1
00:00:04,349 --> 00:00:07,869
This is a free, complete course for the CCNA.
2
00:00:07,870 --> 00:00:12,030
If you like these videos, please subscribe
3
00:00:12,029 --> 00:00:16,519
Also, please like and leave a comment, and
4
00:00:19,969 --> 00:00:24,649
In this video we will cover standard ACLs, access control lists.
5
00:00:24,649 --> 00:00:30,879
I’ll be splitting up ACLs into two days,
6
00:00:34,039 --> 00:00:38,829
ACLs are in the exam topics under section
7
00:00:38,829 --> 00:00:45,780
Specifically, topic 5.6, which says you must
8
00:00:47,149 --> 00:00:55,649
It doesn’t specify IPv4 or IPv6, but for
9
00:00:55,649 --> 00:01:01,259
Perhaps later I’ll make an extra video introducing
10
00:01:03,899 --> 00:01:07,540
Here’s what we’ll cover in today’s video.
11
00:01:09,780 --> 00:01:12,060
I’ll introduce their basic purpose.
12
00:01:12,060 --> 00:01:17,859
I’ll talk about ACL logic, how they are
13
00:01:17,859 --> 00:01:21,980
I’ll introduce the basic types of ACLs on Cisco routers.
14
00:01:21,980 --> 00:01:28,228
After that I’ll show you how to configure
15
00:01:31,569 --> 00:01:36,379
As always, watch until the end of the quiz
16
00:01:36,379 --> 00:01:42,408
CCNA, the best practice exams for the CCNA,
17
00:01:48,780 --> 00:01:54,210
ACLs, Access Control Lists, actually have multiple uses.
18
00:01:54,209 --> 00:01:59,609
The name ‘access control’ tells us that
19
00:01:59,609 --> 00:02:05,590
For example, Host A should be allowed to access
20
00:02:05,590 --> 00:02:14,400
to access Server A. In Day 34, this video,
21
00:02:15,400 --> 00:02:21,230
So, like I just said, controlling which devices
22
00:02:21,229 --> 00:02:27,789
However, although that is the main purpose
23
00:02:27,789 --> 00:02:31,500
Later in the course you’ll see some other uses of ACLs.
24
00:02:31,500 --> 00:02:35,400
But for now, we’ll focus on ACLs from a
25
00:02:35,400 --> 00:02:38,250
access to different parts of the network.
26
00:02:38,250 --> 00:02:44,919
So, when using ACLs in this way, ACLs function
27
00:02:44,919 --> 00:02:49,128
to permit or discard specific traffic.
28
00:02:49,128 --> 00:02:54,009
As you know, if a router receives a packet
29
00:02:54,009 --> 00:02:58,798
it will by default forward the packet according
30
00:02:58,799 --> 00:03:02,188
However ACLs let us control that.
31
00:03:02,188 --> 00:03:07,489
Even if the router has a route to the destination,
32
00:03:10,318 --> 00:03:16,069
ACLs can filter traffic based on the source
33
00:03:19,509 --> 00:03:24,939
For the CCNA, we’ll just focus on those
34
00:03:24,939 --> 00:03:27,509
can get more advanced with ACLs also.
35
00:03:27,509 --> 00:03:32,500
Okay, I think showing you will make things
36
00:03:32,500 --> 00:03:38,848
So, we have two routers, R1 and R2, with a
37
00:03:38,848 --> 00:03:46,098
The 192.168.1.0/24 network is connected to
38
00:03:48,889 --> 00:03:53,699
Notice that, instead of including a switch
39
00:03:53,699 --> 00:03:57,908
to the switch, I represent the network segment like this.
40
00:03:57,908 --> 00:04:00,400
This is common in network diagrams.
41
00:04:00,400 --> 00:04:07,670
In reality, all of the PCs in the 192.168.1.0/24
42
00:04:07,669 --> 00:04:11,979
switch is connected to R1, but we don’t
43
00:04:14,300 --> 00:04:22,310
The 192.168.2.0/24 network, with PC3 and PC4,
44
00:04:22,310 --> 00:04:31,649
The 10.0.1.0/24 network, with SRV1, is connected
45
00:04:33,410 --> 00:04:37,759
I’ll use this network to demonstrate how ACLs work.
46
00:04:37,759 --> 00:04:43,919
So, without looking at the actual configurations
47
00:04:45,589 --> 00:04:51,638
We shouldn’t just configure ACLs randomly,
48
00:04:51,639 --> 00:04:58,918
For example, let’s say the network policy
49
00:04:58,918 --> 00:05:02,370
able to access the 10.0.1.0/24 network.
50
00:05:02,370 --> 00:05:07,030
They should be able to access files on SRV1, for example.
51
00:05:07,029 --> 00:05:15,559
However, hosts in the 192.168.2.0/24 network
52
00:05:15,560 --> 00:05:23,089
PC3 and PC4, for example, should not be able
53
00:05:23,089 --> 00:05:26,750
How can we use ACLs to achieve this?
54
00:05:26,750 --> 00:05:32,180
First up, ACLs are configured globally on
55
00:05:32,180 --> 00:05:38,360
ACLs are made up of an ordered sequence of
56
00:05:38,360 --> 00:05:44,870
For example, to fulfill our requirement, we
57
00:05:44,870 --> 00:05:53,439
ACE 1 says if source IP equals 192.168.1.0/24,
58
00:05:54,439 --> 00:06:02,009
ACE 2 says if source IP equals 192.168.2.0/24, deny the traffic.
59
00:06:02,009 --> 00:06:06,800
ACE 3 says that all other traffic should be permitted.
60
00:06:06,800 --> 00:06:13,360
The order of these entries is very important,
61
00:06:13,360 --> 00:06:18,819
Configuring an ACL in global config mode will
62
00:06:18,819 --> 00:06:23,979
After being created, the ACL must be applied to an interface.
63
00:06:23,978 --> 00:06:26,879
ACLs are applied either inbound or outbound.
64
00:06:31,750 --> 00:06:34,930
Let’s say we configured it on R1.
