All language subtitles for Free-CCNA-Standard-ACLs-Day-34-CCNA-200-301-Complete-Course_en

Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated:

1 00:00:04,349 --> 00:00:07,869 This is a free, complete course for the CCNA.
2 00:00:07,870 --> 00:00:12,030 If you like these videos, please subscribe
3 00:00:12,029 --> 00:00:16,519 Also, please like and leave a comment, and
4 00:00:19,969 --> 00:00:24,649 In this video we will cover standard ACLs, access control lists.
5 00:00:24,649 --> 00:00:30,879 I’ll be splitting up ACLs into two days,
6 00:00:34,039 --> 00:00:38,829 ACLs are in the exam topics under section
7 00:00:38,829 --> 00:00:45,780 Specifically, topic 5.6, which says you must
8 00:00:47,149 --> 00:00:55,649 It doesn’t specify IPv4 or IPv6, but for
9 00:00:55,649 --> 00:01:01,259 Perhaps later I’ll make an extra video introducing
10 00:01:03,899 --> 00:01:07,540 Here’s what we’ll cover in today’s video.
11 00:01:09,780 --> 00:01:12,060 I’ll introduce their basic purpose.
12 00:01:12,060 --> 00:01:17,859 I’ll talk about ACL logic, how they are
13 00:01:17,859 --> 00:01:21,980 I’ll introduce the basic types of ACLs on Cisco routers.
14 00:01:21,980 --> 00:01:28,228 After that I’ll show you how to configure
15 00:01:31,569 --> 00:01:36,379 As always, watch until the end of the quiz
16 00:01:36,379 --> 00:01:42,408 CCNA, the best practice exams for the CCNA,
17 00:01:48,780 --> 00:01:54,210 ACLs, Access Control Lists, actually have multiple uses.
18 00:01:54,209 --> 00:01:59,609 The name ‘access control’ tells us that
19 00:01:59,609 --> 00:02:05,590 For example, Host A should be allowed to access
20 00:02:05,590 --> 00:02:14,400 to access Server A. In Day 34, this video,
21 00:02:15,400 --> 00:02:21,230 So, like I just said, controlling which devices
22 00:02:21,229 --> 00:02:27,789 However, although that is the main purpose
23 00:02:27,789 --> 00:02:31,500 Later in the course you’ll see some other uses of ACLs.
24 00:02:31,500 --> 00:02:35,400 But for now, we’ll focus on ACLs from a
25 00:02:35,400 --> 00:02:38,250 access to different parts of the network.
26 00:02:38,250 --> 00:02:44,919 So, when using ACLs in this way, ACLs function
27 00:02:44,919 --> 00:02:49,128 to permit or discard specific traffic.
28 00:02:49,128 --> 00:02:54,009 As you know, if a router receives a packet
29 00:02:54,009 --> 00:02:58,798 it will by default forward the packet according
30 00:02:58,799 --> 00:03:02,188 However ACLs let us control that.
31 00:03:02,188 --> 00:03:07,489 Even if the router has a route to the destination,
32 00:03:10,318 --> 00:03:16,069 ACLs can filter traffic based on the source
33 00:03:19,509 --> 00:03:24,939 For the CCNA, we’ll just focus on those
34 00:03:24,939 --> 00:03:27,509 can get more advanced with ACLs also.
35 00:03:27,509 --> 00:03:32,500 Okay, I think showing you will make things
36 00:03:32,500 --> 00:03:38,848 So, we have two routers, R1 and R2, with a
37 00:03:38,848 --> 00:03:46,098 The 192.168.1.0/24 network is connected to
38 00:03:48,889 --> 00:03:53,699 Notice that, instead of including a switch
39 00:03:53,699 --> 00:03:57,908 to the switch, I represent the network segment like this.
40 00:03:57,908 --> 00:04:00,400 This is common in network diagrams.
41 00:04:00,400 --> 00:04:07,670 In reality, all of the PCs in the 192.168.1.0/24
42 00:04:07,669 --> 00:04:11,979 switch is connected to R1, but we don’t
43 00:04:14,300 --> 00:04:22,310 The 192.168.2.0/24 network, with PC3 and PC4,
44 00:04:22,310 --> 00:04:31,649 The 10.0.1.0/24 network, with SRV1, is connected
45 00:04:33,410 --> 00:04:37,759 I’ll use this network to demonstrate how ACLs work.
46 00:04:37,759 --> 00:04:43,919 So, without looking at the actual configurations
47 00:04:45,589 --> 00:04:51,638 We shouldn’t just configure ACLs randomly,
48 00:04:51,639 --> 00:04:58,918 For example, let’s say the network policy
49 00:04:58,918 --> 00:05:02,370 able to access the 10.0.1.0/24 network.
50 00:05:02,370 --> 00:05:07,030 They should be able to access files on SRV1, for example.
51 00:05:07,029 --> 00:05:15,559 However, hosts in the 192.168.2.0/24 network
52 00:05:15,560 --> 00:05:23,089 PC3 and PC4, for example, should not be able
53 00:05:23,089 --> 00:05:26,750 How can we use ACLs to achieve this?
54 00:05:26,750 --> 00:05:32,180 First up, ACLs are configured globally on
55 00:05:32,180 --> 00:05:38,360 ACLs are made up of an ordered sequence of
56 00:05:38,360 --> 00:05:44,870 For example, to fulfill our requirement, we
57 00:05:44,870 --> 00:05:53,439 ACE 1 says if source IP equals 192.168.1.0/24,
58 00:05:54,439 --> 00:06:02,009 ACE 2 says if source IP equals 192.168.2.0/24, deny the traffic.
59 00:06:02,009 --> 00:06:06,800 ACE 3 says that all other traffic should be permitted.
60 00:06:06,800 --> 00:06:13,360 The order of these entries is very important,
61 00:06:13,360 --> 00:06:18,819 Configuring an ACL in global config mode will
62 00:06:18,819 --> 00:06:23,979 After being created, the ACL must be applied to an interface.
63 00:06:23,978 --> 00:06:26,879 ACLs are applied either inbound or outbound.
