
Cisco CCNA certification proves your professional worth. It tells prospective employers that you can handle the day-to-day work of running a mid- to large-sized Cisco network.

The two-exam CCNA process covers lots of innovative features, which better reflect the skills and knowledge you'll need on the job. Passing both exams is your first step towards higher-level Cisco certification, and trainer Jeremy Cioara has mapped these CCNA training videos to the 640-816 test. This CCNA training is not to be missed.

Here's how one user described Jeremy's training: "By the way, Jeremy Cioara has to be by far one of the BEST Cisco trainers I have ever had the privilege to learn from overall. He not only keeps your attention but his energy is contagious and he provides the information at a level where you grasp it rather easily."

The last day to take the 640-816 exam is Sept. 30, 2013. After that date, the only ICND2 exam available will be 200-101. CBT Nuggets has a training course for the 200-101 exam here.

1. Review: Rebuilding the Small Office Network, Part 1 (33 min)
2. Review: Rebuilding the Small Office Network, Part 2 (28 min)
3. Review: Rebuilding the Small Office Network, Part 3 (23 min)
4. Switch VLANs: Understanding VLANs (16 min)
5. Switch VLANs: Understanding Trunks and VTP (39 min)
6. Switch VLANs: Configuring VLANs and VTP, Part 1 (35 min)
7. Switch VLANs: Configuring VLANs and VTP, Part 2 (39 min)
8. Switch STP: Understanding the Spanning-Tree Protocol (28 min)
9. Switch STP: Configuring Basic STP (21 min)
10. Switch STP: Enhancements to STP (29 min)
11. General Switching: Troubleshooting and Security Best Practices (29 min)
12. Subnetting: Understanding VLSM (18 min)
13. Routing Protocols: Distance Vector vs. Link State (26 min)
14. Routing Protocols: OSPF Concepts (30 min)
15. Routing Protocols: OSPF Configuration and Troubleshooting (39 min)
16. Routing Protocols: EIGRP Concepts and Configuration (32 min)
17. Access-Lists: The Rules of the ACL (27 min)
18. Access-Lists: Configuring ACLs (34 min)
19. Access-Lists: Configuring ACLs, Part 2 (48 min)
20. NAT: Understanding the Three Styles of NAT (20 min)
21. NAT: Command-line NAT Configuration (35 min)
22. WAN Connections: Concepts of VPN Technology (33 min)
23. WAN Connections: Implementing PPP Authentication (34 min)
24. WAN Connections: Understanding Frame Relay (28 min)
25. WAN Connections: Configuring Frame Relay (30 min)
26. IPv6: Understanding Basic Concepts and Addressing (34 min)
27. IPv6: Configuring, Routing, and Interoperating (23 min)
28. Certification: Some Last Words for Test Takers (13 min)
29. Advanced TCP/IP: Working with Binary (25 min)
30. Advanced TCP/IP: IP Subnetting, Part 1 (55 min)
31. Advanced TCP/IP: IP Subnetting, Part 2 (22 min)
32. Advanced TCP/IP: IP Subnetting, Part 3 (19 min)


00:00:00

Alright, as I promised we are going to pick up with this video right where the previous one left off. So if you haven't seen the standard access lists video, jump back and check out that one first because extended is a little more complex. We're going to pick up with the second set of scenarios, scenario three and four, using extended access lists to permit or deny IP and TCP access and also explaining many of the other things that they're able to do. So let's get going.

00:00:28

I'd like to approach the extended access lists the same way that I approached the standard in that before we jump into this scenario three and four on the whiteboard here, I'd like to talk about the syntax in general and then we'll, we'll hit these, these scenarios directly. Now, I do have to warn you before we

00:00:47

get going with the extended access lists that some people consider the extended access lists the most difficult concept in CCNA. I don't think it's that bad, but I do think that the syntax can be a little frightening the first couple times through it. The first thing that we need to do is break down the extended access list into its major pieces. The command structure

00:01:11

is just like the other one, we type in access list to start off and an identifier or a number from 100 to 199 just like we saw in the previous video. Now, that identifier tells the router you're creating an extended access list. From there you have your permit or deny just like the standard and then we see our differences. We get to choose what protocol

00:01:34

we would like to permit or deny. Examples of that might be like TCP or UDP or there's, there's some other ones we'll talk about in just a moment. We then type in our source information and then we follow that up. I'm going off my little white pad here. We

00:01:53

follow that up with our destination information. So I might say something like access list 100 permit the TCP protocol from this IP address to that IP address. Not too bad when you think about it that way but there are more options that you'll have to weed through like port numbers and stuff like that which, which we will get into as we get into scenario four right there. So what I'd like to do is, is just walk

00:02:22

through a syntax of a couple access list commands and then we'll look at the scenarios specifically. To demo this I'd like to jump on to router three. It's a good place to just try some syntax. On router three I'll get into global config mode and do access list and a question mark. There's our options

00:02:40

as we saw before. Extended access list is any number from 100 to 199. I'll pick 150 right in the middle. It comes up and says, do you want to deny, dynamic. That's, that's some of the other options and we're not going to talk about every option with these extended access lists. We'll say deny, permit or remark.

