1
00:00:01,280 --> 00:00:07,760
Welcome to Jeremy’s IT Lab. This is a free,
2
00:00:07,759 --> 00:00:13,599
videos, please subscribe to follow along with the
3
00:00:13,599 --> 00:00:17,519
and share the video to help spread this
4
00:00:18,800 --> 00:00:25,600
In this video we will cover extended ACLs, access
5
00:00:25,600 --> 00:00:31,280
about the purpose of ACLs, how they work, how
6
00:00:31,280 --> 00:00:37,359
for extended ACLs. The only difference is that
7
00:00:37,359 --> 00:00:42,000
than standard ACLs, which can only match
8
00:00:43,280 --> 00:00:48,079
As a reminder, ACLs are topic
9
00:00:48,079 --> 00:00:54,239
which states that you must be able to configure
10
00:00:54,240 --> 00:00:59,120
you’ll know everything you need to know to
11
00:01:00,799 --> 00:01:05,200
Here’s what we’ll cover in today’s video.
12
00:01:05,200 --> 00:01:10,079
configure numbered ACLs. This applies
13
00:01:11,040 --> 00:01:15,360
Then I’ll show you how to edit ACLs, in
14
00:01:15,359 --> 00:01:21,280
entries in a specific order. Finally I’ll
15
00:01:22,239 --> 00:01:26,560
Although the commands are a little longer
16
00:01:26,560 --> 00:01:30,480
the configuration method in general
17
00:01:31,680 --> 00:01:37,280
As always, watch until the end of the quiz for
18
00:01:37,280 --> 00:01:44,239
Software. Boson ExSim simulates the difficulty
19
00:01:44,239 --> 00:01:49,839
other practice exams. If you want to get Boson
20
00:01:51,760 --> 00:01:56,800
Let’s get started. In day 34 you learned that
21
00:01:56,799 --> 00:02:03,759
mode. For example, here’s a simple ACL denying
22
00:02:04,640 --> 00:02:09,840
The entries of ACL 1 are configured directly from
23
00:02:10,960 --> 00:02:15,280
You also learned that named ACLs are configured
24
00:02:16,080 --> 00:02:18,960
Here’s the same ACL, configured as a named ACL.
25
00:02:19,919 --> 00:02:25,599
The IP ACCESS-LIST STANDARD command is used
26
00:02:25,599 --> 00:02:30,242
and then subcommands within that mode
27
00:02:31,680 --> 00:02:37,520
However, in modern Cisco IOS you can also
28
00:02:37,520 --> 00:02:43,280
named ACLs. Here’s a numbered ACL, configured
29
00:02:44,159 --> 00:02:48,079
Be aware that this is just a different
30
00:02:48,080 --> 00:02:52,000
but if you check the ACL in the running
31
00:02:52,000 --> 00:02:56,000
was configured using the traditional
32
00:02:57,520 --> 00:03:03,200
Let me demonstrate. From global config
33
00:03:03,199 --> 00:03:08,799
then checked the options. Notice that both
34
00:03:10,000 --> 00:03:15,919
So, I configured ACL 1 using the named ACL
35
00:03:15,919 --> 00:03:22,399
1 and then the two separate entries. However,
36
00:03:22,400 --> 00:03:26,879
as if I configured it using the traditional
37
00:03:26,879 --> 00:03:32,799
from global config mode. If it ends up being
38
00:03:32,800 --> 00:03:38,080
it in named ACL config mode? Well, there are
39
00:03:39,439 --> 00:03:44,879
Let me show you those advantages. First, you
40
00:03:44,879 --> 00:03:51,759
the command NO, followed by the entry number.
41
00:03:51,759 --> 00:03:57,599
ACCESS-LISTS, and you can see an ACL that I have
42
00:03:57,599 --> 00:04:03,599
numbers 10, 20, 30, and 40. These are the default
43
00:04:03,599 --> 00:04:09,439
by 10, but remember that in named ACL config mode
44
00:04:10,879 --> 00:04:15,840
Okay, then I used the command NO 30
45
00:04:16,879 --> 00:04:21,360
Then I checked the ACL again, and now you
46
00:04:21,920 --> 00:04:27,120
This is very convenient for editing
47
00:04:27,120 --> 00:04:30,560
using the traditional numbered ACL
48
00:04:31,759 --> 00:04:38,000
Let’s see how it works. Here’s the same ACL,
49
00:04:38,000 --> 00:04:44,079
out in the running-config. Then I tried to delete
50
00:04:44,079 --> 00:04:54,879
by using NO in front of the command. NO
51
00:04:54,879 --> 00:05:01,360
did that delete that entry? I checked with SHOW
52
00:05:01,360 --> 00:05:07,199
sure I checked the running-config, but again
53
00:05:07,199 --> 00:05:12,959
but I didn’t just delete that entry. I deleted
54
00:05:12,959 --> 00:05:18,319
numbered ACLs from global config mode, you can’t
55
00:05:18,319 --> 00:05:24,480
the entire ACL. So, if you want to edit it you
56
00:05:25,360 --> 00:05:32,160
If an ACL has many entries, this is obviously not
57
00:05:32,160 --> 00:05:38,160
definitely should use named ACL config mode. Note
58
00:05:38,160 --> 00:05:44,480
ACL in global config mode, and then just use named
59
00:05:45,839 --> 00:05:49,679
Okay, so that’s the first advantage
60
00:05:49,680 --> 00:05:54,639
even if you’re configuring numbered ACLs.
61
00:05:54,639 --> 00:06:00,560
followed by the entry number. Here’s another
62
00:06:00,560 --> 00:06:06,879
other entries by specifying the sequence number.
63
00:06:06,879 --> 00:06:12,079
you can’t specify the sequence number. The
64
00:06:12,079 --> 00:06:16,800
and the sequence number is automatically set to 10
65
00:06:18,000 --> 00:06:22,959
However from named ACL config mode you can
66
00:06:22,959 --> 00:06:29,519
new entries in the middle of an ACL. Let’s
67
00:06:29,519 --> 00:06:34,719
after deleting entry 30. Let’s configure
68
00:06:35,680 --> 00:06:45,120
So, I used 30 DENY 192.168.2.0 0.0.0.255 to create
69
00:06:45,839 --> 00:06:51,519
Then I checked the ACL, and you can see the new
70
00:06:51,519 --> 00:06:57,120
and it has the sequence number of 30 that I
71
00:06:57,120 --> 00:07:01,120
and notice as I showed you before that it
72
00:07:01,120 --> 00:07:07,600
in global config mode, and the new entry was
73
00:07:07,600 --> 00:07:13,360
those are a couple advantages of using named ACL
74
00:07:15,360 --> 00:07:18,319
Let me show you one more
75
00:07:19,120 --> 00:07:22,399
There is a resequencing
76
00:07:23,439 --> 00:07:30,319
The command is IP ACCESS-LIST RESEQUENCE, followed
77
00:07:30,319 --> 00:07:34,879
and then the starting sequence number and the
78
00:07:34,879 --> 00:07:39,839
sequence numbers. Okay, that might be hard to
79
00:07:41,120 --> 00:07:46,879
Here’s an ACL, but notice the sequence numbers. It
80
00:07:46,879 --> 00:07:55,120
the entries 1, 2, 3, 4, and 5. Note that the
81
00:07:55,120 --> 00:08:01,759
just because of what I explained in the previous
82
00:08:02,879 --> 00:08:08,079
So, what’s bad about these entry numbers? Well,
83
00:08:08,079 --> 00:08:13,439
the other entries. For example, maybe you want to
84
00:08:14,240 --> 00:08:17,759
However, it’s impossible because there
85
00:08:18,959 --> 00:08:26,319
Let’s use the resequence command to fix this.
86
00:08:26,319 --> 00:08:32,639
10 10. 1 is the ACL number, what
87
00:08:32,639 --> 00:08:38,080
is the starting sequence number. It means, change
88
00:08:39,120 --> 00:08:44,560
How about the second 10 of the command?
89
00:08:44,559 --> 00:08:50,319
every entry after that, after the first
90
00:08:50,960 --> 00:08:58,400
and the ACL has been resequenced. Note that the
91
00:08:59,120 --> 00:09:07,279
then DENY 3.1, then DENY 2.1, then DENY 4.1, and
92
00:09:07,279 --> 00:09:12,399
have been changed, starting at 10 for the top
93
00:09:13,200 --> 00:09:18,800
That’s how ACL resequencing works. Now it’s simple
94
00:09:19,919 --> 00:09:25,199
Note that this command is done from global config
95
00:09:25,200 --> 00:09:28,320
standard and extended ACLs, so all ACLs.
96
00:09:30,720 --> 00:09:37,120
Okay, let’s get to the main part of this
97
00:09:37,120 --> 00:09:42,639
mostly the same as standard ACLs. They can be
98
00:09:43,919 --> 00:09:47,839
If you configure an extended numbered
99
00:09:48,559 --> 00:09:56,079
100 to 199, and 2000 to 2699. You definitely
100
00:09:56,879 --> 00:10:04,159
Make sure you know the standard ACL ranges
101
00:10:05,600 --> 00:10:09,600
Extended ACLs are processed from top
102
00:10:10,399 --> 00:10:15,199
However, here’s the big difference. They
103
00:10:15,200 --> 00:10:19,120
so they are more precise, and
104
00:10:20,399 --> 00:10:24,879
You can really specify exactly what traffic
105
00:10:24,879 --> 00:10:30,480
to permit, specific kinds of traffic from
106
00:10:31,600 --> 00:10:35,680
For the purpose of this video, we will
107
00:10:36,399 --> 00:10:43,360
Layer 4 protocol and port number, source IP
108
00:10:43,360 --> 00:10:49,519
an extended numbered ACL entry from global config
109
00:10:50,559 --> 00:10:57,839
Make sure this number is in one of the ranges
110
00:10:57,840 --> 00:11:04,879
PERMIT or DENY. After that you can specify the
111
00:11:04,879 --> 00:11:11,279
IP address and the destination IP address.
112
00:11:12,000 --> 00:11:18,879
It starts with IP ACCESS-LIST EXTENDED, and then
113
00:11:18,879 --> 00:11:23,039
extended numbered ACLs can also be
114
00:11:24,000 --> 00:11:29,279
Once you’re in extended named ACL config mode,
115
00:11:29,279 --> 00:11:35,360
the protocol, source and destination, etc. Because
116
00:11:35,360 --> 00:11:41,919
and named ACL configuration, I will just focus on
117
00:11:41,919 --> 00:11:46,159
Just don’t forget that you can configure extended
118
00:11:47,360 --> 00:11:52,240
Now, as I wrote above, extended ACLs are
119
00:11:52,879 --> 00:11:56,879
There are lots of different variations and
120
00:11:56,879 --> 00:12:02,720
the access list entries. I’ll just show you some
121
00:12:02,720 --> 00:12:08,720
but I won’t explore every possible option that can
122
00:12:08,720 --> 00:12:12,560
try it out in a lab and use the question
123
00:12:14,559 --> 00:12:20,879
First I’ll explain how extended ACLs can match
124
00:12:20,879 --> 00:12:26,960
config mode, I entered DENY and used the question
125
00:12:28,000 --> 00:12:32,159
First up, you can use an IP protocol
126
00:12:32,720 --> 00:12:38,720
Think back to Day 10 of this course, about the
127
00:12:38,720 --> 00:12:44,879
identifies the protocol that is encapsulated
128
00:12:45,840 --> 00:12:49,920
So, you can identify the protocol by
129
00:12:50,879 --> 00:12:56,960
Or, you can use the name of the protocol, options
130
00:12:56,960 --> 00:13:01,680
since it’s easier to remember, but if you want to
131
00:13:02,799 --> 00:13:11,519
IP protocol number 1 is ICMP, 6 is TCP,
132
00:13:12,240 --> 00:13:17,039
I briefly mentioned some of these earlier in
133
00:13:17,039 --> 00:13:22,159
they might come up somewhere on the exam. But
134
00:13:22,159 --> 00:13:30,959
name in ACLs. Here you can see EIGRP, ICMP,
135
00:13:30,960 --> 00:13:37,200
to block OSPF messages on an interface, for
136
00:13:38,320 --> 00:13:44,240
However, for this lesson we are going to focus
137
00:13:44,879 --> 00:13:52,799
That is IP itself. If you use the IP option,
138
00:13:52,799 --> 00:13:58,799
when we don’t care about the protocol, we just
139
00:13:58,799 --> 00:14:04,479
if you want to put a ‘permit any’ statement at the
140
00:14:06,320 --> 00:14:11,920
Now let’s see how to add the source and
141
00:14:11,919 --> 00:14:18,799
I selected TCP as the protocol. So, any IP packets
142
00:14:18,799 --> 00:14:24,559
the entry. However, we still have to specify the
143
00:14:25,679 --> 00:14:32,399
Note that, in extended ACLs to specify a /32
144
00:14:32,399 --> 00:14:37,759
option or specify the wildcard mask. You can’t
145
00:14:38,720 --> 00:14:41,840
In standard ACLs that is possible, but not extended.
146
00:14:43,440 --> 00:14:48,480
Okay, so I decided to use ANY to match all
147
00:14:48,480 --> 00:14:54,000
the destination IP address. There are many more
148
00:14:54,000 --> 00:14:58,879
but I’ll cover that later. So, for the
149
00:14:59,519 --> 00:15:06,799
the destination address, ANY, or HOST to specify
150
00:15:06,799 --> 00:15:15,359
destination 10.0.0.0, and now I have to enter the
151
00:15:15,360 --> 00:15:21,519
and now this entry is complete. So, what is the
152
00:15:21,519 --> 00:15:29,360
that encapsulate a TCP segment, from any source
153
00:15:30,559 --> 00:15:35,439
This is just a single entry, of course, to
154
00:15:35,440 --> 00:15:40,960
more entries after this, but now I want you to
155
00:15:42,799 --> 00:15:47,199
Here are a few practice questions.
156
00:15:47,200 --> 00:15:51,360
just individual entries so you can
157
00:15:52,399 --> 00:15:57,360
If you can, pause the video and try to write out
158
00:15:59,039 --> 00:16:04,319
Okay, let’s check each one, number 1 first.
159
00:16:04,320 --> 00:16:12,400
permits all traffic? The answer is PERMIT IP
160
00:16:12,399 --> 00:16:17,279
and then we can use ANY for both the source
161
00:16:18,080 --> 00:16:25,759
This is like PERMIT ANY in a standard ACL.
162
00:16:26,960 --> 00:16:39,040
from sending UDP traffic to 192.168.1.1/32.
163
00:16:39,600 --> 00:16:46,399
HOST 192.168.1.1. Instead of HOST, another
164
00:16:46,399 --> 00:16:54,720
the end instead, 0.0.0.0. Next let’s
165
00:16:55,919 --> 00:17:03,839
from pinging hosts in 192.168.0.0/24. What
166
00:17:04,880 --> 00:17:12,640
DENY ICMP, that’s the protocol for ping. I
167
00:17:12,640 --> 00:17:20,480
but still make sure you’re aware that ICMP
168
00:17:20,480 --> 00:17:29,120
192.168.0.0 0.0.0.255. Again, instead of
169
00:17:30,799 --> 00:17:34,639
Okay, we’ll do some more practice later
170
00:17:36,799 --> 00:17:43,519
So let’s talk about matching TCP and UDP port
171
00:17:43,519 --> 00:17:49,680
protocol to match, you can optionally specify the
172
00:17:50,559 --> 00:17:55,279
This is optional, if you just specify
173
00:17:55,279 --> 00:18:00,000
all port numbers will be matched. So, here’s
174
00:18:00,000 --> 00:18:06,640
numbers. I chose ‘DENY TCP’, but of course this
175
00:18:08,000 --> 00:18:13,200
If you want to specify the source TCP or
176
00:18:13,200 --> 00:18:19,279
IP address and wildcard mask like this. EQ,
177
00:18:20,079 --> 00:18:26,079
For example, EQ 80 means equal to port
178
00:18:27,039 --> 00:18:33,680
Another option is GT, greater than. For example
179
00:18:33,680 --> 00:18:41,680
so 81 and up. There is also LT, less than.
180
00:18:41,680 --> 00:18:49,840
so 79 and below. NEQ is not equal, so for
181
00:18:50,720 --> 00:18:57,920
The final option is RANGE, for example RANGE
182
00:18:58,799 --> 00:19:03,200
After the destination IP address, the same
183
00:19:03,200 --> 00:19:10,400
port number. Although you should know these
184
00:19:10,400 --> 00:19:16,560
most common choice is EQ, to match traffic for a
185
00:19:16,559 --> 00:19:23,839
port numbers from Day 30 of the course. If not, I
186
00:19:23,839 --> 00:19:29,599
So, in this example I didn’t specify the host
187
00:19:29,599 --> 00:19:37,839
straight to the destination IP, HOST 1.1.1.1. Then
188
00:19:37,839 --> 00:19:44,319
see the options below. You can enter the specific
189
00:19:44,319 --> 00:19:51,679
such as WWW to match HTTP, which is port 80. Lots
190
00:19:51,680 --> 00:19:58,240
you can use, though, so make sure you learn the
191
00:19:59,440 --> 00:20:05,840
What is the effect of this ACL entry? It denies
192
00:20:07,200 --> 00:20:13,120
TCP port 80. Okay, in the next I’ll have
193
00:20:13,119 --> 00:20:18,479
but let me say one more point. After the
194
00:20:18,480 --> 00:20:22,960
port numbers, there are many more options
195
00:20:23,759 --> 00:20:29,920
These aren’t necessary to learn for the CCNA, but
196
00:20:30,880 --> 00:20:35,760
FIN, to match the TCP FIN flag.
197
00:20:36,799 --> 00:20:45,599
TTL, to match packets with a specific TTL, time to
198
00:20:45,599 --> 00:20:51,679
packets with a specific DSCP, differentiated
199
00:20:53,039 --> 00:20:58,879
Finally, note that if you specify the protocol,
200
00:20:58,880 --> 00:21:05,760
destination port, etc, a packet must match ALL
201
00:21:05,759 --> 00:21:10,879
it matches all except one of the parameters,
202
00:21:11,839 --> 00:21:16,319
So, extended ACLs let you be very specific
203
00:21:18,319 --> 00:21:23,119
Okay, here’s some more practice for writing
204
00:21:23,119 --> 00:21:29,599
pausing the video to try to solve these yourself,
205
00:21:29,599 --> 00:21:39,839
traffic from 10.0.0.0/16 to access the server at
206
00:21:40,400 --> 00:21:47,840
PERMIT TCP, because we need to match HTTPS,
207
00:21:47,839 --> 00:21:56,240
10.0.0.0/16, and we don’t need to specify a source
208
00:21:58,000 --> 00:22:03,599
I used a /32 wildcard mask, but you can
209
00:22:04,559 --> 00:22:13,919
Finally, I used EQ 443 to match only HTTPS, which
210
00:22:13,920 --> 00:22:19,680
number 2. Prevent all hosts from using
211
00:22:20,720 --> 00:22:30,079
from accessing the server at 3.3.3.3/32. And
212
00:22:30,079 --> 00:22:38,720
30000 HOST 3.3.3.3. So, this matches all packets
213
00:22:39,599 --> 00:22:50,000
with a destination of 3.3.3.3. Okay, finally
214
00:22:50,000 --> 00:23:00,240
TCP source port greater than 9999 to access all
215
00:23:01,519 --> 00:23:07,839
Here’s the answer. The protocol is
216
00:23:09,119 --> 00:23:18,879
the source port is anything greater than 9999, the
217
00:23:18,880 --> 00:23:25,440
port is anything except 23. Quite a specific
218
00:23:27,599 --> 00:23:32,639
Okay, let’s return to our network from Day 34
219
00:23:33,680 --> 00:23:41,920
Here are the requirements. Hosts in
220
00:23:43,200 --> 00:23:53,120
Hosts in 192.168.2.0/24 can’t access 10.0.2.0/24.
221
00:23:54,160 --> 00:24:04,480
or 2.0/24 can ping 10.0.1.0/24 or 2.0/24.
222
00:24:04,480 --> 00:24:10,480
requirements, and in this case they will all
223
00:24:10,480 --> 00:24:19,039
configure an ACL for this requirement, hosts in
224
00:24:20,000 --> 00:24:26,160
Here’s the ACL. After entering extended named
225
00:24:26,160 --> 00:24:35,120
matches TCP traffic coming from 192.168.1.0/24.
226
00:24:36,079 --> 00:24:43,119
SRV1, and the destination port is 443, which
227
00:24:44,160 --> 00:24:51,279
Then I used PERMIT IP ANY ANY to allow all other
228
00:24:51,279 --> 00:24:57,039
to apply it to an interface. Which interface
229
00:24:58,319 --> 00:25:03,039
For standard ACLs, the rule is to apply them
230
00:25:03,759 --> 00:25:07,839
Why is that? It’s because standard
231
00:25:07,839 --> 00:25:14,079
they only match the source IP address. So, if you
232
00:25:14,079 --> 00:25:19,439
block more traffic than intended. Because
233
00:25:19,440 --> 00:25:25,759
the rule is the opposite. Extended ACLs should
234
00:25:25,759 --> 00:25:31,119
to limit how far the packets travel in the network
235
00:25:31,119 --> 00:25:36,159
specific, if configured correctly there isn’t much
236
00:25:36,960 --> 00:25:40,799
So, you should apply them close to the
237
00:25:40,799 --> 00:25:47,200
processing packets that will just be dropped.
238
00:25:47,200 --> 00:25:55,440
where is the source? We should apply it inbound on
239
00:25:55,440 --> 00:26:00,799
tries to access SRV1 using HTTPS, the
240
00:26:03,279 --> 00:26:11,440
Next up, let’s fulfill that second requirement,
241
00:26:13,200 --> 00:26:19,039
Again, I’ll create a new ACL on R1. Of course,
242
00:26:19,039 --> 00:26:24,799
and try to write out the ACL yourself. But
243
00:26:25,599 --> 00:26:30,000
Specifying IP as the protocol basically
244
00:26:30,000 --> 00:26:39,680
IP header. Then I simply specified the source,
245
00:26:40,720 --> 00:26:44,480
Finally I added PERMIT IP ANY
246
00:26:45,440 --> 00:26:51,200
So, which interface should this ACL be applied
247
00:26:51,200 --> 00:26:59,120
close to the source as possible. In this case,
248
00:26:59,119 --> 00:27:05,839
ACL inbound on R1’s G0/2 interface. Okay, now
249
00:27:07,119 --> 00:27:16,639
Finally, the third requirement. None of the hosts
250
00:27:16,640 --> 00:27:24,240
or 2.0/24. So, what protocol does ping use? We
251
00:27:24,240 --> 00:27:29,759
to specify each source and destination. Pause the
252
00:27:29,759 --> 00:27:38,160
solution. So, I created three deny entries that
253
00:27:38,720 --> 00:27:47,440
but only one for 192.168.2.0/24. Why is that? It’s
254
00:27:47,440 --> 00:27:55,519
traffic from 192.168.2.0/24 to 10.0.2.0/24,
255
00:27:56,480 --> 00:28:00,000
If you included it, it’s not a problem of
256
00:28:00,000 --> 00:28:06,640
it’s not necessary. At the end of the ACL, I once
257
00:28:07,519 --> 00:28:13,119
Which interface should this ACL be applied to,
258
00:28:13,119 --> 00:28:21,599
in both 192.168.1.0/24 and 2.0/24 from reaching
259
00:28:21,599 --> 00:28:30,159
option is here, outbound on G0/0. This way the
260
00:28:32,640 --> 00:28:34,880
So, here are the three ACLs I just configured.
261
00:28:35,759 --> 00:28:40,319
As I have said before, ACL configuration
262
00:28:40,319 --> 00:28:45,119
only solution that works. Actually, this is
263
00:28:45,839 --> 00:28:50,720
If you want a challenge, try to make a more
264
00:28:50,720 --> 00:28:57,839
fewer entries, and fulfills the requirements. If
265
00:28:58,799 --> 00:29:02,159
Finally, here’s how to check which
266
00:29:02,799 --> 00:29:09,279
The command is SHOW IP INTERFACE, then the
267
00:29:09,279 --> 00:29:14,799
BRIEF, but the regular version of the command
268
00:29:14,799 --> 00:29:20,319
is just part of the output, it’s quite long so I
269
00:29:20,960 --> 00:29:25,039
Here you can see which ACL is applied
270
00:29:25,039 --> 00:29:29,440
or if there is no applied ACL it
271
00:29:29,440 --> 00:29:33,360
you can also check in the running config,
272
00:29:33,359 --> 00:29:39,839
both for the exam and for ‘real-world’ purposes.
273
00:29:42,240 --> 00:29:45,839
Before moving on to the quiz, let’s
274
00:29:46,799 --> 00:29:51,759
First I showed you another way to configure
275
00:29:51,759 --> 00:29:57,920
numbered ACLs in named ACL config mode. What is
276
00:29:58,799 --> 00:30:04,720
Named ACL config mode lets you delete individual
277
00:30:04,720 --> 00:30:10,799
new entries to insert them in the middle of an
278
00:30:10,799 --> 00:30:17,519
ACLs. Extended ACLs are much more powerful than
279
00:30:17,519 --> 00:30:23,200
protocol, source and destination IP addresses,
280
00:30:24,240 --> 00:30:28,480
This makes them more complex to configure, but
281
00:30:28,480 --> 00:30:34,400
with them. Remember to watch until the end of
282
00:30:34,400 --> 00:30:41,360
by Boson Software, the best practice exams for the
283
00:30:43,359 --> 00:30:47,279
Which ACL, when applied outbound on R1’s G0/0,
284
00:30:47,279 --> 00:30:54,160
permits only PC1 to access the TFTP server
285
00:30:54,160 --> 00:30:59,200
100, 101, 102, and 103. Pause the
286
00:31:03,279 --> 00:31:10,879
Okay, the answer is 103. Entry 10 permits
287
00:31:10,880 --> 00:31:15,520
TFTP, on SRV1. Note that,
288
00:31:15,519 --> 00:31:20,879
I actually entered the port number of 69,
289
00:31:22,000 --> 00:31:29,759
Then, entry 20 denies all other hosts from sending
290
00:31:29,759 --> 00:31:36,480
permits all other traffic. ACL 102 is similar, but
291
00:31:36,480 --> 00:31:42,400
SRV1, it specifies the source port, which
292
00:31:44,319 --> 00:31:52,000
What effect will the following command have on
293
00:31:52,000 --> 00:32:02,079
10.0.2.0 0.0.0.255. And here is ACL 1. A,
294
00:32:02,880 --> 00:32:09,840
B, ACL 1 will be deleted. C, the command
295
00:32:09,839 --> 00:32:15,599
traffic to 10.0.2.0/24 will be permitted.
296
00:32:19,279 --> 00:32:25,119
The answer is B, ACL 1 will be deleted.
297
00:32:25,119 --> 00:32:30,639
mode does not allow you to delete individual
298
00:32:30,640 --> 00:32:36,880
the NO command, the entire ACL will be deleted.
299
00:32:36,880 --> 00:32:41,440
you’ll need to use named ACL config
300
00:32:43,599 --> 00:32:46,879
Which command was used to resequence ACL 199?
301
00:32:47,680 --> 00:32:54,000
Here’s ACL 199 before being resequenced.
302
00:32:54,000 --> 00:32:59,279
which one was used to resequence ACL 199?
303
00:33:02,079 --> 00:33:11,039
The answer is C, IP ACCESS-LIST RESEQUENCE
304
00:33:11,039 --> 00:33:16,559
you must specify the name, the new sequence number
305
00:33:16,559 --> 00:33:21,039
to increase the sequence number of the
306
00:33:21,039 --> 00:33:26,000
the router to use 5 for the first entry, and
307
00:33:26,720 --> 00:33:38,000
so from 1, 2, 3, 4, and 5 it became 5, 15,
308
00:33:38,000 --> 00:33:43,440
Which of the following ACLs would prevent
309
00:33:44,480 --> 00:33:51,839
Below are ACLs 110 to 113. Pause the
310
00:33:52,960 --> 00:33:59,519
The answer is ACL 112. Its first entry
311
00:34:00,319 --> 00:34:05,839
PERMIT IP ANY ANY is added to allow other
312
00:34:06,480 --> 00:34:11,440
so R1 won’t forward OSPF packets
313
00:34:11,440 --> 00:34:20,639
protocol number 88 from ACLs 111 and 113 is EIGRP,
314
00:34:23,679 --> 00:34:28,960
ACL 150 isn’t having the intended
315
00:34:28,960 --> 00:34:38,079
HTTP and HTTPS traffic from 192.168.1.0/24
316
00:34:38,719 --> 00:34:45,359
Select two. Okay, so you can see ACL 150 and the
317
00:34:46,559 --> 00:34:53,039
A, swap the source and destination IPs.
318
00:34:53,039 --> 00:34:59,039
to the beginning of the ACL. C, apply
319
00:35:00,079 --> 00:35:07,920
D, apply the ACL inbound on G0/0, not G0/1.
320
00:35:08,960 --> 00:35:15,840
Or F, the port numbers should be 88 and 404. Pause
321
00:35:19,119 --> 00:35:24,799
The answers are C and E. The ACL should be
322
00:35:24,800 --> 00:35:33,920
traffic entering the G0/1 interface from the
323
00:35:33,920 --> 00:35:41,680
HTTP and HTTPS both use TCP as their Layer
324
00:35:42,719 --> 00:35:48,079
Okay, that’s all for the quiz. Now let’s do
325
00:35:51,519 --> 00:35:56,320
Okay, here's today's Boson ExSim practice
326
00:35:56,320 --> 00:36:02,400
to the Internet. We have Router1, and three
327
00:36:02,400 --> 00:36:08,880
and a web server. Here's the question. You have
328
00:36:09,599 --> 00:36:14,799
You need to limit access from the Internet
329
00:36:14,800 --> 00:36:20,560
and Music Server2. These two servers should
330
00:36:21,840 --> 00:36:27,600
The web server is not subject to this policy
331
00:36:27,599 --> 00:36:31,920
on the 10.10.10.0/24 subnet should not
332
00:36:32,800 --> 00:36:39,680
You have already issued the access-list 101
333
00:36:39,679 --> 00:36:47,279
applied the access list outbound on the F0/0
334
00:36:48,800 --> 00:36:56,160
permit TCP any host 10.10.10.20, satisfies this
335
00:36:56,159 --> 00:37:00,879
subject to this policy and should not be
336
00:37:00,880 --> 00:37:07,360
fulfilled. So, what requirement do we have
337
00:37:07,360 --> 00:37:12,079
limit access from the Internet to the music
338
00:37:12,079 --> 00:37:18,799
allow only FTP connections from the Internet.
339
00:37:18,800 --> 00:37:25,280
C, and D. So, pause the video, look at these four
340
00:37:29,840 --> 00:37:37,200
Okay, let's check. So, I think the correct answer
341
00:37:37,199 --> 00:37:44,079
FTP connections to Music Server1 and Music
342
00:37:44,079 --> 00:37:52,799
address, so anything from the Internet, so connect
343
00:37:52,800 --> 00:37:59,680
Music Server1 and Music Server2. But it
344
00:38:00,480 --> 00:38:08,559
'equals FTP', so that allows FTP connections
345
00:38:08,559 --> 00:38:14,719
after that on this access list there would be a
346
00:38:14,719 --> 00:38:20,559
So I think that satisfies the requirements. We are
347
00:38:21,199 --> 00:38:27,039
and we are allowing only FTP connections to Music
348
00:38:27,039 --> 00:38:33,279
deny blocks all other traffic. Okay, so let's
349
00:38:34,719 --> 00:38:38,879
And that is correct. So,
350
00:38:39,760 --> 00:38:43,600
You can pause the video here if you want to
351
00:38:44,559 --> 00:38:47,840
As I have said before, this is one of
352
00:38:54,400 --> 00:38:58,480
Okay, so that's the explanation. There
353
00:38:58,480 --> 00:39:02,559
Cisco's official cert guide and some
354
00:39:06,559 --> 00:39:10,960
Okay, that's Boson ExSim for the
355
00:39:10,960 --> 00:39:16,400
follow the link in the video description. These
356
00:39:16,400 --> 00:39:18,880
Once again, follow that link in the video description.
357
00:39:21,519 --> 00:39:23,920
There are supplementary materials for this video.
358
00:39:24,559 --> 00:39:28,000
There is a flashcard deck to
359
00:39:28,000 --> 00:39:31,920
There will also be a packet tracer practice
360
00:39:32,639 --> 00:39:38,159
That will be in the next video. Sign up for my
361
00:39:38,159 --> 00:39:41,839
and I’ll send you all of the flashcards
362
00:39:43,840 --> 00:39:47,920
Before finishing today’s video I want
363
00:39:48,559 --> 00:39:55,519
To join, please click the ‘Join’ button under the
364
00:39:55,519 --> 00:40:00,800
TheGunguy, Njabulo, Benjamin, Tshepiso,
365
00:40:00,800 --> 00:40:07,120
Apogee, Marko, Flodo, Daming, Joshua,
366
00:40:07,119 --> 00:40:13,599
Marek, Velvijaykum, C Mohd, Mark, Yousif, Sidi,
367
00:40:14,639 --> 00:40:18,480
Sorry if I pronounced your name incorrectly,
368
00:40:19,280 --> 00:40:25,840
This is the list of JCNP-level members at the time
369
00:40:25,840 --> 00:40:30,559
you signed up recently and your name isn’t on
370
00:40:33,039 --> 00:40:36,079
Thank you for watching. Please
371
00:40:36,079 --> 00:40:40,799
like the video, leave a comment, and share the
372
00:40:41,920 --> 00:40:47,519
If you want to leave a tip, check the links in the
373
00:40:47,519 --> 00:40:54,079
and accept BAT, or Basic Attention Token, tips
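Appended after the subtitles as an added editorial example; it is not code from Jeremy's IT Lab, from Cisco, or from the video. It is a small Python model of the IOS extended ACL behaviour the video describes (top-down first match with the implicit deny, wildcard masks, HOST and ANY, the EQ/GT/LT/NEQ/RANGE port operators, IP matching any protocol, default sequence numbers in steps of 10, NO followed by a sequence number versus NO ACCESS-LIST from global config, and IP ACCESS-LIST RESEQUENCE), so that practice entries can be checked offline before they go on a router. SRV1's address (10.0.1.100) is an assumption, since it does not appear in the subtitles, and every entry and packet in the block is constructed sample data.

```python
"""Model of Cisco IOS extended ACL matching and named-ACL editing.

Added editorial example, not code from Jeremy's IT Lab or Cisco: top-down
first match with implicit deny, wildcards, host/any, eq/gt/lt/neq/range,
'ip' = any protocol, sequence numbers, 'no SEQ' vs 'no access-list', and
resequencing. Entries, packets and SRV1's address 10.0.1.100 are made up.
"""
from ipaddress import IPv4Address

PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17, "eigrp": 88, "ospf": 89}
PORT_OPS = ("eq", "gt", "lt", "neq", "range")


def _ip(s):
    return int(IPv4Address(s))


def _parse_addr(tok):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return _ip(tok.pop(0)), 0
    return _ip(t), _ip(tok.pop(0))   # extended ACLs always need the wildcard


def _parse_port(tok):
    """Consume an optional port operator; return a predicate on a port."""
    if not tok or tok[0] not in PORT_OPS:
        return lambda p: True          # no operator: every port matches
    op, a = tok.pop(0), int(tok.pop(0))
    if op == "range":
        b = int(tok.pop(0))
        return lambda p: a <= p <= b
    return {"eq": lambda p: p == a, "gt": lambda p: p > a,
            "lt": lambda p: p < a, "neq": lambda p: p != a}[op]


class Entry:
    """One ACE in IOS syntax: ACTION PROTO SRC [op port] DST [op port]."""

    def __init__(self, seq, text):
        self.seq, self.text = seq, text
        tok = text.split()
        self.action, proto = tok.pop(0), tok.pop(0)
        # 'ip' matches any IP protocol; otherwise a name or a protocol number
        self.proto = None if proto == "ip" else (
            int(proto) if proto.isdigit() else PROTO_NUM[proto])
        self.src, self.sport = _parse_addr(tok), _parse_port(tok)
        self.dst, self.dport = _parse_addr(tok), _parse_port(tok)

    @staticmethod
    def _in(ip, spec):
        addr, wc = spec                # wildcard bits set to 1 = don't care
        return (_ip(ip) | wc) == (addr | wc)

    def matches(self, proto, src, sport, dst, dport):
        # a packet must match ALL of the parameters in the entry
        return ((self.proto is None or self.proto == proto)
                and self._in(src, self.src) and self._in(dst, self.dst)
                and self.sport(sport) and self.dport(dport))


class ExtendedACL:
    def __init__(self, name):
        self.name, self.entries = name, []     # entries kept sorted by seq

    def add(self, text, seq=None):
        """Append at last+10 (IOS default), or insert at an explicit SEQ."""
        if seq is None:
            seq = self.entries[-1].seq + 10 if self.entries else 10
        if any(e.seq == seq for e in self.entries):
            raise ValueError(f"sequence {seq} already in use")
        self.entries.append(Entry(seq, text))
        self.entries.sort(key=lambda e: e.seq)

    def remove(self, seq):
        """'no SEQ' in named ACL config mode: deletes only that entry."""
        self.entries = [e for e in self.entries if e.seq != seq]

    def legacy_no(self):
        """'no access-list N ...' from global config: the whole ACL goes."""
        self.entries = []

    def resequence(self, start, step):
        """ip access-list resequence NAME START STEP."""
        for i, e in enumerate(self.entries):
            e.seq = start + i * step

    def evaluate(self, proto, src, dst, sport=0, dport=0):
        """Top-down, first match wins; no match falls to the implicit deny."""
        for e in self.entries:
            if e.matches(proto, src, sport, dst, dport):
                return e.action, e.seq
        return "deny", None


def demo():
    """Requirement 1 from the video: 192.168.1.0/24 may not reach SRV1 over HTTPS."""
    acl = ExtendedACL("HTTPS_SRV1")
    acl.add("deny tcp 192.168.1.0 0.0.0.255 host 10.0.1.100 eq 443")
    acl.add("permit ip any any")
    out = {
        "pc1_https": acl.evaluate(6, "192.168.1.10", "10.0.1.100", 51000, 443),
        "pc1_http": acl.evaluate(6, "192.168.1.10", "10.0.1.100", 51000, 80),
        "pc2_https": acl.evaluate(6, "192.168.2.10", "10.0.1.100", 51000, 443),
    }
    # insert a ping block between the two existing entries, like '15 deny icmp ...'
    acl.add("deny icmp 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255", seq=15)
    out["pc1_ping"] = acl.evaluate(1, "192.168.1.10", "10.0.1.1")
    return out
```

`demo()` returns which entry each constructed packet hit: PC1's HTTPS request is stopped by sequence 10, its HTTP request falls through to the `permit ip any any` at 20, a host in 192.168.2.0/24 is not matched by the deny at all, and the `15 deny icmp` insertion shows why explicit sequence numbers matter when an entry has to land before the catch-all permit. `legacy_no()` models the quiz trap: `no access-list 1 ...` from global config drops the whole list rather than one entry, which is the reason to edit in named ACL config mode. The parser deliberately follows the video's rule that an extended entry needs `host`, `any` or an explicit wildcard; a bare address, which a standard ACL would accept, is rejected.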