64 00:06:31,750 --> 00:06:34,930 Let’s say we configured it on R1.
65 00:06:34,930 --> 00:06:38,509 So it has been created, but it hasn’t been applied yet.
66 00:06:38,509 --> 00:06:44,079 Let’s walk through some examples of applying
67 00:06:45,668 --> 00:06:48,180 Once again, here are the requirements.
68 00:06:48,180 --> 00:06:53,550 Depending on which interface we apply the
69 00:06:53,550 --> 00:06:58,009 we will either succeed in meeting the requirements or fail.
70 00:06:58,009 --> 00:07:02,740 For example, what if we applied it outbound on G0/2.
71 00:07:02,740 --> 00:07:06,689 That means it will only take effect on traffic exiting G0/2.
72 00:07:06,689 --> 00:07:09,769 Does that fulfill the requirements?
73 00:07:09,769 --> 00:07:12,680 The answer is no, it doesn’t fulfill the requirement.
74 00:07:14,470 --> 00:07:20,479 Because R1 will only use the ACL to filter
75 00:07:20,478 --> 00:07:27,860 If PC3 tries to ping SRV1, when the ping reaches
76 00:07:27,860 --> 00:07:31,490 the traffic is entering G0/2, not exiting it.
77 00:07:31,490 --> 00:07:37,009 So, R1 will forward the traffic to R2, which
78 00:07:37,009 --> 00:07:43,349 Now, when SRV1 sends the reply to PC3, R1
79 00:07:43,350 --> 00:07:47,009 should be forwarded out of G0/2 or not.
80 00:07:47,009 --> 00:07:50,129 It will check the entries of ACL1 in sequence.
81 00:07:50,129 --> 00:07:54,509 If source IP = 192.168.1.0/24.
82 00:07:54,509 --> 00:07:59,789 Well, the source is SRV1, so that doesn’t apply.
83 00:07:59,790 --> 00:08:04,127 If source IP = 192.168.2.0/24.
84 00:08:04,127 --> 00:08:08,040 That doesn’t apply either, the source is not in that subnet.
85 00:08:08,040 --> 00:08:14,658 So, R1 reaches the last entry which says permit
86 00:08:16,240 --> 00:08:25,430 PC3 was able to access SRV1, even though hosts
87 00:08:25,430 --> 00:08:30,470 Clearly, we didn’t apply this ACL correctly.
88 00:08:30,470 --> 00:08:34,350 What if we applied the ACL inbound on G0/2?
89 00:08:34,350 --> 00:08:38,340 That means R1 will check the ACL for all traffic entering G0/2.
90 00:08:38,340 --> 00:08:45,030 So, if PC3 tries to ping SRV1, R1 will check the ACL.
91 00:08:45,029 --> 00:08:49,000 Once again, it will check the entries in order,
92 00:08:51,159 --> 00:08:58,250 The source isn’t in that subnet, so it checks the next entry.
93 00:09:03,100 --> 00:09:11,670 The source is 192.168.2.1, which is in 192.168.2.0/24,
94 00:09:11,669 --> 00:09:15,169 That means that R1 will take the specified
95 00:09:15,169 --> 00:09:20,579 So, R1 drops the traffic, it doesn’t forward the packet.
96 00:09:20,580 --> 00:09:25,330 Once a router finds a match and takes an action,
97 00:09:25,330 --> 00:09:29,450 ACL, so this ‘permit all other traffic’ is ignored.
98 00:09:29,450 --> 00:09:32,340 So, does this fulfill our requirements?
99 00:09:36,120 --> 00:09:43,700 192.168.1.0/24 will be able to access 10.0.1.0/24
100 00:09:45,470 --> 00:09:55,639 Also, hosts in 192.168.2.0/24 are prevented
101 00:09:55,639 --> 00:09:58,439 R1 dropped the traffic from PC3.
102 00:09:58,440 --> 00:10:05,470 However, by applying the ACL inbound on G0/2
103 00:10:05,470 --> 00:10:13,360 This blocks hosts in 192.168.2.0/24 from communicating
104 00:10:14,360 --> 00:10:19,399 PC3 and PC4 can communicate with each other, but that’s it.
105 00:10:19,399 --> 00:10:23,309 So, this is not the best way to apply this ACL.
106 00:10:23,309 --> 00:10:28,750 There are some other possibilities we could
107 00:10:28,750 --> 00:10:34,559 R2’s G0/0, but let’s take a look at the best option.
108 00:10:34,559 --> 00:10:40,179 The best location to place this ACL is outbound
109 00:10:43,169 --> 00:10:49,459 If PC3 tries to ping SRV1, R2 will check the
110 00:10:52,299 --> 00:11:00,250 The first entry says if source IP equals 192.168.1.0/24
111 00:11:03,960 --> 00:11:09,210 If source IP is in 192.168.2.0/24, then deny.
112 00:11:09,210 --> 00:11:14,660 The source is in that subnet, so the packet
113 00:11:14,659 --> 00:11:25,759 So, that satisfies the second requirement,
114 00:11:25,759 --> 00:11:32,889 What if PC1, in 192.168.1.0/24, tried to ping SRV1?
115 00:11:32,889 --> 00:11:38,939 Before forwarding the packet out of its G0/1
116 00:11:38,940 --> 00:11:44,890 If the source IP is in 192.168.1.0/24, then permit.
117 00:11:44,889 --> 00:11:53,100 The source is 192.168.1.1, so the packet is
118 00:11:53,100 --> 00:11:57,790 Both requirements have been satisfied, and
119 00:11:57,789 --> 00:12:04,419 I hope that demonstration helped you understand
120 00:12:04,419 --> 00:12:07,409 If you’re still a little confused, don’t worry.
121 00:12:07,409 --> 00:12:11,250 Let me explain a little more about some of
122 00:12:11,250 --> 00:12:17,919 So, ACLs are configured in global config mode,
123 00:12:17,919 --> 00:12:21,870 When applying it to an interface, you specify a direction.
