1
00:00:00,820 --> 00:00:07,870
So let's have a look at another example. In this example we want to permit host 10.1.1.1 to

2
00:00:07,870 --> 00:00:08,390
10.1.2.1.

3
00:00:08,620 --> 00:00:15,040
So this host should be permitted to the server, but we want to deny everyone else sending traffic to

4
00:00:15,040 --> 00:00:15,900
that server.

5
00:00:16,180 --> 00:00:19,750
But we also want to allow traffic to go to all other servers.

6
00:00:19,780 --> 00:00:22,690
So anyone should be able to connect to all of the servers.

7
00:00:22,720 --> 00:00:27,690
So the first decision again is where are we going to bind this Access Control List and in which direction.

8
00:00:28,000 --> 00:00:28,890
So we could bind it

9
00:00:28,930 --> 00:00:36,310
f0/0 inbound, or we can bind it on f0/1 outbound. The issue with trying to bind the access list

10
00:00:36,310 --> 00:00:43,380
on f0/0 is that we cannot specify destination addresses with a standard IP access list.

11
00:00:43,450 --> 00:00:49,240
You can only specify source addresses, so you won't be able to implement the statement that says deny

12
00:00:49,240 --> 00:00:56,260
everyone else to a specific server but allow traffic to all other servers because otherwise you're going

13
00:00:56,260 --> 00:01:03,040
to say deny any and the very next statement is going to be permit any which won't work because the permit

14
00:01:03,100 --> 00:01:04,990
any will never be used.

15
00:01:04,990 --> 00:01:08,140
So what we're going to do is we're going to bind it on this interface outbound.

16
00:01:08,250 --> 00:01:15,370
f0/1. This also follows best practices, which say that you should bind standard IP access

17
00:01:15,370 --> 00:01:18,360
lists as close to the destination as possible.

18
00:01:18,370 --> 00:01:20,400
I'll explain more about that in a moment.

19
00:01:21,780 --> 00:01:26,100
So on our router we could configure this access control list by going into global configuration mode

20
00:01:26,970 --> 00:01:28,830
and typing access-list.

21
00:01:29,290 --> 00:01:37,340
Let's choose number 3, permit 10.1.1.1.

22
00:01:37,450 --> 00:01:47,210
And then we could go into interface f0/1 and type the command ip access-group 3 out.

23
00:01:47,220 --> 00:01:50,580
So once again I could do the command show access-lists,

24
00:01:54,100 --> 00:01:57,210
which just shows me that simple access list that I've just created.

25
00:01:57,240 --> 00:02:03,260
The catch here was to remember where to bind the access list and to remember that you don't need a deny

26
00:02:03,350 --> 00:02:08,280
any at the end because there's an implicit deny in an access list.

27
00:02:08,530 --> 00:02:10,900
I'll explain what this number 10 means in a moment.

28
00:02:12,400 --> 00:02:17,740
In this example you want to permit subnet 10.1.1.0 and then deny everyone else.

29
00:02:17,740 --> 00:02:21,210
Once again we would bind the Access Control List inbound on Fast

30
00:02:21,220 --> 00:02:22,590
Ethernet 0/0.

31
00:02:22,710 --> 00:02:28,690
So as to make the access list as efficient as possible, we once again don't want the router having to

32
00:02:28,690 --> 00:02:34,390
process packets internally just to have them dropped on an external outbound interface.

33
00:02:34,510 --> 00:02:43,410
So we'll bind the Access Control List inbound. So on the router, going into global configuration mode, I type

34
00:02:43,410 --> 00:02:51,490
the command access-list and in this case choose number 4, and we will permit in this case a specific subnet,

35
00:02:51,500 --> 00:02:54,000
so 10.1.1.0.

36
00:02:54,410 --> 00:02:59,080
And then we need to put in the wildcard mask. A zero in binary means match.

37
00:02:59,090 --> 00:03:06,050
So the first octet 10 must match, second octet 1 must match, third octet 1 must match, and the last octet

38
00:03:06,050 --> 00:03:07,880
can be equal to anything.

39
00:03:08,270 --> 00:03:09,520
There's an implicit deny.

40
00:03:09,620 --> 00:03:12,060
So we don't have to specify anything else.

41
00:03:12,080 --> 00:03:16,560
However, if you wanted to log information, you could do the following:

42
00:03:16,720 --> 00:03:21,370
access-list 4 deny, and notice the option,

43
00:03:21,520 --> 00:03:29,350
any. Notice this option log, that would allow us to log information to a syslog server or log locally on

44
00:03:29,350 --> 00:03:32,660
the router so that we can see which packets were denied.

