1
00:00:00,750 --> 00:00:01,480
Welcome back.

2
00:00:01,560 --> 00:00:05,580
My name is David Bombal, CCIE #11023.

3
00:00:05,580 --> 00:00:07,980
And in this section we're going to look at access lists.

4
00:00:08,100 --> 00:00:12,540
I'd like to show you how to implement security using Access Control Lists, which are one of the most

5
00:00:12,540 --> 00:00:17,100
basic building blocks for implementing security in the Cisco network.

6
00:00:17,100 --> 00:00:22,440
These days there are multiple ways to implement security, but access lists are one of the most fundamental

7
00:00:22,590 --> 00:00:25,020
and a lot of the new technologies are based on them.

8
00:00:25,020 --> 00:00:30,060
So it's important that you have a good understanding of how access lists work and how to implement them.

9
00:00:31,520 --> 00:00:34,130
So we can look at the purpose of access control lists.

10
00:00:34,220 --> 00:00:37,090
I'd like to show you how they are bound to interfaces.

11
00:00:37,170 --> 00:00:40,190
They're either bound inbound or outbound.

12
00:00:40,190 --> 00:00:45,740
I'd like to show you various types of access lists, including numbered access lists, named access lists,

13
00:00:46,070 --> 00:00:50,670
as well as standard and extended access control lists, or ACLs.

14
00:00:50,960 --> 00:00:57,710
I'd like to explain what a wildcard mask does and how you can match individual hosts, subnets, or all

15
00:00:57,710 --> 00:01:00,680
hosts by changing the wildcard mask.

16
00:01:00,680 --> 00:01:07,620
I'd also like to explain time-based, reflexive and dynamic ACLs. Now, before getting into a discussion

17
00:01:07,620 --> 00:01:09,700
of access control lists or ACLs,

18
00:01:09,900 --> 00:01:12,750
let's review some of the information covered in the ICND1 course.

19
00:01:13,200 --> 00:01:17,310
You will not be able to implement ACLs without a good understanding of protocols,

20
00:01:17,310 --> 00:01:23,130
port numbers and other options that are available in the TCP/IP protocol stack and other protocols

21
00:01:23,130 --> 00:01:29,130
if you have them running on your network. So as an example, if we have a PC connecting to a server and

22
00:01:29,130 --> 00:01:36,630
the PC connects using HTTP and that traffic is sent across the network, router one will see a packet with

23
00:01:36,630 --> 00:01:42,890
a source address of 10.1.1.1 with a source port number greater than 1023.

24
00:01:43,050 --> 00:01:45,870
So in this example let's say 1024.

25
00:01:45,870 --> 00:01:51,900
In this case, because you are using UDP, it's going to well-known port number 80, so the destination IP

26
00:01:51,900 --> 00:01:56,410
address is 10.1.2.1 and the destination port number is 80.

27
00:01:56,490 --> 00:02:01,890
Now with access lists, direction is of great importance. On this interface

28
00:02:01,890 --> 00:02:08,780
the router is receiving the packet inbound, but on this interface the packet is being transmitted outbound.

29
00:02:08,790 --> 00:02:11,810
It's important that you look at this from the router's point of view.

30
00:02:11,940 --> 00:02:16,190
The packet arrives inbound and is sent outbound.

31
00:02:16,200 --> 00:02:21,570
So in other words, if you configure an access list outbound on the same interface it would have no effect

32
00:02:21,570 --> 00:02:24,020
on traffic from the PC to the server.

33
00:02:24,240 --> 00:02:29,230
because an outbound access list only checks traffic outbound from the router's point of view.

34
00:02:29,520 --> 00:02:34,950
So if you configured an inbound Access Control List on the left hand side, packets would have to pass

35
00:02:34,950 --> 00:02:39,960
that access control list before being permitted, and once again if you configured an outbound Access Control

36
00:02:39,960 --> 00:02:45,870
List on this interface, traffic sent would have to pass the access list to be permitted by the access

37
00:02:45,870 --> 00:02:46,660
list.

38
00:02:46,680 --> 00:02:48,410
Otherwise the traffic will be dropped.

39
00:02:49,460 --> 00:02:55,130
When the server sends traffic in reply, the source address will now be 10.1.2.1 with a source

40
00:02:55,130 --> 00:03:03,240
port of 80, and the destination IP address will be 10.1.1.1 and the destination port number will be 1024.