65
00:06:34,930 --> 00:06:38,509
So it has been created, but it hasn’t been applied yet.
66
00:06:38,509 --> 00:06:44,079
Let’s walk through some examples of applying
67
00:06:45,668 --> 00:06:48,180
Once again, here are the requirements.
68
00:06:48,180 --> 00:06:53,550
Depending on which interface we apply the
69
00:06:53,550 --> 00:06:58,009
we will either succeed in meeting the requirements or fail.
70
00:06:58,009 --> 00:07:02,740
For example, what if we applied it outbound on G0/2.
71
00:07:02,740 --> 00:07:06,689
That means it will only take effect on traffic exiting G0/2.
72
00:07:06,689 --> 00:07:09,769
Does that fulfill the requirements?
73
00:07:09,769 --> 00:07:12,680
The answer is no, it doesn’t fulfill the requirement.
74
00:07:14,470 --> 00:07:20,479
Because R1 will only use the ACL to filter
75
00:07:20,478 --> 00:07:27,860
If PC3 tries to ping SRV1, when the ping reaches
76
00:07:27,860 --> 00:07:31,490
the traffic is entering G0/2, not exiting it.
77
00:07:31,490 --> 00:07:37,009
So, R1 will forward the traffic to R2, which
78
00:07:37,009 --> 00:07:43,349
Now, when SRV1 sends the reply to PC3, R1
79
00:07:43,350 --> 00:07:47,009
should be forwarded out of G0/2 or not.
80
00:07:47,009 --> 00:07:50,129
It will check the entries of ACL1 in sequence.
81
00:07:50,129 --> 00:07:54,509
If source IP = 192.168.1.0/24.
82
00:07:54,509 --> 00:07:59,789
Well, the source is SRV1, so that doesn’t apply.
83
00:07:59,790 --> 00:08:04,127
If source IP = 192.168.2.0/24.
84
00:08:04,127 --> 00:08:08,040
That doesn’t apply either, the source is not in that subnet.
85
00:08:08,040 --> 00:08:14,658
So, R1 reaches the last entry which says permit
86
00:08:16,240 --> 00:08:25,430
PC3 was able to access SRV1, even though hosts
87
00:08:25,430 --> 00:08:30,470
Clearly, we didn’t apply this ACL correctly.
88
00:08:30,470 --> 00:08:34,350
What if we applied the ACL inbound on G0/2?
89
00:08:34,350 --> 00:08:38,340
That means R1 will check the ACL for all traffic entering G0/2.
90
00:08:38,340 --> 00:08:45,030
So, if PC3 tries to ping SRV1, R1 will check the ACL.
91
00:08:45,029 --> 00:08:49,000
Once again, it will check the entries in order,
92
00:08:51,159 --> 00:08:58,250
The source isn’t in that subnet, so it checks the next entry.
93
00:09:03,100 --> 00:09:11,670
The source is 192.168.2.1, which is in 192.168.2.0/24,
94
00:09:11,669 --> 00:09:15,169
That means that R1 will take the specified
95
00:09:15,169 --> 00:09:20,579
So, R1 drops the traffic, it doesn’t forward the packet.
96
00:09:20,580 --> 00:09:25,330
Once a router finds a match and takes an action,
97
00:09:25,330 --> 00:09:29,450
ACL, so this ‘permit all other traffic’ is ignored.
98
00:09:29,450 --> 00:09:32,340
So, does this fulfill our requirements?
99
00:09:36,120 --> 00:09:43,700
192.168.1.0/24 will be able to access 10.0.1.0/24
100
00:09:45,470 --> 00:09:55,639
Also, hosts in 192.168.2.0/24 are prevented
101
00:09:55,639 --> 00:09:58,439
R1 dropped the traffic from PC3.
102
00:09:58,440 --> 00:10:05,470
However, by applying the ACL inbound on G0/2
103
00:10:05,470 --> 00:10:13,360
This blocks hosts in 192.168.2.0/24 from communicating
104
00:10:14,360 --> 00:10:19,399
PC3 and PC4 can communicate with each other, but that’s it.
105
00:10:19,399 --> 00:10:23,309
So, this is not the best way to apply this ACL.
106
00:10:23,309 --> 00:10:28,750
There are some other possibilities we could
107
00:10:28,750 --> 00:10:34,559
R2’s G0/0, but let’s take a look at the best option.
108
00:10:34,559 --> 00:10:40,179
The best location to place this ACL is outbound
109
00:10:43,169 --> 00:10:49,459
If PC3 tries to ping SRV1, R2 will check the
110
00:10:52,299 --> 00:11:00,250
The first entry says if source IP equals 192.168.1.0/24
111
00:11:03,960 --> 00:11:09,210
If source IP is in 192.168.2.0/24, then deny.
112
00:11:09,210 --> 00:11:14,660
The source is in that subnet, so the packet
113
00:11:14,659 --> 00:11:25,759
So, that satisfies the second requirement,
114
00:11:25,759 --> 00:11:32,889
What if PC1, in 192.168.1.0/24, tried to ping SRV1?
115
00:11:32,889 --> 00:11:38,939
Before forwarding the packet out of its G0/1
116
00:11:38,940 --> 00:11:44,890
If the source IP is in 192.168.1.0/24, then permit.
117
00:11:44,889 --> 00:11:53,100
The source is 192.168.1.1, so the packet is
118
00:11:53,100 --> 00:11:57,790
Both requirements have been satisfied, and
119
00:11:57,789 --> 00:12:04,419
I hope that demonstration helped you understand
120
00:12:04,419 --> 00:12:07,409
If you’re still a little confused, don’t worry.
121
00:12:07,409 --> 00:12:11,250
Let me explain a little more about some of
122
00:12:11,250 --> 00:12:17,919
So, ACLs are configured in global config mode,
123
00:12:17,919 --> 00:12:21,870
When applying it to an interface, you specify a direction.
124
00:12:21,870 --> 00:12:26,230
This tells the router to either check packets
125
00:12:29,269 --> 00:12:35,500
ACLs are made up of one or more ACEs, access control entries.
