All language subtitles for Free-CCNA-Extended-ACLs-Day-35-CCNA-200-301-Complete-Course_en

1 00:00:01,280 --> 00:00:07,760 Welcome to Jeremy’s IT Lab. This is a free,
2 00:00:07,759 --> 00:00:13,599 videos, please subscribe to follow along with the
3 00:00:13,599 --> 00:00:17,519 and share the video to help spread this
4 00:00:18,800 --> 00:00:25,600 In this video we will cover extended ACLs, access
5 00:00:25,600 --> 00:00:31,280 about the purpose of ACLs, how they work, how
6 00:00:31,280 --> 00:00:37,359 for extended ACLs. The only difference is that
7 00:00:37,359 --> 00:00:42,000 than standard ACLs, which can only match
8 00:00:43,280 --> 00:00:48,079 As a reminder, ACLs are topic
9 00:00:48,079 --> 00:00:54,239 which states that you must be able to configure
10 00:00:54,240 --> 00:00:59,120 you’ll know everything you need to know to
11 00:01:00,799 --> 00:01:05,200 Here’s what we’ll cover in today’s video.
12 00:01:05,200 --> 00:01:10,079 configure numbered ACLs. This applies
13 00:01:11,040 --> 00:01:15,360 Then I’ll show you how to edit ACLs, in
14 00:01:15,359 --> 00:01:21,280 entries in a specific order. Finally I’ll
15 00:01:22,239 --> 00:01:26,560 Although the commands are a little longer
16 00:01:26,560 --> 00:01:30,480 the configuration method in general
17 00:01:31,680 --> 00:01:37,280 As always, watch until the end of the quiz for
18 00:01:37,280 --> 00:01:44,239 Software. Boson ExSim simulates the difficulty
19 00:01:44,239 --> 00:01:49,839 other practice exams. If you want to get Boson
20 00:01:51,760 --> 00:01:56,800 Let’s get started. In day 34 you learned that
21 00:01:56,799 --> 00:02:03,759 mode. For example, here’s a simple ACL denying
22 00:02:04,640 --> 00:02:09,840 The entries of ACL 1 are configured directly from
23 00:02:10,960 --> 00:02:15,280 You also learned that named ACLs are configured
24 00:02:16,080 --> 00:02:18,960 Here’s the same ACL, configured as a named ACL.
25 00:02:19,919 --> 00:02:25,599 The IP ACCESS-LIST STANDARD command is used
26 00:02:25,599 --> 00:02:30,242 and then subcommands within that mode
27 00:02:31,680 --> 00:02:37,520 However, in modern Cisco IOS you can also
28 00:02:37,520 --> 00:02:43,280 named ACLs. Here’s a numbered ACL, configured
29 00:02:44,159 --> 00:02:48,079 Be aware that this is just a different
30 00:02:48,080 --> 00:02:52,000 but if you check the ACL in the running
31 00:02:52,000 --> 00:02:56,000 was configured using the traditional
32 00:02:57,520 --> 00:03:03,200 Let me demonstrate. From global config
33 00:03:03,199 --> 00:03:08,799 then checked the options. Notice that both
34 00:03:10,000 --> 00:03:15,919 So, I configured ACL 1 using the named ACL
35 00:03:15,919 --> 00:03:22,399 1 and then the two separate entries. However,
36 00:03:22,400 --> 00:03:26,879 as if I configured it using the traditional
37 00:03:26,879 --> 00:03:32,799 from global config mode. If it ends up being
38 00:03:32,800 --> 00:03:38,080 it in named ACL config mode? Well, there are
39 00:03:39,439 --> 00:03:44,879 Let me show you those advantages. First, you
40 00:03:44,879 --> 00:03:51,759 the command NO, followed by the entry number.
