All language subtitles for 29 - Routing - Using Access Control Lists-eng

>> Okay, I'm going to say some words and I want you to tell me how you feel when you think about it. There's a feeling associated with this, okay? So here we go. Fuzzy bunny, okay. How about this one? Ice cream cone. Uh-hmm. You get the feeling around that. Okay, let me throw one more at you. Subnetting. [Laughs] It's like, which one of these is not like the other, right? Now, now I'm hoping at this point you've had a chance to go through this series and you've gone through subnetting. You're feeling-- you're feeling like a fuzzy bunny, right, when you think about something. But I would tell you, think about how you felt about it before you got those nuggets and before you had an understanding of subnetting. Well, that's how a lot of people feel when I say the word, Access Control List. Yes, that's three words. But when I say that, people go [inaudible], because it's a big concept. There's a lot wrapped around it because it's used for a ton of things inside of the Cisco device and there is some understanding that has to go with it.

As in, if you've encountered Access Control Lists before, you-- a lot of times, if you've encountered them in the real world, or heard of them, seen them before, you walk away going, "Whoa! That was one of those weird things and I didn't quite get that." Well, I'm hoping that by the time we're done here, you will feel the same about Access Control Lists as you do about ice cream and fuzzy bunnies and even hopefully subnetting. We're going to look at what these are, what they're used for, 'cause they're not just for access. It's not just for turning a router into a firewall, although that's one thing you can do with them. We'll look at how to use them for security, how they are used, and then we'll look at types of access control lists.

Let's start off with what they are, the definition. An Access-List is nothing more than a list, as the name implies, of permit and deny statements. So you can see right here on the screen, I've got permit 192.168.2.50, so immediately the question is, permit it to what? Well, we're not going to talk about that right now. [Laughs] That kind of comes later. So okay, well what about the-- okay, deny 192.168.1.0, that's the whole subnet. Immediately our mind goes to, denied from what?

Well, we're not going to talk about that right now, because that's not what an Access-List is, that's how it's applied. Now, I'm being very intentional with my words here because I really want you to catch what an Access-List is-- let's do one more. Permit TCP port 80 for this host, okay? Do you see how it leaves you feeling incomplete, like you're only halfway there? You're like, okay, I get it. You're permitting that port so-- so what? To that server, from that server, what is being permitted to do? Or like you feel, like I get what the statement says, it's like if somebody walked up to you, you know, and they're kind of twitching and they're like, "The brown cow jumped over the bridge." And you're looking there like, "I have no context to what you're saying. You are crazy." Well, that's what an Access-List by itself is. It's crazy. It's just a list of permit and deny statements that do nothing until-- okay, okay, so I've given you, this is the technical definition, right? Here's what it is. Access-Lists are a matching mechanism, right? It is a matching mechanism. So, I'm trying to think of a good analogy. I can't even-- let's do this. I'm making this on the fly so we'll see if it works.
So let's say, let's say that you had a million dollars and you're like, I'm going to give this money away. And so, there's-- there's-- you've put an ad in the paper and a thousand people come to you and say, "I want your million dollars." And so you're like, "Okay. Well, I can't just give it to all 1000 of you. I have to filter you down. I have to kind of, you know, figure out the criteria that I want to make." I'm like, as I'm thinking, where is this analogy going? Jeremy [phonetic] is going to teach us how to discriminate today. I'm sorry, I don't know how this is going to work out. So, let's just say, you're like, okay, everybody, and all thousand people are in front of you. You're like, "Everybody that has a blue shirt, I'm sorry, you don't get the million dollars. Just go home. Okay, everybody that makes this amount of money or more, you don't need my million dollars. You make enough. Go home." So you start filtering all these things until you finally get what-- what you want, the things that are left. That's a weird analogy but that's kind of what an Access-List is. So, now put it in the perspective of your router. It doesn't have a million dollars but it does have a ton of traffic going in and out of it.