00:02:59

So we'll say access list 150, let's do a deny. It comes up. Now we're given our protocol options. If you're wanting the OSI model, these are all the protocols at layer four of the OSI model. TCP, UDP, you see those at the bottom. But we also see ICMP, ESP, that's used for VPN connections. There's many different

00:03:22

options in here, but let me just focus in on what we need at the CCNA level. There are four different protocols, IP, TCP, UDP, and ICMP, okay? Now, TCP and UDP we already know about. Those protocols are used, you know, as a reliable connection or an unreliable connection. Things like web browsing, FTP sessions, Telnet

00:03:49

sessions, SSH, there's all, you know, email, SMTP, they all use reliable connections. Most of our applications do. Things like voice over IP, video streaming, online games, instant messengers, those all use UDP-based communication because they're all unreliable.

00:04:07

So, if, depending on what kind of applications we're using we could choose those protocols. But we also see ICMP. ICMP is the Internet Control Message Protocol. The, it's used for a lot of things, but the primary application you want to remember for it for the CCNA level is ping.

00:04:30

Anytime you ping something it is using the ICMP protocol. Technically a ping is an echo and an echo reply. Think about a submarine, underneath you're going bong, sending out a sonar and you expect to hear that back to see where things are. In the same sense, the ping command sends out a message known as an ICMP echo and the device that receives it sends back an echo reply.

00:04:54

That's technically how ping works. But ICMP is used for a lot of different things, that's, ping is I would guess the most famous of them all. Last but not least is the IP protocol. That one is used, and you can see that right here in this list, oops, right here, to encompass everything. For example, if I were to say

00:05:17

deny TCP, then I'd only be denying TCP applications for something. Like maybe I want to deny one host from accessing another completely. If I deny TCP, that would just deny TCP applications but they'd still be able to use UDP or ICMP, things like that. If I just denied one of the other ones, you'd miss them all.

00:05:39

IP is everything. As you can see in that description right there it says any Internet protocol is encompassed in that. So if I said deny IP, that means TCP, UDP, you know, all these. Everything is denied. So let's, let me first show you an example of that one. I'll say

00:05:59

deny IP and it says what, what source address would you like to deny? I'll say 192.168.10.50 just to pick on HostA. We will deny that address and it says what wildcard mask would you like? Well, since it's just a single host, a specific wildcard mask will work. Now, I hit the question mark and it says, okay, what,

00:06:21

what destination do you want to deny? So I'll say the destination will be, just for this example, 192.168.3.50 followed up with the wildcard mask 0.0.0.0, question mark, and now it's given me some options. Do you want to set DSCP? Do you want to check non-initial fragments? Do you want to log anytime this happens? You know, is there specific time ranges? All these options are part of the CCNP track. So we're not going to do that.

00:06:55

You can see at the very end is return, and most, I'll tell you, most of these options are rarely used. So I'm gonna hit enter and I've now created my first extended access list. What it does, access list 150 denies this source from accessing this destination using any protocol in the TCP/IP protocol suite.

00:07:18

Going back to that syntax I wrote up there, you know, deny, protocol, source, and destination. So I know what you're thinking. It's not too bad, right? Not too bad at all. It's not if you, if you look at it that way. But it is pretty long. And also, you know, realize that you

00:07:33

could combine things up, you know. If we were going back here, access list 150, deny this source. I could do space question mark and I'll say, instead of putting the IP address like I did up here, I can also put, you know, host 192.168.3.50 and that would do exactly the same thing.

00:07:50

There's different ways to write it, you know. This is using a wildcard mask. This is using the host keyword. But functionally that and that are the same thing. The IP protocol is, is I would say the easiest one to permit or deny because it's just saying from this IP address to that IP address.

00:08:09

Now, let's look at, we'll say, TCP. Access list 150 deny, let's do TCP instead of IP. And remember, this is just, I'm showing the syntax. I'm not looking for any specific mission here. We'll say I'm gonna deny the TCP protocol from, and we can see that same host 192.168.10.50 space question mark.

00:08:33

It says what wildcard bits, 0.0.0.0, so specifically that host. And now we'll start seeing a little bit of difference. With the TCP protocol it says, okay, well, TCP can have port numbers, meaning you might not want to deny the whole TCP protocol. You may just want to deny a certain port.