124 00:12:21,870 --> 00:12:26,230 This tells the router to either check packets
125 00:12:29,269 --> 00:12:35,500 ACLs are made up of one or more ACEs, access control entries.
126 00:12:35,500 --> 00:12:40,549 When the router checks a packet against the
127 00:12:43,740 --> 00:12:51,830 For example here in ACL 1, the router will
128 00:12:51,830 --> 00:12:57,680 then it will check if the packet’s source
129 00:12:57,679 --> 00:13:01,269 match either of those it will permit it.
130 00:13:01,269 --> 00:13:05,889 Another point I briefly mentioned before,
131 00:13:05,889 --> 00:13:11,500 the ACL, the router takes the action and stops
132 00:13:11,500 --> 00:13:15,190 All entries below the matching entry will be ignored.
133 00:13:17,450 --> 00:13:20,680 Here we have a router and another ACL.
134 00:13:20,679 --> 00:13:29,329 The first entry in the ACL says if source
135 00:13:29,330 --> 00:13:37,440 However the second entry says if source IP
136 00:13:37,440 --> 00:13:43,920 What effect will this have if applied outbound
137 00:13:43,919 --> 00:13:50,459 If a packet with a source IP of 192.168.1.1
138 00:13:50,460 --> 00:13:55,009 out of G0/0 the router will check it against the ACL.
139 00:13:55,009 --> 00:14:01,139 The source is 192.168.1.1, which matches the
140 00:14:02,620 --> 00:14:07,429 This second entry will simply be ignored.
141 00:14:07,429 --> 00:14:11,469 Now I’ve reversed entries 1 and 2 in ACL 2.
142 00:14:11,470 --> 00:14:15,940 What will the effect be if the same packet
143 00:14:15,940 --> 00:14:20,330 It will once again check ACL 2 before forwarding the packet.
144 00:14:20,330 --> 00:14:25,200 The first entry tells the router to deny the
145 00:14:27,700 --> 00:14:31,210 Entry 2, which tells the router to permit
146 00:14:31,210 --> 00:14:36,519 So, I think you can see how important the
147 00:14:36,519 --> 00:14:39,220 Now, here’s one more point about ACLs.
148 00:14:39,220 --> 00:14:45,190 A maximum of one ACL can be applied to a single
149 00:14:45,190 --> 00:14:53,730 So, one inbound ACL is allowed and one outbound
150 00:14:53,730 --> 00:14:58,300 If you apply a second ACL to an interface
151 00:15:02,019 --> 00:15:06,629 Next up, another important part of ACLs, the ‘implicit deny’.
152 00:15:09,009 --> 00:15:12,929 What happens if a packet doesn’t match any
153 00:15:12,929 --> 00:15:17,859 So, here’s the same ACL, and the same router.
154 00:15:17,860 --> 00:15:23,190 This time the router receives a packet with source IP 10.0.0.1.
155 00:15:23,190 --> 00:15:30,470 Before forwarding it out of G0/0, the router
156 00:15:32,289 --> 00:15:34,409 And it doesn’t match the second entry either.
157 00:15:36,490 --> 00:15:41,240 The answer is, the router will deny the packet,
158 00:15:41,240 --> 00:15:44,409 This is what we call the ‘implicit deny’.
159 00:15:44,409 --> 00:15:49,049 Even though there is no entry in the ACL telling
160 00:15:49,049 --> 00:15:55,219 there is an invisible entry at the end, if
161 00:15:58,169 --> 00:16:03,759 To summarize this point, there is an implicit
162 00:16:03,759 --> 00:16:07,629 This tells the router to deny all traffic
163 00:16:10,139 --> 00:16:15,429 Always be aware of the implicit deny when
164 00:16:19,610 --> 00:16:24,759 Now that you have an idea of the basic operations
165 00:16:24,759 --> 00:16:30,360 of ACLs you will learn about in today’s video and in Day 35.
166 00:16:30,360 --> 00:16:35,779 There are two main types of ACLs, and those
167 00:16:35,779 --> 00:16:41,750 The first type are standard ACLs, these match
168 00:16:43,629 --> 00:16:48,700 The two types of standard ACLs are standard
169 00:16:51,789 --> 00:16:56,740 And there are also standard named ACLs, which
170 00:16:56,740 --> 00:17:01,279 There are also differences in how you configure
171 00:17:03,440 --> 00:17:08,220 In addition to standard ACLs, there are also extended ACLs.
172 00:17:08,220 --> 00:17:14,079 These are more complex and can match based
173 00:17:14,079 --> 00:17:19,319 and/or destination port numbers, as well as some other things.
174 00:17:19,319 --> 00:17:25,480 Like standard ACLs, there are numbered and
175 00:17:25,480 --> 00:17:30,920 As I said in the beginning of the video, today
176 00:17:30,920 --> 00:17:36,269 All of the examples so far have been standard
177 00:17:39,009 --> 00:17:44,470 In Day 35 I’ll tell you all about extended
178 00:17:44,470 --> 00:17:49,610 standard ACLs and then see how to actually configure them.
179 00:17:49,609 --> 00:17:53,519 So let’s get into standard numbered ACLs.
180 00:17:53,519 --> 00:17:58,650 As I just mentioned, standard ACLs match traffic
181 00:17:59,650 --> 00:18:02,880 So, standard ACLs are quite simple.
182 00:18:02,880 --> 00:18:08,140 The router doesn’t check the destination
183 00:18:09,420 --> 00:18:14,400 It just looks at the source IP address of
184 00:18:16,210 --> 00:18:19,000 Numbered ACLs are identified with a number.
185 00:18:19,000 --> 00:18:24,029 You can, of course, configure multiple ACLs
186 00:18:26,319 --> 00:18:31,659 Numbered ACLs use a number like ACL 1, ACL 2, etc.
187 00:18:31,660 --> 00:18:35,100 There are also named ACLs, which I’ll introduce later.
188 00:18:37,720 --> 00:18:42,860 Different types of ACLs have a different range
189 00:18:42,859 --> 00:18:49,919 Standard ACLs can use 1 to 99 and 1300 to 1999.
