1
00:00:00,480 --> 00:00:07,500
There are also two methods to identify whether an ACL is a standard ACL or extended ACL. Access lists are either

2
00:00:07,510 --> 00:00:16,080
configured as numbered access lists or named access lists. With numbered ACLs the number of the ACL determines

3
00:00:16,080 --> 00:00:17,900
what type of ACL it is.

4
00:00:18,120 --> 00:00:27,150
So for example ACLs in the range 1 to 99 or what's called the expanded range 1300 to 1999 would

5
00:00:27,150 --> 00:00:36,850
be used for standard IP ACLs. So as an example on a router in global configuration mode I can type the command

6
00:00:36,910 --> 00:00:38,110
access-list

7
00:00:38,940 --> 00:00:40,130
question mark.

8
00:00:40,440 --> 00:00:50,670
And as you can see here 1 to 99 is used for IP standard access lists. The expanded range is also listed,

9
00:00:50,910 --> 00:00:53,700
1300 to 1999.

10
00:00:53,700 --> 00:01:00,460
Now the reason for the expanded range is that initially about 100 ACLs seemed more than enough.

11
00:01:00,840 --> 00:01:06,790
But as we all know as time goes by what was deemed to be enough is not necessarily enough.

12
00:01:06,930 --> 00:01:13,380
And these days we can use both 1 to 99 or the expanded range if the requirement for more than 100 access

13
00:01:13,380 --> 00:01:19,560
lists is there. Likewise extended access lists are in the range 100 to 199 as well as

14
00:01:19,560 --> 00:01:28,530
the expanded range which is 2000 to 2699. Depending on your IOS you will see other types of ACLs listed,

15
00:01:29,130 --> 00:01:36,510
for instance to support AppleTalk, ACLs in the range 600 to 699 can be used, or to support IPX

16
00:01:36,630 --> 00:01:43,200
you could for instance use ACLs in the range 800 to 899 or extended IPX access lists

17
00:01:43,320 --> 00:01:46,210
in the range 900 to 999.

18
00:01:46,440 --> 00:01:55,450
Notice for example ACLs in the range 700 to 799 are used for MAC address access lists. In this course

19
00:01:55,450 --> 00:02:00,380
we fortunately only concentrate on IP access lists, so we will concentrate on both

20
00:02:00,480 --> 00:02:06,910
IP standard access lists and IP extended access lists. But be aware please that there are other

21
00:02:06,910 --> 00:02:12,330
number ranges used for other protocols like IPX, AppleTalk and so forth.

22
00:02:12,340 --> 00:02:17,980
The second type is named access lists, which are more descriptive because they use alphanumeric characters

23
00:02:18,070 --> 00:02:19,150
as names.

24
00:02:19,300 --> 00:02:26,290
So rather than access list 100 for instance permitting telnet traffic to a switch, you could call the ACL permit

25
00:02:26,340 --> 00:02:29,320
telnet and give it a name with more meaning.

26
00:02:29,440 --> 00:02:35,140
That also allows you to create many many more ACLs on a router than the list specified by the numbered

27
00:02:35,160 --> 00:02:42,430
ACLs. Originally named ACLs also gave you more flexibility when it came to editing individual lines

28
00:02:42,580 --> 00:02:45,530
or deleting individual lines in an ACL.

29
00:02:45,640 --> 00:02:53,550
But these days that flexibility is available for both named as well as numbered ACLs. Just to demonstrate

30
00:02:53,550 --> 00:02:58,380
a little bit more if I specify one as my ACL number.

31
00:02:58,400 --> 00:03:02,530
Notice it gives me three options: deny, permit or remark.

32
00:03:02,750 --> 00:03:04,560
Now let's start with the last one.

33
00:03:04,560 --> 00:03:08,540
The remark option allows you to add a description to your ACLs.

34
00:03:08,550 --> 00:03:14,280
This is very useful because when you return to an ACL that you configured months ago rather than having

35
00:03:14,280 --> 00:03:21,600
to decipher the lines of the ACL the remark or in other words the description can let you know what

36
00:03:21,600 --> 00:03:23,980
that ACL is attempting to accomplish.

37
00:03:24,000 --> 00:03:29,250
So it's recommended that you use the remark statement to add descriptions to ACLs to make them more

38
00:03:29,250 --> 00:03:34,520
user friendly and understandable both for yourself and for others.

39
00:03:34,600 --> 00:03:41,750
If I choose the option permit, notice because this is a standard IP access list the only options

40
00:03:41,750 --> 00:03:48,530
here are permitting either a hostname or IP address, permitting any which permits everyone or anything,

41
00:03:49,100 --> 00:03:50,550
and the host option.