45
00:03:32,890 --> 00:03:38,740
When it comes to logging, it's best practice not to log locally on the router but to push it to a server

46
00:03:38,740 --> 00:03:40,500
like a log server.

47
00:03:40,510 --> 00:03:46,390
The reason for that is that the router has limited space for storing log messages, whereas if you store

48
00:03:46,390 --> 00:03:52,090
that on a log server you can store huge amounts of data because of the size of hard disks these days.

49
00:03:52,120 --> 00:03:57,060
So it makes sense to back the logging information off to an external server.

50
00:03:57,430 --> 00:04:08,620
The last step in this example is to go interface f0/0 and type the command ip access-group 4 in.

51
00:04:08,760 --> 00:04:10,980
Once again I can do the command show access-list

52
00:04:14,480 --> 00:04:21,080
if I just wanted to see that specific access list by number, show access-list 4. You can see the first

53
00:04:21,080 --> 00:04:26,340
line is saying permit 10.1.1.0 with wildcard bits 0.0.0.255.

54
00:04:26,870 --> 00:04:34,060
And the second line is saying deny any and log. Getting information, show ip interface

55
00:04:34,100 --> 00:04:35,400
FastEthernet 0/0

56
00:04:37,440 --> 00:04:40,200
shows me that the inbound access list is 4.

57
00:04:40,440 --> 00:04:46,020
So we have bound access list 4 inbound on FastEthernet 0/0.

58
00:04:46,100 --> 00:04:48,290
Now in this example the interface is shut down.

59
00:04:48,550 --> 00:04:52,780
I'm not too concerned because I'm just showing you the syntax of the access lists rather than checking

60
00:04:52,780 --> 00:04:54,280
a working example.

61
00:04:55,040 --> 00:04:59,590
Be careful with adding an explicit deny as I did in this example.

62
00:04:59,600 --> 00:05:05,270
You need to read between the lines in the questions and make sure that you are explicitly asked to deny

63
00:05:05,270 --> 00:05:12,770
traffic. If not asked, don't add the line deny any, because they may be testing you to make sure you know

64
00:05:12,770 --> 00:05:14,390
about the implicit deny

65
00:05:14,510 --> 00:05:17,530
at the end of every access list.

66
00:05:17,620 --> 00:05:24,790
Another example. In this case we want to permit 10.1.1.1 to telnet to the router, and then you want to

67
00:05:24,790 --> 00:05:29,650
deny everyone else telnetting to the router and allow traffic anywhere else.

68
00:05:29,710 --> 00:05:32,420
Now once again you need to read between the lines carefully.

69
00:05:32,440 --> 00:05:36,310
In this example we are setting up a standard Access Control list.

70
00:05:36,520 --> 00:05:43,300
So the only way to do this is to bind the standard Access Control List on the VTY lines. Remember

71
00:05:43,340 --> 00:05:48,530
that standard IP access lists cannot determine protocol or destination addresses.

72
00:05:48,580 --> 00:05:55,060
So if the example is asking for a standard IP access list to deny or permit telnet, then you know that

73
00:05:55,060 --> 00:06:03,460
you have to bind that access list on the VTY lines. So as an example, I'm going to telnet to the router. In this

74
00:06:03,460 --> 00:06:12,360
case the address is 10.0.0.254. Putting in my username, putting in my password, typing the command show

75
00:06:12,360 --> 00:06:19,890
run | section line will show me what's configured on the lines of this router.

76
00:06:21,460 --> 00:06:27,220
As you can see here there are no access lists on the VTY lines of this router. So then I can do

77
00:06:27,220 --> 00:06:27,990
the following.

78
00:06:28,830 --> 00:06:29,900
access-list.

79
00:06:30,030 --> 00:06:38,630
Let's just pick a number like 10, permit, and notice the IP address is 10.1.1.1.

80
00:06:38,910 --> 00:06:43,860
No one else is allowed to telnet to the router, so permit 10.1.1.1.

81
00:06:44,410 --> 00:06:52,510
And then I can go onto the line vty 0 4 and I need to use the command access-class rather

82
00:06:52,510 --> 00:06:59,430
than access-group. Note that you can specify either standard IP access lists or extended IP access lists.

83
00:07:00,000 --> 00:07:01,520
In early IOS versions

84
00:07:01,560 --> 00:07:06,150
you could only choose standard IP access lists, but these days you can use both

85
00:07:06,360 --> 00:07:08,230
standard and extended ACLs.

86
00:07:08,490 --> 00:07:10,740
So I'm going to choose 10.