190 00:18:49,920 --> 00:18:55,600 Originally, standard ACLs could only use 1
191 00:18:55,599 --> 00:18:59,449 99 standard ACLs on a single router.
192 00:18:59,450 --> 00:19:04,250 Later this was expanded to include 1300 to 1999.
193 00:19:04,250 --> 00:19:10,680 So, you can’t configure a standard ACL with
194 00:19:14,150 --> 00:19:18,430 Here are a bunch of different ACL types, and
195 00:19:19,890 --> 00:19:22,670 You don’t have to memorize all of these, of course.
196 00:19:22,670 --> 00:19:32,039 For now, just remember the standard ACL ranges,
197 00:19:35,019 --> 00:19:39,889 ‘IP ACL’ is the type of ACL you have to learn for the CCNA.
198 00:19:39,890 --> 00:19:44,090 I just wanted to show you that there are lots
199 00:19:45,980 --> 00:19:51,039 Here’s the basic command to configure a standard numbered ACL.
200 00:19:51,039 --> 00:19:53,779 ACCESS-LIST, followed by the number.
201 00:19:53,779 --> 00:20:00,599 We’re configuring standard ACLs, so this
202 00:20:03,500 --> 00:20:09,380 Then you specify either deny or permit, and
203 00:20:10,920 --> 00:20:14,640 Hopefully you remember wildcard masks from
204 00:20:14,640 --> 00:20:20,170 Don’t try to use a standard subnet mask when configuring ACLs.
205 00:20:20,170 --> 00:20:25,529 So, this is how you configure a single entry in access-list 1.
206 00:20:26,680 --> 00:20:31,490 ACCESS-LIST 1 DENY 1.1.1.1 0.0.0.0.
207 00:20:31,490 --> 00:20:40,109 So, this denies 1.1.1.1/32, meaning only 1.1.1.1, a single host.
208 00:20:40,109 --> 00:20:46,879 Now, when you specify a /32 mask in an ACL,
209 00:20:48,089 --> 00:20:54,399 You can just specify 1.1.1.1, and the router
210 00:20:54,400 --> 00:20:58,840 So, these are just two different ways of configuring
211 00:20:58,839 --> 00:21:03,319 Now, there is one more method of configuring a /32 entry.
212 00:21:03,319 --> 00:21:08,559 It’s considered an old method, but it still
213 00:21:08,559 --> 00:21:14,109 To specify a single host, you can use the
214 00:21:14,109 --> 00:21:19,119 Again, in effect this is exactly the same
215 00:21:21,069 --> 00:21:25,269 So, all three of these are the same in effect.
216 00:21:25,269 --> 00:21:31,190 Note that the 2nd and 3rd options here can
217 00:21:32,369 --> 00:21:37,529 If you’re matching a /24 network, for example,
218 00:21:37,529 --> 00:21:41,579 to specify the wildcard mask of 0.0.0.255.
219 00:21:41,579 --> 00:21:47,730 Okay, so let’s say we used one of those
220 00:21:51,630 --> 00:21:56,800 If we leave the ACL as is, all other traffic
221 00:21:57,799 --> 00:22:02,339 So, let’s make another entry in this ACL to permit traffic.
222 00:22:06,980 --> 00:22:10,640 This tells the router to permit all traffic, with any source IP.
223 00:22:13,339 --> 00:22:18,429 The ANY keyword is convenient, but how can
224 00:22:20,869 --> 00:22:27,179 Pause the video and think about it, what IP
225 00:22:27,180 --> 00:22:39,720 Okay, the answer is 0.0.0.0 255.255.255.255,
226 00:22:39,720 --> 00:22:43,460 So, these two options are exactly the same.
227 00:22:43,460 --> 00:22:47,960 As you can see, ACL configuration can be quite flexible.
228 00:22:47,960 --> 00:22:53,250 In these examples I’ll use a variety of
229 00:22:53,250 --> 00:22:56,579 but feel free to pick your favorite and just use that.
230 00:22:56,579 --> 00:23:03,309 ‘ANY’, for example, is much quicker to
231 00:23:03,309 --> 00:23:10,909 Finally, here’s one more thing you can configure
232 00:23:10,910 --> 00:23:13,279 This is like an interface description.
233 00:23:13,279 --> 00:23:17,740 It doesn’t have any effect on the ACL, it’s
234 00:23:17,740 --> 00:23:22,660 the purpose of the ACL when looking at it in the configuration.
235 00:23:22,660 --> 00:23:27,279 Note that the command is ACCESS-LIST 1 REMARK,
236 00:23:27,279 --> 00:23:32,619 The hashtags, or pound symbols, whatever you
237 00:23:33,660 --> 00:23:38,210 I just use them to make it easier to see when
238 00:23:38,210 --> 00:23:43,680 Okay, so I tried actually configuring that
239 00:23:43,680 --> 00:23:48,490 For both the deny and permit entries I decided
240 00:23:49,859 --> 00:23:54,849 Then I used SHOW ACCESS-LISTS, which displays
241 00:23:54,849 --> 00:23:57,250 There are a few things to point out here.
242 00:23:57,250 --> 00:24:04,490 First up, notice that the router automatically
243 00:24:06,619 --> 00:24:10,259 The router does this when you use a /32 mask.
244 00:24:10,259 --> 00:24:19,450 Also, PERMIT 0.0.0.0 255.255.255.255 was automatically
245 00:24:19,450 --> 00:24:22,870 You probably also noticed that the remark
246 00:24:25,069 --> 00:24:30,049 Finally, notice that each entry is given a
247 00:24:30,049 --> 00:24:34,589 I configured the DENY statement first, and
248 00:24:35,980 --> 00:24:39,680 Remember, the order of these entries is very important.
249 00:24:39,680 --> 00:24:45,900 If the PERMIT ANY entry was first, all traffic
250 00:24:47,990 --> 00:24:52,101 On modern devices, the router should prevent
251 00:24:52,101 --> 00:24:55,290 you should still be aware of how important the order is.
