Now, let's look at we'll say TCP. Access list 150 deny,
00:08:15 - let's do instead of IP. And remember this is just. I'm showing the
00:08:18 - syntax. I'm not looking for any specific mission here.
00:08:21 - We'll say I'm gonna deny the TCP protocol from, and we can
00:08:26 - see that same host
00:08:30 - space question mark.
00:08:33 - It says what wildcard bits, so specifically
00:08:37 - that host. And now we'll start seeing a little bit of difference.
00:08:42 - With the TCP protocol it says, okay, well, TCP can have port
00:08:48 - numbers, meaning you might not want to deny the whole TCP
00:08:52 - protocol. You may just want to deny a certain port.
00:08:57 - Now here's the catch. If I go in here and type in deny TCP
00:09:01 - without wildcard mask and I say,
00:09:05 - oh, oh, I only want to deny that guy from surfing the web.
00:09:09 - I could put equal to, you can see eq, match only a given port number,
00:09:16 - space question mark. And then it says, okay, well, what port do you want? And it gives
00:09:19 - a lot of the common ports that people will use in here,
00:09:22 - or they can say right up top you can just type in the number.
00:09:27 - So you might say, well, I want to deny that host from using port 80,
00:09:31 - which is HTTP, web access, surfing the web. Now, there's the problem.
00:09:36 - When we type that in,
00:09:39 - we're denying this source and this source port number.
00:09:46 - It's time for a little review. Remember, when, whenever we have
00:09:50 - a computer that is surfing the Internet, you are going to,
00:09:55 - we'll say I'll just put When this computer
00:10:00 - goes out, it's going to be going to the destination port number 80
00:10:05 - which is how knows that you're accessing
00:10:10 - the web services on there, not email or not anything like that,
00:10:13 - destination port number. But the computer, when you go and surf
00:10:17 - the website, generates a source port number at random, meaning
00:10:24 - Firefox or Internet Explorer or Safari. Whatever web browser you're
00:10:28 - using will automatically be assigned a port number. We'll say,
00:10:32 - and it's going to be greater than 1024,
00:10:35 - we'll say 3192, okay.
00:10:38 - So when you transmit to you'll come from a
00:10:42 - source of 3192 to a destination of 80
00:10:45 - and that's how Google knows to send you to the web services.
00:10:48 - And when it sends that web page back to you, it will send to a destination
00:10:52 - of 3192 from a source of 80, and that's
00:10:56 - how your computer knows to give it to the Internet Explorer
00:10:59 - window or Firefox window because that window has been assigned
00:11:03 - for a time that specific port number.
00:11:07 - Now, rarely, if ever, will you ever know what source port number
00:11:12 - a computer is going to be generating because it's at random.
00:11:16 - So when we come back here to this syntax, this is where
00:11:19 - it's very easy to get tripped up because you type in
00:11:24 - a source of this and we say equal to 80, but we're denying
00:11:27 - that host from using the source port of 80.
00:11:32 - Remember this host is the one surfing the web. It's never going to come
00:11:36 - from a source port of 80. It's only going to be going to
00:11:40 - a destination port of 80.
00:11:43 - So how do we fix that? Well, you can see right here I typed in deny TCP
00:11:48 - from this source IP address and now it's giving me the option to type in
00:11:51 - port numbers but I'm not going to take that option. I'm not going
00:11:55 - to put in a port number at this point. I'm just going to say the whole host,
00:11:57 - deny, you know, any source port number from accessing
00:12:02 - and now we can move on to the destination. If I'm talking about
00:12:05 - the Internet, I'll say any. Deny this source from accessing
00:12:10 - any destination using, and now I hit the question mark, and
00:12:14 - the port numbers are still there. You see that? Equal to a port number.
00:12:18 - Not equal to a port number. Less than a port number.
00:12:25 - You know, all these are port number options, but now, since we're typing
00:12:28 - it after the destination, we're talking about the destination
00:12:32 - port number. So the correct way to type in, if I was denying that host
00:12:36 - from surfing the web, I put equal to 80.
00:12:42 - Deny this protocol from this source host
00:12:46 - to this destination on the destination port number 80.
00:12:51 - Phoo, not quite as easy as the IP protocol, but that's how
00:12:57 - that, that's how you can write an extended access list.
00:13:03 - So with that in mind, what I would like to do is walk through both
00:13:08 - of these scenarios one by one and implement extended access
00:13:12 - lists in the best possible way.
00:13:14 - So Scenario 3: Use an extended access list to prevent HostA
00:13:19 - from accessing the R2 WAN link. Now when I see that, my
00:13:24 - initial thought goes to well, does that mean
00:13:27 - this IP address or does it mean the WAN link? Well, I would
00:13:33 - say it means the link, meaning prevent HostA from accessing
00:13:37 - this IP address or that IP, excuse me, that IP address, okay?
00:13:42 - So I'm going to,
00:13:46 - well, let's just clear all this off. First thing I'm going to do is go over to router three
00:13:51 - and I'm going to remove any access lists that's on there because
00:13:54 - I don't want any of those causing any confusion or conflicts
00:13:59 - with what we're about to do. We've got access list 25
00:14:02 - from the last video and 150. So I'll just do no access list 25.
00:14:07 - Wham, it's gone. No access list 150, wham, it's gone.
00:13:12 - So with that in place we now have no access
00:13:16 - lists created on this router. It's empty. And I'm going
00:13:20 - to hop over to router two to do this demonstration, to create
00:13:26 - this access list. Now, we'll talk about the placement of the extended
00:14:29 - access lists in a moment but let's first create it. It says prevent HostA
00:14:33 - from accessing the R2 WAN link. HostA is
00:14:37 - The R2 WAN link is this subnet.
00:14:41 - So it, notice it didn't specify any protocol.
00:14:45 - It didn't specify anything. So I'm assuming all access from that subnet.
00:14:49 - So I'm going to jump back up here, router two,
00:14:53 - and I'm going to go into global config mode and create an access list.
00:14:57 - We'll do access list. Let's start at the first one of the
00:15:00 - extended range, access list 100.
00:15:03 - I'll say I want to deny the IP protocol because in my
00:15:10 - scenario it says accessing the R2 WAN link, the whole WAN link. It doesn't
00:15:14 - matter what protocol. So I'm going to say complete access. No matter what
00:15:18 - protocol they're using is going to be denied. So I'm saying deny IP
00:15:22 - from the source. We'll say from the source host
00:15:27 - Now, you'll notice
00:15:32 - that I'm using the question mark the entire way through this
00:15:35 - access list. This is normal. Most people do use the question mark.
00:15:40 - And when you're on the CCNA exam, if certification
00:15:43 - is your focus, you will be able to use the question mark yourself
00:15:47 - in configuring this. So you can safely get used to it.
00:15:50 - So I'm going to say deny that host 10.50. Now I'm going to hit the question mark, and it's saying
00:15:54 - from what destination?
00:15:57 - Hmm, we'll just take a look. It says the R2 WAN link. So I have
00:16:02 - two options here. I can either
00:16:06 - create one line and deny them, deny that host from that whole subnet,
00:16:10 - the 2.0 subnet, or I can put two lines in an access list
00:16:15 - and say deny it from that host and deny from that host
00:16:19 - and, and put it in two lines. Now, the best bet whenever you're considering
00:16:23 - access lists is to do it in as few lines as possible.
00:16:27 - The reason why is because the more lines you add, the more processing
00:16:30 - the router has to do. It's kind of like having a large routing
00:16:32 - table and it will slow the router down. So let's do it efficiently.
00:16:36 - Let's do it in one line. I'm going to say deny that host from accessing the destination
00:16:42 - address with a wildcard
00:16:48 - mask
00:16:52 - which says specifically 192.168.2 denying
00:16:57 - from accessing anything that has specifically 192.168.2
00:17:00 - and I don't care what comes after that. So anything
00:17:03 - that starts with this you will be denied from.
00:17:08 - This last actually doesn't matter. So do a question mark and it says, you know,
00:17:12 - here's all your logging, time range. We're not going to use any of those options.
00:17:15 - We're just going to hit enter, okay.
00:17:19 - Now, I have to remind you the same rules apply for extended
00:17:24 - access lists as they do for standard access lists. If you have
00:17:29 - an access list with all denies it will deny everything because
00:17:33 - at the bottom of this extended access list is an invisible
00:17:36 - implicit deny. So what I would say is after we're done doing
00:17:40 - what this scenario asks for, which is denying that host from accessing that
00:17:44 - WAN link, then we should be able to go in and permit everything else.
00:17:49 - Now, you remember from our extended access list that we typed
00:17:52 - in permit any but it won't take that with an extended.
00:17:57 - We have to type in permit and then what protocol. Well, for
00:18:00 - permitting everything, it's going to be the IP protocol, and we'll put from
00:18:04 - any source to any destination.
00:18:08 - That is how you do a permit everything using extended access lists.
00:18:12 - I'm going to type in show IP access list. By the way, show IP access list
00:18:17 - and show access list do the exact same thing.
00:18:20 - So sometimes I'll use one or the other, whatever's on my mind at the time.
00:18:23 - And I can see there is my deny from that host to that subnet,
00:18:27 - and then I'm permitting everything else. Good. So we've got
00:18:32 - the access list written that will do what it needs to do, but
00:18:36 - now we have to apply it. Hmm, think about it.
00:18:42 - If you were looking for efficiency and for completing the task,
00:18:47 - you want to make sure that you deny that host, where would
00:18:50 - you apply that access list?
00:18:54 - Option A, we can apply that access list as the host comes in.
00:18:58 - You know, remember this is on a VLAN so it's going to be coming
00:19:01 - in right here on this default gateway. That's option A that we could,
00:19:05 - we could apply it. We could apply it in the direction inbound.
00:19:09 - As that host comes in it's going to ask are you that source?
00:19:12 - Are you accessing that destination? If so, you're denied. That's our first option.
00:19:16 - Second option is we could apply it
00:19:21 - outbound right here. And as that goes out, the router two would
00:19:27 - ask are you the source? Are you trying to access that destination? If so,
00:19:30 - you are denied. So we'll call that option B. Option C, we could
00:19:35 - apply it inbound right here. So as it gets a router three it will say
00:19:40 - are you that host? Are you accessing the WAN link? If so, you are denied.
00:19:44 - You are on a certification exam. D is none of the above.
00:19:50 - What, what letter do you pick?
00:19:53 - Remember, we're after efficiency and we're after accomplishing
00:19:57 - the objective. The correct answer is A. B would
00:20:05 - accomplish the objective. It would work if I put it at B.
00:20:10 - But it would cause unnecessary processing, meaning as HostA comes
00:20:14 - into the FastEthernet 0/0 it will be able to check
00:20:18 - and say, are you this host, 10.50? The host will answer, yes, I am.
00:20:22 - The router will say, are you trying to access this destination,
00:20:26 - you know, the 2.0 subnet? And the host will answer, yes, I am.
00:20:29 - So before the router even has to allow it into itself,
00:20:34 - into that default gateway, it will say, well, since those two
00:20:37 - criteria are true, you are denied.
00:20:41 - Now, if we applied it outbound, the second option, option B, on
00:20:46 - router two, HostA would get into the router, meaning it would
00:20:50 - come in, the router would say, are you this host and are
00:20:53 - you going to this destination? The host would say yes. So it would say, okay, great,
00:20:56 - I don't have an access list here so let me look up in the routing table.
00:20:59 - Okay, it looks like you need to go out 0.0/1/0.
00:21:02 - So let's go ahead and route you over. So the packet would be moved
00:21:05 - from the Ethernet interface to the WAN interface, but before
00:21:09 - it's sent the router would say, oop, I see there is an access list
00:21:12 - outbound on that interface. Let's check you. Oh, you don't match.
00:21:16 - You will be denied and dropped. The problem is that squiggly line
00:21:19 - right there. It had to process that in order to make that determination.
00:21:23 - So now we come to the next best practice rule of Cisco.
00:21:28 - Standard access lists should be applied closest to their destination
00:21:34 - because in a standard access list, remember we're talking
00:21:36 - scenario one and two there, you can't say what they're denied from.
00:21:40 - So by putting it too close you may deny them from too much.
00:21:45 - So you can think of it as standard, I'll just put stand
00:21:50 - equals destination.
00:21:54 - Extended, the best practice is to apply them as close as possible
00:21:59 - to the source because you can in an extended access list
00:22:04 - say what they are denied from. So if we could, you know,
00:22:08 - if it were possible to apply it on the switch, by golly,
00:22:12 - do it there, if you can, because as that host is coming
00:22:16 - into that interface, we can say, are you this host? Are you trying
00:22:19 - to go there? If you are, you're denied. You've prevented it from even being
00:22:23 - processed by the router. But applying access lists on switches
00:22:26 - is part of CCNP track. We're not going to talk about that here.
00:22:29 - So the closest point to the source that we have is our router and
00:22:34 - its default gateway. So let's go back on to router two.
00:22:39 - I'll do a show IP interface brief just to verify. There is
00:22:43 - FastEthernet 0/0.10. And you know what,
00:22:46 - before I apply this access list, I want to make sure that HostA
00:22:49 - can indeed access that WAN link. Let's bring up our connection
00:22:53 - to HostA. Whoa, he's a little off there.
00:22:56 - I'm going to ping, it is replying, and 2.2.
00:23:00 - It is replying. So it is able to ping 2.1 and 2.2
00:23:05 - and why not? Let's do this. I'll also ping
00:23:09 - 3.1 because I want, oops, 3.1
00:23:13 - because I want to make sure. Sure enough we can get to 3.1 which is
00:23:16 - on the other end of the WAN connection. So what I'm going to do is
00:23:19 - go on to that router under the FastEthernet 0/0.10
00:23:23 - which is Host A's default gateway. And the same command as before,
00:23:27 - IP access group
00:23:30 - 100, the name of our access list or number, and
00:23:35 - what direction in.
00:23:38 - Now again, with extended access lists, it is especially important
00:23:42 - to hold out your arms and really determine which direction
00:23:45 - it is. As that source comes in that FastEthernet 0/0.10,
00:23:51 - that is going to be processed. If it were going out,
00:23:54 - if I applied it in the outbound direction, the source would be seen
00:23:58 - as if it were leaving that interface which is not true.
00:24:01 - That would probably mean it's coming from somewhere else on the network
00:24:04 - than that interface. So we've applied it in, right? Let's do a show
00:24:10 - access list 100. It looks like it's there. No
00:24:14 - packet hits yet. Let's jump back over to the host.
00:24:19 - Alright, let's do a clear screen and we'll do ping
00:24:23 - Look at that, destination net unreachable.
00:24:28 - Ping, destination net unreachable.
00:24:32 - Reply from our router, 10.1, you are being denied.
00:24:36 - Let's jump on over to our router and hit that up arrow,
00:24:39 - and look at that. We are getting matches now on that deny
00:24:42 - to Now, I've got a question
00:24:46 - for you.
00:24:48 - What do you think? Will HostA, we just verified HostA cannot access
00:24:52 - 2.1. It cannot access 2.2. Will HostA be able
00:24:59 - to ping 3.1 or this IP address on router three?
00:25:04 - Think about that. What do you think?
00:25:07 - Jeopardy music enters here. The answer to that question is yes.
00:25:12 - Now, wait a sec, you might be thinking. He is using the WAN
00:25:17 - link to get there.
00:25:20 - That's true. He is using the WAN link to get there, but the WAN link
00:25:23 - is never in a destination field of the IP header. And this
00:25:27 - is why it's so important to understand how networks communicate before
00:25:30 - you get to this point is because HostA, when it's engineering the packet,
00:25:35 - it will have some data. It will put its, you know, protocol which
00:25:38 - is TCP or UDP or ICMP, source and destination port number,
00:25:42 - source and destination IP address. If I were to ping
00:25:47 -, the source IP is 10.50
00:25:51 - which is HostA. The destination IP is 3.1.
00:25:55 - So when it comes in to router one and it looks at the access list, it's
00:25:59 - going to say, okay, are you that source, 10.50? And it says, yes, I am.
00:26:02 - And it says, are you trying to go to 2.0, the 2.0 subnet?
00:26:06 - And the host will say no, no, I'm not. I'm trying
00:26:10 - to go to 3.1. And so the router will say, okay, well,
00:26:14 - then I guess that access list does not match. I will go ahead
00:26:17 - and allow you through. So let's test it just be sure. I'm going to bring
00:26:20 - up that TeraTerm and you can see as of right now
00:26:23 - we've got the deny and we've got some permit traffic that has
00:26:28 - made its way through since I've been talking. I'll just hit it again.
00:26:32 - Something is going through. I'm not so sure what
00:26:35 - that is but we'll test it. I'll go to my host right here.
00:26:40 - You can see 2.1 and 2.2 are denied and I'll hit the up arrow and do 3.1, 3.1.
00:26:44 - There we go. And that is still going
00:26:49 - through successfully. We are getting replies coming back.
00:26:53 - And if I go back over to my
00:26:55 - show command I can see that the permits have been increasing
00:26:59 - because they are, they are being allowed through because of
00:27:03 - that reason I just mentioned. So scenario three, we can
00:27:08 - put a red check on that guy. We are good.
00:27:11 - Last but not least we'll hit scenario four and then I'll show you some
00:27:14 - of the tips and tactics and tricks of access lists.
00:27:19 - Scenario four says use an extended access list to prevent HostA from accessing
00:27:22 - the CBTNuggets homepage. Now, why you would ever want
00:27:27 - to do anything like that is beyond me, but we'll go ahead and
00:27:31 - do it for this example then we'll immediately remove the access list
00:27:34 - and forever revoke any such policy. So we have to prevent HostA from the
00:27:39 - CBTNuggets homepage. So immediately that triggers in my mind
00:27:43 - we're talking homepage. We're talking web access, somebody
00:27:47 - being able to access a web server that presents a homepage.
00:27:51 - So what I'm going to say in that case is that we need to deny, if we're
00:27:55 - talking in technical terms, HostA from using TCP
00:28:01 - port 80 destination port to access the CBTNuggets homepage. So now
00:28:07 - we come to a question, well, what's the IP address
00:28:10 - of CBTNuggets web server? Well, let's go to our command line and we'll
00:28:15 - do a ping, alright.
00:28:19 - CBTNuggets is blocking ping traffic as many websites
00:28:24 - do because you can actually attack websites that allow
00:28:27 - ICMP, but that is the IP address that represents the homepage.
00:28:31 - So with that IP address in our knowledge, let's go ahead and I'll
00:28:37 - just copy that to my clipboard and stick a little textbox
00:28:42 - up here.
00:28:45 - Let me just pick a font. There we go. Paste. Not that font. How about that one?
00:28:53 - That's a little better. So we'll do
00:28:57 - I think I can read that.
00:29:00 - I can't read that. I'm going to make that a little larger.
00:29:07 - There we go. Alright, good.
00:29:12 - So that's the IP address that we're going to be
00:29:15 - denying access to. So, you know, before we even do that, I just
00:29:19 - want to make sure that I verify that we can access the
00:29:23 - CBTNuggets web page because, you know, denying access to something
00:29:26 - you don't verify you have access to in the first place is never
00:29:28 - any good. So we'll do, hit enter.
00:29:32 - It says transferring. Okay, sure enough there is the CBTNuggets
00:29:35 - web page. Good. So we verified that we can access it. Now, let's
00:29:40 - drop down to our router. And in this case we're also going
00:29:43 - to be on router two. Remember, denying with extended access lists should
00:29:47 - be done as close to the source as possible. So we're going to be applying
00:29:51 - it on that same interface.
00:29:54 - Now, this brings me to one of the rules of access lists. The rules
00:29:58 - of access lists is that you get one ACL per
00:30:04 - interface, oh, I'm signing off the end here,
00:30:09 - per interface, per direction.
00:30:15 - So when we're saying I want to deny them from accessing the
00:30:20 - CBTNuggets web page, we're going to have to tack on, oops,
00:30:25 - to an existing access list that we already have there, meaning
00:30:28 - we have applied access list 100, one access list per interface
00:30:32 - to the FastEthernet 0/0.10 interface. That's
00:30:36 - our per interface, per direction inbound. We've applied it inbound
00:30:40 - and we're going to have to have that same policy. So what we're going to need
00:30:43 - to do is modify access list 100 to add this, this rule to it.
00:30:48 - So let's go ahead and go to
00:30:53 - router two. I'm going to do a show run, include lines that have access list 100 in it.
00:30:58 - That will filter my running output. Alright, so
00:31:02 - there's my config. Good.
00:31:04 - So I'm going to copy. I'm going to do a copy, open my ultra sophisticated notepad
00:31:14 - application and paste those lines in there. I'm going to back them up.
00:31:18 - Because what I'm going to do is I'm going to
00:31:21 - delete that access list, no access lists 100, and recreate it.
00:31:26 - I'm going to show you a little more efficient way of doing this in just
00:31:29 - a moment, but for now this is what we're gonna do. I'm going
00:31:32 - to go in and I see the IP address right up there. I'm going to say
00:31:35 - access list 100 deny,
00:31:40 - and then I'll come up and say, okay, what protocol? Now, whenever you're
00:31:43 - surfing the web, you're using the TCP protocol. So instead
00:31:46 - of IP, I'm going to put TCP.
00:31:49 - The source IP address will be the host,
00:31:52 - that's our HostA,
00:31:55 - question mark, and now it's asking for port number. But remember,
00:31:59 - and I'll emphasize it again, if we put the port number right after the
00:32:03 - source host, you're going to be talking about the source port
00:32:06 - number rather than the destination. When we're surfing the web or doing
00:32:09 - most things, we're going to a destination port and the source
00:32:12 - port is pretty random. So I'm going to go in and I'm just going
00:32:16 - to keep going with the destination. Instead of saying any destination
00:32:19 - point, I don't want to deny the host from the whole Internet.
00:32:21 - I just want to deny him from the CBTNuggets web page.
00:32:23 - So I'll say I want to deny him from the destination host. You can see that's an option,
00:32:29 - single destination host, and there's the IP address above the
00:32:32 - config, 128.242, 242.116.211.
00:32:37 - So I'm denying them from accessing
00:32:41 - that specific host which is the CBTNuggets web server. Now, if I just
00:32:44 - hit enter there, I've denied too much. They will not be able
00:32:49 - to use any TCP application to access the CBTNuggets
00:32:52 - web server. And in this case it just said deny them from
00:32:55 - the homepage, not all access. So I need to specify a port number.
00:33:00 - So I'm going to hit the question mark. You see there's plenty of options.
00:33:04 - I'm going to say equal to and specify the port number 80.
00:33:09 - Now, I want to mention that when I put equal to question mark, it puts
00:33:12 - a bunch of common port numbers that are right here, well, somewhat common.
00:33:16 - It's been a long, long time since I've heard of the Gopher protocol.
00:33:19 - It was one of the original ones on the Internet.
00:33:22 - That's not around anymore but, you know, it does give you, for example,
00:33:25 - www shows HTTP port 80. So I have an option here.
00:33:31 - I can either type in equal to www, that's a valid keyword,
00:33:37 - or I could use the option at the top of this which, and just put
00:33:40 - equal to and type in the port number, 80.
00:33:43 - I usually like using the port number rather than those keywords
00:33:46 - because I forget all the keywords. It's easier for me to remember
00:33:50 - the numbers of the
00:33:52 - protocols than all those names. So I type in equal to 80, enter.
00:33:57 - Good. I'm going to type in show access list 100 and let's take a look at it.
00:34:02 - Look at what the router did. It swapped out my 80 for www.
00:34:05 - He said, oh, yeah, I'll show you. It, it knows what it is. It will do that
00:34:10 - for and that's okay. So it says deny that host from accessing
00:34:13 - that host on equal to port 80 as the destination. Now, we need
00:34:18 - to add a permit in there and we also need to make sure our scenario
00:34:22 - three objectives are accomplished. So what I'm going to do is I'm going to go back
00:34:26 - to my notepad. I need to add that as my second line and that is
00:34:31 - my third. So let's copy that back to our clipboard, and in TeraTerm
00:34:36 - which is what I'm using here, we can just right-click and that
00:34:39 - will automatically paste. So I've pasted those back in there.
00:34:42 - Let me get rid of my notepad.
00:34:45 - And now, if I do a show access list 100, I can see
00:34:51 - line 10 or sequence 10 or first line is denying port 80.
00:34:55 - Second line is denying the WAN link and third line is permitting everything else.
00:35:00 - So let's test it. I'm going to go back to my web browser. Oh, wait a sec,
00:35:06 - not that one.
00:35:07 - Where am I? Here we go. Go back to my web browser. And you know what,
00:35:12 - I'm going to go in here and
00:35:17 - clear the cache. Oh, where is that? Do you know, you know what I mean
00:35:21 - by that, the cache. How do you, content, block pop-up windows.
00:35:27 - Oh, what am I thinking? Maybe security. Passwords. Oh, come on. Privacy? Privacy.
00:35:34 - Oh, there we go. How about I do this? Always clear my private data when
00:35:39 - I close Firefox. I'll clear everything. The reason I'm doing
00:35:44 - this is because I want to make sure that when I close Firefox,
00:35:47 - web browsers cache web pages, meaning this will show up again
00:35:51 - next time without having to contact CBTNuggets.
00:35:53 - I don't want it to do that. I want to make sure that it, it tries to contact
00:35:56 - CBTNuggets and it says, you know, I'm going to clear it all
00:35:59 - and I'll wipe it out. Good, wham, it's gone. Now, when I open my Firefox,
00:36:04 - there we go, we've got the Firefox start page and that's going to Google.
00:36:08 - So I know my Google access is working okay. Let's, let's
00:36:11 - try another website first. I'll do dub, dub, dub dot.
00:36:16 - See, when you want to think of a website you never can.
00:36:19 - How about
00:36:27 - And what's happening right now is we're kind of hung here.
00:36:32 - There we go, Cisco Blog. Cisco Blog has now come up and we've, we've
00:36:36 - got access there. And before I even go to CBTNuggets,
00:36:39 - I'm going to hit the up arrow in here and see. Take a look. You see we haven't
00:36:43 - had any matches here or here but we've had 131
00:36:46 - matches on the permit because this host has been surfing
00:36:49 - the web. It took 131 packets to generate
00:36:52 - the Cisco Blog and Google homepage. So now let's do the ultimate test,
00:36:55 -
00:37:02 - Look at, I don't know if, can you see it at the bottom? It says connecting to
00:37:06 - I'm waiting. I'm waiting. I'm waiting.
00:37:14 - And while we're waiting, let's go ahead and come back here,
00:37:17 - hit the up arrow and do that show access list. Look at this.
00:37:21 - Look at that action. Nine matches have showed up on that statement.
00:37:24 - Let's go back. We're waiting and the connection has timed out,
00:37:28 - taking too long to respond. Frankly it's never going to be responding
00:37:31 - because it is being denied by this access list. It is no longer permitted.
00:37:36 - Excellent. Now that we've done that scenario four,
00:37:41 - we can remove that access list and never attempt such a silly,
00:37:45 - silly objective again. But that is, that is using the access
00:37:50 - list to block web access. Good. So at this point, you should
00:37:54 - have a little better idea of how to work with standard and
00:37:58 - extended access lists, just seeing those scenarios and putting
00:38:01 - them in place, seeing the general syntax of them. Practice makes perfect
00:38:05 - on those things. I would, I would say practice with yourself
00:38:08 - writing down, you know, this is something I need access to and here's
00:38:11 - how I access it. I always recommend, when somebody, whenever anybody
00:38:16 - should I set up a lab at home to practice this stuff? I say by all
00:38:20 - means do it. Cisco gear has become so cheap nowadays. And when
00:38:25 - I say Cisco gear, I mean stuff you can get off of eBay for
00:38:28 - practice in your own home lab. You can get a Cisco router for under
00:38:32 - 30 bucks nowadays that can route your home Internet connection.
00:38:35 - And that will give you the opportunity to go in there and try this out,
00:38:38 - come up with objectives of what you want to deny and
00:38:41 - practice using access lists because that's the only way that
00:38:44 - you'll be able to master those. Now, let me show you some cool
00:38:47 - tips and tricks of how to work with access lists.
00:38:51 - First things first, numbered access lists like we've been using
00:38:55 - all along have been
00:38:59 - enhanced in recent times by named access lists. Now, named access lists
00:39:05 - have been around for a long time but they've only recently
00:39:07 - begun to become very popular, and I'll show you a couple of features
00:39:11 - of them. Notice we've been typing in as we've been typing our access list
00:39:14 - commands access lists dah, dah, dah, dah, dah, and we type in our number. But Cisco
00:39:20 - has a nice little thing that you can do. You can type in IP
00:39:23 - access list, same, same command but look at, look at the difference.
00:39:29 - And now it comes up and says, would you like to create an extended,
00:39:32 - a standard access list, use resequencing features and, and some
00:39:36 - other things? But right here we can create our IP extended
00:39:41 - or our standard access list, same thing as the numbered but
00:39:44 - now we can specify. Let's say I want to create a extended access
00:39:48 - list since that's what we're talking about. Extended and I can type
00:39:51 - in word, meaning name. The great thing about typing in a name
00:39:55 - is you can be very descriptive in that name of what the access
00:39:58 - list does instead of just thinking, oh, yeah, access list 100,
00:40:02 - I think that's the one that denies HostA, right? Well, we can
00:40:05 - type in as the name deny HostA, nice and descriptive.
00:40:11 - Now, when I hit enter, you notice it takes me into NACL mode.
00:40:14 - That stands for named access control list. So I'm in NACL mode and
00:40:18 - now I can start adding in my permit and deny statements. I can say
00:40:21 - permit, you know, host
00:40:25 - Same syntax as the number. It's just you don't have to type in access list 100
00:40:28 - in front of everything. So permit that host
00:40:32 - to access the host. I'm just giving some examples.
00:40:37 - Oh, you know what, I forgot the protocol. Permit the IP
00:40:41 - protocol or TCP or whatever you'd like to do. Permit the,
00:40:45 - I'll just put TCP as second, you know, and permit TCP to that host,
00:40:52 - and so on. We keep adding numbers. And now when I do a show IP access list,
00:40:56 - you can see that I have access list 100 and then I have access list
00:41:00 - deny HostA. It's much easier to remember that.
00:41:04 - Now, I will tell you functionally these are the same. They do
00:41:07 - and they, they can accomplish the same exact things. It's just this
00:41:11 - one gives a nice name along with it. Now, only from the named
00:41:16 - access list mode can you edit access lists, and this is the
00:41:21 - big feature I want to show you.
00:41:23 - All along we've seen this 10, 20, 30 next to things, 10, 20, 30.
00:41:27 - That is known as a sequence number. Only recently
00:41:31 - has Cisco been adding that feature to their access lists,
00:41:35 - and what that allows you to do is to modify access lists after
00:41:38 - you create them.
00:41:40 - Before those sequence numbers came around, the only way to modify
00:41:43 - an access list was to do what I showed you before, copy it to notepad,
00:41:47 - delete the whole thing, and then kind of modify it in notepad and
00:41:50 - paste it all back in. It's kind of a pain. So what we can do
00:41:54 - with these sequence numbers is I can make modifications. You notice,
00:41:58 - let me hit the question mark, from named access list mode, it shows
00:42:01 - I can type in permit, deny, or even type in a sequence number.
00:42:06 - So maybe I wanted to squeeze something in like, you know, as you
00:42:10 - add it just keeps adding to the bottom of this access list.
00:42:13 - But I wanted to squeeze something in between these two. So I could
00:42:16 - type in before I did my permit command sequence number 15,
00:42:20 - permit, and then same thing. We'll say TCP from the host
00:42:25 - to host
00:42:29 -
00:42:31 - And now, when I go back and do my show command, you notice, look at that. Nice.
00:42:36 - I know, if you haven't seen access lists before, it's kind of like,
00:42:40 - oh, that's kind of cool. But I'm telling you, nice. That is such an improvement
00:42:45 - from what it used to be. And, and literally, you'd have to delete the whole
00:42:48 - thing and recreate it if you wanted to do something like that.
00:42:50 - So not only can we squeeze in but we can remove. I can say,
00:42:54 - oh, well, you know what, now that line 15 is in there,
00:42:57 - I don't want line 20.
00:43:02 - I can just type in no 20, no sequence number 20, and now when I go back you can see
00:43:06 - sequence 20 has disappeared. Nice.
00:43:09 - You know, it's, it's great. So we can modify these. And even, nowadays, we can
00:43:13 - even modify our numbered access lists but the way we do
00:43:17 - it is by, let me stop using the up arrow, I type in IP access list extended,
00:43:21 - but instead of typing in a name I can just say 100.
00:43:24 - And now I can make changes and I could say no, or most,
00:43:29 - no 20 on my access list 100. And when I do the
00:43:33 - show access list now, you can see line 20 has been removed.
00:43:37 - Pretty cool.
00:43:39 - So that is our way of modifying access lists using the named feature.
00:43:44 - Now, last but not least, what I would like to do is
00:43:48 - show you a reflexive access list.
00:43:53 - To review, what we talked about in the concepts video was maybe
00:43:58 - you wanted to create an access list that denied all Internet
00:44:01 - traffic into your organization. It's a good policy because you don't
00:44:04 - want uninvited Internet traffic to come on in. Well, if you create
00:44:08 - an access list that says deny IP any any
00:44:13 - from the Internet, you're going to deny everything including
00:44:17 - stuff that your clients were trying to get. So when you try and
00:44:20 - surf the Internet, when the response comes back, it will be denied.
00:44:24 - To fix that you can use a reflexive access list and let me
00:44:27 - show you how it works. I'm going to go on my router two, and let's, let's
00:44:31 - use a named access list since we've learned them. I'll type in IP,
00:44:35 - or actually this will be on router one. Let me jump over there.
00:44:39 - On router one I'll type in IP access list and we'll say it's extended.
00:44:43 - It must be an extended access list. And I'll say the name of that
00:44:47 - access list will be filter Internet. You see how these new names can
00:44:53 - be real nice? IP access list extended filter Internet. And under
00:44:56 - there I can say permit
00:45:01 - TCP traffic from any source to any destination, and I want to show you
00:45:05 - the keyword, established.
00:45:10 - That's it. That's a reflexive access list. Now when I come back
00:45:15 - I can go under my, let's see, what the Internet connection? Ethernet 0/1.
00:45:18 - I can go under Ethernet 0/1 on router one
00:45:23 - and type in IP access group filter Internet inbound.
00:45:28 - So what that does is under, let me jump back
00:45:37 - to the slide and diagram this out. Under Ethernet 0/1, as things are coming in,
00:45:42 - remember that direction, hold out your arms,
00:45:45 - in that interface from the Internet, it will go against that access list.
00:45:49 - Now, that access list says permit
00:45:53 - the TCP protocol from any source to any destination if it has been
00:45:56 - established. What established means is that there's been some requests
00:46:01 - from the inside that has established a TCP session with
00:46:05 - a host out here on the Internet. Once the host from the inside
00:46:09 - has established that, this host may come back in on that same
00:46:13 - response or for that same session and reply. That is known
00:46:17 - as established. If somebody else out here, we'll say this, this
00:46:22 - host, tries to come into the network but there was no established,
00:46:27 - then it's going to come on this line and, you know, the first line
00:46:29 - says permit anything that's been established. It will say, oop, sorry, you don't match
00:46:32 - because you're not established. And then the last line of that
00:46:35 - access list says deny IP any any. Remember the invisible implicit deny?
00:46:40 - So it will be automatically denied since it's not
00:46:43 - an already established connection.
00:46:47 - So that is using what's known as a reflexive access
00:46:50 - list to heavily filter your Internet connection.
00:46:54 - Whoo, I would say that is one of the most action-packed, dense
00:46:58 - videos I have ever recorded for CBTNuggets. There's more information
00:47:03 - in that video that I think I've packed into anything else. What I would
00:47:06 - recommend is extended access lists, while going through that
00:47:09 - and setting them up, it, you know, it seems only logical. It makes sense.
00:47:13 - It takes a while for it to soak in. So what I would say is
00:47:17 - it'd be good for you to try a few of these, you know, put up
00:47:20 - some objectives for yourself and to write out what you think
00:47:23 - would be a good access list to test that. I've been asked before,
00:47:26 - should I set up a home lab for the CCNA if I'm studying
00:47:29 - for that? And I say if you can, by all means do it. You can get
00:47:33 - a Cisco router that's pretty good off of eBay for less than
00:47:37 - 30 bucks nowadays. They've dropped in price for some of
00:47:39 - the older ones and that's all you need to practice this, and that's
00:47:43 - I would say a great way to get some experience with extended
00:47:46 - access lists. Alright, so what we did was kind of wrapped up everything.
00:47:50 - We went through all of the standard and set up some standard access
00:47:54 - lists and the extended, and we expanded on that looking at
00:47:57 - the named access list, editing access list, and reflexive
00:48:01 - access list. The last thing I'll mention
00:48:05 - before we get into the next videos which are going to be on
00:48:08 - NAT, I did set up Internet access through router one for this video,
00:48:13 - which means I set up NAT on router one so that the host could
00:48:17 - access the Internet so we could do some cool demonstrations on
00:48:20 - blocking access. I am going to turn that off before we get into
00:48:24 - the next videos which is all about how to turn that back on
00:48:28 - because it, it seems kind of silly to get into NAT when you're
00:48:31 - thinking, but I thought you already had Internet access? We
00:48:35 - won't by the time we get into the NAT videos. So I hope this has been
00:48:39 - informative for you and I'd like to thank you for viewing.
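Added example, not part of the CBT Nuggets transcript and not Cisco code: a small Python model of the matching rules the video exercises on the router. It parses IOS-style extended ACL lines, applies first-match-wins with the implicit deny at the end, supports named-ACL sequence numbers (append at the next multiple of 10, insert at an explicit number, `no <seq>` to remove), and shows the source-port mistake the video warns about (an `eq` placed after the source address filters the source port, so web traffic with a random source port sails past it). It also models what `established` really checks: IOS matches any TCP segment with the ACK or RST flag set and keeps no session state, so a crafted inbound segment with ACK set is permitted even though no inside host opened the connection; true reflexive ACLs (the `reflect`/`evaluate` keywords) track sessions and do not have that weakness. All addresses and ports are constructed from RFC 5737 documentation ranges and are assumptions, as are the ACL names.

```python
"""Toy model of Cisco IOS extended-ACL matching: first match wins, implicit
deny at the end, named-ACL sequence numbers, and the 'established' keyword.
Added example for this page; not CBT Nuggets or Cisco code. Addresses are
constructed from RFC 5737 documentation ranges."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# A few of the port keywords IOS accepts after 'eq' (it echoes 80 back as 'www')
PORT_KEYWORDS = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53}


@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False     # TCP ACK flag
    rst: bool = False     # TCP RST flag


def _addr(tokens) -> Tuple[int, int]:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard'; return (address, mask)."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0
    if t == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0xFFFFFFFF
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))   # 0 bits must match
    return int(ipaddress.IPv4Address(t)), ~wildcard & 0xFFFFFFFF


def _port(tokens) -> Optional[int]:
    """Consume an optional 'eq <number|keyword>'; None means 'any port'."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        return PORT_KEYWORDS[p] if p in PORT_KEYWORDS else int(p)
    return None


@dataclass
class Entry:
    action: str
    proto: str
    src: Tuple[int, int]
    sport: Optional[int]
    dst: Tuple[int, int]
    dport: Optional[int]
    established: bool

    def matches(self, pkt: Packet) -> bool:
        s = int(ipaddress.IPv4Address(pkt.src))
        d = int(ipaddress.IPv4Address(pkt.dst))
        return ((self.proto in ("ip", pkt.proto))
                and (s & self.src[1]) == (self.src[0] & self.src[1])
                and (d & self.dst[1]) == (self.dst[0] & self.dst[1])
                and (self.sport is None or pkt.sport == self.sport)
                and (self.dport is None or pkt.dport == self.dport)
                # 'established' only inspects flags (ACK or RST); no state table
                and (not self.established or pkt.ack or pkt.rst))


class ExtendedACL:
    def __init__(self, name: str):
        self.name = name
        self.entries = {}  # sequence number -> Entry

    def add(self, line: str, seq: Optional[int] = None) -> int:
        """Append at the next multiple of 10, or insert at an explicit sequence number."""
        tokens = line.split()
        action, proto = tokens.pop(0), tokens.pop(0)
        src, sport = _addr(tokens), _port(tokens)   # an 'eq' here is a SOURCE port
        dst, dport = _addr(tokens), _port(tokens)   # an 'eq' here is the destination port
        established = bool(tokens) and tokens[0] == "established"
        if seq is None:
            seq = max(self.entries) + 10 if self.entries else 10
        self.entries[seq] = Entry(action, proto, src, sport, dst, dport, established)
        return seq

    def remove(self, seq: int) -> None:
        """Equivalent of 'no <seq>' in named-ACL configuration mode."""
        del self.entries[seq]

    def evaluate(self, pkt: Packet):
        """Return (action, matching sequence); ('deny', None) is the implicit deny."""
        for seq in sorted(self.entries):
            if self.entries[seq].matches(pkt):
                return self.entries[seq].action, seq
        return "deny", None


def build_hosta_acl() -> ExtendedACL:
    """Video scenario: HostA (constructed 192.0.2.10) loses only HTTP to one web
    server (constructed 203.0.113.80) and all access to one WAN link."""
    acl = ExtendedACL("DenyHostA")
    acl.add("deny tcp host 192.0.2.10 host 203.0.113.80 eq www")    # seq 10
    acl.add("deny ip host 192.0.2.10 198.51.100.0 0.0.0.255")       # seq 20, the WAN link
    acl.add("permit ip any any")                                    # seq 30
    return acl


def build_internet_acl() -> ExtendedACL:
    """Inbound-from-Internet filter built only on 'established'."""
    acl = ExtendedACL("FilterInternet")
    acl.add("permit tcp any any established")
    return acl


if __name__ == "__main__":
    acl = build_hosta_acl()
    print(acl.evaluate(Packet("tcp", "192.0.2.10", "203.0.113.80", 51000, 80)))
```

To see the `established` weakness, evaluate an inbound segment to port 22 with `ack=True` against `build_internet_acl()`: it is permitted, because nothing in the ACL knows whether an inside host ever sent a SYN. On a real router, the fix is a reflexive ACL (`reflect` on the outbound list, `evaluate` on the inbound one) or a stateful firewall feature rather than `established`.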


Jeremy Cioara

CBT Nuggets Trainer

Cisco CCNA, CCDA, CCNA Security, CCNA Voice, CCNP, CCSP, CCVP, CCDP, CCIE R&S; Amazon Web Services CSA; Microsoft MCP, MCSE, Novell CNA, CNE; CompTIA A+, Network+, iNet+

Area Of Expertise:
Cisco network administration and development. Author or coauthor of numerous books, including: CCNA Voice 640-461 Official Cert Guide; CCNA Voice Official Exam Certification Guide (640-460 IIUC); CCENT Exam Prep (Exam 640-822); CCNA Exam Cram (Exam 640-802) 3rd Edition; and CCNA Voice 640-461 Official Cert Guide.

  © 2015 CBT Nuggets. All rights reserved. Licensing Agreement | Billing Agreement | Privacy Policy | RSS