00:08:57

Now here's the catch. If I go in here and type in deny TCP 192.168.10.50 without wildcard mask and I say, oh, oh, I only want to deny that guy from surfing the web. I could put equal to, you can see eq, match only a given port number, space question mark. And then it says, okay, well, what, what, port do you want? And it gives

00:09:19

a lot of the common ports that people will use in here, or they can say right up top you can just type in the number. So you might say, well, I want to deny that host from using port 80, which is HTTP, web access, surfing the web. Now, there's the problem.

00:09:36

When we type that in, we're denying this source and this source port number. It's time for a little review. Remember, when, whenever we have a computer that is surfing the Internet, you are going to, we'll say google.com. I'll just put g.com. When this computer

00:10:00

goes out, it's going to be going to the destination port number 80 which is how google.com knows that you're accessing the web services on there, not email or not anything like that, destination port number. But the computer, when you go and surf the website, generates a source port number at random, meaning Firefox or Internet Explorer or Safari. Whatever web browser you're

00:10:28

using will automatically be assigned a port number. We'll say, and it's going to be greater than 1024, we'll say 3192, okay. So when you transmit to google.com you'll come from a source of 3192 to a destination of 80 and that's how Google knows to send you to the web services.

00:10:48

And when it sends that web page back to you, it will send to a destination of 3192 from a source of 80, and that's how your computer knows to give it to the Internet Explorer window or Firefox window because that window has been assigned for a time that specific port number.

00:11:07

Now, rarely, if ever, will you ever know what source port number a computer is going to be generating because it's at random. So when we come back here to this syntax, this is where it's very easy to get tripped up because you type in a source of this and we say equal to 80 but we're denying that host from using the source port of 80. Remember this host is the one surfing the web. It's never going to come

00:11:36

from a source port of 80. It's only going to be going to a destination port of 80. So how do we fix that? Well, you can see right here I typed in deny TCP from this source IP address and now it's giving me the option to type in port numbers but I'm not going to take that option. I'm not going

00:11:55

to put in a port number at this point. I'm just going to say the whole host, deny, you know, any source port number from accessing and now we can move on to the destination. If I'm talking about the Internet, I'll say any. Deny this source from accessing

00:12:10

any destination using, and now I hit the question mark, and the port numbers are still there. You see that? Equal to a port number. Not equal to a port number. Less than a port number. You know, all these are port number options, but now, since we're typing it after the destination, we're talking about the destination port number. So the correct way to type in, if I was denying that host

00:12:36

from surfing the web, I put equal to 80. Deny this protocol from this source host to this destination on the destination port number 80. Phoo, not quite as easy as the IP protocol, but that's how that, that's how you can write an extended access list.

00:13:03

So with that in mind, what I would like to do is walk through both of these scenarios one by one and implement extended access lists in the best possible way. So Scenario 3: Use an extended access list to prevent HostA from accessing the R2 WAN link. Now when I see that, my initial thought goes to well, does that mean this IP address or does it mean the WAN link? Well, I would say it means the link, meaning prevent HostA from accessing this IP address or that IP, excuse me, that IP address, okay? So I'm going to, well, let's just clear all this off. First thing I'm going to do is go over to router three

00:13:51

and I'm going to remove any access lists that are on there because I don't want any of those causing any confusion or conflicts with what we're about to do. We've got access list 25 from the last video and 150. So I'll just do no access list 25. Wham, it's gone. No access list 150, wham, it's gone. So with that in place we now have no access lists created on this router. It's empty. And I'm going

00:14:20

to hop over to router two to do this demonstration, to create this, this access list. Now, we'll talk about the placement of the extended access lists in a moment but let's first create it. It says prevent HostA from accessing the R2 WAN link. HostA is 192.168.10.50. The R2 WAN link is this subnet. So it, notice it didn't specify any protocol.

00:14:45

It didn't specify anything. So I'm assuming all access from that subnet. So I'm going to jump back up here, router two, and I'm going to go into global config mode and create an access list. We'll do access list. Let's start at the first one of the extended range, access list 100. I'll say I want to deny the IP protocol because in my scenario it says accessing the R2 WAN link, the whole WAN link. It doesn't matter what protocol. So I'm going to say complete access. No matter what

00:15:18

protocol they're using is going to be denied. So I'm saying deny IP from the source. We'll say from the source host 192.168.10.50. Now, you'll notice that I'm using the question mark the entire way through this access list. This is normal. Most people do use the question mark.

00:15:40

And when you're on the CCNA exam, if certification is your focus, you will be able to use the question mark yourself in, in configuring this. So you can safely get used to it. So I'm going to say deny that host 10.50. Now I'm going to hit the question mark, and it's saying from what destination? Hmm, we'll just take a look. It says the R2 WAN link. So I have, I have two options here. I can either

00:16:06

create one line and deny them, deny that host from that whole subnet, the 2.0 subnet, or I can put two lines in an access list and say deny it from that host and deny from that host and, and put it in two lines. Now, the best bet whenever you're considering

00:16:23

access lists is to do it in as few lines as possible. The reason why is because the more lines you add, the more processing the router has to do. It's kind of like having a large routing table and it will slow the router down. So let's do it efficiently.