41 00:03:51,759 --> 00:03:57,599 ACCESS-LISTS, and you can see an ACL that I have
42 00:03:57,599 --> 00:04:03,599 numbers 10, 20, 30, and 40. These are the default
43 00:04:03,599 --> 00:04:09,439 by 10, but remember that in named ACL config mode
44 00:04:10,879 --> 00:04:15,840 Okay, then I used the command NO 30
45 00:04:16,879 --> 00:04:21,360 Then I checked the ACL again, and now you
46 00:04:21,920 --> 00:04:27,120 This is very convenient for editing
47 00:04:27,120 --> 00:04:30,560 using the traditional numbered ACL
48 00:04:31,759 --> 00:04:38,000 Let’s see how it works. Here’s the same ACL,
49 00:04:38,000 --> 00:04:44,079 out in the running-config. Then I tried to delete
50 00:04:44,079 --> 00:04:54,879 by using NO in front of the command. NO
51 00:04:54,879 --> 00:05:01,360 did that delete that entry? I checked with SHOW
52 00:05:01,360 --> 00:05:07,199 sure I checked the running-config, but again
53 00:05:07,199 --> 00:05:12,959 but I didn’t just delete that entry. I deleted
54 00:05:12,959 --> 00:05:18,319 numbered ACLs from global config mode, you can’t
55 00:05:18,319 --> 00:05:24,480 the entire ACL. So, if you want to edit it you
56 00:05:25,360 --> 00:05:32,160 If an ACL has many entries, this is obviously not
57 00:05:32,160 --> 00:05:38,160 definitely should use named ACL config mode. Note
58 00:05:38,160 --> 00:05:44,480 ACL in global config mode, and then just use named
59 00:05:45,839 --> 00:05:49,679 Okay, so that’s the first advantage
60 00:05:49,680 --> 00:05:54,639 even if you’re configuring numbered ACLs.
61 00:05:54,639 --> 00:06:00,560 followed by the entry number. Here’s another
62 00:06:00,560 --> 00:06:06,879 other entries by specifying the sequence number.
63 00:06:06,879 --> 00:06:12,079 you can’t specify the sequence number. The
64 00:06:12,079 --> 00:06:16,800 and the sequence number is automatically set to 10
65 00:06:18,000 --> 00:06:22,959 However from named ACL config mode you can
66 00:06:22,959 --> 00:06:29,519 new entries in the middle of an ACL. Let’s
67 00:06:29,519 --> 00:06:34,719 after deleting entry 30. Let’s configure
68 00:06:35,680 --> 00:06:45,120 So, I used 30 DENY 192.168.2.0 0.0.0.255 to create
69 00:06:45,839 --> 00:06:51,519 Then I checked the ACL, and you can see the new
70 00:06:51,519 --> 00:06:57,120 and it has the sequence number of 30 that I
71 00:06:57,120 --> 00:07:01,120 and notice as I showed you before that it
72 00:07:01,120 --> 00:07:07,600 in global config mode, and the new entry was
73 00:07:07,600 --> 00:07:13,360 those are a couple advantages of using named ACL
74 00:07:15,360 --> 00:07:18,319 Let me show you one more
75 00:07:19,120 --> 00:07:22,399 There is a resequencing
76 00:07:23,439 --> 00:07:30,319 The command is IP ACCESS-LIST RESEQUENCE, followed
77 00:07:30,319 --> 00:07:34,879 and then the starting sequence number and the
78 00:07:34,879 --> 00:07:39,839 sequence numbers. Okay, that might be hard to
79 00:07:41,120 --> 00:07:46,879 Here’s an ACL, but notice the sequence numbers. It
80 00:07:46,879 --> 00:07:55,120 the entries 1, 2, 3, 4, and 5. Note that the
81 00:07:55,120 --> 00:08:01,759 just because of what I explained in the previous
82 00:08:02,879 --> 00:08:08,079 So, what’s bad about these entry numbers? Well,
83 00:08:08,079 --> 00:08:13,439 the other entries. For example, maybe you want to
84 00:08:14,240 --> 00:08:17,759 However, it’s impossible because there
85 00:08:18,959 --> 00:08:26,319 Let’s use the resequence command to fix this.
86 00:08:26,319 --> 00:08:32,639 10 10. 1 is the ACL number, what
87 00:08:32,639 --> 00:08:38,080 is the starting sequence number. It means, change
88 00:08:39,120 --> 00:08:44,560 How about the second 10 of the command?
89 00:08:44,559 --> 00:08:50,319 every entry after that, after the first
90 00:08:50,960 --> 00:08:58,400 and the ACL has been resequenced. Note that the
91 00:08:59,120 --> 00:09:07,279 then DENY 3.1, then DENY 2.1, then DENY 4.1, and
92 00:09:07,279 --> 00:09:12,399 have been changed, starting at 10 for the top
93 00:09:13,200 --> 00:09:18,800 That’s how ACL resequencing works. Now it’s simple
94 00:09:19,919 --> 00:09:25,199 Note that this command is done from global config
95 00:09:25,200 --> 00:09:28,320 standard and extended ACLs, so all ACLs.