And there's times where you want to match certain stuff to do something with it. You want to-- you want to, for instance, match your voice over IP traffic. Why? Because you want to tell the router that's special, it's very special traffic that goes above everything else and has the priority, and to do that we use an Access-List. Now, it's an Access-List that's applied in the way of quality of service. That's one way that we apply it. Or you might say, "Okay, okay, I've got-- I've got NAT set up." So you know, up here is the internet. And I want to make sure that people can surf the internet, and I'm going to translate, then I'm going to apply NAT, network address translation, so that the people are able to access the internet. Well, when you do NAT, you have to specify what traffic gets NATted. So that is done by an Access-List. It-- it's, you know, when you see this, you're like, "Oh man, that totally feels like a firewall." Right? It's like permit and deny and all-- all that. It feels like-- feels like a firewall, and that is absolutely one way that you can use an Access-List, like a firewall, to say this is allowed, this is blocked, but there are so many features in the Cisco Router that depend on being able to identify traffic, and that's all an Access-List is.

So, so that's why I left it very vague at the beginning. I'm like, "Well, here is a list of statements", and I said, "Permit this. Deny that." But I wouldn't go-- I wouldn't go there. I wouldn't say, well, here's how it's applied, because how you apply it depends on what kind of feature you're looking to create. Now, I put making french toast in there. That's not literal. I'm just saying that, I mean, this list can go on and on and on, any feature in the Cisco IOS, in the Cisco Router, that requires you to identify a certain set of traffic is almost always going to be identified using an Access-List. Let me illustrate this by giving you an example of one of the more common ways that Access-Lists are used, and that is for security. This is-- this is, when people hear the term Access-Lists, immediately what their mind goes to, because they're like, oh, that sounds like a, you know, access, security kind of function, and they can definitely be used with that. So, the first thing that we do is go into global configuration mode and create a list. Now, you actually identify the list by either a number or a name. We'll look at the config in the next nugget. So, let's just say I create list number 50 and in that list, the first statement that I make is permit 10.1.5.1.
Maybe that's-- that's a specific host that I really want to focus on. Now, the second one is, there's a guy who has been surfing the web all day, I'm done with him. I'm denying 192.168.1.53. Then I go down and I say, well, but you know what, the subnet 172.30.0.0/16, so that means essentially the first two octets of that subnet are what to look at, and it's permitted. So, if I have, you know, some guy down here that's 172.30.1.52, he'll come in, the router says, okay, well you are 172.30/16, that says the first two octets are relevant. So that's what I'm going to look at. So you are permitted. I don't really care that you have 1.52 on the end. That's fine. So, so that's kind of how the list is, right. Now, let's look at the rules. The list is read from the top to the bottom and it will stop at the first match. Man, I should have thought of a better example. So let's say, okay, let's imagine this. Pretend that's not that. It is actually 172.30.1.5, right? There is that PC. So, let's say that host is out here. He comes into the router. He says, "Hey, I'm 172.30.1.5." It says, "Okay, are you this person?" "Nope, I'm not.

'Cause if you were, you would have been permitted. Are you this person?" He goes, "Yes, I am." "I'm sorry, you're denied." It does not go on to the next line to find out, well, actually you would-- would have been permitted if you would have made it this far. It's like one of those movies, you know, where somebody's reaching for that-- the serum that would cure them from the poison, whatever they just drank, and then they die like a centimeter away. I hate those kinds of movies. But they died just like a centimeter away. So it's like, well, if you would have just made it further, you would have, but I'm sorry, we had to deny. Now, at the bottom of this Access-List is an 'implicit deny'. You don't see it. You don't-- it won't show up in the show commands or anything like that, but it's there. Meaning, as soon as you create an Access-List, you say, do this, do that, do this, do that, you create this list of statements and the list goes on and on and on, however long you want it to be, there is no cap on how big this list can be. You can make them 500 statements if you want to. But at the very end of it is an implicit deny.
And what that means is, if you have not been permitted somewhere in this list and you get to the end, you're going to be denied. Totally reverses the way that routers work as soon as you apply one of these. Routers, unlike firewalls, routers when you connect up, you know, we've got FastEthernet0/0 connected to a whole bunch of computers over here and they're all happy and they're trying to search the internet, routers by default are like, "Hey, everybody's welcome. Come on in. You know, come on in. You're welcome too." No permission restriction whatsoever. These guys can freely pass to the internet and the internet can freely pass to them without an issue until you apply your first Access-List. It's like putting this little guard on the line, you know, here-- here's our little guard standing here. If that's where I apply it, I don't know why his head's a cloud. That's his hat, I suppose. So the guard is sitting there and he is protecting the router, you know, from stuff coming to the internet or from stuff going out to the internet. We don't know. We have to discuss the direction first of all. But that's what that guy is here to do. So, as soon as I apply an Access-List, no more is there this free-for-all where everybody is allowed. We now have implicit deny to deal with, more on that later.

