1
00:00:00,410 --> 00:00:04,020
Now let's implement some examples of extended IP access lists.

2
00:00:04,200 --> 00:00:11,060
In this example we are saying permit HTTP traffic from 10.1.1.1 to 10.1.2.1.

3
00:00:11,070 --> 00:00:18,490
In other words this host should be permitted to talk to the server, but only using HTTP.

4
00:00:18,740 --> 00:00:27,340
We need to deny all other traffic from subnet 10.1.1.0/24 going to the server.

5
00:00:27,350 --> 00:00:33,270
In other words anyone else on the subnet should be denied access to the specific server.

6
00:00:33,440 --> 00:00:38,560
We want to permit all other traffic from the subnet anywhere else.

7
00:00:38,570 --> 00:00:42,890
In other words this host, for example, should be able to connect to this router, be able to connect

8
00:00:42,890 --> 00:00:46,580
to the router, and should be able to send traffic to this MacBook.

9
00:00:46,580 --> 00:00:52,550
Now once again it's very important to look at the direction of the traffic, so the traffic flow is from

10
00:00:52,550 --> 00:00:59,900
left to right. Now as per best practices, an extended IP access list should be placed as close to the

11
00:00:59,900 --> 00:01:01,360
source as possible.

12
00:01:01,610 --> 00:01:04,650
And thus we are going to apply the access list inbound on

13
00:01:04,660 --> 00:01:06,270
FastEthernet 0/0.

14
00:01:06,350 --> 00:01:11,720
The advantage of doing this as well is that the router does not need to process packets unnecessarily

15
00:01:12,040 --> 00:01:14,720
which is just going to be dropped elsewhere in the network.

16
00:01:14,840 --> 00:01:18,700
So we will apply the access list as close to the source as we can.

17
00:01:18,890 --> 00:01:22,410
And the closest interface is FastEthernet 0/0.

18
00:01:22,550 --> 00:01:31,950
So the first statement should permit HTTP traffic from 10.1.1.1 to 10.1.2.1. On the router, going into global

19
00:01:31,950 --> 00:01:33,300
configuration mode.

20
00:01:33,330 --> 00:01:38,880
I can type the command access-list, and notice once again there is a range of numbers.

21
00:01:39,120 --> 00:01:44,910
We are going to choose one in this range, 100 to 199, because we are creating an extended IP access list.

22
00:01:44,910 --> 00:01:54,330
So let's pick 100. Then we're going to say permit, and notice here we can permit multiple protocols.

23
00:01:54,360 --> 00:02:00,200
Now this is where it becomes important knowing what lower-level protocols higher-level protocols like HTTP

24
00:02:00,210 --> 00:02:01,320
use.

25
00:02:01,320 --> 00:02:10,430
So in this example we are looking to permit HTTP. HTTP relies on TCP at layer 4 of the OSI model.

26
00:02:10,560 --> 00:02:16,330
So we are going to specify tcp, and notice we can specify a source.

27
00:02:16,490 --> 00:02:19,150
So I'm going to do it this way.

28
00:02:20,750 --> 00:02:24,290
And notice I can put in my wildcard mask.

29
00:02:24,450 --> 00:02:25,720
So that was the source.

30
00:02:25,740 --> 00:02:28,400
And now we need to specify a destination.

31
00:02:28,710 --> 00:02:33,940
In this case the destination is 10.1.2.1, so doing it another way,

32
00:02:33,940 --> 00:02:42,700
I'm going to specify host 10.1.2.1. Now if I press question mark at the end, it gives me

33
00:02:42,700 --> 00:02:51,010
many options here, including equal, which allows me to match on a specific port number, or greater than,

34
00:02:51,160 --> 00:02:55,040
which allows me to look at port numbers greater than a certain number.

35
00:02:55,450 --> 00:03:00,810
Or less than, which allows me to look at port numbers less than a specific number.

36
00:03:01,030 --> 00:03:05,140
Or range, which allows me to look at port numbers in a specific range.

37
00:03:05,380 --> 00:03:07,370
But in this case we're looking for HTTP.

38
00:03:07,420 --> 00:03:09,650
So I'm going to type in equal.

39
00:03:09,970 --> 00:03:17,680
Press question mark and notice I can enter a specific port number if I know the number, or I can use

40
00:03:17,680 --> 00:03:21,640
the word, and notice the many words here.

41
00:03:21,860 --> 00:03:26,790
But notice, as an example, HTTP uses the word www.

42
00:03:26,990 --> 00:03:31,570
So I could either put in 80 or I could put in www.

43
00:03:31,910 --> 00:03:38,600
Once again notice the dollar sign is just telling me that there's more to the left.