96 00:09:30,720 --> 00:09:37,120 Okay, let’s get to the main part of this
97 00:09:37,120 --> 00:09:42,639 mostly the same as standard ACLs. They can be
98 00:09:43,919 --> 00:09:47,839 If you configure an extended numbered
99 00:09:48,559 --> 00:09:56,079 100 to 199, and 2000 to 2699. You definitely
100 00:09:56,879 --> 00:10:04,159 Make sure you know the standard ACL ranges
101 00:10:05,600 --> 00:10:09,600 Extended ACLs are processed from top
102 00:10:10,399 --> 00:10:15,199 However, here’s the big difference. They
103 00:10:15,200 --> 00:10:19,120 so they are more precise, and
104 00:10:20,399 --> 00:10:24,879 You can really specify exactly what traffic
105 00:10:24,879 --> 00:10:30,480 to permit, specific kinds of traffic from
106 00:10:31,600 --> 00:10:35,680 For the purpose of this video, we will
107 00:10:36,399 --> 00:10:43,360 Layer 4 protocol and port number, source IP
108 00:10:43,360 --> 00:10:49,519 an extended numbered ACL entry from global config
109 00:10:50,559 --> 00:10:57,839 Make sure this number is in one of the ranges
110 00:10:57,840 --> 00:11:04,879 PERMIT or DENY. After that you can specify the
111 00:11:04,879 --> 00:11:11,279 IP address and the destination IP address.
112 00:11:12,000 --> 00:11:18,879 It starts with IP ACCESS-LIST EXTENDED, and then
113 00:11:18,879 --> 00:11:23,039 extended numbered ACLs can also be
114 00:11:24,000 --> 00:11:29,279 Once you’re in extended named ACL config mode,
115 00:11:29,279 --> 00:11:35,360 the protocol, source and destination, etc. Because
116 00:11:35,360 --> 00:11:41,919 and named ACL configuration, I will just focus on
117 00:11:41,919 --> 00:11:46,159 Just don’t forget that you can configure extended
118 00:11:47,360 --> 00:11:52,240 Now, as I wrote above, extended ACLs are
119 00:11:52,879 --> 00:11:56,879 There are lots of different variations and
120 00:11:56,879 --> 00:12:02,720 the access list entries. I’ll just show you some
121 00:12:02,720 --> 00:12:08,720 but I won’t explore every possible option that can
122 00:12:08,720 --> 00:12:12,560 try it out in a lab and use the question
123 00:12:14,559 --> 00:12:20,879 First I’ll explain how extended ACLs can match
124 00:12:20,879 --> 00:12:26,960 config mode, I entered DENY and used the question
125 00:12:28,000 --> 00:12:32,159 First up, you can use an IP protocol
126 00:12:32,720 --> 00:12:38,720 Think back to Day 10 of this course, about the
127 00:12:38,720 --> 00:12:44,879 identifies the protocol that is encapsulated
128 00:12:45,840 --> 00:12:49,920 So, you can identify the protocol by
129 00:12:50,879 --> 00:12:56,960 Or, you can use the name of the protocol, options
130 00:12:56,960 --> 00:13:01,680 since it’s easier to remember, but if you want to
131 00:13:02,799 --> 00:13:11,519 IP protocol number 1 is ICMP, 6 is TCP,
132 00:13:12,240 --> 00:13:17,039 I briefly mentioned some of these earlier in
133 00:13:17,039 --> 00:13:22,159 they might come up somewhere on the exam. But
134 00:13:22,159 --> 00:13:30,959 name in ACLs. Here you can see EIGRP, ICMP,
135 00:13:30,960 --> 00:13:37,200 to block OSPF messages on an interface, for
136 00:13:38,320 --> 00:13:44,240 However, for this lesson we are going to focus
137 00:13:44,879 --> 00:13:52,799 That is IP itself. If you use the IP option,
138 00:13:52,799 --> 00:13:58,799 when we don’t care about the protocol, we just
139 00:13:58,799 --> 00:14:04,479 if you want to put a ‘permit any’ statement at the
140 00:14:06,320 --> 00:14:11,920 Now let’s see how to add the source and
141 00:14:11,919 --> 00:14:18,799 I selected TCP as the protocol. So, any IP packets
142 00:14:18,799 --> 00:14:24,559 the entry. However, we still have to specify the
143 00:14:25,679 --> 00:14:32,399 Note that, in extended ACLs to specify a /32
144 00:14:32,399 --> 00:14:37,759 option or specify the wildcard mask. You can’t
145 00:14:38,720 --> 00:14:41,840 In standard ACLs that is possible, but not extended.