42
00:03:50,810 --> 00:03:57,800
So I could for example put in an address like 10.1.1.1 and then notice the next option is

43
00:03:57,800 --> 00:04:05,500
to put in wildcard bits, or to hit enter, or I can log this information to say a syslog server

44
00:04:05,740 --> 00:04:09,010
or another logging device on my network.

45
00:04:09,010 --> 00:04:17,830
So if I put in the option 0.0.0.0 that is specifying that I will permit traffic from a specific host,

46
00:04:18,030 --> 00:04:20,570
10.1.1.1.

47
00:04:20,660 --> 00:04:23,220
Now ACLs don't use standard network masks.

48
00:04:23,250 --> 00:04:29,910
They use inverse masks, where a zero in binary means there must be a match and a one in binary means it

49
00:04:29,910 --> 00:04:31,610
doesn't have to be a match.

50
00:04:32,070 --> 00:04:38,100
So just to reiterate, you need to look at this in binary if you're not sure. A zero in binary in the mask

51
00:04:38,220 --> 00:04:44,610
means that there must be a match on the host or network. A one in the mask means that we ignore the

52
00:04:44,610 --> 00:04:46,530
host or network value.

53
00:04:46,770 --> 00:04:53,340
So as an example if I want to match a specific IP address I can type the command access-list 1, 1 denoting

54
00:04:53,370 --> 00:04:55,890
that this is a standard IP access list.

55
00:04:55,890 --> 00:05:04,920
I'm permitting traffic that matches 10.1.1.1 exactly. The zeros in the mask mean that the

56
00:05:04,920 --> 00:05:07,700
first octet must be a 10,

57
00:05:07,740 --> 00:05:15,890
the second octet must be a one, the third octet must be a one and the fourth octet must be a 1, and a

58
00:05:15,960 --> 00:05:22,760
0 in the mask means an exact match, a one in the mask means it doesn't have to match.

59
00:05:22,770 --> 00:05:30,240
So this statement will only match the specific host with the IP address 10.1.1.1. Now rather than

60
00:05:30,240 --> 00:05:33,510
doing it that way you can configure the access list as follows.

61
00:05:33,690 --> 00:05:37,000
You can type the command access-list 1 permit,

62
00:05:37,170 --> 00:05:39,270
And in this case we're looking for a specific host.

63
00:05:39,330 --> 00:05:45,440
so you can use the keyword host and then specify the host IP address. Either will do.

64
00:05:45,690 --> 00:05:52,230
It's like saying tomato versus tomahto; which you prefer will determine which one you configure.

65
00:05:53,220 --> 00:05:58,550
The opposite of specifying an individual host would be matching anything or everything.

66
00:05:58,590 --> 00:06:04,440
So you could create an access list, access-list 1 permit, and notice in the address portion we have

67
00:06:04,500 --> 00:06:07,180
put 0.0.0.0.

68
00:06:07,440 --> 00:06:14,700
And this could essentially be made anything. In the mask we've put 255.255.255.255.

69
00:06:14,930 --> 00:06:19,730
Remember a one in binary in the mask means ignore this value.

70
00:06:19,800 --> 00:06:24,740
In other words it can be anything; a zero in the mask means an exact match.

71
00:06:24,780 --> 00:06:33,060
So if we look at the IP address it's 0.0.0.0 in decimal, which is equal to all zeros in binary.

72
00:06:33,060 --> 00:06:36,600
This gap in the binary address obviously doesn't exist.

73
00:06:36,630 --> 00:06:38,580
I've just put it there for readability.

74
00:06:38,940 --> 00:06:43,710
So looking at the address in binary it's eight zeros. The mask,

75
00:06:43,710 --> 00:06:50,490
in other words in the first octet the mask, is set to 255 which is equal to eight binary ones.

76
00:06:50,520 --> 00:06:54,660
So what are we saying by putting 255 in the first octet in the mask?

77
00:06:54,660 --> 00:06:58,740
We are saying that the first octet in the address is irrelevant.

78
00:06:58,740 --> 00:07:00,650
We are just ignoring all the bits.

79
00:07:00,810 --> 00:07:04,740
We've done the same with octets two, three and four.

80
00:07:04,920 --> 00:07:08,660
So this is essentially matching anything or everything.

81
00:07:08,940 --> 00:07:12,920
And we are not matching any specific host or network.

82
00:07:12,930 --> 00:07:17,420
Alternatively you could also use the syntax access-list 1 permit any.

83
00:07:17,610 --> 00:07:22,630
So once again tomato versus tomato you decide which you prefer.