44
00:03:38,600 --> 00:03:44,930
So if I put in the command Ctrl-A, that'll take me to the beginning of the line, or Ctrl-E takes

45
00:03:44,930 --> 00:03:50,090
me to the end of the line. That dollar sign is just telling me that there's more text than what can fit on

46
00:03:50,090 --> 00:03:51,650
the specific output.

47
00:03:51,680 --> 00:03:54,970
So it's just hidden some of the text to make it easier to read.

48
00:03:55,310 --> 00:04:00,890
So I can hit Enter, and that completes the first part of the access list.

49
00:04:00,890 --> 00:04:05,980
Now we have to deny all of the traffic from that specific subnet to the server.

50
00:04:06,890 --> 00:04:15,700
So the command is access-list 100, and in this case specify deny.

51
00:04:15,760 --> 00:04:19,930
Now we have to specify a protocol, so we can just deny everything.

52
00:04:19,930 --> 00:04:30,140
In other words deny all IP. The source is 10.1.1.0; put in the wildcard mask.

53
00:04:30,290 --> 00:04:36,930
The destination is a specific host, which is 10.1.2.1, and press Enter.

54
00:04:37,340 --> 00:04:40,420
So that line denies all other traffic.

55
00:04:40,430 --> 00:04:52,120
So in other words all IP traffic is denied from subnet 10.1.1.0 with the relevant mask going

56
00:04:52,120 --> 00:04:57,620
to host 10.1.2.1, which is what we've got configured here.

57
00:04:57,670 --> 00:05:03,430
So we have successfully created the second part of the access list. The third part is saying permit all

58
00:05:03,460 --> 00:05:17,940
other traffic from the subnet anywhere else, so I could literally just say access-list 100 permit ip, and we're

59
00:05:17,940 --> 00:05:24,920
going to specify that specific subnet, 10.1.1.0 with a mask.

60
00:05:25,030 --> 00:05:26,780
And in this case I can say any.

61
00:05:27,070 --> 00:05:36,300
So any. The last step is to bind the access list on the interface, so ip access-group 100 in.

62
00:05:36,450 --> 00:05:45,520
Now just to show you what we've configured, show access-list shows me in this case that I've got an extended

63
00:05:45,520 --> 00:05:47,110
IP access list.

64
00:05:47,110 --> 00:05:53,600
The first line is permitting TCP from that host 10.1.1.1 to host 10.1.2.1.

65
00:05:53,710 --> 00:06:00,850
Notice that the router has automatically changed the port number into the name description www.

66
00:06:01,420 --> 00:06:08,140
The second line is denying traffic from that subnet to the host 10.1.2.1, and the third line is permitting

67
00:06:08,530 --> 00:06:10,540
traffic from that subnet to anywhere.

68
00:06:11,450 --> 00:06:21,520
show ip interface FastEthernet 0/0 shows me, as an example, that that access list is bound inbound on

69
00:06:21,520 --> 00:06:24,100
FastEthernet 0/0.

70
00:06:24,260 --> 00:06:29,790
So we have accomplished what we set out to do based on those criteria.

71
00:06:29,880 --> 00:06:39,960
In this example we want to permit both HTTP and TFTP traffic from the subnet 10.1.1.0/24 to the

72
00:06:39,960 --> 00:06:40,840
server.

73
00:06:41,130 --> 00:06:49,490
In other words devices on the subnet should be able to open HTTP sessions and TFTP sessions to the server.

74
00:06:49,740 --> 00:06:54,420
We then want to deny all other traffic from the subnet to the server.

75
00:06:54,420 --> 00:07:01,360
In other words we only want to allow HTTP and TFTP traffic to the server and no other traffic.

76
00:07:01,500 --> 00:07:06,490
But we also want to permit all other traffic from the subnet anywhere else.

77
00:07:06,600 --> 00:07:13,200
In other words these devices on the subnet should be able to access this server via HTTP and TFTP, but they

78
00:07:13,200 --> 00:07:16,610
should not be able to use any other protocols to access the server.

79
00:07:16,740 --> 00:07:21,930
But they should be able to connect for instance to this MacBook using any protocol.

80
00:07:21,950 --> 00:07:26,570
So the first thing we need to look at is the direction, and once again the traffic is flowing from the

81
00:07:26,570 --> 00:07:29,290
left hand side to the right hand side.

82
00:07:29,480 --> 00:07:34,720
Once again, as per our best practices, we will apply the access list inbound on

83
00:07:34,730 --> 00:07:40,910
FastEthernet 0/0 on R1, because this is the interface closest to the source of traffic.