146 00:14:43,440 --> 00:14:48,480 Okay, so I decided to use ANY to match all
147 00:14:48,480 --> 00:14:54,000 the destination IP address. There are many more
148 00:14:54,000 --> 00:14:58,879 but I’ll cover that later. So, for the
149 00:14:59,519 --> 00:15:06,799 the destination address, ANY, or HOST to specify
150 00:15:06,799 --> 00:15:15,359 destination 10.0.0.0, and now I have to enter the
151 00:15:15,360 --> 00:15:21,519 and now this entry is complete. So, what is the
152 00:15:21,519 --> 00:15:29,360 that encapsulate a TCP segment, from any source
153 00:15:30,559 --> 00:15:35,439 This is just a single entry, of course, to
154 00:15:35,440 --> 00:15:40,960 more entries after this, but now I want you to
155 00:15:42,799 --> 00:15:47,199 Here are a few practice questions.
156 00:15:47,200 --> 00:15:51,360 just individual entries so you can
157 00:15:52,399 --> 00:15:57,360 If you can, pause the video and try to write out
158 00:15:59,039 --> 00:16:04,319 Okay, let’s check each one, number 1 first.
159 00:16:04,320 --> 00:16:12,400 permits all traffic? The answer is PERMIT IP
160 00:16:12,399 --> 00:16:17,279 and then we can use ANY for both the source
161 00:16:18,080 --> 00:16:25,759 This is like PERMIT ANY in a standard ACL.
162 00:16:26,960 --> 00:16:39,040 from sending UDP traffic to 192.168.1.1/32.
163 00:16:39,600 --> 00:16:46,399 HOST 192.168.1.1. Instead of HOST, another
164 00:16:46,399 --> 00:16:54,720 the end instead, 0.0.0.0. Next let’s
165 00:16:55,919 --> 00:17:03,839 from pinging hosts in 192.168.0.0/24. What
166 00:17:04,880 --> 00:17:12,640 DENY ICMP, that’s the protocol for ping. I
167 00:17:12,640 --> 00:17:20,480 but still make sure you’re aware that ICMP
168 00:17:20,480 --> 00:17:29,120 192.168.0.0 0.0.0.255. Again, instead of
169 00:17:30,799 --> 00:17:34,639 Okay, we’ll do some more practice later
170 00:17:36,799 --> 00:17:43,519 So let’s talk about matching TCP and UDP port
171 00:17:43,519 --> 00:17:49,680 protocol to match, you can optionally specify the
172 00:17:50,559 --> 00:17:55,279 This is optional, if you just specify
173 00:17:55,279 --> 00:18:00,000 all port numbers will be matched. So, here’s
174 00:18:00,000 --> 00:18:06,640 numbers. I chose ‘DENY TCP’, but of course this
175 00:18:08,000 --> 00:18:13,200 If you want to specify the source TCP or
176 00:18:13,200 --> 00:18:19,279 IP address and wildcard mask like this. EQ,
177 00:18:20,079 --> 00:18:26,079 For example, EQ 80 means equal to port
178 00:18:27,039 --> 00:18:33,680 Another option is GT, greater than. For example
179 00:18:33,680 --> 00:18:41,680 so 81 and up. There is also LT, less than.
180 00:18:41,680 --> 00:18:49,840 so 79 and below. NEQ is not equal, so for
181 00:18:50,720 --> 00:18:57,920 The final option is RANGE, for example RANGE
182 00:18:58,799 --> 00:19:03,200 After the destination IP address, the same
183 00:19:03,200 --> 00:19:10,400 port number. Although you should know these
184 00:19:10,400 --> 00:19:16,560 most common choice is EQ, to match traffic for a
185 00:19:16,559 --> 00:19:23,839 port numbers from Day 30 of the course. If not, I
186 00:19:23,839 --> 00:19:29,599 So, in this example I didn’t specify the host
187 00:19:29,599 --> 00:19:37,839 straight to the destination IP, HOST 1.1.1.1. Then
188 00:19:37,839 --> 00:19:44,319 see the options below. You can enter the specific
189 00:19:44,319 --> 00:19:51,679 such as WWW to match HTTP, which is port 80. Lots
190 00:19:51,680 --> 00:19:58,240 you can use, though, so make sure you learn the
191 00:19:59,440 --> 00:20:05,840 What is the effect of this ACL entry? It denies
192 00:20:07,200 --> 00:20:13,120 TCP port 80. Okay, in the next I’ll have
193 00:20:13,119 --> 00:20:18,479 but let me say one more point. After the
194 00:20:18,480 --> 00:20:22,960 port numbers, there are many more options
195 00:20:23,759 --> 00:20:29,920 These aren’t necessary to learn for the CCNA, but
196 00:20:30,880 --> 00:20:35,760 FIN, to match the TCP FIN flag.