41
00:03:03,260 --> 00:03:09,500
In this case an outbound access list on this interface would come into effect for all traffic from the server

42
00:03:09,500 --> 00:03:13,630
to the PC, because the traffic is going out from the router's point of view.

43
00:03:13,880 --> 00:03:19,220
So an access list configured outbound on this interface would affect this traffic, and this traffic

44
00:03:19,220 --> 00:03:25,490
would have to pass the criteria set in the access list before being permitted. By the same token, an inbound

45
00:03:25,520 --> 00:03:30,410
access list on this interface would affect the traffic and the traffic would have to pass the criteria

46
00:03:30,410 --> 00:03:31,980
set in that Access Control List.

47
00:03:33,110 --> 00:03:34,640
Here's another example.

48
00:03:34,790 --> 00:03:39,320
This MacBook is telnetting to switch one via the router.

49
00:03:39,560 --> 00:03:43,960
So for argument's sake let's assume the MacBook chooses port 50000.

50
00:03:44,030 --> 00:03:49,460
The source address of all frames from the MacBook to the switch would be 10.1.1.1 with a source

51
00:03:49,460 --> 00:03:51,100
port of 50000.

52
00:03:51,140 --> 00:03:56,260
The destination would be 10.1.2.1 with a destination port number of 23.

53
00:03:56,540 --> 00:04:02,750
So once again, from the router's point of view it's receiving frames on this interface with a source of 10.1.1.1

54
00:04:02,750 --> 00:04:08,720
and a source port of 50000, and it's transmitting those packets out of this interface with the

55
00:04:08,720 --> 00:04:09,790
same details.

56
00:04:10,530 --> 00:04:17,640
Packets sent in reply from the switch have a source address of 10.1.2.1, a source port of 23 and a destination

57
00:04:17,670 --> 00:04:22,080
IP address of 10.1.1.1 and a destination port of 50000.

58
00:04:22,080 --> 00:04:28,170
Once again, it's important that you understand your protocols and port numbers, because without that understanding

59
00:04:28,590 --> 00:04:35,130
you'll not be able to configure ACLs. Always look at the direction of the traffic to determine whether

60
00:04:35,130 --> 00:04:40,990
an ACL should be bound inbound or outbound on specific interfaces.

61
00:04:41,050 --> 00:04:45,470
Here are some examples of some well-known TCP protocols with the relevant port numbers.

62
00:04:45,710 --> 00:04:55,760
FTP uses port 21 for control and 20 for data, telnet uses port 23, Secure Shell uses port 22.

63
00:04:56,210 --> 00:04:56,930
SMTP

64
00:04:56,930 --> 00:05:00,710
uses port 25, HTTP uses port 80.

65
00:05:00,930 --> 00:05:03,020
POP3 uses port 110.

66
00:05:03,160 --> 00:05:05,910
SSL uses port 443.

67
00:05:06,050 --> 00:05:12,190
So those are examples of some well-known TCP port numbers that you should remember for the real world.

68
00:05:12,230 --> 00:05:19,520
Just Google "IANA port numbers" to see a list of the Internet Assigned Numbers Authority port numbers.

69
00:05:19,520 --> 00:05:24,540
IANA is in charge of port numbers and determines the allocation.

70
00:05:24,650 --> 00:05:27,520
As an example, just type "IANA port numbers"

71
00:05:30,280 --> 00:05:35,730
and your very first hit will be a list of port numbers, and they explain quite nicely

72
00:05:36,630 --> 00:05:44,890
about the well-known port numbers, registered port numbers, and dynamic and private port numbers.

73
00:05:45,130 --> 00:05:52,060
So as an example, if you just do a search for telnet you'll see which port number telnet uses.

74
00:05:52,170 --> 00:05:57,180
It has a nice list if you're not sure which port numbers are used by specific protocols.

75
00:05:58,130 --> 00:06:02,080
Here's an example of protocols that use UDP and rely on port numbers.

76
00:06:02,110 --> 00:06:12,570
So as an example, DHCP uses port numbers 67 and 68, TFTP uses port 69 and SNMP uses port 161.