126
00:12:35,500 --> 00:12:40,549
When the router checks a packet against the
127
00:12:43,740 --> 00:12:51,830
For example here in ACL 1, the router will
128
00:12:51,830 --> 00:12:57,680
then it will check if the packet’s source
129
00:12:57,679 --> 00:13:01,269
match either of those it will permit it.
130
00:13:01,269 --> 00:13:05,889
Another point I briefly mentioned before,
131
00:13:05,889 --> 00:13:11,500
the ACL, the router takes the action and stops
132
00:13:11,500 --> 00:13:15,190
All entries below the matching entry will be ignored.
133
00:13:17,450 --> 00:13:20,680
Here we have a router and another ACL.
134
00:13:20,679 --> 00:13:29,329
The first entry in the ACL says if source
135
00:13:29,330 --> 00:13:37,440
However the second entry says if source IP
136
00:13:37,440 --> 00:13:43,920
What effect will this have if applied outbound
137
00:13:43,919 --> 00:13:50,459
If a packet with a source IP of 192.168.1.1
138
00:13:50,460 --> 00:13:55,009
out of G0/0 the router will check it against the ACL.
139
00:13:55,009 --> 00:14:01,139
The source is 192.168.1.1, which matches the
140
00:14:02,620 --> 00:14:07,429
This second entry will simply be ignored.
141
00:14:07,429 --> 00:14:11,469
Now I’ve reversed entries 1 and 2 in ACL 2.
142
00:14:11,470 --> 00:14:15,940
What will the effect be if the same packet
143
00:14:15,940 --> 00:14:20,330
It will once again check ACL 2 before forwarding the packet.
144
00:14:20,330 --> 00:14:25,200
The first entry tells the router to deny the
145
00:14:27,700 --> 00:14:31,210
Entry 2, which tells the router to permit
146
00:14:31,210 --> 00:14:36,519
So, I think you can see how important the
147
00:14:36,519 --> 00:14:39,220
Now, here’s one more point about ACLs.
148
00:14:39,220 --> 00:14:45,190
A maximum of one ACL can be applied to a single
149
00:14:45,190 --> 00:14:53,730
So, one inbound ACL is allowed and one outbound
150
00:14:53,730 --> 00:14:58,300
If you apply a second ACL to an interface
151
00:15:02,019 --> 00:15:06,629
Next up, another important part of ACLs, the ‘implicit deny’.
152
00:15:09,009 --> 00:15:12,929
What happens if a packet doesn’t match any
153
00:15:12,929 --> 00:15:17,859
So, here’s the same ACL, and the same router.
154
00:15:17,860 --> 00:15:23,190
This time the router receives a packet with source IP 10.0.0.1.
155
00:15:23,190 --> 00:15:30,470
Before forwarding it out of G0/0, the router
156
00:15:32,289 --> 00:15:34,409
And it doesn’t match the second entry either.
157
00:15:36,490 --> 00:15:41,240
The answer is, the router will deny the packet,
158
00:15:41,240 --> 00:15:44,409
This is what we call the ‘implicit deny’.
159
00:15:44,409 --> 00:15:49,049
Even though there is no entry in the ACL telling
160
00:15:49,049 --> 00:15:55,219
there is an invisible entry at the end, if
161
00:15:58,169 --> 00:16:03,759
To summarize this point, there is an implicit
162
00:16:03,759 --> 00:16:07,629
This tells the router to deny all traffic
163
00:16:10,139 --> 00:16:15,429
Always be aware of the implicit deny when
164
00:16:19,610 --> 00:16:24,759
Now that you have an idea of the basic operations
165
00:16:24,759 --> 00:16:30,360
of ACLs you will learn about in today’s video and in Day 35.
166
00:16:30,360 --> 00:16:35,779
There are two main types of ACLs, and those
167
00:16:35,779 --> 00:16:41,750
The first type are standard ACLs, these match
168
00:16:43,629 --> 00:16:48,700
The two types of standard ACLs are standard
169
00:16:51,789 --> 00:16:56,740
And there are also standard named ACLs, which
170
00:16:56,740 --> 00:17:01,279
There are also differences in how you configure
171
00:17:03,440 --> 00:17:08,220
In addition to standard ACLs, there are also extended ACLs.
172
00:17:08,220 --> 00:17:14,079
These are more complex and can match based
173
00:17:14,079 --> 00:17:19,319
and/or destination port numbers, as well as some other things.
174
00:17:19,319 --> 00:17:25,480
Like standard ACLs, there are numbered and
175
00:17:25,480 --> 00:17:30,920
As I said in the beginning of the video, today
176
00:17:30,920 --> 00:17:36,269
All of the examples so far have been standard
177
00:17:39,009 --> 00:17:44,470
In Day 35 I’ll tell you all about extended
178
00:17:44,470 --> 00:17:49,610
standard ACLs and then see how to actually configure them.
179
00:17:49,609 --> 00:17:53,519
So let’s get into standard numbered ACLs.
180
00:17:53,519 --> 00:17:58,650
As I just mentioned, standard ACLs match traffic
181
00:17:59,650 --> 00:18:02,880
So, standard ACLs are quite simple.
182
00:18:02,880 --> 00:18:08,140
The router doesn’t check the destination
183
00:18:09,420 --> 00:18:14,400
It just looks at the source IP address of
184
00:18:16,210 --> 00:18:19,000
Numbered ACLs are identified with a number.
185
00:18:19,000 --> 00:18:24,029
You can, of course, configure multiple ACLs
186
00:18:26,319 --> 00:18:31,659
Numbered ACLs use a number like ACL 1, ACL 2, etc.
187
00:18:31,660 --> 00:18:35,100
There are also named ACLs, which I’ll introduce later.
188
00:18:37,720 --> 00:18:42,860
Different types of ACLs have a different range
189
00:18:42,859 --> 00:18:49,919
Standard ACLs can use 1 to 99 and 1300 to 1999.