197 00:20:36,799 --> 00:20:45,599 TTL, to match packets with a specific TTL, time to
198 00:20:45,599 --> 00:20:51,679 packets with a specific DSCP, differentiated
199 00:20:53,039 --> 00:20:58,879 Finally, note that if you specify the protocol,
200 00:20:58,880 --> 00:21:05,760 destination port, etc, a packet must match ALL
201 00:21:05,759 --> 00:21:10,879 it matches all except one of the parameters,
202 00:21:11,839 --> 00:21:16,319 So, extended ACLs let you be very specific
203 00:21:18,319 --> 00:21:23,119 Okay, here’s some more practice for writing
204 00:21:23,119 --> 00:21:29,599 pausing the video to try to solve these yourself,
205 00:21:29,599 --> 00:21:39,839 traffic from 10.0.0.0/16 to access the server at
206 00:21:40,400 --> 00:21:47,840 PERMIT TCP, because we need to match HTTPS,
207 00:21:47,839 --> 00:21:56,240 10.0.0.0/16, and we don’t need to specify a source
208 00:21:58,000 --> 00:22:03,599 I used a /32 wildcard mask, but you can
209 00:22:04,559 --> 00:22:13,919 Finally, I used EQ 443 to match only HTTPS, which
210 00:22:13,920 --> 00:22:19,680 number 2. Prevent all hosts from using
211 00:22:20,720 --> 00:22:30,079 from accessing the server at 3.3.3.3/32. And
212 00:22:30,079 --> 00:22:38,720 30000 HOST 3.3.3.3. So, this matches all packets
213 00:22:39,599 --> 00:22:50,000 with a destination of 3.3.3.3. Okay, finally
214 00:22:50,000 --> 00:23:00,240 TCP source port greater than 9999 to access all
215 00:23:01,519 --> 00:23:07,839 Here’s the answer. The protocol is
216 00:23:09,119 --> 00:23:18,879 the source port is anything greater than 9999, the
217 00:23:18,880 --> 00:23:25,440 port is anything except 23. Quite a specific
218 00:23:27,599 --> 00:23:32,639 Okay, let’s return to our network from Day 34
219 00:23:33,680 --> 00:23:41,920 Here are the requirements. Hosts in
220 00:23:43,200 --> 00:23:53,120 Hosts in 192.168.2.0/24 can’t access 10.0.2.0/24.
221 00:23:54,160 --> 00:24:04,480 or 2.0/24 can ping 10.0.1.0/24 or 2.0/24.
222 00:24:04,480 --> 00:24:10,480 requirements, and in this case they will all
223 00:24:10,480 --> 00:24:19,039 configure an ACL for this requirement, hosts in
224 00:24:20,000 --> 00:24:26,160 Here’s the ACL. After entering extended named
225 00:24:26,160 --> 00:24:35,120 matches TCP traffic coming from 192.168.1.0/24.
226 00:24:36,079 --> 00:24:43,119 SRV1, and the destination port is 443, which
227 00:24:44,160 --> 00:24:51,279 Then I used PERMIT IP ANY ANY to allow all other
228 00:24:51,279 --> 00:24:57,039 to apply it to an interface. Which interface
229 00:24:58,319 --> 00:25:03,039 For standard ACLs, the rule is to apply them
230 00:25:03,759 --> 00:25:07,839 Why is that? It’s because standard
231 00:25:07,839 --> 00:25:14,079 they only match the source IP address. So, if you
232 00:25:14,079 --> 00:25:19,439 block more traffic than intended. Because
233 00:25:19,440 --> 00:25:25,759 the rule is the opposite. Extended ACLs should
234 00:25:25,759 --> 00:25:31,119 to limit how far the packets travel in the network
235 00:25:31,119 --> 00:25:36,159 specific, if configured correctly there isn’t much
236 00:25:36,960 --> 00:25:40,799 So, you should apply them close to the
237 00:25:40,799 --> 00:25:47,200 processing packets that will just be dropped.