87
00:07:10,920 --> 00:07:16,010
And notice I can filter incoming telnet connections or outgoing telnet connections.

88
00:07:16,010 --> 00:07:17,270
So I'm going to specify in,

89
00:07:20,120 --> 00:07:22,070
and I'm going to try and telnet to the router again.

90
00:07:22,100 --> 00:07:25,640
So telnet 10.0.0.254.

91
00:07:25,970 --> 00:07:33,820
And notice the telnet connection does not open because we are denying telnet to the router. Just to prove

92
00:07:33,820 --> 00:07:43,000
that to you, if I remove this access-class and then put it back on again... notice I'm able to telnet and

93
00:07:43,000 --> 00:07:49,720
I can successfully log in. Let's just disconnect, put that access list back again,

94
00:07:51,130 --> 00:07:55,010
try telnet and notice that telnet is denied.

95
00:07:55,350 --> 00:08:02,820
So please don't forget about access lists that can be bound on VTY lines to permit or deny telnet

96
00:08:02,850 --> 00:08:05,600
or SSH access to a router.

97
00:08:05,630 --> 00:08:17,480
Once again show run | section line shows me that I have the access-class 10 bound in on the VTY

98
00:08:17,480 --> 00:08:23,730
lines, so I'm unable to telnet from my PC. Let's have a look at the IP address of my PC.

99
00:08:24,980 --> 00:08:36,510
As you'll see here the IP address is 10.0.0.1, so on the router I type the command no access-list

100
00:08:36,740 --> 00:08:37,750
10.

101
00:08:37,820 --> 00:08:38,660
Be careful with that

102
00:08:38,660 --> 00:08:39,260
command.

103
00:08:39,320 --> 00:08:45,460
It doesn't just remove a line in the access list, it deletes the entire access list. Typing the command

104
00:08:45,500 --> 00:08:52,040
do show access-list 10 will show me that that access list does not exist.

105
00:08:52,070 --> 00:08:58,780
So I've just deleted the access list entirely. But I could type the command access-list 10 permit

106
00:08:58,910 --> 00:09:02,030
10.0.0.1 and then go on to my line

107
00:09:02,030 --> 00:09:02,880
vty.

108
00:09:02,960 --> 00:09:04,690
Just make sure that it's bound.

109
00:09:04,960 --> 00:09:16,850
So access-class 10 in. Now try telnet; notice that telnet is successful.

110
00:09:17,080 --> 00:09:18,640
So I'm able to telnet to the router.

111
00:09:24,020 --> 00:09:30,550
Now if I type the command do show access-list 10, you can see that there are two matches on the access

112
00:09:30,550 --> 00:09:35,590
list. Let me telnet again, do the show command.

113
00:09:35,600 --> 00:09:38,570
Notice the matches are increasing.

114
00:09:38,580 --> 00:09:43,290
Can I still telnet to the router if I delete this access list? So I'm going to type the command no access

115
00:09:43,290 --> 00:09:43,920
list

116
00:09:45,440 --> 00:09:48,550
10. Do the show command.

117
00:09:48,730 --> 00:09:51,090
And as you can see the access list has been removed.

118
00:09:52,540 --> 00:09:56,000
I'll disconnect my telnet session and let me see if I can telnet again.

119
00:09:56,380 --> 00:10:06,980
And as you can see, I can get in. show run | section line

120
00:10:10,090 --> 00:10:14,900
shows me that the access list is still bound and this is a big gotcha.

121
00:10:14,900 --> 00:10:17,880
This also applies to access lists bound on interfaces.

122
00:10:18,020 --> 00:10:22,130
You can bind a nonexistent access list on an interface.

123
00:10:22,130 --> 00:10:28,310
It's very dangerous because if someone later on created that access list and, let's say, inadvertently

124
00:10:28,310 --> 00:10:33,980
configured it for something else that access list would immediately become active and traffic would

125
00:10:33,980 --> 00:10:39,280
be denied or permitted unexpectedly as per the new access list.

126
00:10:39,290 --> 00:10:46,350
So let's say we permitted 10.1.2.1 or something like that. Now suddenly, by telnetting back to

127
00:10:46,350 --> 00:10:51,020
the router, notice that the telnet session is denied.

128
00:10:51,020 --> 00:10:56,540
Be very careful with your access lists: create them, then bind them.

129
00:10:56,540 --> 00:10:59,920
If you delete them remove them from the bindings.

130
00:10:59,930 --> 00:11:04,190
In other words, remove them from the VTY lines or from the interfaces.