252 00:24:55,289 --> 00:24:59,869 Okay, next I used the command SHOW IP ACCESS-LISTS.
253 00:24:59,869 --> 00:25:04,058 Notice that the output is exactly the same
254 00:25:04,058 --> 00:25:07,559 As you saw before, there are many kinds of ACLs.
255 00:25:07,559 --> 00:25:14,470 SHOW ACCESS-LISTS displays all kinds, but
256 00:25:14,470 --> 00:25:17,600 the kind we will be configuring in these videos.
257 00:25:17,599 --> 00:25:21,269 You can use either command to check your ACLs,
258 00:25:21,269 --> 00:25:27,129 Finally, I used SHOW RUNNING-CONFIG, followed
259 00:25:27,130 --> 00:25:31,620 to only show lines in the config that include ACCESS-LIST.
260 00:25:31,619 --> 00:25:35,449 Notice once again that the deny and permit
261 00:25:36,450 --> 00:25:39,110 Also, the remark is displayed this time.
262 00:25:39,109 --> 00:25:43,979 Now, remember I said you have to actually
263 00:25:45,720 --> 00:25:52,930 From interface config mode, use IP ACCESS-GROUP,
264 00:25:52,930 --> 00:25:55,690 then the ACL number, then IN or OUT.
265 00:25:55,690 --> 00:25:59,740 Now let’s get into a real example of using
266 00:26:01,150 --> 00:26:04,070 Here’s the same network as before.
267 00:26:04,069 --> 00:26:08,609 I’ll give some requirements, and we’ll
268 00:26:10,710 --> 00:26:15,520 On R1 I’ll configure standard numbered ACLs
269 00:26:15,520 --> 00:26:20,269 standard named ACLs and we’ll configure
270 00:26:21,779 --> 00:26:27,569 Okay, first here are some requirements which
271 00:26:27,569 --> 00:26:37,210 PC1 should be able to access the 192.168.2.0/24
272 00:26:37,210 --> 00:26:39,670 be able to access 192.168.2.0/24.
273 00:26:39,670 --> 00:26:46,000 So, here’s how I configured and applied
274 00:26:46,000 --> 00:26:52,519 First, I configured ACL 1 with an entry permitting
275 00:26:52,519 --> 00:26:59,500 That will achieve the first requirement, allowing
276 00:26:59,500 --> 00:27:04,440 Then I configured an entry denying the 192.168.1.0/24 network.
277 00:27:04,440 --> 00:27:06,940 This will fulfill the second requirement.
278 00:27:06,940 --> 00:27:09,000 The order of these is very important.
279 00:27:09,000 --> 00:27:17,930 If I denied 192.168.1.0/24 first, PC1 would
280 00:27:17,930 --> 00:27:21,929 if I put an entry permitting PC1 after the deny entry.
281 00:27:21,929 --> 00:27:25,040 Remember, ACLs are processed in order from top to bottom.
282 00:27:25,039 --> 00:27:30,089 Once a match is found, the action is taken
283 00:27:30,089 --> 00:27:32,709 entry are not processed, they are ignored.
284 00:27:32,710 --> 00:27:36,210 Finally, I configured a permit any entry at the end.
285 00:27:36,210 --> 00:27:40,319 Remember the implicit deny that is hidden
286 00:27:40,319 --> 00:27:45,349 If I don’t include this permit any at the
287 00:27:45,349 --> 00:27:50,009 192.168.1.0/24 network, it will block all other traffic.
288 00:27:50,009 --> 00:27:56,629 The only device that will be able to access
289 00:27:57,980 --> 00:28:02,179 Every single other device would be blocked.
290 00:28:02,179 --> 00:28:06,000 Our requirements don’t tell us to block
291 00:28:08,190 --> 00:28:14,130 Finally I applied the ACL to R1’s G0/2 interface
292 00:28:16,900 --> 00:28:20,330 I could have, for example, applied it inbound on G0/1.
293 00:28:20,329 --> 00:28:26,519 Well, here’s a good rule-of-thumb for applying
294 00:28:26,519 --> 00:28:30,960 Standard ACLs should be applied as close to
295 00:28:30,960 --> 00:28:36,130 You may be thinking, what do I mean by ‘destination’,
296 00:28:37,130 --> 00:28:43,990 Well, in this case we are trying to control
297 00:28:46,289 --> 00:28:52,230 If I applied ACL 1 inbound on R1’s G0/1
298 00:28:52,230 --> 00:28:56,870 subnet except R1 from accessing anything outside
299 00:28:56,869 --> 00:29:02,949 However, if I apply it correctly, outbound
300 00:29:02,950 --> 00:29:06,870 tries to access the 192.168.2.0/24 network.
301 00:29:06,869 --> 00:29:09,469 So, remember this rule-of-thumb.
302 00:29:09,470 --> 00:29:14,410 Standard ACLs should be applied as close
303 00:29:14,410 --> 00:29:18,000 If you don’t do that, you might block more
304 00:29:18,000 --> 00:29:21,829 Now let’s see how that ACL will work.
305 00:29:27,079 --> 00:29:32,308 It doesn’t check the ACL yet, because we
306 00:29:32,308 --> 00:29:37,589 R1 looks up the destination in its routing
307 00:29:38,589 --> 00:29:45,058 However, ACL 1 is applied outbound on G0/2,
308 00:29:46,058 --> 00:29:50,019 It starts at the top, with entry 10, permit
309 00:29:50,019 --> 00:29:57,750 The ping’s source is PC1, 192.168.1.1, so that’s a match.
310 00:29:57,750 --> 00:30:02,759 It will take the action, which is to permit
311 00:30:02,759 --> 00:30:08,270 PC3 will be able to reply, because there is
312 00:30:13,329 --> 00:30:18,879 R1 receives the ping on G0/1, but it doesn’t
313 00:30:20,819 --> 00:30:24,049 Once again it checks the routing table and
314 00:30:24,049 --> 00:30:30,980 of G0/2, but because ACL 1 is applied outbound
315 00:30:30,980 --> 00:30:36,447 It checks the top entry first, permit 192.168.1.1/32.