238 00:25:47,200 --> 00:25:55,440 where is the source? We should apply it inbound on
239 00:25:55,440 --> 00:26:00,799 tries to access SRV1 using HTTPS, the
240 00:26:03,279 --> 00:26:11,440 Next up, let’s fulfill that second requirement,
241 00:26:13,200 --> 00:26:19,039 Again, I’ll create a new ACL on R1. Of course,
242 00:26:19,039 --> 00:26:24,799 and try to write out the ACL yourself. But
243 00:26:25,599 --> 00:26:30,000 Specifying IP as the protocol basically
244 00:26:30,000 --> 00:26:39,680 IP header. Then I simply specified the source,
245 00:26:40,720 --> 00:26:44,480 Finally I added PERMIT IP ANY
246 00:26:45,440 --> 00:26:51,200 So, which interface should this ACL be applied
247 00:26:51,200 --> 00:26:59,120 close to the source as possible. In this case,
248 00:26:59,119 --> 00:27:05,839 ACL inbound on R1’s G0/2 interface. Okay, now
249 00:27:07,119 --> 00:27:16,639 Finally, the third requirement. None of the hosts
250 00:27:16,640 --> 00:27:24,240 or 2.0/24. So, what protocol does ping use? We
251 00:27:24,240 --> 00:27:29,759 to specify each source and destination. Pause the
252 00:27:29,759 --> 00:27:38,160 solution. So, I created three deny entries that
253 00:27:38,720 --> 00:27:47,440 but only one for 192.168.2.0/24. Why is that? It’s
254 00:27:47,440 --> 00:27:55,519 traffic from 192.168.2.0/24 to 10.0.2.0/24,
255 00:27:56,480 --> 00:28:00,000 If you included it, it’s not a problem of
256 00:28:00,000 --> 00:28:06,640 it’s not necessary. At the end of the ACL, I once
257 00:28:07,519 --> 00:28:13,119 Which interface should this ACL be applied to,
258 00:28:13,119 --> 00:28:21,599 in both 192.168.1.0/24 and 2.0/24 from reaching
259 00:28:21,599 --> 00:28:30,159 option is here, outbound on G0/0. This way the
260 00:28:32,640 --> 00:28:34,880 So, here are the three ACLs I just configured.
261 00:28:35,759 --> 00:28:40,319 As I have said before, ACL configuration
262 00:28:40,319 --> 00:28:45,119 only solution that works. Actually, this is
263 00:28:45,839 --> 00:28:50,720 If you want a challenge, try to make a more
264 00:28:50,720 --> 00:28:57,839 fewer entries, and fulfills the requirements. If
265 00:28:58,799 --> 00:29:02,159 Finally, here’s how to check which
266 00:29:02,799 --> 00:29:09,279 The command is SHOW IP INTERFACE, then the
267 00:29:09,279 --> 00:29:14,799 BRIEF, but the regular version of the command
268 00:29:14,799 --> 00:29:20,319 is just part of the output, it’s quite long so I
269 00:29:20,960 --> 00:29:25,039 Here you can see which ACL is applied
270 00:29:25,039 --> 00:29:29,440 or if there is no applied ACL it
271 00:29:29,440 --> 00:29:33,360 you can also check in the running config,
272 00:29:33,359 --> 00:29:39,839 both for the exam and for ‘real-world’ purposes.