131
00:11:04,430 --> 00:11:11,540
Do not allow non-existent access lists to be bound to interfaces and do not allow access lists just

132
00:11:11,540 --> 00:11:15,440
to exist in a configuration not being bound anywhere.

133
00:11:17,200 --> 00:11:23,050
Just a reminder again about remarks. Remarks allow us to add descriptions to access control lists so

134
00:11:23,050 --> 00:11:28,610
that they are easier to understand. The problem with access lists is that they can get fairly complicated.

135
00:11:28,610 --> 00:11:34,330
If you have a 10 line or 20 line ACL the last thing you want to do is decipher what the access list

136
00:11:34,330 --> 00:11:35,640
is intended to do.

137
00:11:35,860 --> 00:11:39,750
So adding remarks can make it a lot easier to follow and understand.

138
00:11:40,030 --> 00:11:48,300
Typing the command show access-list on this router shows me the access lists configured at the moment.

139
00:11:48,420 --> 00:11:55,080
You can see there are access lists with various lines but they in themselves don't mean much other than

140
00:11:55,080 --> 00:11:55,750
doing that.

141
00:11:55,770 --> 00:12:03,890
Let's create an access list: access-list 5 permit, say for instance, 10.1.2.1.

142
00:12:04,300 --> 00:12:12,970
But now what you can do is you can say access-list 5 remark, and now you can put in a remark up to 100 characters,

143
00:12:13,440 --> 00:12:14,140
so something like

144
00:12:14,150 --> 00:12:14,690
Permit

145
00:12:17,760 --> 00:12:28,890
to permit the boss access to Exchange server, or whatever you decide. Now typing the command show access

146
00:12:28,910 --> 00:12:29,360
list

147
00:12:33,220 --> 00:12:35,650
doesn't show that remark, but notice if I do the

148
00:12:35,660 --> 00:12:37,240
command show run

149
00:12:37,270 --> 00:12:42,060
| include access-list,

150
00:12:42,080 --> 00:12:49,070
Notice the remark is displayed in the access list which makes it a lot easier to see what's going on.

151
00:12:49,100 --> 00:12:53,840
I could create another line in that access list, access-list 5 permit,

152
00:12:57,570 --> 00:12:59,050
and then I could create another remark

153
00:13:08,100 --> 00:13:09,140
something like this.

154
00:13:10,030 --> 00:13:13,250
and now typing the same command again, show run | include access-list,

155
00:13:17,420 --> 00:13:21,560
allows me to see each line in the access list and its relevant remark.

156
00:13:21,740 --> 00:13:28,960
thus making it a lot easier to understand what's going on. Some guidelines regarding access lists.

157
00:13:28,970 --> 00:13:33,170
Firstly, the type of access list indicates what can be filtered.

158
00:13:33,220 --> 00:13:40,950
In other words, a standard access list can only filter on source IP addresses or networks, and extended IP access

159
00:13:40,950 --> 00:13:46,990
lists can filter on both source and destination addresses, source and destination port numbers and various

160
00:13:46,990 --> 00:13:53,070
other options relating to IP protocols so extended access lists tend to be a lot more powerful.

161
00:13:53,110 --> 00:13:56,290
The order of processing is also of great importance.

162
00:13:56,290 --> 00:13:59,710
You should place your more specific statements first.

163
00:13:59,710 --> 00:14:07,320
If your first statement was permit any and your second statement was deny host 10.1.1.1, that second

164
00:14:07,320 --> 00:14:12,190
deny statement would be irrelevant because of your first statement saying permit any.

165
00:14:12,460 --> 00:14:15,610
Remember, access control lists are processed top down.

166
00:14:15,610 --> 00:14:19,360
If there's a match on a line all subsequent lines are ignored.

167
00:14:19,360 --> 00:14:26,050
So a permit any would be matched and all traffic, including traffic from host 10.1.1.1, would be

168
00:14:26,050 --> 00:14:31,270
permitted, and the second line denying host 10.1.1.1 would be ignored.

169
00:14:31,270 --> 00:14:37,300
Don't forget that there's an implicit deny all at the end of every Access Control list. Unless you explicitly

170
00:14:37,300 --> 00:14:40,540
permit something it's going to be denied.

171
00:14:40,540 --> 00:14:46,920
Only one access list can be bound per interface, per direction, per protocol.

172
00:14:46,930 --> 00:14:54,790
In other words an IP version 4 ACL can be bound either in or out on a per interface basis.

173
00:14:54,790 --> 00:15:01,120
You cannot have two IP version 4 access lists inbound on the same interface, but you can have one in

174
00:15:01,120 --> 00:15:02,570
and one out.