316 00:30:36,446 --> 00:30:41,519 The source of the ping is 192.168.1.2, so it doesn’t match.
317 00:30:41,519 --> 00:30:46,896 Then it checks the next entry, deny 192.168.1.0/24.
318 00:30:46,896 --> 00:30:52,339 PC2’s IP is in this subnet, so it matches
319 00:30:53,720 --> 00:30:55,579 It won’t forward the ping to PC3.
320 00:30:55,579 --> 00:31:01,269 Okay, now let’s move on to standard named ACLs.
321 00:31:01,269 --> 00:31:05,960 Standard named ACLs are still standard ACLs,
322 00:31:07,970 --> 00:31:12,170 However, instead of a number they are identified with a name.
323 00:31:12,170 --> 00:31:16,730 You could, for example, name the ACL ‘BLOCK_BOB’.
324 00:31:16,730 --> 00:31:21,700 Standard named ACLs are configured by entering
325 00:31:21,700 --> 00:31:24,029 then configuring each entry within that mode.
326 00:31:24,029 --> 00:31:27,428 So, a little different than standard numbered ACLs.
327 00:31:27,429 --> 00:31:34,259 Here’s how you enter that config mode, IP
328 00:31:34,259 --> 00:31:37,109 Remember to use IP in front of the command.
329 00:31:37,109 --> 00:31:44,099 For standard numbered ACLs the command is
330 00:31:44,099 --> 00:31:50,209 Then you enter standard named ACL config mode
331 00:31:50,210 --> 00:31:53,880 Note that you can now specify an entry number
332 00:31:55,301 --> 00:32:00,469 If you don’t, entries will be numbered 10,
333 00:32:02,869 --> 00:32:06,359 Each entry’s number will be 10 more than the previous one.
334 00:32:06,359 --> 00:32:10,289 But with this function, you can manually specify
335 00:32:13,769 --> 00:32:19,990 First I create the ACL BLOCK_BOB and enter
336 00:32:19,990 --> 00:32:24,710 Then I configured a statement denying 1.1.1.1/32.
337 00:32:24,710 --> 00:32:29,990 Note that I manually configured the entry
338 00:32:29,990 --> 00:32:33,250 Then I configured a permit any entry, with
339 00:32:36,039 --> 00:32:40,289 This isn’t necessary, of course, but remarks
340 00:32:41,680 --> 00:32:46,808 Then I moved to interface configuration mode,
341 00:32:46,808 --> 00:32:51,720 IP ACCESS-GROUP, ACL name, and then IN or OUT.
342 00:32:51,720 --> 00:32:54,929 Let’s check with some show commands.
343 00:32:54,929 --> 00:32:57,850 Once again, I used SHOW ACCESS-LISTS.
344 00:32:57,849 --> 00:33:03,559 The ACL is shown, and you can see each entry
345 00:33:03,559 --> 00:33:05,649 Then I checked the running config.
346 00:33:05,650 --> 00:33:10,870 Notice I used a different method of filtering
347 00:33:10,869 --> 00:33:14,879 This displays just the ACL section of the running config.
348 00:33:14,880 --> 00:33:20,210 If I used ‘INCLUDE ACCESS-LIST’ like before,
349 00:33:20,210 --> 00:33:24,798 However, it wouldn’t actually display any
350 00:33:24,798 --> 00:33:30,039 don’t include ACCESS-LIST, even though they
351 00:33:30,039 --> 00:33:33,920 When I filter using SECTION, I can view the whole ACL.
352 00:33:33,920 --> 00:33:38,450 You can see each entry including the remark,
353 00:33:40,299 --> 00:33:45,259 Okay, let’s try configuring some standard named ACLs on R2.
354 00:33:45,259 --> 00:33:48,009 So, here are the requirements.
355 00:33:48,009 --> 00:33:54,000 PCs in 192.168.1.0/24 can’t access 10.0.2.0/24.
356 00:33:54,000 --> 00:34:03,349 PC3 can’t access 10.0.1.0/24, but other
357 00:34:03,349 --> 00:34:11,089 PC1 can access 10.0.1.0/24, but other PCs
358 00:34:11,090 --> 00:34:15,340 We’ll need two ACLs to do this properly.
359 00:34:15,340 --> 00:34:18,490 If you think you can, try to solve this yourself.
360 00:34:18,489 --> 00:34:20,019 But I’ll show you my solution.
361 00:34:20,019 --> 00:34:28,730 So, we’ll configure one ACL to control access
362 00:34:29,800 --> 00:34:35,980 Then we’ll configure another ACL to control
363 00:34:39,489 --> 00:34:46,129 Here’s the first ACL, I called it TO_10.0.2.0/24.
364 00:34:46,130 --> 00:34:52,480 First I denied the 192.168.1.0/24 network,
365 00:34:52,480 --> 00:34:54,539 Then I applied it outbound on G0/2.
366 00:34:54,539 --> 00:35:02,099 So, PC1 and PC2 will be blocked from accessing
367 00:35:04,940 --> 00:35:10,260 I called the second ACL TO_10.0.1.0/24.
368 00:35:10,260 --> 00:35:14,580 First I denied PC3, 192.168.2.1.
369 00:35:14,579 --> 00:35:17,829 Then I permitted the rest of the PCs in PC3’s network.
370 00:35:17,829 --> 00:35:23,480 I then permitted PC1, but denied the other PCs in PC1’s network.
371 00:35:23,480 --> 00:35:26,210 Then I permitted all other traffic.
372 00:35:26,210 --> 00:35:30,090 Finally I applied the ACL outbound on the G0/1 interface.
373 00:35:31,719 --> 00:35:35,519 ACL configuration can be flexible sometimes,
374 00:35:39,199 --> 00:35:44,279 Let’s check those ACLs with SHOW IP ACCESS-LISTS.
375 00:35:44,280 --> 00:35:50,070 Do you notice something strange about the TO_10.0.1.0/24 ACL?
376 00:35:50,070 --> 00:35:51,109 Look at the sequence numbers.
