
Cisco CCNA certification proves your professional worth. It tells prospective employers that you can handle the day-to-day work of running a mid- to large-sized Cisco network.

The two-exam CCNA process covers lots of innovative features, which better reflect the skills and knowledge you'll need on the job. Passing both exams is your first step towards higher-level Cisco certification, and trainer Jeremy Cioara has mapped these CCNA training videos to the 640-816 test. This CCNA training is not to be missed.

Here's how one user described Jeremy's training: "By the way, Jeremy Cioara has to be by far one of the BEST Cisco trainers I have ever had the privilege to learn from overall. He not only keeps your attention but his energy is contagious and he provides the information at a level where you grasp it rather easily."

The last day to take the 640-816 exam is Sept. 30, 2013. After that date, the only ICND2 exam available will be 200-101. CBT Nuggets has a training course for the 200-101 exam here.

1. Review: Rebuilding the Small Office Network, Part 1 (33 min)
2. Review: Rebuilding the Small Office Network, Part 2 (28 min)
3. Review: Rebuilding the Small Office Network, Part 3 (23 min)
4. Switch VLANs: Understanding VLANs (16 min)
5. Switch VLANs: Understanding Trunks and VTP (39 min)
6. Switch VLANs: Configuring VLANs and VTP, Part 1 (35 min)
7. Switch VLANs: Configuring VLANs and VTP, Part 2 (39 min)
8. Switch STP: Understanding the Spanning-Tree Protocol (28 min)
9. Switch STP: Configuring Basic STP (21 min)
10. Switch STP: Enhancements to STP (29 min)
11. General Switching: Troubleshooting and Security Best Practices (29 min)
12. Subnetting: Understanding VLSM (18 min)
13. Routing Protocols: Distance Vector vs. Link State (26 min)
14. Routing Protocols: OSPF Concepts (30 min)
15. Routing Protocols: OSPF Configuration and Troubleshooting (39 min)
16. Routing Protocols: EIGRP Concepts and Configuration (32 min)
17. Access-Lists: The Rules of the ACL (27 min)
18. Access-Lists: Configuring ACLs (34 min)
19. Access-Lists: Configuring ACLs, Part 2 (48 min)
20. NAT: Understanding the Three Styles of NAT (20 min)
21. NAT: Command-line NAT Configuration (35 min)
22. WAN Connections: Concepts of VPN Technology (33 min)
23. WAN Connections: Implementing PPP Authentication (34 min)
24. WAN Connections: Understanding Frame Relay (28 min)
25. WAN Connections: Configuring Frame Relay (30 min)
26. IPv6: Understanding Basic Concepts and Addressing (34 min)
27. IPv6: Configuring, Routing, and Interoperating (23 min)
28. Certification: Some Last Words for Test Takers (13 min)
29. Advanced TCP/IP: Working with Binary (25 min)
30. Advanced TCP/IP: IP Subnetting, Part 1 (55 min)
31. Advanced TCP/IP: IP Subnetting, Part 2 (22 min)
32. Advanced TCP/IP: IP Subnetting, Part 3 (19 min)

Access-Lists: The Rules of the ACL


We've left routing protocols and now are moving directly into access lists: the rules of the ACL, or the access control list. Access lists are one of the core pieces of Cisco routers, meaning you're going to be using them for all sorts of things, and that's going to be the first topic that we talk about as we get into access lists. They're not just for access. Even though that's what they're named, you'll use them for all kinds of stuff, and that's the first thing we'll talk about. Then we'll turn our attention to the security aspects of access lists, in the sense that your Cisco router has the ability to be a pretty sophisticated firewall, allowing specific traffic in and out of the network. That's using ACLs for security.

So we'll talk about ways to do that, and the final topic will be the types of ACLs that are able to do that. When you say access control list, that is more of an umbrella of many different categories of topics, two of which are the most important: standard and extended access control lists. We'll look at what those are and what the differences are.

Access lists are everywhere in the Cisco world. It's one of those concepts that you'll hear repeated again and again and again. And it's almost unfortunate that Cisco named them access lists. I think they should have named them identifier lists, because every time somebody thinks of an access list, they think of access and they think, oh, this is like a firewall kind of thing to control access. Now that's one of the things that they can be used for, but there are many more things that they can be applied to and used for where "access" would be somewhat confusing. So there's my proposal. We'll go ahead and change the name to identifier lists, because that's exactly what they do: identify traffic to be allowed or permitted or denied.

Now I know even using that terminology you're thinking, okay, permitted or denied to get out of the network or come into the network. You're thinking firewall. That's what I think when I think of it. And you can see right here what they are: a list of permit or deny statements. Permit that host, deny that whole subnet. Permit just port 80 for Now this list of permits or denies really is almost better translated - see, look at this, I'm changing all the words. Allow or stop. Okay, I'm just making this up as I go, all right. Let me talk about how they can be used, and I think that will shed a lot more light on what I mean.

The number one way that people think about access lists being used is for access control, where in the true sense of the word they are permitting and denying traffic. So for example, I might have a router right here connected off to the internet, and as traffic comes in or leaves that router I can say, well, who are you? Because if you're not invited here, you are denied. You cannot get in from the internet into my network. Or as they're going out, it'll say, who are you, are you allowed to access the internet, or are you allowed to access that website on the internet? That's access control, and that's where permit and deny really make sense in our heads.

But access lists can also be used for NAT. So for example, let's say this is our access list up here, this list of statements right here. We might apply it in such a way that says, this IP address is permitted to be translated using NAT off to the internet. As a matter of fact, if you look at this series, the next topic we're going to be talking about is configuring NAT from the command line. We'll go through some of the concepts and configurations and we'll see how this is applied. But that's one of the things we'll do: we'll create an access list and say that these hosts are permitted to be translated or denied from being translated. That doesn't mean they're being denied from accessing the internet as a whole; they're just being denied from the NAT process. They're not going to be translated to a public IP address when they go out.

You could use it for quality of service. Tweak this example a little more and have this same list; I could say this host is permitted to receive priority on the network. That's what quality of service is all about: prioritizing some traffic and deprioritizing others. So I can say that this host gets priority, so if there's congestion and things are being dropped, you know, the network's kind of overwhelmed - well, that host is going to move to the front, because they're permitted to receive prime priority; they're allowed to move to the front. The one below says nine one eight right here. If we apply it to quality of service, they are not denied from getting out or denied from accessing the internet like access control; they're denied from perhaps receiving priority. So you see, I could keep going down this list, you know. Demand-dial routing, policy routing, route filtering, making French toast. Okay, access lists don't make French toast, but the point is that this is a partial list. This is one of those concepts you'll see repeating itself again and again and again in the Cisco world, because there are many times - just think, any time that you're on a Cisco router and you need to say, these are going to be allowed or these are going to be denied to any process, and you just need to identify a group of IP addresses, that is where an access list comes in.


When we talk about access lists initially, we'll talk about using them for security. And as we move into some of the other topics like NAT, that's where we'll expand some of those other uses. I just wanted to initially make sure you know these - even though they're called access lists, access is just one of the ways that you can use them. So if you're using an access list for security, it's like hiring a guard for your router to stand on an interface. Here's the idea. We've got this guard right here that we've assigned to stand on the FastEthernet 0/0 interface. Now as soon as we give that guard a list, he is going to screen all of the traffic either coming in or going out of that interface, depending on how we apply this access list, and say whether it's allowed or denied. So before we talk about the guard's processing, let's first talk about the rules of the access list. When you create an access list, it is literally just a list of statements like you see right here. It is read from top to bottom and it will stop at the first match.

So for example, we have this guard who has a list, and the first statement in their list, number one right here, says deny So let's say he's filtering traffic coming this direction; he's going to ask that packet - let's say that this is, the guard will ask and say, are you Packet says, no sir. And he says, okay, are you You can see statement number two in the list. By says, no sir. And then we come down here; you can see my little permits or whatever. You know, this list can go on and on. We might say something like permit Wow, that's big, because that says permit everything starting with 10. You see the subnet mask right there. It's a Class A subnet mask. So everything starting with 10 is allowed. So he says that third statement and says, are you 10 dot anything? And the packet says, yes sir, I am. And he says, well, in that case then you are permitted. You may proceed through into the router and access whatever resources you have.

So the list is read from top to bottom and it stops at the first match. What if this packet were coming in? Well, the guard would say, are you as his first question, and when the packet says yes, it says, smash, and the guard hits it with its gun right there and the packet is destroyed and dropped. Now even though the third statement in this list says permit everything starting with 10, since the list is read in order it never gets that far. So you can see that the order is very important when you create an access list. Now let's say we did something like this. Let's say we gave the guard a list where the very first statement - I kind of reorder it right here - is permit the same statement we put down there. Well, if that's the case, then this packet comes in and the guard's first question is, are you and the packet says, well, yes I am. Even though statement number two denies that packet, the guard never gets that far, because it says, well, if you match that first statement then you are allowed to go, you may proceed through. It never hits statement number two. That's why the order is very important.

Now the second rule is equally important: the invisible implicit deny at the bottom of an access list. You can see that this list says deny all. But when you're configuring this list on a router, you don't see that there. Meaning you just start adding statements to your list. You say okay, statement one is this, statement two is that, is this, but all along there's this invisible deny all at the very bottom of that list that just keeps getting pushed further and further down the more statements that you add to this list. So I guess you could state it in a way that says, if you are not explicitly permitted in that access list, and you reach the bottom, you will be denied. There's no question about it. If you make your way all the way down through that list, you're going to hit the invisible deny at the bottom of the list. Now you as an administrator can change that whole logic. You could actually, if you wanted to, as you're typing your list, say deny this, deny that, deny this, and then add a statement that says, permit anyone. So you could put a permit - I'll just put "per all" - permit all before it gets to this invisible deny. So the guard will be going through this list and saying, this, and keep going, and then say, oh, well then I guess you're permitted. So it never actually reaches the deny all, but do know that the deny all is still there; you're just not making it down to the bottom. It is an invisible implicit deny. Now lastly, and this is one of the most difficult things when you're first getting into access lists, is the application.


Access lists are applied to an interface inbound or outbound. Meaning you're going to create this list, and we'll say this is list number five. The access lists are actually numbered, and we'll get deeper into this as we look at the config. So this is number five with all these statements, and you're gonna say, I am going to assign list number five inbound on FastEthernet 0/0. That application affects everything in the access list. When you say inbound, think about things coming in to that interface. So that would be, let's say, if there's a switch over here connected to the rest of a network, or maybe this interface is a DSL connection to the internet, or, you know, it could be connected to anything. As things come in to that router, that's where the access list will be applied.

The best way I can describe to think about access lists and their applications is for you to become a router. Literally. Right now - this is, you know, this is video; you're in the privacy of your own home or in a cubicle. Just relax and hold out your arms by your side. Come on, come on, arms out, hold them out. You can just put your fingers out if you're ashamed. You hold out your arms and you say okay, my right arm, as I'm looking out at my right arm which is pointing to the wall where I'm standing right now, my right arm is my FastEthernet 0/0. My left arm, that's a serial port. Let me put my arm down for a moment. That's Serial 0/0 over here on the router. I - my torso, me - am the middle, and I am the router itself. So when I think about access lists being applied, if I think of them being applied outbound Serial 0, if I were to put out right here, look out your arm, that's your left arm that's pointing to wherever it is. If I apply an access list outbound Serial 0/0, that's going to catch traffic coming from me, the router, leaving that Serial 0/0 to go to whatever this connects to over here. It could be the internet, could be whatever. So as traffic's going that way. So if somebody accesses me from the internet, the outbound access list does not apply. I mean, again, hold out your arm. Your arm is - your left arm - Serial 0/0. If you think about packets coming in your arm from your fingertips, traveling up your wrist all the way through to your shoulder blade and into you, that came inbound Serial 0. Coming in.

Now we can apply an access list outbound on FastEthernet 0/0; that's your right arm. Again, hold out your right arm. Imagine - okay, both arms. Both arms are our left and our right. Imagine your left arm, Serial 0/0, is connected to the internet. A packet just came from the internet. It's from a website It's coming in your left arm, coming into your torso; you are the router. You're looking at the packet and you go, oh, well, I'm looking at the destination IP address. I see that that needs to go on my right arm, my FastEthernet 0/0, so you send it out and all of a sudden you notice - wait a sec, there's an access list applied outbound on FastEthernet 0/0. That's where this guard walks into the wire and now looks at that packet you're trying to send out your right arm and says, are you allowed? When we look at this list.

So when you're thinking about applying access lists, become a router. Be - you know, you are the router; your appendages are the different interfaces of the router. I still, to this day, even after working with Cisco - I don't hold out my whole arm, I hold out fingers, because people look at me with less I just hold out a finger on each side and I think, okay, this is the interface, this is the other interface. If you apply the access list wrong, if for instance you meant to apply it inbound but you accidentally applied it outbound, it can destroy your whole company. And I say that because - I mean, okay, I'm not even going to get into that. But this is - it can have some very serious ramifications.


We'll talk about that as we get deeper into it. Before we go any deeper, let's talk about the types of access lists that are out there. I always think access lists are like a category; they're like Skittles - there's many different kinds of them. You see right here that we have standard and extended access lists, and that's going to be where we're spending most of our time in this series; these are the main ones that we're going to be using in this series and in the real world to permit or deny different traffic types from being processed. We'll come to spend plenty of time on those on the next slide, so let's just jump down to what we're not going to talk about. There are plenty of different types of access lists. I just want to give you an overview. Dynamic access lists are access lists that expand and shrink depending on who's going through at the time.

Let me give you an example of a dynamic access list use. You could have somebody that maybe has a username and password that they use to access the internet, because not everybody at your company is allowed internet access. What you can do is set up a dynamic access list that says, if this username and password comes in, meaning is typed in either via Telnet or, it could be, you know, typed in through a webpage - there's different ways to set up dynamic access lists. If this username and password is typed in, allow that PC access for a certain amount of time. So for example, somebody could be sitting at a PC and they're like, oh, I need to access the internet. So they open a webpage and it says, what's your username and password, and they type that username and password in and it creates an access list; it gives that guard that's standing at the router a new access list that says, this PC or this IP address is now allowed for this certain amount of time, or until they close the web browser; you can set it up many different ways. Actually, I take it back, we are going to be talking about established access lists, so we'll - or they're also known as reflexive - which are - I'll talk about that later. We're going to talk about all of that on the next slide.

Time-based access lists we're not going to talk about in here; that's part of the CCNP track. Time-based is where the access list is active for a specific amount of time or time range. So with that you could say, for example, internet access is allowed in my company after hours. Meaning during the hours of 8 AM to 5 PM, if those are your business hours, internet access will be blocked. But as soon as you pass 5 PM, that access list is removed or revoked, if you will, and allowed all night long until the morning comes around, and as soon as 8 AM comes back again it blocks. Context-based access control, also known as CBAC, and that has now been renamed to the IOS Firewall, is part of the CCSP, the security professional track. And that is where you truly turn on firewall features on your router, which enhances the capabilities of, well, I guess you could say every access list, in the sense that it begins inspecting all the traffic that's going through. I'm not getting too deep into that, because that is a whole feature set that's discussed in the CCSP, but you can think of that as a way to turn your router, your Cisco IOS router, into capabilities similar to the Cisco firewall line. Most of you may have heard of a Cisco PIX firewall or a Cisco ASA firewall. Those are the firewall products they sell. That feature is what allows your router to do most of what the PIX firewall and ASA firewall do.

Now let's turn our focus to the three specific access list types we'll be discussing in the CCNA series: standard, extended, and reflexive. Standard access lists match only based on source address, and I guess I could be more specific with that: source IP address. So I can say that you are permitted or denied based on who you are, but not really what you're accessing or how you're accessing that device. So for example, if I have the internet right here and this host, we'll say, is not allowed to access the internet. I could just create a standard access list that says, deny, and that does it. That's all you type in there. It says deny. I can apply that maybe outbound on the internet connection - remember, hold out your arms there - and that would deny that host from getting out onto the internet only based on source. I can't really say they can't access these sites on the internet, you know, be selective with what sites, nor can I say they can't access the internet using TCP port 80, which is the web surfing protocol, but maybe use other protocols to access the internet.


It's just based on source. So this has the lowest processor utilization of any access list, because whenever you apply an access list to your router, the processor gets bumped up a little bit because it has to check every single packet going through against the access list, but if you use a standard access list it only has to check the source IP address. It doesn't have to look at anything else, so it doesn't really slow the router down too much. The effect of this access list depends on the application. Meaning, when I say deny, if I came up to you and you were a network manager in a company and I said, I have created an access list that denies, your next question would be, denies him from what? What do you mean? What are you denying them from? Well, with the standard access list, that's all you can say, is they're denied where I apply it. That's what I mean in that third mark there. Where I apply this access list is what determines the effect that it has. If I apply it out on Serial 0, if that's what's connected to the internet, then they are denied from going out that interface and getting internet access. If I deny them out FastEthernet 0/1, that might deny them from accessing an accounting server or that subnet that the FastEthernet 0/1 is attached to. Now here's a question. If I create this access list and apply it inbound on this interface, and in this little diagram maybe that's FastEthernet 0/0, they're denied from everything. Meaning I might as well unplug that cable - for that host, anyway, assuming there's no other hosts on this network - because as soon as they try to come in the router, as soon as they try to get out their default gateway, you know, come in that interface, the router's going to say, oh, I'm sorry, you can't come in here. Goodbye. Hang up, you know, probably that America Online sound, goodbye, you know. And they are disconnected from the whole network. That's why where you apply these things can have some severe effects.

Now down here, extended access lists match based on source and destination address, along with protocol, along with source and destination port number. Now I want to hit that little third mark I put under the extended access lists. These do take some time to learn. I've had many people that I've talked to that just whole extended access list, it's scary. It's one of the - because the syntax can be so long. I can essentially say with an extended access list, you are denied from accessing this host using TCP port 80 during these times of day, during - you know, there's - I don't want to get into all the access lists we're not talking about, but there's so much you can put in here. You can be very granular. So let's pull up our little host again. We've got that connected to the internet. If I was - or the heart - if I was using an extended access list, I could say 1.100 is denied from accessing, we'll say,'s IP address, using TCP - that's the protocol that I'm talking about. I'm not talking about protocol as in TCP/IP; I'm talking about protocols like TCP and UDP and so on. TCP destination port 80, which is web surfing. So at that point when they go out, the access list says, are you going to Google? Because if so, let me check if you're using TCP. Oh, you are? And you're using destination port 80? Then you're denied. But I could then say, but you're allowed to use anything else. So we're biased against Google or something and want to use Yahoo's search engine, so we can be very specific with that. It does have higher processor utilization and the syntax is pretty complex. We'll see that in a moment.

Reflexive access lists allow traffic - return traffic - for requests that originated from the inside of your network. Let me explain that in English. We've got an internet connection here, right.


The internet is a scary place. We don't want, you know, uninvited traffic to just be able to come in from the internet. So initially your thought might be, well, I don't know, I want to deny everything, you know, deny all from the internet, and it sounds like a good idea. You know, any traffic that originates from the internet will be denied from getting into my router. But if you put a deny all on your internet connection, well, you just killed it. The internet connection will no longer operate. If somebody surfs the web, they will go out this direction - we'll say out Serial 0/0 - and access the internet, and that'll work just fine, but the problem is when the internet, or whatever website they access, we'll say, tries to return traffic to them. I mean, when - it's strange to think about it that way, but when you access the internet, sure, you're going out, but the majority of the stuff is returned to you. I go to to request the webpage, and Google sends it back to me. If I apply a deny all access list, the requests will get there just fine. It's the response that will be blocked.

So that's why we need these reflexive access lists. A lot of people call them, officially, TCP established access lists. What it will do is, when my host goes out, the router puts on a little pair of glasses and says, ah-ha, I just saw that host leave, so the source address left to go access or whatever's IP address is. So I will create a reflexive or a return path for only to respond, and only for them to respond to that specific request. Meaning if Google just says, well, I just want to try and slip some traffic in there for some other host right now, it's not going to happen, because the little eyeglasses on the router saw the request that went out. It said, I will accept a response to this request but nothing else, nothing else is denied. Everything else is denied. And as soon as that host closes its session with Google, the TCP session ends. Remember the TCP 3-way handshake? That's what builds the session. Well, as soon as you close your web browser, it kills the TCP session, and now the deny all rules again. will not be able to come in unless there's a specific invite for it to come back. It's a pretty powerful access list. It's only one line, it's amazing. But it has a big effect.

Therein lie the rules of the access lists, or what access lists are all about. I hope I was able to convey that access lists are not just for access. They're going to be used for all kinds of things on our routers. Access is just one of the easiest ways to explain what access lists are all about. We looked at, as we went through, using access lists for security, where the permit and deny statements are literally what is allowed in or out of an interface, depending on how you apply it. So access lists can be used for security if they're applied to an interface. The types of access lists are like Skittles. We saw standard, we saw extended, reflexive, dynamic, time-based access lists; there's all kinds of them. But primarily in what you do day-to-day on Cisco routers, you will be using standard and extended. So in the next video we're going to get into
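The three rules the lecture builds up (read top to bottom and stop at the first match, an invisible deny at the end of every list, and the effect depending on which interface and direction the list is applied to), plus the standard-versus-extended distinction, can be checked end to end in a few lines of code. The following is an added example written for this page; it is not code from the video and Cisco IOS does not run Python. It parses the IOS `access-list` syntax for standard (1-99) and extended (100-199) numbered lists and simulates the guard's procedure. The ACL numbers, the hypothetical web server 203.0.113.10, the host 192.168.1.100 and the interface names are constructed for the example; only contiguous wildcard masks (the kind the lecture uses) are supported.

```python
"""Added example: simulate Cisco IOS access-list rules (not Cisco's code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"      # "ip" is matched by every entry; else "tcp", "udp", "icmp"
    dport: int = 0


@dataclass
class Entry:
    action: str            # "permit" or "deny"
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network   # ANY for a standard ACL: it only looks at the source
    dport: Optional[int]
    text: str              # the configuration line, reported as the matching statement


def _addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one address spec: any | host A.B.C.D | A.B.C.D [WILDCARD]."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # A wildcard is the inverse of a subnet mask: 0.255.255.255 means "ignore
    # the last three octets", i.e. 10.0.0.0/8. A standard ACL with no wildcard
    # means exactly that host (wildcard 0.0.0.0). Converting to a netmask first
    # avoids ipaddress reading 0.0.0.0 as a /0 netmask; a non-contiguous
    # wildcard raises ValueError here, which is deliberate for this example.
    wildcard = tokens.pop(0) if tokens and tokens[0][0].isdigit() else "0.0.0.0"
    netmask = ipaddress.ip_address(~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)


def parse(line: str) -> Entry:
    """Parse 'access-list N permit|deny ...' (standard 1-99, extended 100-199)."""
    tokens = line.split()
    assert tokens[0] == "access-list", line
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if number < 100:                                   # standard: source only
        return Entry(action, "ip", _addr(rest), ANY, None, line)
    proto = rest.pop(0)                                # extended: proto src dst [eq PORT]
    src, dst = _addr(rest), _addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return Entry(action, proto, src, dst, dport, line)


def matches(e: Entry, p: Packet) -> bool:
    return ((e.proto == "ip" or e.proto == p.proto)
            and ipaddress.ip_address(p.src) in e.src
            and ipaddress.ip_address(p.dst) in e.dst
            and (e.dport is None or e.dport == p.dport))


def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, str]:
    """The guard: read top to bottom, stop at the first match, and if nothing
    matched apply the implicit deny that never appears in the running config."""
    for e in acl:
        if matches(e, p):
            return e.action, e.text
    return "deny", "implicit deny (invisible at the end of every list)"


class Router:
    """Interfaces are the arms: an inbound list is checked as a packet enters
    one interface, an outbound list as the router sends it out another."""
    def __init__(self) -> None:
        self.acls: Dict[str, List[Entry]] = {}
        self.applied: Dict[Tuple[str, str], str] = {}   # (interface, in|out) -> ACL number

    def access_list(self, *lines: str) -> None:
        for line in lines:
            self.acls.setdefault(line.split()[1], []).append(parse(line))

    def access_group(self, interface: str, acl: str, direction: str) -> None:
        self.applied[(interface, direction)] = acl        # 'ip access-group N in|out'

    def forward(self, p: Packet, ingress: str, egress: str) -> Tuple[str, str]:
        for iface, direction in ((ingress, "in"), (egress, "out")):
            acl = self.applied.get((iface, direction))
            if acl is not None:
                verdict, why = evaluate(self.acls[acl], p)
                if verdict == "deny":
                    return "deny", f"{iface} {direction}: {why}"
        return "permit", "no applied list denied it"


# Constructed scenario: list 5 is the standard "deny that host, permit 10.x" list
# from the lecture; list 100 blocks one host from TCP/80 on the hypothetical web
# server 203.0.113.10 and permits everything else. Only list 100 is applied here,
# outbound on Serial0/0 (the left arm, toward the internet).
r = Router()
r.access_list("access-list 5 deny 192.168.1.100",
              "access-list 5 permit 10.0.0.0 0.255.255.255")
r.access_list("access-list 100 deny tcp host 192.168.1.100 host 203.0.113.10 eq 80",
              "access-list 100 permit ip any any")
r.access_group("Serial0/0", "100", "out")

if __name__ == "__main__":
    for pkt in (Packet("192.168.1.100", "203.0.113.10", "tcp", 80),
                Packet("192.168.1.100", "203.0.113.10", "udp", 53),
                Packet("203.0.113.10", "192.168.1.100", "tcp", 80)):
        print(pkt.src, "->", pkt.dst, pkt.proto, pkt.dport,
              r.forward(pkt, "FastEthernet0/0", "Serial0/0"))
```

Running the script shows the extended list denying only the TCP/80 request to 203.0.113.10 while the DNS request passes; the same reply arriving inbound on Serial0/0 is never seen by a list applied outbound there, which is the "hold out your arms" point. Evaluating list 5 directly on a 172.16.x source reaches the implicit deny, and swapping the order of a permit and a later deny makes the deny unreachable, exactly as the guard analogy describes.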

16 hrs 32 videos
Jeremy Cioara
Nugget trainer since 2003