77
00:06:12,860 --> 00:06:19,440
Once again, on that same list on the IANA site you could do a search for specific protocols, and there's an

78
00:06:19,440 --> 00:06:23,490
example of TFTP. DNS is a special case.

79
00:06:23,640 --> 00:06:28,600
It is just port number 53 that uses both TCP and UDP.

80
00:06:28,710 --> 00:06:30,980
So both for study purposes and the real world,

81
00:06:31,020 --> 00:06:36,370
remember that protocols like telnet use port 23 and telnet uses TCP,

82
00:06:36,630 --> 00:06:43,190
whereas for example TFTP uses port 69 using UDP.

83
00:06:43,200 --> 00:06:48,240
Now why would you use ACLs? Up to this point in the course we've been enabling access between different

84
00:06:48,240 --> 00:06:54,210
parts of the network: no shutting interfaces, creating inter-VLAN routing, setting up routing protocols

85
00:06:54,210 --> 00:06:58,710
like EIGRP and OSPF will enable access throughout the network.

86
00:06:58,710 --> 00:07:04,010
However, you might not want everyone to be able to access every part of the network.

87
00:07:04,020 --> 00:07:06,670
This is especially true when you connect to the Internet.

88
00:07:06,930 --> 00:07:11,370
You don't necessarily want everyone on the Internet to be able to access your corporate servers or corporate

89
00:07:11,370 --> 00:07:12,100
network.

90
00:07:12,240 --> 00:07:17,640
So access lists are one of the first lines of defense to stop or deny traffic from one part of the network

91
00:07:17,640 --> 00:07:22,270
to another, so they can be used to permit or deny traffic moving through a router.

92
00:07:22,520 --> 00:07:28,810
So as an example, we might allow this MacBook to gain access to the Internet but we might deny traffic

93
00:07:28,810 --> 00:07:31,810
from the Internet into our corporate environment.

94
00:07:31,930 --> 00:07:37,780
So we would permit or deny traffic on a per-interface basis and thus deny traffic moving through the

95
00:07:37,780 --> 00:07:39,040
router.

96
00:07:39,180 --> 00:07:44,240
You could put a password on a VTY line on a router to enforce a level of security.

97
00:07:44,260 --> 00:07:49,350
However, you might say that only administrative subnets are allowed, so this machine on an administrative

98
00:07:49,350 --> 00:07:55,470
subnet is allowed to access the VTY lines, whereas this machine is not allowed to access the VTY

99
00:07:55,470 --> 00:07:56,510
lines.

100
00:07:56,610 --> 00:08:02,900
In this case the access list will not even permit telnet or SSH traffic to the VTY lines on the

101
00:08:02,910 --> 00:08:03,750
router.

102
00:08:04,110 --> 00:08:10,590
So rather than just having one line of defense, a password, you implement two lines of defense: only permitting

103
00:08:10,590 --> 00:08:16,860
certain subnets to the VTY lines as well as putting a password on the VTY lines. Whenever it comes

104
00:08:16,860 --> 00:08:17,490
to security,

105
00:08:17,490 --> 00:08:23,080
you've got to think of the risk. Dependent on the risk, you will implement more security.

106
00:08:23,160 --> 00:08:28,170
In this case you might deem the risk of users accessing network equipment to be high.

107
00:08:28,440 --> 00:08:36,490
So you only allow certain subnets to connect to the VTY lines of the router or switch.

108
00:08:36,530 --> 00:08:41,380
So once again, without ACLs all packets could be transmitted to all parts of the network.

109
00:08:41,600 --> 00:08:43,610
And that might not be desirable.

110
00:08:43,670 --> 00:08:48,670
So you might want to deny certain parts of the network from gaining access to other parts of the network.

111
00:08:48,680 --> 00:08:54,020
The whole idea here is that you're starting to implement security, locking down parts of the network

112
00:08:54,350 --> 00:09:00,380
so that they cannot be accessed by all individuals inside and outside of your organization.

113
00:09:01,270 --> 00:09:07,520
ACLs, however, are not just used for permitting or denying traffic; they can also be used for classification

114
00:09:08,210 --> 00:09:13,060
when setting up a basic VPN, or virtual private network, between two sites.

115
00:09:13,250 --> 00:09:17,090
You need to tell the router which traffic needs to be encrypted.