377 00:35:51,108 --> 00:35:55,869 30, then 10, then 20, then 40, then 50.
378 00:35:55,869 --> 00:35:58,490 And look at the order I configured them.
379 00:35:58,489 --> 00:36:02,929 The sequence numbers match the order I configured
380 00:36:06,500 --> 00:36:11,789 This is a very advanced question about the
381 00:36:11,789 --> 00:36:17,190 are processed, you definitely won’t find
382 00:36:18,329 --> 00:36:23,219 The router may re-order the /32 entries, the
383 00:36:24,409 --> 00:36:27,569 This improves the efficiency of processing the ACL.
384 00:36:27,570 --> 00:36:31,220 However, it does not change the overall effect of the ACL.
385 00:36:31,219 --> 00:36:35,469 So, it makes sense for the router to change
386 00:36:35,469 --> 00:36:39,099 more efficiently without affecting the outcome.
387 00:36:39,099 --> 00:36:43,769 Note that this is done for both standard named
388 00:36:43,769 --> 00:36:48,519 apply to the simpler examples I showed for
389 00:36:48,519 --> 00:36:52,800 Also note that I checked in Packet Tracer,
390 00:36:52,800 --> 00:36:58,830 It will simply display the entries in order
391 00:36:58,829 --> 00:37:03,719 Before finishing up, I’ll just walk through
392 00:37:03,719 --> 00:37:08,819 PC2 wants to access server 1, so it pings to test connectivity.
393 00:37:08,820 --> 00:37:14,030 The ping reaches R2, which is directly connected
394 00:37:14,030 --> 00:37:21,340 However, the TO_10.0.1.0/24 ACL is applied
395 00:37:21,340 --> 00:37:24,190 against that ACL before forwarding it.
396 00:37:24,190 --> 00:37:29,320 The source is 192.168.1.2, so it doesn’t match the top entry.
397 00:37:29,320 --> 00:37:32,430 It doesn’t match the next one either, or the next one.
398 00:37:32,429 --> 00:37:38,859 However, it matches entry 40, because the
399 00:37:38,860 --> 00:37:43,119 So, it denies the packet, it does not forward it to SRV1.
400 00:37:43,119 --> 00:37:47,559 Okay, let’s review and then move on to the quiz.
401 00:37:47,559 --> 00:37:50,489 In this video I covered what ACLs are.
402 00:37:50,489 --> 00:37:54,549 They are used to identify and control traffic in the network.
403 00:37:54,550 --> 00:37:58,369 I introduced ACL logic, how ACLs are processed.
404 00:37:58,369 --> 00:38:03,450 The entries in an ACL are processed from top
405 00:38:03,449 --> 00:38:07,368 the action is taken and the remaining entries are not processed.
406 00:38:07,369 --> 00:38:11,769 I introduced the ACL types you need to know for the CCNA.
407 00:38:11,769 --> 00:38:17,440 They are standard ACLs and extended ACLs,
408 00:38:19,659 --> 00:38:24,089 In this video I covered standard ACLs, which
409 00:38:24,090 --> 00:38:26,230 the source IP address of the packet.
410 00:38:26,230 --> 00:38:32,510 I showed two main ways of configuring standard
411 00:38:34,130 --> 00:38:38,530 They are both just different ways of configuring standard ACLs.
412 00:38:38,530 --> 00:38:42,580 Standard numbered ACLs are configured like
413 00:38:42,579 --> 00:38:46,269 config mode with the ACCESS-LIST command.
414 00:38:46,269 --> 00:38:52,130 For standard named ACLs, you use the IP ACCESS-LIST
415 00:38:52,130 --> 00:38:55,549 mode, and then configure the entries.
416 00:38:55,550 --> 00:39:00,190 Make sure to watch until the end of today’s
417 00:39:00,190 --> 00:39:03,929 the best practice exams for the CCNA, CCNP, and more.
418 00:39:03,929 --> 00:39:09,210 Okay, let’s go to question 1 of the quiz.
419 00:39:09,210 --> 00:39:18,650 Which ACL, when applied outbound on R2’s
420 00:39:18,650 --> 00:39:22,740 Here are four ACLs, which one fulfills that requirement?
421 00:39:22,739 --> 00:39:28,339 Pause the video to think about your answer.
422 00:39:30,809 --> 00:39:35,039 Entry 10 permits PC1 and entry 20 permits PC4.
423 00:39:35,039 --> 00:39:37,710 The implicit deny will deny all other traffic.
424 00:39:37,710 --> 00:39:42,720 So, ACL 1 fulfills the requirements, and the other ACLs do not.
425 00:39:46,599 --> 00:39:51,230 Which interface should the following ACL be
426 00:39:52,289 --> 00:39:55,750 Here’s the ACL, and here’s the requirement.
427 00:39:55,750 --> 00:39:58,869 Pause the video to think about your answer.
428 00:40:01,869 --> 00:40:06,769 The interface should be R2’s G0/2 interface,
429 00:40:06,769 --> 00:40:12,000 Remember that rule-of-thumb, standard ACLs
430 00:40:13,760 --> 00:40:19,900 We are controlling access to 10.0.2.0/24,
431 00:40:19,900 --> 00:40:24,079 Therefore the ACL should be applied outbound on R2’s G0/2.
432 00:40:27,829 --> 00:40:30,480 You issue the following commands on R2.
433 00:40:30,480 --> 00:40:34,260 Which statement about the effect of the configurations
434 00:40:34,260 --> 00:40:36,570 Here are the configurations on R2.
435 00:40:38,039 --> 00:40:40,659 A, all traffic will be denied.
436 00:40:40,659 --> 00:40:45,549 B, traffic from the 10.0.0.0/24 network will be denied.
437 00:40:45,550 --> 00:40:50,830 C, traffic from the 172.16.0.0/24 network will be denied.
438 00:40:50,829 --> 00:40:57,119 Or D, traffic from the 192.168.0.0/24 network will be denied.
439 00:40:57,119 --> 00:41:02,000 Pause the video to think about your answer.