273 00:29:42,240 --> 00:29:45,839 Before moving on to the quiz, let’s
274 00:29:46,799 --> 00:29:51,759 First I showed you another way to configure
275 00:29:51,759 --> 00:29:57,920 numbered ACLs in named ACL config mode. What is
276 00:29:58,799 --> 00:30:04,720 Named ACL config mode lets you delete individual
277 00:30:04,720 --> 00:30:10,799 new entries to insert them in the middle of an
278 00:30:10,799 --> 00:30:17,519 ACLs. Extended ACLs are much more powerful than
279 00:30:17,519 --> 00:30:23,200 protocol, source and destination IP addresses,
280 00:30:24,240 --> 00:30:28,480 This makes them more complex to configure, but
281 00:30:28,480 --> 00:30:34,400 with them. Remember to watch until the end of
282 00:30:34,400 --> 00:30:41,360 by Boson Software, the best practice exams for the
283 00:30:43,359 --> 00:30:47,279 Which ACL, when applied outbound on R1’s G0/0,
284 00:30:47,279 --> 00:30:54,160 permits only PC1 to access the TFTP server
285 00:30:54,160 --> 00:30:59,200 100, 101, 102, and 103. Pause the
286 00:31:03,279 --> 00:31:10,879 Okay, the answer is 103. Entry 10 permits
287 00:31:10,880 --> 00:31:15,520 TFTP, on SRV1. Note that,
288 00:31:15,519 --> 00:31:20,879 I actually entered the port number of 69,
289 00:31:22,000 --> 00:31:29,759 Then, entry 20 denies all other hosts from sending
290 00:31:29,759 --> 00:31:36,480 permits all other traffic. ACL 102 is similar, but
291 00:31:36,480 --> 00:31:42,400 SRV1, it specifies the source port, which
292 00:31:44,319 --> 00:31:52,000 What effect will the following command have on
293 00:31:52,000 --> 00:32:02,079 10.0.2.0 0.0.0.255. And here is ACL1. A,
294 00:32:02,880 --> 00:32:09,840 B, ACL 1 will be deleted. C, the command
295 00:32:09,839 --> 00:32:15,599 traffic to 10.0.2.0/24 will be permitted.
296 00:32:19,279 --> 00:32:25,119 The answer is B, ACL 1 will be deleted.
297 00:32:25,119 --> 00:32:30,639 mode does not allow you to delete individual
298 00:32:30,640 --> 00:32:36,880 the NO command, the entire ACL will be deleted.
299 00:32:36,880 --> 00:32:41,440 you’ll need to use named ACL config
300 00:32:43,599 --> 00:32:46,879 Which command was used to resequence ACL 199?
301 00:32:47,680 --> 00:32:54,000 Here’s ACL 199 before being resequenced.
302 00:32:54,000 --> 00:32:59,279 which one was used to resequence ACL 199?
303 00:33:02,079 --> 00:33:11,039 The answer is C, IP ACCESS-LIST RESEQUENCE
304 00:33:11,039 --> 00:33:16,559 you must specify the name, the new sequence number
305 00:33:16,559 --> 00:33:21,039 to increase the sequence number of the
306 00:33:21,039 --> 00:33:26,000 the router to use 5 for the first entry, and
307 00:33:26,720 --> 00:33:38,000 so from 1, 2, 3, 4, and 5 it became 5, 15,
308 00:33:38,000 --> 00:33:43,440 Which of the following ACLs would prevent
309 00:33:44,480 --> 00:33:51,839 Below are ACLs 110 to 113. Pause the
310 00:33:52,960 --> 00:33:59,519 The answer is ACL 112. Its first entry
311 00:34:00,319 --> 00:34:05,839 PERMIT IP ANY ANY is added to allow other
312 00:34:06,480 --> 00:34:11,440 so R1 won’t forward OSPF packets
313 00:34:11,440 --> 00:34:20,639 protocol number 88 from ACLs 111 and 113 is EIGRP,
314 00:34:23,679 --> 00:34:28,960 ACL 150 isn’t having the intended
315 00:34:28,960 --> 00:34:38,079 HTTP and HTTPS traffic from 192.168.1.0/24
316 00:34:38,719 --> 00:34:45,359 Select two. Okay, so you can see ACL 150 and the
317 00:34:46,559 --> 00:34:53,039 A, swap the source and destination IPs.
318 00:34:53,039 --> 00:34:59,039 to the beginning of the ACL. C, apply
319 00:35:00,079 --> 00:35:07,920 D, apply the ACL inbound on G0/0, not G0/1.