116
00:09:17,210 --> 00:09:23,000
You might not want all traffic encrypted from your local LAN, because you might want traffic from your

117
00:09:23,000 --> 00:09:31,400
local LAN to an Internet server to be sent unencrypted, but traffic from your local LAN to the LAN on

118
00:09:31,400 --> 00:09:37,880
the other side of the VPN tunnel needs to be encrypted, so you create an access list determining what

119
00:09:37,880 --> 00:09:39,330
traffic is interesting.

120
00:09:39,380 --> 00:09:41,340
In other words, needs to be encrypted.

121
00:09:41,630 --> 00:09:48,660
What traffic is not interesting, in other words does not need to be encrypted. ACLs can also be used in

122
00:09:48,660 --> 00:09:55,470
redistribution, where you are taking routes from one routing protocol and redistributing them, or pumping

123
00:09:55,470 --> 00:09:58,250
them into another routing protocol.

124
00:09:58,260 --> 00:10:04,680
So you might not want OSPF to learn about all your EIGRP routes, and therefore you can use Access Control

125
00:10:04,680 --> 00:10:11,890
Lists to limit or only permit certain routes to be redistributed. Access lists are also used with NAT,

126
00:10:11,950 --> 00:10:17,770
or network address translation. The access list will determine which packets need to be translated and

127
00:10:17,770 --> 00:10:20,080
which packets do not need to be translated.

128
00:10:20,350 --> 00:10:24,670
So you would create an access list permitting only certain subnets, which would allow for those packets

129
00:10:24,670 --> 00:10:31,180
to be translated. Packets denied by the access list are not denied access or dropped, but they are not

130
00:10:31,210 --> 00:10:39,070
translated using network address translation, or NAT. When using ACLs to permit or deny packets moving

131
00:10:39,070 --> 00:10:40,050
through a router,

132
00:10:40,270 --> 00:10:42,020
there are two main steps.

133
00:10:42,490 --> 00:10:49,240
So firstly, in global configuration mode you create the access list using the command access-list and

134
00:10:49,240 --> 00:10:51,320
then filling in various options.

135
00:10:51,370 --> 00:10:58,120
So the access-list command is used to create the access list, and then secondly you apply the access list

136
00:10:58,150 --> 00:11:02,110
either inbound or outbound on an interface by using the access-group

137
00:11:02,120 --> 00:11:02,890
command.

138
00:11:03,220 --> 00:11:06,980
So the access-list command creates the access list; the access-group

139
00:11:06,990 --> 00:11:09,350
command binds the access list.

140
00:11:09,490 --> 00:11:13,330
And when you bind it you either specify inbound or outbound,

141
00:11:13,330 --> 00:11:17,240
in other words determining the direction that the access list is bound.

142
00:11:17,380 --> 00:11:22,370
It's important to note that an ACL does not take effect until it's applied somewhere.

143
00:11:22,390 --> 00:11:27,700
So if you have access lists in the running configuration of a router and they haven't been applied, they

144
00:11:27,700 --> 00:11:29,160
have no effect.

145
00:11:29,170 --> 00:11:35,530
There are two steps: you create the access list and then you apply it somewhere, for instance inbound on

146
00:11:35,530 --> 00:11:35,870
FastEthernet

147
00:11:35,880 --> 00:11:38,830
0/0.

148
00:11:38,890 --> 00:11:46,180
So once again, when ACLs are applied inbound on an interface, the ACL will be processed before the traffic

149
00:11:46,180 --> 00:11:47,490
will be routed.

150
00:11:47,500 --> 00:11:54,610
In other words, if the ACL denies the traffic and the traffic is discarded, the router will not have to

151
00:11:54,610 --> 00:12:00,450
process the packets by looking in its routing table and determining the outbound interface.

152
00:12:00,490 --> 00:12:06,120
The packets will be discarded or dropped before the routing engine needs to process them.

153
00:12:06,250 --> 00:12:11,650
If they are permitted they will be processed for routing and the router will determine the outgoing

154
00:12:11,650 --> 00:12:12,950
interface.