84
00:07:42,010 --> 00:07:50,360
So to do that, on our router go into global configuration mode, type access-list, choose a number.

85
00:07:50,360 --> 00:07:54,240
In this case I choose 101 because it's an extended IP access list

86
00:07:54,240 --> 00:08:02,480
and it's the next one available. Choose permit, and in this case the protocol: we are going to

87
00:08:02,480 --> 00:08:08,270
be permitting both HTTP and TFTP from the subnet to the server.

88
00:08:08,300 --> 00:08:20,430
Remember HTTP uses TCP at layer 4 and TFTP uses UDP at layer 4, so specify tcp. The source network is

89
00:08:20,430 --> 00:08:28,500
10.1.1.0, the wildcard mask 0.0.0.255.

90
00:08:28,610 --> 00:08:29,940
So that's our source.

91
00:08:30,040 --> 00:08:32,560
And now we have to specify the destination.

92
00:08:32,560 --> 00:08:34,290
The destination is a host,

93
00:08:34,600 --> 00:08:38,500
10.1.2.1.

94
00:08:38,640 --> 00:08:43,660
And now we can choose either equal, or greater than, less than, or range, and so forth.

95
00:08:43,740 --> 00:08:46,500
In this case we're going to say equal to port 80.

96
00:08:46,500 --> 00:08:56,010
In other words HTTP. The next line would be TFTP, but before we do that let's put a remark in just

97
00:08:56,010 --> 00:08:58,060
to make it easier to understand.

98
00:08:58,440 --> 00:09:08,150
So I'd say remark permit HTTP London site to New York server, for example,

99
00:09:10,950 --> 00:09:13,780
and then we'll say access-list 101

100
00:09:13,880 --> 00:09:15,850
permit.

101
00:09:16,020 --> 00:09:20,610
In this case you have to specify udp, because TFTP uses UDP.

102
00:09:20,760 --> 00:09:21,570
The source

103
00:09:24,860 --> 00:09:28,120
subnet going to the destination.

104
00:09:28,400 --> 00:09:32,270
In this case I'll just change it around just to show you that both options will work.

105
00:09:33,380 --> 00:09:41,360
I can specify the server with a mask, and in this case I'll say equal, and notice now that the protocols

106
00:09:41,360 --> 00:09:50,030
are different because we are using UDP. As an example, you won't see HTTP in this list but you will see

107
00:09:50,700 --> 00:09:58,210
TFTP. The router is clever enough to know which higher-level protocols use UDP or TCP.

108
00:09:58,430 --> 00:10:01,460
And in this example we specified UDP.

109
00:10:01,460 --> 00:10:03,170
So I'm just going to say 69.

110
00:10:03,560 --> 00:10:06,890
Let's also add a remark to make this more descriptive: access-list 101

111
00:10:10,010 --> 00:10:19,880
remark permit TFTP from London site to New York server, for example.

112
00:10:20,130 --> 00:10:26,240
That remark is obviously just for us as humans to know what's going on and has no effect on the router.

113
00:10:27,240 --> 00:10:33,840
So we have permitted HTTP and TFTP traffic from that subnet to the server, and now we are told to deny

114
00:10:33,870 --> 00:10:37,500
all other traffic from the subnet to the server.

115
00:10:38,010 --> 00:10:48,040
So access-list 101 deny, and because this is an IP-based access list we're going to deny ip 10.1.1.0

116
00:10:48,060 --> 00:10:58,960
0.0.0.255, and we're told to only deny traffic from that subnet to the server.

117
00:10:59,050 --> 00:11:03,120
So the destination will be host 10.1.2.1.

118
00:11:03,190 --> 00:11:05,570
So we've met the second criterion.

119
00:11:05,740 --> 00:11:11,270
The last step is to permit all other traffic from the subnet anywhere else.

120
00:11:12,250 --> 00:11:25,240
So we would say access-list 101 permit ip 10.1.1.0 with a mask, to anywhere. The last step is to bind

121
00:11:25,240 --> 00:11:27,180
it on to the interface: interface

122
00:11:27,190 --> 00:11:35,300
FastEthernet 0/0. As per our best practices we're going to bind it inbound on this interface, so ip access-

123
00:11:35,300 --> 00:11:40,380
group 101 in, and that's it.

124
00:11:41,450 --> 00:11:50,540
In this example we want to permit HTTP and TFTP traffic from anywhere to the server 10.1.2.1, but we're

125
00:11:50,540 --> 00:11:53,900
going to deny all other traffic to the server.

126
00:11:53,900 --> 00:11:56,010
So now things are a little bit different.

127
00:11:56,060 --> 00:12:00,610
We are only allowing HTTP and TFTP from anywhere to the server.