190
00:18:49,920 --> 00:18:55,600
Originally, standard ACLs could only use 1
191
00:18:55,599 --> 00:18:59,449
99 standard ACLs on a single router.
192
00:18:59,450 --> 00:19:04,250
Later this was expanded to include 1300 to 1999.
193
00:19:04,250 --> 00:19:10,680
So, you can’t configure a standard ACL with
194
00:19:14,150 --> 00:19:18,430
Here are a bunch of different ACL types, and
195
00:19:19,890 --> 00:19:22,670
You don’t have to memorize all of these, of course.
196
00:19:22,670 --> 00:19:32,039
For now, just remember the standard ACL ranges,
197
00:19:35,019 --> 00:19:39,889
‘IP ACL’ is the type of ACL you have to learn for the CCNA.
198
00:19:39,890 --> 00:19:44,090
I just wanted to show you that there are lots
199
00:19:45,980 --> 00:19:51,039
Here’s the basic command to configure a standard numbered ACL.
200
00:19:51,039 --> 00:19:53,779
ACCESS-LIST, followed by the number.
201
00:19:53,779 --> 00:20:00,599
We’re configuring standard ACLs, so this
202
00:20:03,500 --> 00:20:09,380
Then you specify either deny or permit, and
203
00:20:10,920 --> 00:20:14,640
Hopefully you remember wildcard masks from
204
00:20:14,640 --> 00:20:20,170
Don’t try to use a standard subnet mask when configuring ACLs.
205
00:20:20,170 --> 00:20:25,529
So, this is how you configure a single entry in access-list 1.
206
00:20:26,680 --> 00:20:31,490
ACCESS-LIST 1 DENY 1.1.1.1 0.0.0.0.
207
00:20:31,490 --> 00:20:40,109
So, this denies 1.1.1.1/32, meaning only 1.1.1.1, a single host.
208
00:20:40,109 --> 00:20:46,879
Now, when you specify a /32 mask in an ACL,
209
00:20:48,089 --> 00:20:54,399
You can just specify 1.1.1.1, and the router
210
00:20:54,400 --> 00:20:58,840
So, these are just two different ways of configuring
211
00:20:58,839 --> 00:21:03,319
Now, there is one more method of configuring a /32 entry.
212
00:21:03,319 --> 00:21:08,559
It’s considered an old method, but it still
213
00:21:08,559 --> 00:21:14,109
To specify a single host, you can use the
214
00:21:14,109 --> 00:21:19,119
Again, in effect this is exactly the same
215
00:21:21,069 --> 00:21:25,269
So, all three of these are the same in effect.
216
00:21:25,269 --> 00:21:31,190
Note that the 2nd and 3rd options here can
217
00:21:32,369 --> 00:21:37,529
If you’re matching a /24 network, for example,
218
00:21:37,529 --> 00:21:41,579
to specify the wildcard mask of 0.0.0.255.
219
00:21:41,579 --> 00:21:47,730
Okay, so let’s say we used one of those
220
00:21:51,630 --> 00:21:56,800
If we leave the ACL as is, all other traffic
221
00:21:57,799 --> 00:22:02,339
So, let’s make another entry in this ACL to permit traffic.
222
00:22:06,980 --> 00:22:10,640
This tells the router to permit all traffic, with any source IP.
223
00:22:13,339 --> 00:22:18,429
The ANY keyword is convenient, but how can
224
00:22:20,869 --> 00:22:27,179
Pause the video and think about it, what IP
225
00:22:27,180 --> 00:22:39,720
Okay, the answer is 0.0.0.0 255.255.255.255,
226
00:22:39,720 --> 00:22:43,460
So, these two options are exactly the same.
227
00:22:43,460 --> 00:22:47,960
As you can see, ACL configuration can be quite flexible.
228
00:22:47,960 --> 00:22:53,250
In these examples I’ll use a variety of
229
00:22:53,250 --> 00:22:56,579
but feel free to pick your favorite and just use that.
230
00:22:56,579 --> 00:23:03,309
‘ANY’, for example, is much quicker to
231
00:23:03,309 --> 00:23:10,909
Finally, here’s one more thing you can configure
232
00:23:10,910 --> 00:23:13,279
This is like an interface description.
233
00:23:13,279 --> 00:23:17,740
It doesn’t have any effect on the ACL, it’s
234
00:23:17,740 --> 00:23:22,660
the purpose of the ACL when looking at it in the configuration.
235
00:23:22,660 --> 00:23:27,279
Note that the command is ACCESS-LIST 1 REMARK,
236
00:23:27,279 --> 00:23:32,619
The hashtags, or pound symbols, whatever you
237
00:23:33,660 --> 00:23:38,210
I just use them to make it easier to see when
238
00:23:38,210 --> 00:23:43,680
Okay, so I tried actually configuring that
239
00:23:43,680 --> 00:23:48,490
For both the deny and permit entries I decided
240
00:23:49,859 --> 00:23:54,849
Then I used SHOW ACCESS-LISTS, which displays
241
00:23:54,849 --> 00:23:57,250
There are a few things to point out here.
242
00:23:57,250 --> 00:24:04,490
First up, notice that the router automatically
243
00:24:06,619 --> 00:24:10,259
The router does this when you use a /32 mask.
244
00:24:10,259 --> 00:24:19,450
Also, PERMIT 0.0.0.0 255.255.255.255 was automatically
245
00:24:19,450 --> 00:24:22,870
You probably also noticed that the remark
246
00:24:25,069 --> 00:24:30,049
Finally, notice that each entry is given a
247
00:24:30,049 --> 00:24:34,589
I configured the DENY statement first, and
248
00:24:35,980 --> 00:24:39,680
Remember, the order of these entries is very important.
249
00:24:39,680 --> 00:24:45,900
If the PERMIT ANY entry was first, all traffic
250
00:24:47,990 --> 00:24:52,101
On modern devices, the router should prevent
251
00:24:52,101 --> 00:24:55,290
you should still be aware of how important the order is.
252
00:24:55,289 --> 00:24:59,869
Okay, next I used the command SHOW IP ACCESS-LISTS.