84
00:07:22,680 --> 00:07:25,530
Both will work and both have the same result.

85
00:07:26,630 --> 00:07:32,420
If you want to match an individual subnet rather than an individual host or any traffic you could use

86
00:07:32,420 --> 00:07:35,130
a combination of zeros and ones in the mask.

87
00:07:35,360 --> 00:07:41,780
So as an example, access-list 1 permit 10.1.1.0, and notice in the mask we have a zero in the first octet,

88
00:07:42,230 --> 00:07:46,400
which means that we are matching on the 10 in 10.1.1.0.

89
00:07:46,460 --> 00:07:50,510
And in the mask we have 0.0.0.255.

90
00:07:50,750 --> 00:07:56,780
Now in the first octet in the mask we have got binary zeros, which means that there must be an exact

91
00:07:56,780 --> 00:07:58,950
match on this address.

92
00:07:58,970 --> 00:08:02,430
In other words we are specifically matching the first octet.

93
00:08:02,510 --> 00:08:04,640
It must be equal to a 10.

94
00:08:04,670 --> 00:08:09,060
The second octet must be 1 because we've got a zero in the mask.

95
00:08:09,230 --> 00:08:13,130
The third octet must be one because we have a zero in the mask.

96
00:08:13,130 --> 00:08:19,220
But notice the fourth octet can be set to anything because we've got binary ones in the fourth

97
00:08:19,220 --> 00:08:23,540
octet; 255 if you remember is eight binary ones.

98
00:08:23,540 --> 00:08:29,540
In other words we are saying we don't care what the last octet is set to. This statement will match any

99
00:08:29,540 --> 00:08:34,130
host or any address where the first three octets are set to

100
00:08:34,150 --> 00:08:35,970
10.1.1.

101
00:08:35,990 --> 00:08:37,890
The fourth octet can be anything.

102
00:08:39,110 --> 00:08:45,710
So just to sum up: if we were using the dotted decimal notation, to match a specific IP address like

103
00:08:45,800 --> 00:08:46,970
10.1.1.1

104
00:08:47,150 --> 00:08:50,150
we would fill the mask with zeros.

105
00:08:50,150 --> 00:08:52,310
Once again this is an inverse mask.

106
00:08:52,400 --> 00:08:58,460
A zero in the mask means that we are looking for a specific value in the host portion of the address.

107
00:08:58,580 --> 00:09:02,850
A one in the mask means we ignore what the host portion is set to.

108
00:09:02,870 --> 00:09:09,050
So this matches a specific IP address. To match a specific subnet, let's say 10.1.1.0,

109
00:09:09,350 --> 00:09:15,810
we could configure the access list as 10.1.1.0 with the first three octets equal to zero

110
00:09:15,890 --> 00:09:18,510
and the last octet equal to 255.

111
00:09:18,800 --> 00:09:25,240
Or if we wanted to match anything we could set the host portion to actually any number and the mask

112
00:09:25,300 --> 00:09:37,870
to 255.255.255.255. So as an example on a router I could type the command access-list 2 permit and then specify anything

113
00:09:37,870 --> 00:09:41,940
I wanted to.

114
00:09:42,050 --> 00:09:50,860
But if the mask is set to all ones, if I type the command show ip access-list,

115
00:09:51,030 --> 00:09:54,810
notice the router has changed that to say permit any.

116
00:09:54,930 --> 00:10:02,280
We typed this on the router but the router has changed it to permit any. I can do the command show run

117
00:10:02,610 --> 00:10:08,030
| include access-list to see all my access-list statements configured on the router, and you can see once

118
00:10:08,030 --> 00:10:15,360
again the router has changed the format of the access lists. Here's a more complicated example.

119
00:10:15,700 --> 00:10:24,220
If we had an access list, access-list 1 10.1.1.0, and the mask is 0.0.0.15,

120
00:10:24,400 --> 00:10:29,070
what we are saying is ignore the last four bits of the last octet.

121
00:10:29,500 --> 00:10:33,390
So notice the address is 10.1.1.0

122
00:10:33,400 --> 00:10:36,870
and the mask is 0.0.0.15.

123
00:10:36,880 --> 00:10:39,690
Now the first three octets are fairly easy to work out.

124
00:10:40,060 --> 00:10:47,560
What we are saying is that the first octet must be 10 the second octet must be one the third octet must

125
00:10:47,560 --> 00:10:48,430
be one.

126
00:10:48,670 --> 00:10:50,480
But it gets a little bit more complicated.

127
00:10:50,590 --> 00:10:58,340
Looking at the last octet in decimal, it's a lot easier if you convert it to binary: four binary zeros

128
00:10:58,580 --> 00:11:04,580
followed by four binary ones. Zero in binary equals eight binary zeros.