128
00:12:00,970 --> 00:12:09,830
So traffic from this host, as well as these hosts, needs to have access to the server, but only HTTP and

129
00:12:09,840 --> 00:12:12,090
TFTP traffic.

130
00:12:12,180 --> 00:12:18,330
If we were asked to only apply a single access list, we would need to apply it outbound on FastEthernet

131
00:12:18,330 --> 00:12:19,490
0/1.

132
00:12:19,890 --> 00:12:25,500
However, if we were given the option to apply multiple access control lists, we would for instance apply

133
00:12:25,500 --> 00:12:34,020
it on FastEthernet 0/1 on R2 as well as Serial 0/0 on R1, which would have the effect that traffic that is going

134
00:12:34,020 --> 00:12:39,960
to be dropped will be dropped sooner and quicker, rather than traversing the WAN link and then being

135
00:12:39,960 --> 00:12:42,520
dropped, as when using this setup.

136
00:12:42,610 --> 00:12:48,870
It's easy to read between the lines and determine what you are being asked to do and what restrictions

137
00:12:48,870 --> 00:12:51,720
have been placed on your solutions.

138
00:12:51,750 --> 00:12:57,180
So on the router, before we go any further, let's see what access lists have been configured, so I can

139
00:12:57,180 --> 00:13:03,810
do the command show run | include access-list, which will just show me the access list part of the

140
00:13:03,810 --> 00:13:06,100
configuration on this router.

141
00:13:07,140 --> 00:13:13,680
As you can see here, we created access-list 3, ACL 4, ACL 5,

142
00:13:17,300 --> 00:13:21,890
extended ACL 100 and extended ACL 101.

143
00:13:22,270 --> 00:13:27,440
Notice it's easier to see what's going on when the remarks or descriptions have been added to the access

144
00:13:27,440 --> 00:13:30,790
list. Going into global configuration mode,

145
00:13:30,890 --> 00:13:37,600
I can type the command access-list 102 permit tcp

146
00:13:37,760 --> 00:13:43,120
any host 10.1.2.1

147
00:13:45,670 --> 00:13:47,770
eq 80.

148
00:13:47,830 --> 00:13:50,790
Once again be very careful what I've just done there.

149
00:13:51,100 --> 00:13:56,030
The statement no access-list 102 would have removed the entire access list.

150
00:13:56,110 --> 00:14:02,490
I'll show you in a moment how you can edit individual lines on an access list. And access-list 102

151
00:14:02,500 --> 00:14:05,830
permit udp

152
00:14:06,100 --> 00:14:16,000
any host 10.1.2.1 eq 69. That will accomplish what we set out to do with this first statement,

153
00:14:16,450 --> 00:14:28,150
and then we need to deny all other traffic to that server, so access-list 102 deny ip any, and don't

154
00:14:28,150 --> 00:14:33,420
forget you have to put the source and destination in. I can... now, that's a mistake.

155
00:14:33,420 --> 00:14:40,230
Now if I do the command do show access-list on R2,

156
00:14:40,620 --> 00:14:49,500
you'll notice these line numbers 10, 20, 30. Later versions of the IOS on the router automatically put

157
00:14:49,630 --> 00:14:56,410
line numbers on each line created, which is great because it allows us to edit individual lines. If I

158
00:14:56,520 --> 00:15:04,160
type the command no access-list 102 deny ip any any to try and remove this last line,

159
00:15:04,210 --> 00:15:06,410
it will remove the entire access list.

160
00:15:06,690 --> 00:15:13,980
So rather than doing that I can do the command ip access-list extended, because this is an extended IP

161
00:15:13,980 --> 00:15:16,590
access list and then I put the number in.

162
00:15:17,130 --> 00:15:27,730
And then I can type no 30 to remove line 30. Typing the command do show access-list 102 will

163
00:15:27,760 --> 00:15:37,610
show you that that last line has been removed, and I could add the line back by saying 30 deny any host

164
00:15:37,680 --> 00:15:40,790
10.1.2.1.

165
00:15:41,000 --> 00:15:48,930
Or rather 30 deny ip any host 10.1.2.1, and now doing a show command

166
00:15:50,760 --> 00:15:57,040
shows me that that line has been added correctly, so that makes life a lot easier.

167
00:15:57,040 --> 00:16:02,590
Rather than having to delete the access list and then recreate it from scratch, or editing it in Notepad,

168
00:16:03,160 --> 00:16:08,710
you could edit it directly on the router. The last step once again would be to bind it on the interface

169
00:16:09,080 --> 00:16:11,470
FastEthernet 0/1 outbound.