320 00:35:08,960 --> 00:35:15,840 Or F, the port numbers should be 88 and 404. Pause
321 00:35:19,119 --> 00:35:24,799 The answers are C and E. The ACL should be
322 00:35:24,800 --> 00:35:33,920 traffic entering the G0/1 interface from the
323 00:35:33,920 --> 00:35:41,680 HTTP and HTTPS both use TCP as their Layer
324 00:35:42,719 --> 00:35:48,079 Okay, that’s all for the quiz. Now let’s do
325 00:35:51,519 --> 00:35:56,320 Okay, here's today's Boson ExSim practice
326 00:35:56,320 --> 00:36:02,400 to the Internet. We have Router1, and three
327 00:36:02,400 --> 00:36:08,880 and a web server. Here's the question. You have
328 00:36:09,599 --> 00:36:14,799 You need to limit access from the Internet
329 00:36:14,800 --> 00:36:20,560 and Music Server2. These two servers should
330 00:36:21,840 --> 00:36:27,600 The web server is not subject to this policy
331 00:36:27,599 --> 00:36:31,920 on the 10.10.10.0/24 subnet should not
332 00:36:32,800 --> 00:36:39,680 You have already issued the access-list 101
333 00:36:39,679 --> 00:36:47,279 applied the access list outbound on the F0/0
334 00:36:48,800 --> 00:36:56,160 permit TCP any host 10.10.10.20, satisfies this
335 00:36:56,159 --> 00:37:00,879 subject to this policy and should not be
336 00:37:00,880 --> 00:37:07,360 fulfilled. So, what requirement do we have
337 00:37:07,360 --> 00:37:12,079 limit access from the Internet to the music
338 00:37:12,079 --> 00:37:18,799 allow only FTP connections from the Internet.
339 00:37:18,800 --> 00:37:25,280 C, and D. So, pause the video, look at these four
340 00:37:29,840 --> 00:37:37,200 Okay, let's check. So, I think the correct answer
341 00:37:37,199 --> 00:37:44,079 FTP connections to Music Server1 and Music
342 00:37:44,079 --> 00:37:52,799 address, so anything from the Internet, so connect
343 00:37:52,800 --> 00:37:59,680 Music Server1 and Music Server2. But it
344 00:38:00,480 --> 00:38:08,559 'equals FTP', so that allows FTP connections
345 00:38:08,559 --> 00:38:14,719 after that on this access list there would be a
346 00:38:14,719 --> 00:38:20,559 So I think that satisfies the requirements. We are
347 00:38:21,199 --> 00:38:27,039 and we are allowing only FTP connections to Music
348 00:38:27,039 --> 00:38:33,279 deny blocks all other traffic. Okay, so let's
349 00:38:34,719 --> 00:38:38,879 And that is correct. So,
350 00:38:39,760 --> 00:38:43,600 You can pause the video here if you want to
351 00:38:44,559 --> 00:38:47,840 As I have said before, this is one of
352 00:38:54,400 --> 00:38:58,480 Okay, so that's the explanation. There
353 00:38:58,480 --> 00:39:02,559 Cisco's official cert guide and some
354 00:39:06,559 --> 00:39:10,960 Okay, that's Boson ExSim for the
355 00:39:10,960 --> 00:39:16,400 follow the link in the video description. These
356 00:39:16,400 --> 00:39:18,880 Once again, follow that link in the video description.
357 00:39:21,519 --> 00:39:23,920 There are supplementary materials for this video.
358 00:39:24,559 --> 00:39:28,000 There is a flashcard deck to
359 00:39:28,000 --> 00:39:31,920 There will also be a packet tracer practice
360 00:39:32,639 --> 00:39:38,159 That will be in the next video. Sign up for my
361 00:39:38,159 --> 00:39:41,839 and I’ll send you all of the flashcards
362 00:39:43,840 --> 00:39:47,920 Before finishing today’s video I want
363 00:39:48,559 --> 00:39:55,519 To join, please click the ‘Join’ button under the
364 00:39:55,519 --> 00:40:00,800 TheGunguy, Njabulo, Benjamin, Tshepiso,
365 00:40:00,800 --> 00:40:07,120 Apogee, Marko, Flodo, Daming, Joshua,
366 00:40:07,119 --> 00:40:13,599 Marek, Velvijaykum, C Mohd, Mark, Yousif, Sidi,
367 00:40:14,639 --> 00:40:18,480 Sorry if I pronounced your name incorrectly,
368 00:40:19,280 --> 00:40:25,840 This is the list of JCNP-level members at the time
369 00:40:25,840 --> 00:40:30,559 you signed up recently and your name isn’t on
370 00:40:33,039 --> 00:40:36,079 Thank you for watching. Please
371 00:40:36,079 --> 00:40:40,799 like the video, leave a comment, and share the
372 00:40:41,920 --> 00:40:47,519 If you want to leave a tip, check the links in the
373 00:40:47,519 --> 00:40:54,079 and accept BAT, or Basic Attention Token, tips