00:16:36

Let's do it in one line. I'm going to say deny that host from accessing the destination address 192.168.2.0 with a wildcard mask 0.0.0.255 which says specifically 192.168.2 denying from accessing anything that has specifically 192.168.2 and I don't care what comes after that. So anything

00:17:03

that starts with this you will be denied from. This last actually doesn't matter. So do a question mark and it says, you know, here's all your logging, time range. We're not going to use any of those options. We're just going to hit enter, okay. Now, I have to remind you the same rules apply for extended access lists as they do for standard access lists. If you have

00:17:29

an access list with all denies it will deny everything because at the bottom of this extended access list is an invisible implicit deny. So what I would say is after we're done doing what this scenario asks for, which is denying that host from accessing that WAN link, then we should be able to go in and permit everything else.

00:17:49

Now, you remember from our extended access list that we typed in permit any but it won't take that with an extended. We have to type in permit and then what protocol. Well, for permitting everything, it's going to be the IP protocol, and we'll put from any source to any destination.

00:18:08

That is how you do a permit everything using extended access lists. I'm going to type in show IP access list. By the way, show IP access list and show access list do the exact same thing. So sometimes I'll use one or do the other, what's ever on my mind at the time.

00:18:23

And I can see there is my deny from that host to that subnet, and then I'm permitting everything else. Good. So we've got the access list written that will do what it needs to do, but now we have to apply it. Hmm, think about it. If you were looking for efficiency and for completing the task, you want to make sure that you deny that host, where would you apply that access list? Option A, we can apply that access list as the host comes in.

00:18:58

You know, remember this is on a VLAN so it's going to be coming in right here on this default gateway. That's option A that we could, we could apply it. We could apply it in the direction inbound. As that host comes in it's going to ask are you that source? Are you accessing that destination? If so, you're denied. That's our first option.

00:19:16

Second option is we could apply it outbound right here. And as that goes out, the router two would ask are you the source? Are you trying to access that destination? If so, you are denied. So we'll call that option B. Option C, we could apply it inbound right here. So as it gets to router three it will say

00:19:40

are you that host? Are you accessing the WAN link? If so, you are denied. You are on a certification exam. D is none of the above. What, what letter do you pick? Remember, we're after efficiency and we're after accomplishing the objective. The correct answer is A. B would

00:20:05

accomplish the objective. It would work if I put it at B. But it would cause unnecessary processing, meaning as HostA comes into the FastEthernet 0/0 it will be able to check and say, are you this host, 10.50? The host will answer, yes, I am. The router will say, are you trying to access this destination, you know, the 2.0 subnet? And the host will answer, yes, I am. So before the router even has to allow it into itself, into that default gateway, it will say, well, since those two criteria are true, you are denied.

00:20:41

Now, if we applied it outbound, the second option, option B, on router two, HostA would get into the router, meaning it would come in, the router would say, are you this host and are you going to this destination? The host would say yes. So it would say, okay, great,

00:20:56

I don't have an access list here so let me look up in the routing table. Okay, it looks like you need to go out 0.0/1/0. So let's go ahead and route you over. So the packet would be moved from the Ethernet interface to the WAN interface, but before it's sent the router would say, oop, I see there is an access list outbound on that interface. Let's check you. Oh, you don't match.

00:21:16

You will be denied and dropped. The problem is that squiggly line right there. It had to process that in order to make that determination. So now we come to the next best practice rule of Cisco. Standard access lists should be applied closest to their destination because in a standard access list, remember we're talking scenario one and two there, you can't say what they're denied from.

00:21:40

So by putting it too close you may deny them from too much. So you can think of it as standard, I'll just put stand equals destination. Extended, the best practice is to apply them as close as possible to the source because you can in an extended access list say what they are denied from. So if we can get, you know, if,

00:22:08

if we could, you know, if it were possible to apply it on the switch, by golly, do it there, you know, if you can, because as that host is coming into that interface, we can say, are you this host? Are you trying to go there? If you are, you're denied. You've prevented it from even being

00:22:23

processed by the router. But applying access lists on switches is part of CCNP track. We're not going to talk about that here. But, so the closest source that we have is our router and its default gateway. So let's go back on to router two. I'll do a show IP interface brief just to verify. There is

00:22:43

FastEthernet 0/0.1. And you know what, before I apply this access list, I want to make sure that HostA can indeed access that WAN link. Let's bring up our connection to HostA. Whoa, he's a little off there. I'm going to ping 192.168.2.1, it is replying, and 2.2. It is replying. So it is able to ping 2.1 and 2.2 and why not? Let's do this. I'll also ping