129
00:11:04,580 --> 00:11:11,780
Once again the gap in the middle of these octets is just for readability so that it's easier to see what's

130
00:11:11,780 --> 00:11:12,550
going on.

131
00:11:13,840 --> 00:11:19,660
So what we are saying is that the last four bits in the address can be set to anything. In other words these

132
00:11:19,660 --> 00:11:27,610
last four binary bits could be set to either 0 or 1, but the first four binary bits must be equal

133
00:11:27,610 --> 00:11:32,990
to zero because the address portion has a 0 in it.

134
00:11:33,100 --> 00:11:36,160
And the first four bits of the mask are set to zero.

135
00:11:36,160 --> 00:11:40,600
It means that the first four bits of an address must be equal to this value.

136
00:11:40,600 --> 00:11:43,190
In other words zero.

137
00:11:43,200 --> 00:11:44,940
So let's show you some examples.

138
00:11:44,970 --> 00:11:50,280
If I had an address of 10.1.1.1, would it be matched by this statement,

139
00:11:50,280 --> 00:11:55,140
permit 10.1.1.0 0.0.0.15?

140
00:11:55,200 --> 00:11:57,120
And the answer would be yes.

141
00:11:57,120 --> 00:12:02,730
I've only converted the last octet into binary as the first three octets are easy to work out. What we are

142
00:12:02,730 --> 00:12:09,570
saying is that the first three octets must be equal to 10.1.1, which it is for this address, but

143
00:12:09,570 --> 00:12:12,590
the last octet converted to binary will look as follows.

144
00:12:12,630 --> 00:12:16,780
We would have 7 binary zeros followed by a binary 1.

145
00:12:16,970 --> 00:12:17,820
15

146
00:12:17,820 --> 00:12:22,580
in binary once again is four binary zeros followed by four binary ones.

147
00:12:22,710 --> 00:12:30,120
So what we are saying is, notice the first four bits in the address must, because of the zeros in the mask,

148
00:12:30,510 --> 00:12:35,150
be equal to 0000, which for 1 is true.

149
00:12:35,280 --> 00:12:38,470
The first four bits are set to zeros.

150
00:12:38,700 --> 00:12:43,830
It doesn't matter what the last 4 bits are set to because we have binary ones in the mask.

151
00:12:43,830 --> 00:12:46,720
So there is a match on 10.1.1.1.

152
00:12:46,950 --> 00:12:51,540
But does this access statement match 10.1.1.129?

153
00:12:51,750 --> 00:12:53,110
And the answer is No.

154
00:12:53,340 --> 00:13:00,180
Because the first four bits of the address must be equal to 4 binary zeros.

155
00:13:00,300 --> 00:13:08,580
And if you convert 129 into binary it consists of a binary 1 followed by six binary zeros followed by a

156
00:13:08,580 --> 00:13:09,780
binary 1.

157
00:13:09,780 --> 00:13:14,970
In other words the first four binary bits do not equal four zeros.

158
00:13:15,030 --> 00:13:17,730
So this is not a match.

159
00:13:17,940 --> 00:13:21,500
In this example we have some hosts on subnet 10.1.1.0,

160
00:13:21,770 --> 00:13:28,020
so as an example this PC and this MacBook. We also have servers: server 1 with IP address 10.1.2.1

161
00:13:28,530 --> 00:13:31,360
and server 2 with IP address 10.1.3.1.

162
00:13:31,440 --> 00:13:38,440
In this example we want to permit host 10.1.1.1 access to the servers but deny everyone else.

163
00:13:38,460 --> 00:13:43,470
Please note these examples are just to help teach you the syntax of access lists and how they can be

164
00:13:43,470 --> 00:13:45,480
used in various scenarios.

165
00:13:45,480 --> 00:13:50,930
These examples are not best practice, so please don't try and understand the why of these examples.

166
00:13:51,010 --> 00:13:57,630
They just try and help you understand how access lists can be applied. Obviously in the real world and

167
00:13:57,630 --> 00:14:03,540
in exam situations you might be presented with various scenarios and in those cases you will need to

168
00:14:03,540 --> 00:14:08,770
know how access lists work to be able to meet the requirements of the scenario.

169
00:14:08,820 --> 00:14:14,740
The first decision you need to make is on which interface are you going to apply the access list.

170
00:14:14,850 --> 00:14:18,570
In this example we are going to use a standard IP access list.

171
00:14:18,600 --> 00:14:24,150
We are not going to use extended access lists so it makes sense to apply the access list inbound in

172
00:14:24,150 --> 00:14:28,100
this interface that will accomplish what we set out to do.