253
00:24:59,869 --> 00:25:04,058
Notice that the output is exactly the same
254
00:25:04,058 --> 00:25:07,559
As you saw before, there are many kinds of ACLs.
255
00:25:07,559 --> 00:25:14,470
SHOW ACCESS-LISTS displays all kinds, but
256
00:25:14,470 --> 00:25:17,600
the kind we will be configuring in these videos.
257
00:25:17,599 --> 00:25:21,269
You can use either command to check your ACLs,
258
00:25:21,269 --> 00:25:27,129
Finally, I used SHOW RUNNING-CONFIG, followed
259
00:25:27,130 --> 00:25:31,620
to only show lines in the config that include ACCESS-LIST.
260
00:25:31,619 --> 00:25:35,449
Notice once again that the deny and permit
261
00:25:36,450 --> 00:25:39,110
Also, the remark is displayed this time.
262
00:25:39,109 --> 00:25:43,979
Now, remember I said you have to actually
263
00:25:45,720 --> 00:25:52,930
From interface config mode, use IP ACCESS-GROUP,
264
00:25:52,930 --> 00:25:55,690
then the ACL number, then IN or OUT.
265
00:25:55,690 --> 00:25:59,740
Now let’s get into a real example of using
266
00:26:01,150 --> 00:26:04,070
Here’s the same network as before.
267
00:26:04,069 --> 00:26:08,609
I’ll give some requirements, and we’ll
268
00:26:10,710 --> 00:26:15,520
On R1 I’ll configure standard numbered ACLs
269
00:26:15,520 --> 00:26:20,269
standard named ACLs and we’ll configure
270
00:26:21,779 --> 00:26:27,569
Okay, first here are some requirements which
271
00:26:27,569 --> 00:26:37,210
PC1 should be able to access the 192.168.2.0/24
272
00:26:37,210 --> 00:26:39,670
be able to access 192.168.2.0/24.
273
00:26:39,670 --> 00:26:46,000
So, here’s how I configured and applied
274
00:26:46,000 --> 00:26:52,519
First, I configured ACL 1 with an entry permitting
275
00:26:52,519 --> 00:26:59,500
That will achieve the first requirement, allowing
276
00:26:59,500 --> 00:27:04,440
Then I configured an entry denying the 192.168.1.0/24 network.
277
00:27:04,440 --> 00:27:06,940
This will fulfill the second requirement.
278
00:27:06,940 --> 00:27:09,000
The order of these is very important.
279
00:27:09,000 --> 00:27:17,930
If I denied 192.168.1.0/24 first, PC1 would
280
00:27:17,930 --> 00:27:21,929
if I put an entry permitting PC1 after the deny entry.
281
00:27:21,929 --> 00:27:25,040
Remember, ACLs are processed in order from top to bottom.
282
00:27:25,039 --> 00:27:30,089
Once a match is found, the action is taken
283
00:27:30,089 --> 00:27:32,709
entry are not processed, they are ignored.
284
00:27:32,710 --> 00:27:36,210
Finally, I configured a permit any entry at the end.
285
00:27:36,210 --> 00:27:40,319
Remember the implicit deny that is hidden
286
00:27:40,319 --> 00:27:45,349
If I don’t include this permit any at the
287
00:27:45,349 --> 00:27:50,009
192.168.1.0/24 network, it will block all other traffic.
288
00:27:50,009 --> 00:27:56,629
The only device that will be able to access
289
00:27:57,980 --> 00:28:02,179
Every single other device would be blocked.
290
00:28:02,179 --> 00:28:06,000
Our requirements don’t tell us to block
291
00:28:08,190 --> 00:28:14,130
Finally I applied the ACL to R1’s G0/2 interface
292
00:28:16,900 --> 00:28:20,330
I could have, for example, applied it inbound on G0/1.
293
00:28:20,329 --> 00:28:26,519
Well, here’s a good rule-of-thumb for applying
294
00:28:26,519 --> 00:28:30,960
Standard ACLs should be applied as close to
295
00:28:30,960 --> 00:28:36,130
You may be thinking, what do I mean by ‘destination’,
296
00:28:37,130 --> 00:28:43,990
Well, in this case we are trying to control
297
00:28:46,289 --> 00:28:52,230
If I applied ACL 1 inbound on R1’s G0/1
298
00:28:52,230 --> 00:28:56,870
subnet except R1 from accessing anything outside
299
00:28:56,869 --> 00:29:02,949
However, if I apply it correctly, outbound
300
00:29:02,950 --> 00:29:06,870
tries to access the 192.168.2.0/24 network.
301
00:29:06,869 --> 00:29:09,469
So, remember this rule-of-thumb.
302
00:29:09,470 --> 00:29:14,410
Standard ACLs should be applied as close
303
00:29:14,410 --> 00:29:18,000
If you don’t do that, you might block more
304
00:29:18,000 --> 00:29:21,829
Now let’s see how that ACL will work.
305
00:29:27,079 --> 00:29:32,308
It doesn’t check the ACL yet, because we
306
00:29:32,308 --> 00:29:37,589
R1 looks up the destination in its routing
307
00:29:38,589 --> 00:29:45,058
However, ACL 1 is applied outbound on G0/2,
308
00:29:46,058 --> 00:29:50,019
It starts at the top, with entry 10, permit
309
00:29:50,019 --> 00:29:57,750
The ping’s source is PC1, 192.168.1.1, so that’s a match.
310
00:29:57,750 --> 00:30:02,759
It will take the action, which is to permit
311
00:30:02,759 --> 00:30:08,270
PC3 will be able to reply, because there is
312
00:30:13,329 --> 00:30:18,879
R1 receives the ping on G0/1, but it doesn’t
313
00:30:20,819 --> 00:30:24,049
Once again it checks the routing table and
314
00:30:24,049 --> 00:30:30,980
of G0/2, but because ACL 1 is applied outbound
315
00:30:30,980 --> 00:30:36,447
It checks the top entry first, permit 192.168.1.1/32.