00:23:09

3.1 because I want, oops, 3.1 because I want to make sure. Sure enough we can get to 3.1 which is on the other end of the WAN connection. So what I'm going to do is go on to that router under the FastEthernet 0/0.10 which is Host A's default gateway. And the same command as before,

00:23:27

IP access group 100, the name of our access list or number, and what direction in. Now again, with extended access lists, it especially is important to hold out your arms and really determine which direction it's as that source comes in that FastEthernet 0/0.10 that is going to be processed. If it were going out,

00:23:54

if I applied it in the outbound direction, the source would be seen as if it were leaving that interface which is not true. That would probably mean it's coming from somewhere else on the network than, than that interface. So we've applied it in, right? Let's do a show

00:24:10

access list 100. It looks like it's there. No, no packet hits yet. Let's jump back over to the host. Alright, let's do a clear screen and we'll do ping 192.168.2.1. Look at that, destination net unreachable. Ping 192.168.2.2, destination net unreachable. Reply from our router, 10.1, you are being denied. Let's jump on over to our router and hit that up arrow, and look at that. We are getting matches now on that deny

00:24:42

to 192.168.2.0. Now, I've got a question for you. What do you think? Will HostA, we just verified HostA cannot access 2.1. It cannot access 2.2. Will HostA be able to ping 3.1 or this IP address on router three? Think about that. What do you think? Jeopardy music enters here. The answer to that question is yes.

00:25:12

Now, wait a sec, you might be thinking. He, he is using the WAN link to get there. That's true. He is using the WAN link to get there, but the WAN link is never in a destination field of the IP header. And this is why it's so important to understand how networks communicate before you get to this point is because HostA, when it's engineering the packet, it will have some data. It will put its, you know, protocol which

00:25:38

is TCP or UDP or ICMP, source and destination port number, source and destination IP address. If I were to ping 192.168.3.1, the source IP is 10.50 which is HostA. The destination IP is 3.1. So when it comes in to router one and it looks at the access list, it's going to say, okay, are you that source, 10.50? And it says, yes, I am. And it says, are you trying to go to 2.0, the 2.0 subnet? And the host will say no, no, I'm not. I'm trying

00:26:10

to go to 3.1. And so the router will say, okay, well, then I guess that access list does not match. I will go ahead and allow you through. So let's test it just to be sure. I'm going to bring up that TeraTerm and you can see as of right now we've got the deny and we've got some permit traffic that has made its way through since I've been talking. I'll just hit it again.

00:26:32

Some, something is going through. I'm not so sure what that is but we'll, we'll test it. I'll go to my host right here. You can see 2.1 and 2.2 are denied and I'll hit the up arrow and do 3.1, 3.1. There we go. And that is still going through successfully. We are getting replies coming back.

00:26:53

And if I go back over to my show command I can see that the permits have been increasing because they are, they are being allowed through because of that reason I just mentioned. So scenario three, we can put a red check on that guy. We are good. Last but not least we'll hit scenario four and then I'll show you some of the tips and tactics and tricks of access lists.

00:27:19

Scenario four says use an extended access list to prevent HostA from accessing the CBTNuggets homepage. Now, why you would ever want to do anything like that is beyond me, but we'll go ahead and do it for this example then we'll immediately remove the access list and forever revoke any such policy. So we have to prevent HostA from the

00:27:39

CBTNuggets homepage. So immediately that triggers in my mind we're talking homepage. We're talking web access, somebody being able to access a web server that presents a homepage. So what I'm going to say in that case is that we need to deny, if we're talking in technical terms, HostA from using TCP port 80 destination port to access the CBTNuggets homepage. So now we come to a question, well, what's, what's the IP address of CBTNuggets web server? Well, let's go to our command line and we'll do a ping www.cbtnuggets.com, alright.

00:28:19

CBTNuggets is blocking ping traffic as many websites do because that, you can actually attack websites that allow ICMP, but that is the IP address that represents the homepage. So with that IP address in our knowledge, let's go ahead and I'll just copy that to my clipboard and stick a little textbox up here.