155
00:12:13,150 --> 00:12:18,250
If discarded, there is no additional overhead on the router because the router does not need to do a

156
00:12:18,250 --> 00:12:24,160
routing table lookup to determine the egress outgoing interface. If the traffic is permitted, the

157
00:12:24,160 --> 00:12:31,380
routing process will then do the routing table lookup to determine the outgoing interface. With outbound

158
00:12:31,410 --> 00:12:32,270
ACLs,

159
00:12:32,530 --> 00:12:38,920
routing is performed first and then the packet is directed to an outbound interface, and then based on

160
00:12:38,920 --> 00:12:41,210
the ACL the packets will be permitted,

161
00:12:41,350 --> 00:12:48,490
in other words transmitted, or denied. It is therefore more efficient to bind an access list inbound on

162
00:12:48,490 --> 00:12:53,820
an interface because packets that are dropped or denied will not need to be processed.

163
00:12:53,850 --> 00:12:56,040
by the routing process on the router.

164
00:12:56,350 --> 00:13:03,220
If an ACL is applied outbound, the router still has to process all the packets, which may then be denied

165
00:13:03,280 --> 00:13:05,700
or dropped on the outbound interface.

166
00:13:05,800 --> 00:13:11,540
So where possible, bind ACLs inbound on interfaces rather than outbound

167
00:13:11,740 --> 00:13:18,860
for more efficient processing. An access list is a sequential list of statements where packets are evaluated

168
00:13:19,250 --> 00:13:21,560
from the first statement to the last.

169
00:13:21,560 --> 00:13:24,510
In other words, there is top-down processing.

170
00:13:24,710 --> 00:13:30,680
If a packet is matched by an individual statement in the access list that packet will either be permitted

171
00:13:30,890 --> 00:13:36,730
or denied depending on whether the permit or deny keyword is used in that specific statement.

172
00:13:37,550 --> 00:13:41,890
All remaining lines of the access list are ignored for that specific packet.

173
00:13:42,140 --> 00:13:48,350
So in other words, as soon as there's a match on a line all remaining lines are ignored. If the traffic

174
00:13:48,350 --> 00:13:55,320
does not match that specific line or statement, then the next line in the ACL is checked.

175
00:13:55,430 --> 00:14:00,920
So an access list is a sequential list of statements, and the router will check from the first line to the

176
00:14:00,920 --> 00:14:03,030
last until it gets a match.

177
00:14:03,350 --> 00:14:04,710
As soon as there's a match,

178
00:14:04,910 --> 00:14:06,720
all subsequent lines are ignored.

179
00:14:06,980 --> 00:14:12,260
If there is no match for any statement in the ACL, the packet is dropped because of what's called the

180
00:14:12,260 --> 00:14:16,030
implicit deny at the end. At the end of every access list

181
00:14:16,050 --> 00:14:22,610
there's an implicit deny, which means if you're not explicitly permitted by an access list you're implicitly

182
00:14:22,610 --> 00:14:30,470
denied. All traffic not permitted somewhere in that access list with the use of a permit statement

183
00:14:30,620 --> 00:14:32,150
will be dropped.

184
00:14:32,150 --> 00:14:37,300
That means, therefore, that you must have at least one permit statement somewhere in the access list.

185
00:14:37,370 --> 00:14:39,730
Otherwise you might as well unplug the cable.

186
00:14:39,740 --> 00:14:44,180
Now there are two main types of access lists that we concentrate on in this course.

187
00:14:44,180 --> 00:14:51,500
The first is a standard ACL and the second is an extended ACL. Standard ACLs only check on source IP

188
00:14:51,500 --> 00:14:52,450
addresses.

189
00:14:52,580 --> 00:14:59,360
They do not check on individual port numbers or individual protocols; they either permit or deny the

190
00:14:59,360 --> 00:15:04,640
entire protocol suite based on the source IP address or source network.

191
00:15:04,640 --> 00:15:11,180
Nothing else but the source IP address or source network can be specified. Extended ACLs check on both

192
00:15:11,180 --> 00:15:17,890
the source and destination address and allow you to permit or deny specific protocols and applications.

193
00:15:17,900 --> 00:15:25,460
In other words, you could permit or deny based on IP, TCP, UDP, ICMP and many other protocols, and you can

194
00:15:25,460 --> 00:15:31,700
also permit or deny based on source port numbers and destination port numbers. Extended access lists

195
00:15:31,700 --> 00:15:35,540
are therefore a lot more granular and tend to be used in the real world.

196
00:15:35,780 --> 00:15:40,540
But for completeness, we need to cover both standard and extended access lists in this course.