316
00:30:36,446 --> 00:30:41,519
The source of the ping is 192.168.1.2, so it doesn’t match.
317
00:30:41,519 --> 00:30:46,896
Then it checks the next entry, deny 192.168.1.0/24.
318
00:30:46,896 --> 00:30:52,339
PC2’s IP is in this subnet, so it matches
319
00:30:53,720 --> 00:30:55,579
It won’t forward the ping to PC3.
320
00:30:55,579 --> 00:31:01,269
Okay, now let’s move on to standard named ACLs.
321
00:31:01,269 --> 00:31:05,960
Standard named ACLs are still standard ACLs,
322
00:31:07,970 --> 00:31:12,170
However, instead of a number they are identified with a name.
323
00:31:12,170 --> 00:31:16,730
You could, for example, name the ACL ‘BLOCK_BOB’.
324
00:31:16,730 --> 00:31:21,700
Standard named ACLs are configured by entering
325
00:31:21,700 --> 00:31:24,029
then configuring each entry within that mode.
326
00:31:24,029 --> 00:31:27,428
So, a little different than standard numbered ACLs.
327
00:31:27,429 --> 00:31:34,259
Here’s how you enter that config mode, IP
328
00:31:34,259 --> 00:31:37,109
Remember to use IP in front of the command.
329
00:31:37,109 --> 00:31:44,099
For standard numbered ACLs the command is
330
00:31:44,099 --> 00:31:50,209
Then you enter standard named ACL config mode
331
00:31:50,210 --> 00:31:53,880
Note that you can now specify an entry number
332
00:31:55,301 --> 00:32:00,469
If you don’t, entries will be numbered 10,
333
00:32:02,869 --> 00:32:06,359
Each entry’s number will be 10 more than the previous one.
334
00:32:06,359 --> 00:32:10,289
But with this function, you can manually specify
335
00:32:13,769 --> 00:32:19,990
First I create the ACL BLOCK_BOB and enter
336
00:32:19,990 --> 00:32:24,710
Then I configured a statement denying 1.1.1.1/32.
337
00:32:24,710 --> 00:32:29,990
Note that I manually configured the entry
338
00:32:29,990 --> 00:32:33,250
Then I configured a permit any entry, with
339
00:32:36,039 --> 00:32:40,289
This isn’t necessary, of course, but remarks
340
00:32:41,680 --> 00:32:46,808
Then I moved to interface configuration mode,
341
00:32:46,808 --> 00:32:51,720
IP ACCESS-GROUP, ACL name, and then IN or OUT.
342
00:32:51,720 --> 00:32:54,929
Let’s check with some show commands.
343
00:32:54,929 --> 00:32:57,850
Once again, I used SHOW ACCESS-LISTS.
344
00:32:57,849 --> 00:33:03,559
The ACL is shown, and you can see each entry
345
00:33:03,559 --> 00:33:05,649
Then I checked the running config.
346
00:33:05,650 --> 00:33:10,870
Notice I used a different method of filtering
347
00:33:10,869 --> 00:33:14,879
This displays just the ACL section of the running config.
348
00:33:14,880 --> 00:33:20,210
If I used ‘INCLUDE ACCESS-LIST’ like before,
349
00:33:20,210 --> 00:33:24,798
However, it wouldn’t actually display any
350
00:33:24,798 --> 00:33:30,039
don’t include ACCESS-LIST, even though they
351
00:33:30,039 --> 00:33:33,920
When I filter using SECTION, I can view the whole ACL.
352
00:33:33,920 --> 00:33:38,450
You can see each entry including the remark,
353
00:33:40,299 --> 00:33:45,259
Okay, let’s try configuring some standard named ACLs on R2.
354
00:33:45,259 --> 00:33:48,009
So, here are the requirements.
355
00:33:48,009 --> 00:33:54,000
PCs in 192.168.1.0/24 can’t access 10.0.2.0/24.
356
00:33:54,000 --> 00:34:03,349
PC3 can’t access 10.0.1.0/24, but other
357
00:34:03,349 --> 00:34:11,089
PC1 can access 10.0.1.0/24, but other PCs
358
00:34:11,090 --> 00:34:15,340
We’ll need two ACLs to do this properly.
359
00:34:15,340 --> 00:34:18,490
If you think you can, try to solve this yourself.
360
00:34:18,489 --> 00:34:20,019
But I’ll show you my solution.
361
00:34:20,019 --> 00:34:28,730
So, we’ll configure one ACL to control access
362
00:34:29,800 --> 00:34:35,980
Then we’ll configure another ACL to control
363
00:34:39,489 --> 00:34:46,129
Here’s the first ACL, I called it TO_10.0.2.0/24.
364
00:34:46,130 --> 00:34:52,480
First I denied the 192.168.1.0/24 network,
365
00:34:52,480 --> 00:34:54,539
Then I applied it outbound on G0/2.
366
00:34:54,539 --> 00:35:02,099
So, PC1 and PC2 will be blocked from accessing
367
00:35:04,940 --> 00:35:10,260
I called the second ACL TO_10.0.1.0/24.
368
00:35:10,260 --> 00:35:14,580
First I denied PC3, 192.168.2.1.
369
00:35:14,579 --> 00:35:17,829
Then I permitted the rest of the PCs in PC3’s network.
370
00:35:17,829 --> 00:35:23,480
I then permitted PC1, but denied the other PCs in PC1’s network.
371
00:35:23,480 --> 00:35:26,210
Then I permitted all other traffic.
372
00:35:26,210 --> 00:35:30,090
Finally I applied the ACL outbound on the G0/1 interface.
373
00:35:31,719 --> 00:35:35,519
ACL configuration can be flexible sometimes,
374
00:35:39,199 --> 00:35:44,279
Let’s check those ACLs with SHOW IP ACCESS-LISTS.
375
00:35:44,280 --> 00:35:50,070
Do you notice something strange about the TO_10.0.1.0/24 ACL?
376
00:35:50,070 --> 00:35:51,109
Look at the sequence numbers.
377
00:35:51,108 --> 00:35:55,869
30, then 10, then 20, then 40, then 50.