00:28:45

Let me just pick a font. There we go. Paste. Not that font. How about that one? That's a little better. So we'll do 128.242.116.211. I think I can read that. I can't read that. I'm going to make that a little larger. There we go. 128.242.116.211. Alright, good. So that's the IP address that we're going to be denying access to. So, you know, before we even do that, I just

00:29:19

want to make sure that I verify that we can access the CBTNuggets web page because, you know, denying access to something you don't verify you have access to in the first place is never any good. So we'll do cbtnuggets.com, hit enter. It says transferring. Okay, sure enough there is the CBTNuggets

00:29:35

web page. Good. So we verified that we can access it. Now, let's drop down to our router. And in this case we're also going to be on router two. Remember, denying with extended access lists should be done as close to the source as possible. So we're going to be applying

00:29:51

it on that same interface. Now, this brings me to one of the rules of access lists. The rules of access lists is one ACL per interface, oh, I'm signing off the end here, per interface, per direction. So when we're saying I want to deny them from accessing the CBTNuggets web page, we're going to have to tack on, oops, to an existing access list that we already have there, meaning we have applied access list 100, one access list per interface to the FastEthernet 0/0.10 interface. That's our per interface, per direction inbound. We've applied it inbound

00:30:40

and we're going to have to have that same policy. So what we're going to need to do is modify access list 100 to add this, this rule to it. So let's go ahead and go to router two. I'm going to do a show run, include lines that have access list 100 in it. That will filter my running output. Alright, so

00:31:02

there's my config. Good. So I'm going to copy. I'm going to do a copy, open my ultra sophisticated notepad application and paste those lines in there. I'm going to back them up. Because what I'm going to do is I'm going to delete that access list, no access list 100, and recreate it. I'm going to show you a little more efficient way of doing this in just a moment, but for now this is what we're gonna do. I'm going

00:31:32

to go in and I see the IP address right up there. I'm going to say access list 100 deny, and then I'll come up and say, okay, what protocol? Now, whenever you're surfing the web, you're using the TCP protocol. So instead of IP, I'm going to put TCP. The source IP address will be the host, 192.168.10.50, that's our HostA, question mark, and now it's asking for port number. But remember,

00:31:59

and I'll emphasize it again, if we put the port number right after the source host, you're going to be talking about the source port number rather than the destination. When we're surfing the web or doing most things, we're going to a destination port and the source port is pretty random. So I'm going to go in and I'm just going

00:32:16

to keep going with the destination. Instead of saying any destination point, I don't want to deny the host from the whole Internet. I just want to deny him from the CBTNuggets web page. So I'll say I want to deny him from the destination host. You can see that's an option,

00:32:29

single destination host, and there's the IP address above the config, 128.242, 242.116.211. So I'm denying them from accessing that specific host which is the CBTNuggets web server. Now, if I just hit enter there, I've denied too much. They will not be able

00:32:49

to use any TCP application to access the CBTNuggets web server. And in this case it just said deny them from the homepage, not all access. So I need to specify a port number. So I'm going to hit the question mark. You see there's plenty of options. I'm going to say equal to and specify the port number 80. Now, I want to mention that when I put equal to question mark, it puts a bunch of common port numbers that are right here, well, somewhat common.

00:33:16

It's been a long, long time since I've heard of the Gopher protocol. It was one of the original ones on the Internet. That's not around anymore but, you know, it does give you, for example, www shows HTTP port 80. So I have an option here. I can either type in equal to www, that's a valid keyword, or I could use the option at the top of this which, and just put equal to and type in the port number, 80. I usually like using the port number rather than those keywords because I forget all the keywords. It's easier for me to remember

00:33:50

the numbers of the protocols than all those names. So I type in equal to 80, enter. Good. I'm going to type in show access list 100 and let's take a look at it. Look at what the router did. It swapped out my 80 for www. He said, oh, yeah, I'll show you. It, it knows what it is. It will do that

00:34:10

for and that's okay. So it says deny that host from accessing that host on equal to port 80 as the destination. Now, we need to add a permit in there and we also need to make sure our scenario three objectives are accomplished. So what I'm going to do is I'm going to go back

00:34:26

to my notepad. I need to add that as my second line and that is my third. So let's copy that back to our clipboard, and in TeraTerm which is what I'm using here, we can just right-click and that will automatically paste. So I've pasted those back in there.

00:34:42

Let me get rid of my notepad. And now, if I do a show access list 100, I can see line 10 or sequence 10 or first line is denying port 80. Second line is denying the WAN link and third line is permitting everything else. So let's test it. I'm going to go back to my web browser. Oh, wait a sec,

00:35:06

not that one. Where am I? Here we go. Go back to my web browser. And you know what, I'm going to go in here and clear the cache. Oh, where is that? Do you know, you know what I mean by that, the cache. How do you, content, block pop-up windows. Oh, what am I thinking? Maybe security. Passwords. Oh, come on. Privacy? Privacy.

00:35:34

Oh, there we go. How about I do this? Always clear my private data when I close Firefox. I'll clear everything. The reason I'm doing this is because I want to make sure that when I close Firefox, web browsers cache web pages, meaning this will show up again next time without having to contact CBTNuggets.