173
00:14:28,440 --> 00:14:36,180
You could also apply the access list on both f0/1 and f0/2, but it would be more efficient to apply inbound

174
00:14:36,330 --> 00:14:37,940
rather than outbound.

175
00:14:37,970 --> 00:14:43,160
It also means that you only have to apply the access list on one interface rather than on two interfaces

176
00:14:44,150 --> 00:14:47,080
So on a router I could configure the access list.

177
00:14:47,180 --> 00:14:53,030
But before doing that I'm going to type the command show access lists just to see which access lists

178
00:14:53,030 --> 00:14:59,070
have already been configured so that I don't inadvertently edit an access list that already exists. In

179
00:14:59,070 --> 00:15:03,640
this example you can see that there are no access lists so I can go into global config mode.

180
00:15:03,840 --> 00:15:09,800
I type the command access-list and then specify a number, and let's say in this example we have to use a standard

181
00:15:09,830 --> 00:15:14,600
IP access list so I'm going to just choose a number let's say one and then I'm going to say permit

182
00:15:17,430 --> 00:15:18,930
host

183
00:15:18,940 --> 00:15:21,990
10.1.1.1 and hit enter.

184
00:15:22,170 --> 00:15:26,770
The scenario states that we need to permit this host access to the servers.

185
00:15:26,880 --> 00:15:31,010
Now a standard access list does not allow you to specify destinations.

186
00:15:31,020 --> 00:15:33,190
You can only specify the source.

187
00:15:33,210 --> 00:15:38,210
Now it's worth remembering the implicit deny any at the end of every IP access list.

188
00:15:38,340 --> 00:15:46,140
Our criteria in this example is just to permit that specific host 10 1 1 1 and deny everyone else.

189
00:15:46,260 --> 00:15:50,920
So this single line access list will accomplish what we set out to do.

190
00:15:51,090 --> 00:15:57,660
The next step is to bind the access list to an interface, so on interface f0/0 I type the command

191
00:15:57,720 --> 00:16:08,280
ip access-group, and notice it prompts me to put in the number or word of the access list, so 1, and

192
00:16:08,280 --> 00:16:13,680
then it prompts me to specify the direction and I'm going to say inbound. Just by doing that I've

193
00:16:13,680 --> 00:16:16,160
accomplished what I set out to do.

194
00:16:17,460 --> 00:16:22,430
We are permitting this host 10.1.1.1 and denying everyone else.

195
00:16:22,500 --> 00:16:27,210
You obviously need to be careful with access lists because if another interface were configured on this

196
00:16:27,210 --> 00:16:34,380
router, no traffic except for this host would be allowed to send traffic through interface

197
00:16:34,430 --> 00:16:35,210
f0/0.

198
00:16:35,520 --> 00:16:39,020
But in this scenario we have met the requirements.

199
00:16:39,030 --> 00:16:47,980
One last thing to show you is, if I type the command show ip interface and the relevant interface, the router

200
00:16:47,990 --> 00:16:54,680
will show me which access list is bound outbound and which access list is bound inbound on the specific

201
00:16:54,680 --> 00:16:55,590
interface.

202
00:16:55,790 --> 00:17:02,530
And as you can see here access list one is bound inbound and no access list is bound outbound.

203
00:17:03,690 --> 00:17:11,410
So as an example I could create another access list, let's say access-list 2 permit any, and then go

204
00:17:11,410 --> 00:17:15,300
into that interface and type ip access-group

205
00:17:16,630 --> 00:17:17,470
2 out,

206
00:17:20,220 --> 00:17:27,810
do the same show command again, show ip interface f0/0, and you'll be able to see that access

207
00:17:27,810 --> 00:17:34,330
list 2 is bound outbound and access list 1 is bound inbound.

208
00:17:34,350 --> 00:17:40,600
If I made the following mistake and bound access list 2 inbound rather than outbound,

209
00:17:43,530 --> 00:17:45,150
the following would take place.

210
00:17:47,420 --> 00:17:52,940
The router does not warn me about anything but notice the inbound access list has been replaced with

211
00:17:52,970 --> 00:17:54,160
access list 2.

212
00:17:54,460 --> 00:17:59,830
So the previous access list 1 was removed from the interface and replaced with access list 2.

213
00:17:59,930 --> 00:18:05,180
There is no need to firstly remove the old access list before applying the new access list.

214
00:18:05,390 --> 00:18:09,080
The old one is implicitly removed and the new one is applied.

215
00:18:09,080 --> 00:18:14,340
Also notice that you can apply the same access list in and out at the same time.