440 00:41:02,000 --> 00:41:08,030 The answer is B, traffic from the 10.0.0.0/24
441 00:41:08,030 --> 00:41:12,160 Each interface can only have one ACL applied in each direction.
442 00:41:12,159 --> 00:41:16,949 If you apply another ACL to the same interface
443 00:41:18,780 --> 00:41:24,769 In this case, the last ACL you applied was
444 00:41:31,760 --> 00:41:38,170 If this ACL is applied inbound on R1 G0/0,
445 00:41:51,440 --> 00:41:57,519 Pause the video to think about your answer.
446 00:42:00,019 --> 00:42:06,039 This is because of where the ACL was applied,
447 00:42:06,039 --> 00:42:11,279 When the PCs try to ping SRV2, R1 won’t
448 00:42:12,929 --> 00:42:18,279 When the reply from SRV2 arrives on R1’s
449 00:42:18,280 --> 00:42:24,710 However, the source of the reply will be SRV2’s
450 00:42:24,710 --> 00:42:27,670 by the ‘permit any’ at the end of the ACL.
451 00:42:27,670 --> 00:42:31,519 So, all PCs will be able to successfully ping SRV2.
452 00:42:36,190 --> 00:42:39,519 What happens if a packet doesn’t match any entries of an ACL?
453 00:42:39,519 --> 00:42:43,108 A, the packet will be forwarded to the default gateway.
454 00:42:43,108 --> 00:42:47,000 B, the packet will be checked using the next available ACL.
455 00:42:49,750 --> 00:42:53,699 Or D, the action of the most specific match will be taken.
456 00:42:53,699 --> 00:42:58,358 Pause the video to think about your answer.
457 00:42:58,358 --> 00:43:01,179 The answer is C, the packet will be dropped.
458 00:43:01,179 --> 00:43:06,029 Every ACL includes an ‘implicit deny’
459 00:43:06,030 --> 00:43:08,300 don’t match any of the ACL’s entries.
460 00:43:10,489 --> 00:43:13,209 Okay, that’s all for the quiz.
461 00:43:13,210 --> 00:43:18,409 Now let’s take a look at a bonus question
462 00:43:18,409 --> 00:43:23,509 Okay, here's today's Boson ExSim practice question.
463 00:43:23,510 --> 00:43:26,920 Which of the following statements is true regarding ACLs?
464 00:43:28,400 --> 00:43:34,309 A, ACLs are processed from the least specific
465 00:43:34,309 --> 00:43:39,369 B, ACLs are processed from the first entry
466 00:43:39,369 --> 00:43:44,539 C, ACLs are processed from the last entry
467 00:43:44,539 --> 00:43:50,090 Or D, ACLs are processed from the most specific
468 00:43:50,090 --> 00:43:54,410 Okay, if you just watched the video you should
469 00:43:54,409 --> 00:43:58,619 So, pause the video now to think about the answer.
470 00:44:02,280 --> 00:44:07,510 As I mentioned in the video, ACLs are processed
471 00:44:09,369 --> 00:44:12,500 So, B should be the correct answer.
472 00:44:12,500 --> 00:44:16,539 I'll select B and then click on show answer.
473 00:44:18,679 --> 00:44:24,649 So, here's Boson's explanation, quite detailed.
474 00:44:24,650 --> 00:44:28,010 You can pause the video now if you want to
475 00:44:29,010 --> 00:44:33,869 These explanations are one of the great things
476 00:44:33,869 --> 00:44:40,900 Okay, and there's also a reference to both
477 00:44:40,900 --> 00:44:47,079 Cisco Press and a link to some Cisco documentation
478 00:44:47,079 --> 00:44:49,920 Configuring IP Access Lists: Process ACLs.
479 00:44:49,920 --> 00:44:53,090 So, this is another great resource.
480 00:44:53,090 --> 00:44:57,240 Okay, so that's Boson ExSim for the CCNA.
481 00:44:57,239 --> 00:45:02,699 These are the practice exams I used to study
482 00:45:04,079 --> 00:45:10,980 So if you want to get a copy of Boson ExSim,
483 00:45:10,980 --> 00:45:13,840 There are supplementary materials for this video.
484 00:45:13,840 --> 00:45:17,269 There is a flashcard deck to use with the software ‘Anki’.
485 00:45:17,269 --> 00:45:21,739 There will also be a packet tracer practice
486 00:45:21,739 --> 00:45:23,129 That will be in the next video.
487 00:45:23,130 --> 00:45:27,630 Sign up for my mailing list via the link in
488 00:45:27,630 --> 00:45:32,500 the flashcards and packet tracer lab files for the course.
489 00:45:32,500 --> 00:45:36,849 Before finishing today’s video I want to
490 00:45:36,849 --> 00:45:39,470 To join, please click the ‘Join’ button under the video.
491 00:45:39,469 --> 00:45:47,221 Thank you to Junhong, OJ, Magrathea, TheGunguy,
492 00:45:47,221 --> 00:45:53,528 Prakaash, Nasir, Erlison, Apogee, Marko, Flodo,
493 00:45:53,528 --> 00:46:00,539 Funnydart, Scott, Hassan, Marek, Velvijaykum,
494 00:46:00,539 --> 00:46:03,338 Devin, Lito, Yonatan, and Vance.
495 00:46:03,338 --> 00:46:08,279 Sorry if I pronounced your name incorrectly,
496 00:46:08,280 --> 00:46:12,340 One of you is still displaying as Channel
497 00:46:12,340 --> 00:46:15,480 me know and I’ll see if YouTube can fix it.
498 00:46:15,480 --> 00:46:19,980 This is the list of JCNP-level members at
499 00:46:21,840 --> 00:46:25,950 If you signed up recently and your name isn’t
500 00:46:30,760 --> 00:46:34,730 Please subscribe to the channel, like the
501 00:46:34,730 --> 00:46:38,000 with anyone else studying for the CCNA.
502 00:46:38,000 --> 00:46:40,789 If you want to leave a tip, check the links in the description.
503 00:46:40,789 --> 00:46:46,500 I'm also a Brave verified publisher and accept