00:35:53

I don't want it to do that. I want to make sure that it, it tries to contact CBTNuggets and it says, you know, I'm going to clear it all and I'll wipe it out. Good, wham, it's gone. Now, when I open my Firefox, there we go, we've got the Firefox start page and that's going to Google.

00:36:08

So I know my Google access is working okay. Let's, let's try another website first. I'll do dub, dub, dub dot. See, when you want to think of a website you never can. How about ciscoblog.com. And what's happening right now is we're kind of hung here. There we go, Cisco Blog. Cisco Blog has now come up and we've, we've

00:36:36

got access there. And before I even go to CBTNuggets, I'm going to hit the up arrow in here and see. Take a look. You see we haven't had any matches here or here but we've had 131 matches on the permit because this host has been surfing the web. It took 131 packets to generate the Cisco Blog and Google homepage. So now let's do the ultimate test,

00:36:55

www.cbtnuggets.com. Look at, I don't know if, can you see it at the bottom? It says connecting to cbtnuggets.com. I'm waiting. I'm waiting. I'm waiting. And while we're waiting, let's go ahead and come back here, hit the up arrow and do that show access list. Look at this.

00:37:21

Look at that action. Nine matches have shown up on that statement. Let's go back. We're waiting and the connection has timed out, taking too long to respond. Frankly it's never going to be responding because it is being denied by this access list. It is no longer permitted.

00:37:36

Excellent. Now that we've done that scenario four, we can remove that access list and never attempt such a silly, silly objective again. But that is, that is using the access list to block web access. Good. So at this point, you should have a little better idea of how to work with standard and extended access lists, just seeing those scenarios and putting them in place, seeing the general syntax of them. Practice makes perfect

00:38:05

on those things. I would, I would say practice with yourself writing down, you know, this is something I need access to and here's how I access it. I always recommend, when somebody, whenever anybody asks,

00:38:16

should I set up a lab at home to practice this stuff? I say by all means do it. Cisco gear has become so cheap nowadays. And when I say Cisco gear, I mean stuff you can get off of eBay for practice in your own home lab. You can get a Cisco router for under

00:38:32

30 bucks nowadays that can route your home Internet connection. And that will give you the opportunity to go in there and try this out, come up with objectives of what you want to deny and practice using access lists because that's the only way that you'll be able to master those. Now, let me show you some cool

00:38:47

tips and tricks of how to work with access lists. First things first, numbered access lists like we've been using all along have been enhanced in recent times by named access lists. Now, named access lists have been around for a long time but they've only recently begun to become very popular, and I'll show you a couple of features of them. Notice we've been typing in as we've been typing our access list

00:39:14

commands access lists dah, dah, dah, dah, dah, and we type in our number. But Cisco has a nice little thing that you can do. You can type in IP access list, same, same command but look at, look at the difference. And now it comes up and says, would you like to create an extended, a standard access list, use resequencing features and, and some other things? But right here we can create our IP extended or our standard access list, same thing as the numbered but now we can specify. Let's say I want to create an extended access

00:39:48

list since that's what we're talking about. Extended and I can type in word, meaning name. The great thing about typing in a name is you can be very descriptive in that name of what the access list does instead of just thinking, oh, yeah, access list 100, I think that's the one that denies HostA, right? Well, we can type in as the name deny HostA, nice and descriptive.

00:40:11

Now, when I hit enter, you notice it takes me into NACL mode. That stands for named access control list. So I'm in NACL mode and now I can start adding in my permit and deny statements. I can say permit, you know, host 192.168.10.50. Same syntax as the number. It's just you don't have to type in access list 100 in front of everything. So permit that host

00:40:32

to access the host. I'm just giving some examples. Oh, you know what, I forgot the protocol. Permit the IP protocol or TCP or whatever you'd like to do. Permit the, I'll just put TCP as second, you know, and permit TCP to that host, and so on. We keep adding numbers. And now when I do a show IP access list,

00:40:56

you can see that I have access list 100 and then I have access list deny HostA. It's much easier to remember that. Now, I will tell you functionally these are the same. They do and they, they can accomplish the same exact things. It's just this one gives a nice name along with it. Now, only from the named

00:41:16

access list mode can you edit access lists, and this is the big feature I want to show you. All along we've seen this 10, 20, 30 next to things, 10, 20, 30. That is known as a sequence number. Only recently has Cisco been adding that feature to their access lists, and what that allows you to do is to modify access lists after you create them.

00:41:40

Before those sequence numbers came around, the only way to modify an access list was to do what I showed you before, copy it to notepad, delete the whole thing, and then kind of modify it in notepad and paste it all back in. It's kind of a pain. So what we can do

00:41:54

with these sequence numbers is I can make modifications. You notice, let me hit the question mark, from named access list mode, it shows I can type in permit, deny, or even type in a sequence number. So maybe I wanted to squeeze something in like, you know, as you add it just keeps adding to the bottom of this access list.