378
00:35:55,869 --> 00:35:58,490
And look at the order I configured them.
379
00:35:58,489 --> 00:36:02,929
The sequence numbers match the order I configured
380
00:36:06,500 --> 00:36:11,789
This is a very advanced question about the
381
00:36:11,789 --> 00:36:17,190
are processed, you definitely won’t find
382
00:36:18,329 --> 00:36:23,219
The router may re-order the /32 entries, the
383
00:36:24,409 --> 00:36:27,569
This improves the efficiency of processing the ACL.
384
00:36:27,570 --> 00:36:31,220
However, it does not change the overall effect of the ACL.
385
00:36:31,219 --> 00:36:35,469
So, it makes sense for the router to change
386
00:36:35,469 --> 00:36:39,099
more efficiently without affecting the outcome.
387
00:36:39,099 --> 00:36:43,769
Note that this is done for both standard named
388
00:36:43,769 --> 00:36:48,519
apply to the simpler examples I showed for
389
00:36:48,519 --> 00:36:52,800
Also note that I checked in Packet Tracer,
390
00:36:52,800 --> 00:36:58,830
It will simply display the entries in order
391
00:36:58,829 --> 00:37:03,719
Before finishing up, I’ll just walk through
392
00:37:03,719 --> 00:37:08,819
PC2 wants to access server 1, so it pings to test connectivity.
393
00:37:08,820 --> 00:37:14,030
The ping reaches R2, which is directly connected
394
00:37:14,030 --> 00:37:21,340
However, the TO_10.0.1.0/24 ACL is applied
395
00:37:21,340 --> 00:37:24,190
against that ACL before forwarding it.
396
00:37:24,190 --> 00:37:29,320
The source is 192.168.1.2, so it doesn’t match the top entry.
397
00:37:29,320 --> 00:37:32,430
It doesn’t match the next one either, or the next one.
398
00:37:32,429 --> 00:37:38,859
However, it matches entry 40, because the
399
00:37:38,860 --> 00:37:43,119
So, it denies the packet, it does not forward it to SRV1.
400
00:37:43,119 --> 00:37:47,559
Okay, let’s review and then move on to the quiz.
401
00:37:47,559 --> 00:37:50,489
In this video I covered what ACLs are.
402
00:37:50,489 --> 00:37:54,549
They are used to identify and control traffic in the network.
403
00:37:54,550 --> 00:37:58,369
I introduced ACL logic, how ACLs are processed.
404
00:37:58,369 --> 00:38:03,450
The entries in an ACL are processed from top
405
00:38:03,449 --> 00:38:07,368
the action is taken and the remaining entries are not processed.
406
00:38:07,369 --> 00:38:11,769
I introduced the ACL types you need to know for the CCNA.
407
00:38:11,769 --> 00:38:17,440
They are standard ACLs and extended ACLs,
408
00:38:19,659 --> 00:38:24,089
In this video I covered standard ACLs, which
409
00:38:24,090 --> 00:38:26,230
the source IP address of the packet.
410
00:38:26,230 --> 00:38:32,510
I showed two main ways of configuring standard
411
00:38:34,130 --> 00:38:38,530
They are both just different ways of configuring standard ACLs.
412
00:38:38,530 --> 00:38:42,580
Standard numbered ACLs are configured like
413
00:38:42,579 --> 00:38:46,269
config mode with the ACCESS-LIST command.
414
00:38:46,269 --> 00:38:52,130
For standard named ACLs, you use the IP ACCESS-LIST
415
00:38:52,130 --> 00:38:55,549
mode, and then configure the entries.
416
00:38:55,550 --> 00:39:00,190
Make sure to watch until the end of today’s
417
00:39:00,190 --> 00:39:03,929
the best practice exams for the CCNA, CCNP, and more.
418
00:39:03,929 --> 00:39:09,210
Okay, let’s go to question 1 of the quiz.
419
00:39:09,210 --> 00:39:18,650
Which ACL, when applied outbound on R2’s
420
00:39:18,650 --> 00:39:22,740
Here are four ACLs, which one fulfills that requirement?
421
00:39:22,739 --> 00:39:28,339
Pause the video to think about your answer.
422
00:39:30,809 --> 00:39:35,039
Entry 10 permits PC1 and entry 20 permits PC4.
423
00:39:35,039 --> 00:39:37,710
The implicit deny will deny all other traffic.
424
00:39:37,710 --> 00:39:42,720
So, ACL 1 fulfills the requirements, and the other ACLs do not.
425
00:39:46,599 --> 00:39:51,230
Which interface should the following ACL be
426
00:39:52,289 --> 00:39:55,750
Here’s the ACL, and here’s the requirement.
427
00:39:55,750 --> 00:39:58,869
Pause the video to think about your answer.
428
00:40:01,869 --> 00:40:06,769
The interface should be R2’s G0/2 interface,
429
00:40:06,769 --> 00:40:12,000
Remember that rule-of-thumb, standard ACLs
430
00:40:13,760 --> 00:40:19,900
We are controlling access to 10.0.2.0/24,
431
00:40:19,900 --> 00:40:24,079
Therefore the ACL should be applied outbound on R2’s G0/2.
432
00:40:27,829 --> 00:40:30,480
You issue the following commands on R2.
433
00:40:30,480 --> 00:40:34,260
Which statement about the effect of the configurations
434
00:40:34,260 --> 00:40:36,570
Here are the configurations on R2.
435
00:40:38,039 --> 00:40:40,659
A, all traffic will be denied.
436
00:40:40,659 --> 00:40:45,549
B, traffic from the 10.0.0.0/24 network will be denied.
437
00:40:45,550 --> 00:40:50,830
C, traffic from the 172.16.0.0/24 network will be denied.
438
00:40:50,829 --> 00:40:57,119
Or D, traffic from the 192.168.0.0/24 network will be denied.
439
00:40:57,119 --> 00:41:02,000
Pause the video to think about your answer.
