Cisco CCNA certification proves your professional worth. It tells prospective employers that you can handle the day-to-day work of running a mid- to large-sized Cisco network.

The two-exam CCNA process covers lots of innovative features, which better reflect the skills and knowledge you'll need on the job. Passing both exams is your first step towards higher-level Cisco certification, and trainer Jeremy Cioara has mapped these CCNA training videos to the 640-816 test. This CCNA training is not to be missed.

Here's how one user described Jeremy's training: "By the way, Jeremy Cioara has to be by far one of the BEST Cisco trainers I have ever had the privilege to learn from overall. He not only keeps your attention but his energy is contagious and he provides the information at a level where you grasp it rather easily."

The last day to take the 640-816 exam is Sept. 30, 2013. After that date, the only ICND2 exam available will be 200-101. CBT Nuggets has a training course for the 200-101 exam here.

1. Review: Rebuilding the Small Office Network, Part 1 (33 min)
2. Review: Rebuilding the Small Office Network, Part 2 (28 min)
3. Review: Rebuilding the Small Office Network, Part 3 (23 min)
4. Switch VLANs: Understanding VLANs (16 min)
5. Switch VLANs: Understanding Trunks and VTP (39 min)
6. Switch VLANs: Configuring VLANs and VTP, Part 1 (35 min)
7. Switch VLANs: Configuring VLANs and VTP, Part 2 (39 min)
8. Switch STP: Understanding the Spanning-Tree Protocol (28 min)
9. Switch STP: Configuring Basic STP (21 min)
10. Switch STP: Enhancements to STP (29 min)
11. General Switching: Troubleshooting and Security Best Practices (29 min)
12. Subnetting: Understanding VLSM (18 min)
13. Routing Protocols: Distance Vector vs. Link State (26 min)
14. Routing Protocols: OSPF Concepts (30 min)
15. Routing Protocols: OSPF Configuration and Troubleshooting (39 min)
16. Routing Protocols: EIGRP Concepts and Configuration (32 min)
17. Access-Lists: The Rules of the ACL (27 min)
18. Access-Lists: Configuring ACLs (34 min)
19. Access-Lists: Configuring ACLs, Part 2 (48 min)
20. NAT: Understanding the Three Styles of NAT (20 min)
21. NAT: Command-line NAT Configuration (35 min)
22. WAN Connections: Concepts of VPN Technology (33 min)
23. WAN Connections: Implementing PPP Authentication (34 min)
24. WAN Connections: Understanding Frame Relay (28 min)
25. WAN Connections: Configuring Frame Relay (30 min)
26. IPv6: Understanding Basic Concepts and Addressing (34 min)
27. IPv6: Configuring, Routing, and Interoperating (23 min)
28. Certification: Some Last Words for Test Takers (13 min)
29. Advanced TCP/IP: Working with Binary (25 min)
30. Advanced TCP/IP: IP Subnetting, Part 1 (55 min)
31. Advanced TCP/IP: IP Subnetting, Part 2 (22 min)
32. Advanced TCP/IP: IP Subnetting, Part 3 (19 min)

Access-Lists: Configuring ACLs

00:00:00

Configuring access lists. I've always found the best way to learn access lists and to get familiar with the syntax is to do them again and again and again. It's kind of like subnetting. The more you practice, the better you get at it. So that's how I've structured

00:00:15

this configuring access lists video. I'd like to walk through four separate scenarios with you that take the concepts that we've learned in the previous video and apply them in practical scenarios. Now looking at these scenarios, they don't make much sense right here, but this is going to be what I'm testing on and in each one of those scenarios, as we construct a new access list for each one of those requirements.

00:00:39

So if you're ready, I'm ready. Let's get going. All right. Here is our configuration landscape. You can see the four scenarios spelled out on the bottom of the network diagram. But before we even get into those scenarios and start working through each one of them and setting up the configuration, I'd like to talk a little bit about access lists generalities. How do you

00:00:59

configure access lists in general? You can see our scenarios are saying use a standard access list or an extended access list. But before we even accomplish those objectives let's talk about just how to use access lists. What I'd like to do is take us to a router

00:01:12

and that will allow us to see this configuration and I'll just walk through some -- some samples. And then we'll do the real deal. We'll go through these scenarios one by one. So let me bring up the router connection and put it in the middle of the screen here.

00:01:26

Just get things cleared off. You can see we're on router 3 right now to start things off. And this will just be, you know, a nice generic place to go. To set up access lists, we're going to go into global configuration mode and use the command access list. Now if you haven't

00:01:42

gotten used to the context sensitive help -- the question mark as of yet, now's a good time. Access lists will almost need you to use that going through there because very few people remember all the pieces off the top of their head. Now you can see all these

00:01:55

lists. I type in access lists and it says okay type in a number one through 99 if you would like to create a standard access list. If you would like to create an extended, go ahead and type in number 100 through 199 and that will configure one of those. Now you can see as we go through this list, there's plenty of other ones like IPX address access list; MAC address access list. You

00:02:15

can permit or deny based on MAC address. But a lot of these protocols we just don't use anymore like IPX or DECnet. So we're gonna stick to IP access lists. Now you can see right here, we've got the standard and extended, but notice right here and right here is an IP access list for standard and extended in an expanded range. So what they're saying is if

00:02:41

you run out of lists, meaning you've -- you've exceeded 99 lists; number one, I'll tell you, you've created way too many access lists if that's the case. But Cisco says we'll let you do it. Here is a 700 or so more access lists that you can create using that expanded range for each one of them. So let's start

00:02:59

off with the standard extended access list. I'm just going to say access list 1. I could type in any number from one to 99 and it would work just fine. I'm just using one because I like it. So I hit the question mark and it says okay is this going to deny or permit? Or would you like to leave a remark in this access list? So we'll say this -- this first entry is going to be a deny entry.

00:03:25

Remark by the way just leaves comments so you can see what the access list is about. So I'll type in deny; hit a question mark and it says would you like to match a host name if you're using DNS; very few people do that or IP address. Would you like to match any or a single host?

00:03:42

So this is our big option. Let's say that I would like to deny -- we haven't talked about our scenarios yet, but I want to deny the host 192.168.5.100 -- just -- just a nice random IP address. I'll do space question mark and now it's asking me what are your wild card bits? Ahh, wild card bits, where did we see that before? OSPF.

00:04:08

The open shortest path first routing protocol, we had to type in the wild card mask to type in what networks we would like to advertise. And now they're back to haunt us. Wild card bits are going to designate what is significant about there? Meaning, do you want to match that exact IP address? If so, go in and put zero, zero, zero, zero. Meaning, look at and you remember the wild

00:04:30

card bits, zero means look at these -- look at 192. Look at 168. Look at 5. Look at 100. When that IP address comes through, identify it exactly and if that's it deny it. Now I can also go here and make it a little more broad. I can say 192.168.5.0 -- well, I wouldn't put 5 0, but if I did this what that says is deny everything starting with 192. Look at that first octet; 168. So everything starting with 192.168 and then I don't care; I don't care, is what those mean. What -- watch what happens.

00:05:06

I'm going to hit enter and then I'm gonna type in show access list using the do command, so I can do it from global config mode. Look at what it did. It said deny 192.168 -- ahh, zero zero. You catching that? It zoned out, it wiped out my 5.100 because it said I don't care what those are. You put 255s. Now if I were to go back up there and do no access list 1 deny, you know, remove that and try it again and then I put, you know, 0.0 right there and then do my show access list. Now it's just saying specifically

00:05:44

that host is there. The wild card bits disappear because if you notice it says you could put a return key after the 192.168.5.100 and it would assume you're talking about that specific IP address. This wild card mask of all zeros is optional. Matter of fact, let me hit the up arrow

00:06:02

and put in a no in front of that; wipe that out. I could type in access list 1 deny and check this out I could say host 192.168.5.100. And now when I hit question mark it doesn't even give me the option for a wild card mask because I've specified just that host. So what I've shown you there was essentially

00:06:24

two ways to accomplish the same thing -- three ways to accomplish the same thing of denying a specific IP address. So that's -- that's essentially our line one of the access list. Now I'm going to go in there, I'm going to say access list 1; it's the same list permit 192.168.5.0 with a wild card mask of 0.0.0.255. Now let's do a show access list -- if we could type. Now right here you can see first entry or what

00:07:03

the router is calling sequence ten and we'll talk about those numbers in just a moment. First entry says deny 192.168.5.100; second line says permit everybody else that starts with 192.168.5. So that's how we create a standard access list is we just identify the source IP addresses we want to permit or deny. Now remember,

00:07:25

think back to the rules we talked about in the previous videos. At the bottom of this access list is an implicit, invisible deny. Meaning, if you are not something that starts with 192.168.5.0, you will be denied. You'll be prevented from accessing whatever this access list is preventing you from accessing.

00:07:49

Speaking of that, let's apply this. Creating access lists you could do all day long. But they won't actually go into effect until you apply them. So you've seen the access list command. Here's how you apply. Go back to that network diagram and we're on router 3. We need to identify what direction we want to apply from.

00:08:09

Let's say that we want to protect router 3 from receiving messages from that host that we denied 192.168.5.100, right? So I -- I can apply inbound on serial 0/0. Remember, hold out your arms just like I talked about in the previous video, identify your direction as things are coming in that serial interface; that's where I want to deny that specific host. So that's where we need

00:08:36

to apply it, serial 0/0. So let's jump into interface serial 0/0 and here's the apply command -- IP access-group. I don't know; I know you're thinking I thought it would be access list. I don't know why they chose access group but they did. Access group applies

00:08:57

it and it says what access list number would you like to apply? And you think well I configured access list 1 so let's apply that. I'll put access group 1; question mark, inbound or outbound. Well, we identified on that network diagram we would like to filter it as it comes into our router. So

00:09:17

I'll put in; question mark. And it says go ahead and press return. So now I have applied that on router 3. It is allowing -- let me do a show I -- or hang on -- let me put do -- do show access list. It is allowing anything with 192.168.5.0 to come in or that -- that five subnet to come in. And this host,

00:09:38

that specific host will be denied. Also, the implicit deny catches everything that does not start with 192.168.5.0. You see a message come up across the screen -- look at this, neighbor 192.168.2.1 is down; the hold time or the dead timer expired. You want to know what just happened? We just severed connectivity to router 3. The neighbor, 192.168.2.1 is speaking of router 2. It just says I lost my connectivity to router 2. The reason why is because router 2 was coming in and -- and EIGRP was sending hello packets sourced with the IP address 192.168.2.1. Well, according to our access list, the implicit deny is killing anything with 192.168.2 because it doesn't start with 192.168.5. You see how dangerous access lists can be. I'm gonna hit the upper arrow and undo that; I'm gonna do no

00:10:31

IP access group 1 in and we should see our neighbor relationship restored with EIGRP. Yup, now we're up. We're back online because we're not coming from that. So that's -- that I just wanted to give you before we get into these scenarios. The general syntax of

00:10:47

working with access lists. Now with that in place, let's look at scenario one. Use a standard access list to block HostA from accessing HostB. And I have these hosts in place. We're going to be able to test this. HostA accesses HostB by going through router 2 through router 3, out and then ping right here. Now, I don't have his IP address. Let me wipe that off. HostB is .50, 192.168.3.50. So I'd like to start things off by going to HostA and doing a ping to HostB to make sure that we can access it right now.

00:11:25

HostA is right here; the -- the role of HostA will be a remote connection to my laptop. So, let me just do an IP config on this guy. And you can see that I have the local area connection; that's my LAN interface -- 192.168.10.50 -- jump back to the network diagram -- 192.168.10.50. So this is HostA right here. Now you can see the wireless

00:11:50

connection. This is how I'm connecting to it via remote desktop. It's just because these laptops are in another room. You can ignore this whole thing right here. Pretend it just does not exist because this is the interface that's actually being used. You can see this one doesn't even have a default gateway. So right -- so I'm on HostA

00:12:08

and I'm going to do, I'll even do one better than a ping. Let's do a trace route to HostC; correct? HostB -- HostB is 192.168.3.50. 192.168.3.50. I'm gonna do a trace route dash (-) D; otherwise, it takes forever. All right. So we can see that HostA went to 192.168.10.1; then 2.2; then 3.50. Let's verify that against the diagrams. Started off with 10.1. So HostA is in a VLAN, so it came over here, to its subinterface right there -- 10.1. The router took it and routed it back out over here to 2.2, there's 2.2. And then it finally hit the host -- 3.50 over there. So it is taking the correct direction to end up reaching HostB.

00:13:01

Good. Now I also have a remote desktop connection to HostB, which is over here -- let me just bring it into the window. This is HostB. Again, I have an IP config already up; there's 3.50. And I'm gonna do a ping to -- well, let's do a trace back. Trace route 192.168.10.50. That's our original host -- ahhh, trace route dash D. Otherwise, Windows tries to look up those IP addresses and figure out their name. There we go. That's -- that's what we thought

00:13:36

3.1; that's the Ethernet interface. 2.1; that's the WAN link. So 3.1, 2.1 and then it's getting to HostA. So we have verified both ways that HostA can access HostB. Now, use a standard access list to block HostA from reaching HostB. So I think the -- the first thing I want to do before we even get there is just pen this out on paper. It's always good to write down

00:14:03

your access lists on paper before you put them into the command line interface and that goes for most configurations. So I want to create an access list that blocks HostA from accessing HostB. I'm gonna use the command just like we had before access list -- access dash list 1 or -- we'll use 10 for this example. It's just a number and I'm going to say deny -- now remember a standard access list can permit or deny based on source. Only the source IP address. So I'm gonna put deny host, remember

00:14:39

that shortcut I just showed you a moment ago -- deny host and then I'll put the IP address: 192.168.10.50, which is deny that host; right? So that's what our access list should say; we should be denying it. Now with a standard access list, you cannot say denied from what because that's destination; that's what you need an extended for. So all we can say is

00:15:04

that host is denied. Now couple things on that. If you have an access list that is only denying something and you apply it, you have denied everything. Think through it. Do you know why? Because at the bottom of every access list, is the invisible, implicit deny. So an access list that

00:15:29

only has deny statements in it, will effectively deny everything if you permit. I mean, if we were to apply this we'll say you know, right here outbound or something in that -- that case it would check in and say, "Okay, are you this host because if you are you're denied." And then it would go to the next line, which is

00:15:43

invisible, it's a deny everything and it says, "Oh, and by the way if you're not that host you're also denied". So that's a -- a great warning to you because I've done this many times where you'll be on a router, you're -- you're quickly going through the config and you're like, oh, I just need to deny this one thing and apply. Wham!

00:16:02

The router connection goes down. So we need to follow this up; I'll say access list 10; permit, and there's a couple ways we can do this. Let me bring us back to our -- our router here -- just to show the syntax. Access-list 10, permit and I'll do a question mark. Now, you can either -- you can either

00:16:24

do it one of two ways. Permit any -- says any IP address. So going back to this, we have 10 deny host here and then we could put permit any. Let's try and squeeze it in over here -- permit any. And that would allow everything else -- so the implicit deny would never be reached. We can also put

00:16:43

access list 10 and permit the IP address 0.0.0.0 and follow it up with a wild card mask, which one do you think? To permit anything. That's it -- 255.255.255.255 -- you're saying permit this IP address and then I don't care I don't care I don't care I don't care. Watch what happens if we do that.

00:17:05

I'm gonna type show access list; I created access list 10, but look, the router recognized that and goes, "Oh, you typed that in, but you really meant any". Now I -- I don't want you to think one's better than the other. One's definitely shorter, but they -- they're both equal; you can type it in either way; that'll work fine. So I'm gonna do no access list

00:17:25

1 and a no access list 10 because there's still one more thing we have to figure out. This is the access list we need to create. Now my question to you -- where do we put it? And in what direction do we apply it? If you want to please pause the video and think through that. Identify where we're coming from

00:17:46

and identify where we're going to. Okay, pause now. Okay, you're back right? You've -- you've paused it; right? No, you -- you didn't pause it. Pause it. Okay, now you're back. HostA, right here is going to be accessing HostB. There's three, four -- four different

00:18:02

places that we could apply this. We could apply it as HostA comes in to its default gateway. This is a valid place to apply that access list. I could apply it on fast Ethernet 0/0.10 inbound. Now if I did that, I mean I know we've got VLANs here; it's a, you know, a little not as clear as what it would be if we didn't have VLANs but by applying this in it would be as if HostA were connected to its router. And we said, "Okay, as you come in your default

00:18:36

gateway's IP address, you will be denied". If we do that, well, will we accomplish our objective? Yes, HostA will not be able to access HostB. However, HostA will also lose access to everything else; we've denied too much. So we can't apply it in right there. We could apply it out right

00:19:01

here. And that as HostA when, you know, came in that interface, it would start routing them. But as it saw, "Oh, I'm gonna send you out this link", it would be denied. Problem with that: you've denied too much. Now I know in this picture right here, it looks like, oh, well that -- that would accomplish our objectives and it would. But what if router 3 had another connection to, you know, some other router down here in some other network that we didn't want to deny HostA from reaching? Well, that would deny too much.

00:19:27

So -- let me just keep that imaginary network there for now. So other potentials, we could apply it inbound right here but same problem. As soon as he tried to come in router 3 he wouldn't be able to get out to this mystery network over here. The best place to put this is as he goes out, again, hold your arms out -- you are a router; as the HostA goes out, the router 3 Ethernet 0/0 interface is gonna say you are denied. Now the argument could be well, what if there's

00:20:01

other hosts on that network? Well, unfortunately using standard access lists, that's the best that we can do. Because we can't say what he's denied from, so the best practice and here's -- here's the rule that Cisco recommends -- the best practice with standard access lists is to place them as close as possible to the destination.

00:20:24

Whatever destination you're trying to access, put it as close as you can to there, because if you put it too close to the host; too close to the source is what I should say, he may deny them from too much. Since we can't say what they're denied from, they have

00:20:39

to get all the way across the network to the -- near the destination just to find out they're dropped. It's kind of a bummer. HostA is all excited, you know? I'm going. I'm going. It's crossing the WAN link; I'm getting to the router and wham! It dies as soon as it tries to exit that interface.

00:20:52

But that's all we can do with the standard access list. So let's make it happen. Again, let's try it one more time just to make sure we're working. I'm gonna ping 192.168.3.50. And we are working; this is from HostA. So with that in place, let's go to router 3 and put this in action. I'm on -- hey, I'm there right now. I'll do access list.

00:21:14

Oh, let's use 25. I like using nice random numbers. Remember, we're specifying a standard access list. I'm going to deny the host 192.168. -- he was 10.50. I don't know why I keep forgetting that --10.50. So we follow that up with access list 25 permit any -- to permit everybody else because an access list of all denies denies everything. Get into interface and what interface was

00:21:45

that? Let's do a do show IP interface brief; my all time favorite command. Oh, look at all those loop backs. This is the 192.168.3.1 Ethernet 0/0 -- interface Ethernet 0/0 and here's the command. IP access group 25; that's the access list number we want to apply and the direction will be out.

00:22:13

I want to make sure I emphasize that one more time. As somebody is going out this interface, be the router -- be router 3, hold your arm out, your right arm is Ethernet 0/0. As somebody tries to leave your right arm, if they are the source, 10.50, they will be denied. Now let's watch it happen. Let's go into that host; hit the

00:22:38

upper arrow and do that ping again. Look at that; we were successful up here and now it is coming back destination net is unreachable. Reply from 192.168.2.2; who is that? That's router 3. Sweet! So it's working. Now -- now watch this. I'm going to go back to router 3, and I'm gonna do my favorite verification command for access lists; show access list. It's simple. It works and it even

00:23:06

shows how many matches you've had on each -- each one of those. It has denied 10.50 eight times; eight times when it was trying to access that host. Now you can see eight, let's just hit the -- hit the upper arrow and do that ping again. While it well -- whoa, holy cow!

00:23:26

That was insane -- while that ping was going through, I was trying to be fast it didn't work. Look at that -- sixteen matches. So what does that tell me? It tells me that Windows Vista is sending two ping packets every single time it tries to ping. It shows four of them, but it must be sending two ping packets each time because each time I do this ping, you can see the counters increase, by eight. Interesting, I learned something new about Windows Vista.

00:23:55

So with that, that's -- that's how we have accomplished scenario one. Block HostA from accessing HostB. Holy cow, look at that time I get so into this, I'm just, let's -- let's make this video an hour. No, let's not. Here's what I'm gonna do. I'm gonna do scenario one and two in this

00:24:14

video and then we'll do scenario three and four. I'll make a part two to the access list configuration because I'm not gonna do it. Not going to make it through that extended access list and meet my 30 to 40 minute time buffer. All right. So scenario two: use a standard access list to prevent HostA

00:24:38

from Telnetting or SSHing to router 1. Essentially managing it remotely. What I am showing you as I do this is an extremely common use of standard access lists. By default Cisco routers allow anybody to Telnet or SSH into them as long as they have the right username and password. Now, couple that

00:24:59

with the problem. Cisco routers will let you try passwords all day long. Meaning, they're not going to lock you out after you miss the password three times or five times and then you have to, you know, call an admin or something like that. They'll just let you keep trying

00:25:12

keep trying, until someday, somebody's going to figure it out and break on in. So what a lot of people will do is only allow certain hosts to Telnet to the router. Let's -- let's see, we're on router 1 right? Router 1 as of right now, let's just verify. HostA -- let me clear the screen -- HostA can ping router 1 192.168.1.1; that's router 1. And I'm gonna Telnet: 192.168.1.1. Hass -- oh, no, we can't; he can't. There he is. So please don't log in

00:25:51

oh, he guessed it; he's in. So he is able to access router 1. So our goal is to deny or prevent HostA from Telnetting or SSHing to router 1, but not affecting any other access. Meaning, if we were to -- to apply a standard access list just like we did on router 3, saying deny 192.168.10.50 inbound on router 1, well, HostA sure -- he wouldn't be able to Telnet into router 1, but he wouldn't be able to access the internet either. He wouldn't -- wouldn't be able to do many things.

00:26:27

As soon as he got to router 1, he'd be blocked. So you can apply a standard access list not only to an interface, but you can apply it to your VTY ports. Let's go to router 1 and I'll show you how. Pull up my connection here. Still on router 3, let's hop on over to router 1. Let's get all this out of our mind because we're done with router 3. All right. We're sitting on router 1. I'm gonna do well, let's -- let's just go right into it. Let's create the access

00:26:58

list. On router 1 I'm going to type in access list and we're still using a standard access list so something from 1 to 99. Access list, 70. Now as a side note, made me think of it when I hit the question mark. I don't know if you remember but when I hit the question mark on router 3, do you remember it had those IPX access lists in there, too? We don't see those on router 1 and it's a simple reason that router 1 has an IOS version, a software version, that doesn't support the IPX protocol or the DECnet protocol. You might -- might have seen me highlight

00:27:33

that one I when I was on router 3. That's because those are old. Router 1 is new. It has a new IOS version and they discontinued support for those protocols. People don't use them anymore. So I'm just gonna use access list 70. So standard access list; question mark permit or deny. Now before I go any further,

00:27:52

let me first mention, there's usually a little better strategy with picking access list numbers than what I am showing you right now. Right now I'm just kind of randomly going in man like oh, let's throw a dart at the dart board; 70 sounds great. Usually people will go in order and they'll say okay one, access

00:28:09

list one, okay. When they're done with that one they'll start and create another one two, and so on. Every access list could have hundreds or even thousands of lines in it. So there is practically no real limit on how long an access list can be. But do you remember that once you apply an access list, all those lines will take effect. So let me show you using a remark.

00:28:31

I'm gonna type in access list 70; remark; question mark. It says comment up to a hundred characters. I usually put my remarks in all capitals. This will deny HostA -- oops, A -- from Telnetting to R1. So I just put a nice little comment in there. Now I'll follow

00:28:52

that up with -- oops, turn off my caps lock -- access list 70; deny and we'll do HostA. And I'll do it a little different this time. I'll do 192.168.10.50; that's HostA. Follow that up with that wild card mask of 0.0.0.0 which says specifically that Host. Good. So I'm gonna hit enter, I've put in the

00:29:15

deny. Now remember we have to add -- add at least one permit statement. So I'll say access list 70; permit everybody else, permit any. So it's the identical access list to what was on router 3. I'm gonna type in show access list 70 and you can see there it is -- access list 70. Oh, this IOS version doesn't show the remarks. Let me do a show

00:29:42

run include lines that have access list 70. They -- they will show up in the running config. You can see that that's where we see our remarks. And some of the other IOS versions will actually put the remarks in the show access list command. So okay -- so we've

00:29:58

got the access list. Now the question is where do we apply it? I already told you we can't apply it to the interfaces of router 1 or else we -- we would block HostA from reaching the internet. And we'd block too much. So what we can do and this is a very

00:30:16

unique feature for standard access lists; we can go under our VTY ports. Remember, VTY, line vty 0 (space) 4. That's our Telnet ports. It may have been a little while since we've done that. So I'm under the Telnet ports and I want to apply an access list to the Telnet ports to prevent who can come in them. So I'm gonna type in and

00:30:40

again, we go back to the question why did -- why did Cisco use IP access group to apply an access list to an interface? And you'll have the same question because the commands are different. They use the command access-class to apply an access list to VTY ports. They don't use access

00:30:59

group; it's access class. It's functionally the same as the access group command, it's just for whatever reason you know that developers at Cisco were up a little late one night and they're like hey, why not? Let's make it access class. So I'm gonna type in access -- and also

00:31:15

notice there's no IP on the front of that one. Just access class, unlike IP access group. So I'm gonna type in access class. I want to filter this using access list 70. And I want to filter incoming connections -- as people are coming in or Telnetting into this router on these VTY lines, I want to filter them based on that access list.

00:31:41

99.999999 percent of the time, you will always apply access class in the inbound direction. If you apply them outbound, weird things can happen; that's where you will suddenly randomly not be able to Telnet certain places from your router for some strange reason. So we're

00:31:57

filtering it in. All right, cool. I'm gonna type in show access list 70. Check it out, we see it right there; looks good. Let's now go back to our client. He's still on the router so he's got an existing session I'm gonna kill. Hit the up arrow; Telnet 192.168.1.1. Denied.

00:32:23

Try it again. Denied. Totally denied and I'm coming back here to my -- oops, my session with router 1, do the show command and you can see the deny has now been matched six times for Telnet access. That tells me another interesting fact, every single time I tried to Telnet with Windows Vista, it sends three packets -- three attempts to try and open that session before it finally says connect failed. Now okay, that's good -- that's good, we denied

00:32:53

HostA, but what about the other hosts? Could HostB access that router because we didn't want to deny HostB, right? Well let's try it out. I'm gonna bring up HostB, right here. This is HostB 3.50. And let's Telnet from HostB to 192.168.1.1. And look at that.

00:33:12

HostB can still get in. And while we're Telnetted in on HostB, let's try this. I'm gonna do a show access list because we should see -- oops, oh, don't look -- don't look at that. You did not see that; that's for the next video. Show access list 70. Look at this: access list 70 is our Telnet access, still got the six denies for the 10.50, but look now the permit is getting matches as well, showing that HostB over here is being permitted to enter that. Good. So we now have completed

00:33:50

scenario one and scenario two; prevented that and blocked Telnet access for HostA. I'm going to freeze frame that network diagram with the first two scenarios completed as we transition into the next video which is going to pick up right where we left off. We've now

00:34:09

completed standard access lists. Again, standard access lists are fantastic because they're very easy on your processor but very limited in what's possible, denying only on the source address. So most people will use them for functions like VTY access, where you can be you -- where you apply it is very specific and you don't accidentally prevent somebody from reaching too much. In the next video, we'll pick up with the extended
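The standard list built in this video, and the way it is evaluated (top to bottom, first match wins, with the unwritten deny at the end that makes the "permit any" line necessary), as an added Python example that is not from the video, from CBT Nuggets, or from Cisco IOS. It parses constructed config text echoing the commands typed above, matches source addresses against wildcard masks the way a standard ACL does, keeps per-line hit counters like the "matches" the trainer reads off the show command, and goes one step beyond the video by also handling a wildcard that covers a whole subnet. The config text, the output formatting and the six-packet count for HostA are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed config text (assumed), echoing the commands typed in the video.
# In a standard numbered list IOS accepts "host A", "A wildcard" or a bare "A"
# (treated as a single host); "any" is shorthand for 0.0.0.0 255.255.255.255.
CONSTRUCTED_CONFIG = """
access-list 70 remark THIS WILL DENY HOSTA FROM TELNETTING TO R1
access-list 70 deny 192.168.10.50 0.0.0.0
access-list 70 permit any
"""


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


@dataclass
class Entry:
    action: str        # "permit" or "deny"
    network: int       # address part of the line, as a 32-bit integer
    wildcard: int      # wildcard mask: 1 bits are "don't care", 0 bits must match
    matches: int = 0   # hit counter, like the "(n matches)" in the show output

    def matches_source(self, src: int) -> bool:
        # Compare only the bits the wildcard marks as "care" bits.
        care = ~self.wildcard & 0xFFFFFFFF
        return (src & care) == (self.network & care)

    def text(self) -> str:
        if self.wildcard == 0xFFFFFFFF:
            target = "any"
        elif self.wildcard == 0:
            target = f"host {ipaddress.IPv4Address(self.network)}"
        else:
            target = (f"{ipaddress.IPv4Address(self.network)}, wildcard bits "
                      f"{ipaddress.IPv4Address(self.wildcard)}")
        suffix = f" ({self.matches} matches)" if self.matches else ""
        return f"    {self.action} {target}{suffix}"


@dataclass
class StandardAcl:
    number: int
    remarks: list = field(default_factory=list)
    entries: list = field(default_factory=list)
    implicit_denies: int = 0   # packets that fell off the end of the list

    def evaluate(self, src: str) -> str:
        """Return the action for a packet with source address `src`."""
        src_int = _to_int(src)
        for entry in self.entries:          # first matching line wins
            if entry.matches_source(src_int):
                entry.matches += 1
                return entry.action
        self.implicit_denies += 1           # the unwritten "deny any" at the end
        return "deny"

    def show(self) -> list:
        """Lines in the spirit of the show command (formatting is ours, not IOS's)."""
        return [f"Standard IP access list {self.number}"] + [e.text() for e in self.entries]


def parse_standard_acls(config: str) -> dict:
    """Build StandardAcl objects from 'access-list N ...' lines; other lines are ignored."""
    acls = {}
    for raw in config.splitlines():
        parts = raw.split()
        if len(parts) < 3 or parts[0] != "access-list":
            continue
        acl = acls.setdefault(int(parts[1]), StandardAcl(int(parts[1])))
        if parts[2] == "remark":
            acl.remarks.append(" ".join(parts[3:]))
            continue
        action, rest = parts[2], parts[3:]
        if action not in ("permit", "deny") or not rest:
            raise ValueError(f"cannot parse ACL line: {raw!r}")
        if rest == ["any"]:
            network, wildcard = 0, 0xFFFFFFFF
        elif rest[0] == "host":
            network, wildcard = _to_int(rest[1]), 0
        elif len(rest) == 1:
            network, wildcard = _to_int(rest[0]), 0
        else:
            network, wildcard = _to_int(rest[0]), _to_int(rest[1])
        acl.entries.append(Entry(action, network, wildcard))
    return acls


def demo() -> list:
    """Replay the video: HostA tries Telnet twice (three packets each), HostB once."""
    acl = parse_standard_acls(CONSTRUCTED_CONFIG)[70]
    for _ in range(2 * 3):
        acl.evaluate("192.168.10.50")   # HostA, denied by line 1
    acl.evaluate("192.168.3.50")        # HostB, falls through to "permit any"
    return acl.show()


if __name__ == "__main__":
    print("\n".join(demo()))
```

Because `access-class 70 in` on `line vty 0 4` only ever sees the source address of the incoming Telnet session, a source-only standard list is a natural fit there, and the counters show exactly which line each connection attempt hit. The same parser also shows why the "permit any" matters: a list containing only the deny line denies every other host through the implicit deny, which this simulation counts separately so the effect is visible.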

Jeremy Cioara
Nugget trainer since 2003