175
00:15:02,590 --> 00:15:08,890
As I've already demonstrated, if you try to bind two IP access lists inbound on the same interface, the second

176
00:15:08,890 --> 00:15:10,810
one will just replace the first one.

177
00:15:12,320 --> 00:15:14,530
So where should you place your access lists.

178
00:15:14,570 --> 00:15:21,140
Now the best practice from Cisco is to place standard ACLs as close to the destination as possible,

179
00:15:21,380 --> 00:15:24,820
and the reason for this is that you cannot match specific protocols.

180
00:15:24,950 --> 00:15:31,430
Now in the real world most ACL implementations will be using extended IP access lists because of the

181
00:15:31,430 --> 00:15:37,460
fact that you can filter based on both source and destination IP address as well as source and destination

182
00:15:37,460 --> 00:15:38,730
ports and so forth.

183
00:15:39,110 --> 00:15:44,850
Whereas with IP standard access control lists you can only filter based on the source address.

184
00:15:44,900 --> 00:15:52,910
So in this example, if you didn't want 10.1.1.1 to connect to this server 10.1.2.1, you could bind a

185
00:15:52,910 --> 00:16:00,890
standard IP access list either inbound on R1, or outbound on R1, or inbound on R2, or outbound

186
00:16:00,890 --> 00:16:02,600
on R2.

187
00:16:02,720 --> 00:16:11,030
If you decided to bind an access list denying this host inbound on R1, you would not only deny

188
00:16:11,030 --> 00:16:18,200
10.1.1.1 access to the server, but you would also deny the host access to all other parts of the network

189
00:16:18,680 --> 00:16:25,580
because you cannot specify a destination but only a source. If you bound an access list inbound on R1

190
00:16:25,670 --> 00:16:28,090
denying host 10.1.1.1,

191
00:16:28,130 --> 00:16:34,400
you would deny that host access to all parts of the network, so this wouldn't be a good place to bind

192
00:16:34,550 --> 00:16:35,690
that access list.

193
00:16:36,620 --> 00:16:44,000
If you bound the access list outbound on R1 saying deny host 10.1.1.1, the host would be allowed

194
00:16:44,000 --> 00:16:45,810
access to this host.

195
00:16:45,870 --> 00:16:51,050
Once again, 10.1.1.1 would be denied access to this network,

196
00:16:51,050 --> 00:16:57,350
this network, as well as this network, because once again you can only deny on the source address with

197
00:16:57,350 --> 00:17:02,840
a standard IP access list, not on the destination or port numbers.

198
00:17:02,840 --> 00:17:08,750
If you decided to bind the access list inbound on R2, the host 10.1.1.1 would have access to

199
00:17:08,750 --> 00:17:14,870
this network as well as this network, but it wouldn't have access to this network or this network, so

200
00:17:14,870 --> 00:17:16,250
that wouldn't work either.

201
00:17:17,090 --> 00:17:23,600
And lastly, if you decided to bind the access list outbound on R2, that would be the optimum place to

202
00:17:23,600 --> 00:17:30,830
put the access list, because you would be denying host 10.1.1.1 access to the server, but you wouldn't

203
00:17:30,830 --> 00:17:36,110
be denying that host access to any other part of the network, and thus you would accomplish what you

204
00:17:36,110 --> 00:17:37,600
set out to do.

205
00:17:38,090 --> 00:17:44,300
However with the extended IP access lists the recommendation is to place the access list as close to

206
00:17:44,300 --> 00:17:45,920
the source as possible.

207
00:17:45,920 --> 00:17:51,450
The reason for this is that you can match specific protocols and specific destination addresses.

208
00:17:51,500 --> 00:17:59,840
So if you bound an access list inbound on R1, you could say deny this host 10.1.1.1 access to this

209
00:17:59,840 --> 00:18:01,960
host 10.1.2.1,

210
00:18:02,330 --> 00:18:09,050
but permit this host access to any other part of the network, and thus you would accomplish what you

211
00:18:09,050 --> 00:18:10,250
set out to do.

212
00:18:10,400 --> 00:18:15,590
And this example would be a lot more efficient than the previous example because you would be denying

213
00:18:15,620 --> 00:18:22,150
traffic at this point rather than routing it all the way across the network to R2 just to be dropped.

214
00:18:22,370 --> 00:18:28,640
So extended IP access lists are a lot more flexible and a lot more efficient and thus tend to be

215
00:18:28,640 --> 00:18:30,530
used more in the real world.