440
00:41:02,000 --> 00:41:08,030
The answer is B, traffic from the 10.0.0.0/24
441
00:41:08,030 --> 00:41:12,160
Each interface can only have one ACL applied in each direction.
442
00:41:12,159 --> 00:41:16,949
If you apply another ACL to the same interface
443
00:41:18,780 --> 00:41:24,769
In this case, the last ACL you applied was
444
00:41:31,760 --> 00:41:38,170
If this ACL is applied inbound on R1 G0/0,
445
00:41:51,440 --> 00:41:57,519
Pause the video to think about your answer.
446
00:42:00,019 --> 00:42:06,039
This is because of where the ACL was applied,
447
00:42:06,039 --> 00:42:11,279
When the PCs try to ping SRV2, R1 won’t
448
00:42:12,929 --> 00:42:18,279
When the reply from SRV2 arrives on R1’s
449
00:42:18,280 --> 00:42:24,710
However, the source of the reply will be SRV2’s
450
00:42:24,710 --> 00:42:27,670
by the ‘permit any’ at the end of the ACL.
451
00:42:27,670 --> 00:42:31,519
So, all PCs will be able to successfully ping SRV2.
452
00:42:36,190 --> 00:42:39,519
What happens if a packet doesn’t match any entries of an ACL?
453
00:42:39,519 --> 00:42:43,108
A, the packet will be forwarded to the default gateway.
454
00:42:43,108 --> 00:42:47,000
B, the packet will be checked using the next available ACL.
455
00:42:49,750 --> 00:42:53,699
Or D, the action of the most specific match will be taken.
456
00:42:53,699 --> 00:42:58,358
Pause the video to think about your answer.
457
00:42:58,358 --> 00:43:01,179
The answer is C, the packet will be dropped.
458
00:43:01,179 --> 00:43:06,029
Every ACL includes an ‘implicit deny’
459
00:43:06,030 --> 00:43:08,300
don’t match any of the ACL’s entries.
460
00:43:10,489 --> 00:43:13,209
Okay, that’s all for the quiz.
461
00:43:13,210 --> 00:43:18,409
Now let’s take a look at a bonus question
462
00:43:18,409 --> 00:43:23,509
Okay, here's today's Boson ExSim practice question.
463
00:43:23,510 --> 00:43:26,920
Which of the following statements is true regarding ACLs?
464
00:43:28,400 --> 00:43:34,309
A, ACLs are processed from the least specific
465
00:43:34,309 --> 00:43:39,369
B, ACLs are processed from the first entry
466
00:43:39,369 --> 00:43:44,539
C, ACLs are processed from the last entry
467
00:43:44,539 --> 00:43:50,090
Or D, ACLs are processed from the most specific
468
00:43:50,090 --> 00:43:54,410
Okay, if you just watched the video you should
469
00:43:54,409 --> 00:43:58,619
So, pause the video now to think about the answer.
470
00:44:02,280 --> 00:44:07,510
As I mentioned in the video, ACLs are processed
471
00:44:09,369 --> 00:44:12,500
So, B should be the correct answer.
472
00:44:12,500 --> 00:44:16,539
I'll select B and then click on show answer.
473
00:44:18,679 --> 00:44:24,649
So, here's Boson's explanation, quite detailed.
474
00:44:24,650 --> 00:44:28,010
You can pause the video now if you want to
475
00:44:29,010 --> 00:44:33,869
These explanations are one of the great things
476
00:44:33,869 --> 00:44:40,900
Okay, and there's also a reference to both
477
00:44:40,900 --> 00:44:47,079
Cisco Press and a link to some Cisco documentation
478
00:44:47,079 --> 00:44:49,920
Configuring IP Access Lists: Process ACLs.
479
00:44:49,920 --> 00:44:53,090
So, this is another great resource.
480
00:44:53,090 --> 00:44:57,240
Okay, so that's Boson ExSim for the CCNA.
481
00:44:57,239 --> 00:45:02,699
These are the practice exams I used to study
482
00:45:04,079 --> 00:45:10,980
So if you want to get a copy of Boson ExSim,
483
00:45:10,980 --> 00:45:13,840
There are supplementary materials for this video.
484
00:45:13,840 --> 00:45:17,269
There is a flashcard deck to use with the software ‘Anki’.
485
00:45:17,269 --> 00:45:21,739
There will also be a packet tracer practice
486
00:45:21,739 --> 00:45:23,129
That will be in the next video.
487
00:45:23,130 --> 00:45:27,630
Sign up for my mailing list via the link in
488
00:45:27,630 --> 00:45:32,500
the flashcards and packet tracer lab files for the course.
489
00:45:32,500 --> 00:45:36,849
Before finishing today’s video I want to
490
00:45:36,849 --> 00:45:39,470
To join, please click the ‘Join’ button under the video.
491
00:45:39,469 --> 00:45:47,221
Thank you to Junhong, OJ, Magrathea, TheGunguy,
492
00:45:47,221 --> 00:45:53,528
Prakaash, Nasir, Erlison, Apogee, Marko, Flodo,
493
00:45:53,528 --> 00:46:00,539
Funnydart, Scott, Hassan, Marek, Velvijaykum,
494
00:46:00,539 --> 00:46:03,338
Devin, Lito, Yonatan, and Vance.
495
00:46:03,338 --> 00:46:08,279
Sorry if I pronounced your name incorrectly,
496
00:46:08,280 --> 00:46:12,340
One of you is still displaying as Channel
497
00:46:12,340 --> 00:46:15,480
me know and I’ll see if YouTube can fix it.
498
00:46:15,480 --> 00:46:19,980
This is the list of JCNP-level members at
499
00:46:21,840 --> 00:46:25,950
If you signed up recently and your name isn’t
500
00:46:30,760 --> 00:46:34,730
Please subscribe to the channel, like the
501
00:46:34,730 --> 00:46:38,000
with anyone else studying for the CCNA.
502
00:46:38,000 --> 00:46:40,789
If you want to leave a tip, check the links in the description.
503
00:46:40,789 --> 00:46:46,500
I'm also a Brave verified publisher and accept