00:42:13

But I wanted to squeeze something in between these two. So I could type in before I did my permit command sequence number 15, permit, and then same thing. We'll say TCP from the host 192.168.10.50 to host 4.2.2.4. And now, when I go back and do my show command, you notice, look at that. Nice.

00:42:36

I know, if you haven't seen access lists before, it's kind of like, oh, that's kind of cool. But I'm telling you, nice. That is such an improvement from what it used to be. And, and literally, you'd have to delete the whole thing and recreate it if you wanted to do something like that.

00:42:50

So not only can we squeeze in but we can remove. I can say, oh, well, you know what, now that line 15 is in there, I don't want line 20. I can just type in no 20, no sequence number 20, and now when I go back you can see sequence 20 has disappeared. Nice. You know, it's, it's great. So we can modify these. And even, nowadays, we can

00:43:13

even modify our numbered access lists but the way we do it is by, let me stop using the up arrow, I type in IP access list extended, but instead of typing in a name I can just say 100. And now I can make changes and I could say no, or most, no 20 on my access list 100. And when I do the show access list now, you can see line 20 has been removed. Pretty cool.

00:43:39

So that is our way of modifying access lists using the named feature. Now, last but not least, what I would like to do is show you a reflexive access list. To review, what we talked about in the concepts video was maybe you wanted to create an access list that denied all Internet traffic into your organization. It's a good policy because you don't

00:44:04

want uninvited Internet traffic to come on in. Well, if you create an access list that says deny IP any any from the Internet, you're going to deny everything including stuff that your clients were trying to get. So when you try and surf the Internet, when the response comes back, it will be denied.

00:44:24

To fix that you can use a reflexive access list and let me show you how it works. I'm going to go on my router two, and let's, let's use a named access list since we've learned them. I'll type in IP, or actually this will be on router one. Let me jump over there.

00:44:39

On router one I'll type in IP access list and we'll say it's extended. It must be an extended access list. And I'll say the name of that access list will be filter Internet. You see how these new names can be real nice? IP access list extended filter Internet. And under

00:44:56

there I can say permit TCP traffic from any source to any destination, and I want to show you the keyword, established. That's it. That's a reflexive access list. Now when I come back I can go under my, let's see, what the Internet connection? Ethernet 0/1. I can go under Ethernet 0/1 on router one and type in IP access group filter Internet inbound.

00:45:28

So what that does is under, let me jump back to the slide and diagram this out. Under Ethernet 0/1, as things are coming in, remember that direction, hold out your arms, in that interface from the Internet, it will go against that access list. Now, that access list says permit the TCP protocol from any source to any destination if it has been established. What established means is that there's been some requests

00:46:01

from the inside that have established a TCP session with a host out here on the Internet. Once the host from the inside has established that, this host may come back in on that same response or for that same session and reply. That is known as established. If somebody else out here, we'll say this, this

00:46:22

host, tries to come into the network but there was no established, then it's going to come on this line and, you know, the first line says permit anything that's been established. It will say, oop, sorry, you don't match because you're not established. And then the last line of that

00:46:35

access list says deny IP any any. Remember the invisible implicit deny? So it will be automatically denied since it's not an already established connection. So that is using what's known as a reflexive access list to heavily filter your Internet connection.

00:46:54

Whoo, I would say that is one of the most action-packed, dense videos I have ever recorded for CBTNuggets. There's more information in that video that I think I've packed into anything else. What I would recommend is extended access lists, while going through that and setting them up, it, you know, it seems only logical. It makes sense.

00:47:13

It takes a while for it to soak in. So what I would say is it'd be good for you to try a few of these, you know, put up some objectives for yourself and to write out what you think would be a good access list to test that. I've been asked before, should I set up a home lab for the CCNA if I'm studying for that? And I say, if you can, by all means do it. You can get

00:47:33

a Cisco router that's pretty good off of eBay for less than 30 bucks nowadays. They've dropped in price for some of the older ones and that's all you need to practice this, and that's I would say a great way to get some experience with extended access lists. Alright, so what we did was kind of wrapped up everything.

00:47:50

We went through all of the standard and set up some standard access lists and the extended, and we expanded on that looking at the named access list, editing access list, and reflexive access list. The last thing I'll mention before we get into the next videos which are going to be on NAT, I did set up Internet access through router one for this video, which means I set up NAT on router one so that the host could access the Internet so we could do some cool demonstrations on blocking access. I am going to turn that off before we get into

00:48:24

the next videos, which are all about how to turn that back on, because it, it seems kind of silly to get into NAT when you're thinking, but I thought you already had Internet access? We won't by the time we get into the NAT videos. So I hope this has been informative for you and I'd like to thank you for viewing.

Jeremy Cioara
Nugget trainer since 2003