An Access-List is applied to an interface inbound or outbound. This is one of two of the most difficult things to get with Access-Lists, perspective. How does this impact the router? So, so when I create Access-List 50, it-- let me just give you a heads up. This is going to be created in global configuration mode. Global as in, remember, things that are created in global impact the whole router. So, from global configuration, I make this list, but it's not going to do anything until I go and assign it to an interface. This list, let's say we're trying out security. So let's say I go into FastEthernet0/0, the command allows me to apply this, so I would say, you know, I'll show you the command in the next lecture but in plain English, apply Access-List 50, and I can either type in inbound or outbound, and that is one of the most confusing things. People used to-- so what does that mean? Like out from the internet, out from, in from the router. Like these words, just the words themselves, they're like, what do you mean in or out? Like in from here? Or in from there? Or out from, what does that mean?
When you're thinking-- let me give you, I'll mention this so when we get to config again. But one of the biggest things that you can do to catch the direction, to figure this out, is be a router. I'm serious. Let's say we've got a router right here. It's got two interfaces, FastEthernet0/1 and FastEthernet0/0. I'm trying to figure out the direction. I know that I want to filter, you know, right here is the internet, right? And I want to filter, you know, all this internet traffic that's coming to me and I have to decide what direction do I apply? In or out? You know, what is that? Be the router. So, if I'm the router, you know, you hold out your arms. I do this all the time. I know it's weird. But I hold up my arms to where I'm-- I'm like, you know, flying like a-- like a guy who's flying. So my arms are straight out from my side and I look at my right arm and I look at it and say, "You are FastEthernet0/0." I look at my left arm which is-- which is a whole lot to decide. And your arm-- do this with me please. Put your arms up. It's going to feel weird. It's all right. Nobody's watching.

On the left arm, that's FastEthernet0/0. So, this is-- let me, I've got to show you a picture. This is literally me with bigger arms right now, standing out here, and me being the router, this is FA0/0, this is 0/1, and I'm going to say, okay, so if I apply it out on this interface. If I say Access-List 50, that means it's coming out of me, like out of my soul right here. Traffic is coming out. So, if it's coming out of me, where is it coming from? Somewhere else. It probably came in my right arm and decided to go out-- out my left arm, or maybe I have a WAN link in my head, it's coming in-- in there, you know, that's coming in there but it's going out here because the routing table said it had to go out there to get to the internet. So, again, me being the router, holding my arms out to my sides, I look and I go, okay, so it's going out that way. The-- you know, so if I were to say, "Okay well, I don't want to filter stuff going to the internet. I want to filter stuff coming from the internet." Again, holding my arms out, I'm looking at them and go, okay, then it must be coming in my right arm, or right arm depending on which perspective you have. It's coming in my right arm. So that's-- so I'm applying it in on FastEthernet0/0. Be a router.
It's the best thing that you can be when you're trying to do this. Now, I don't stick my arms out all the way if I'm in a-- in a data center, somebody could go-- what are you doing? But I still use my fingers. I mentally, I visually have to do it for myself. I point with my fingers. I go, "Okay, so I'm going out this direction so it's going to be in". The reason-- you might say, "Okay Jeremy, I get it. Stop now. Why are you emphasizing it?" 'Cause this is the fastest way to take down an entire network. What I just told you was that at the bottom of every single Access-List is an implicit deny, right? Deny everything. So if I am applying that in the wrong direction, you know, and maybe I meant to, you know, say "Permit this, permit, deny that, permit this", you know. And so I'm saying these people are allowed to surf the internet, right? So if I said these people from my organization, and all those happy people exist over here, they need to surf the internet, so I would say, "Okay, well they are allowed to go out the internet connection." You know, so this would be applied outbound. What if I mistakenly apply it inbound? Well, all of these are private IP addresses. They don't exist on the internet.

So by applying this Access-List on the inbound-- oops, I did the wrong direction by applying it inbound right there, none of these will come in from the internet. So, essentially, to all internet traffic, you will say, "No, you're not this. No, you're not this. No, no, no, no, no, no. Denied." You pretty much took down the entire internet connection for the company by applying it in the wrong direction. You may have had the greatest Access-List in the world, but just by that one command, you can sever your connection, and I can tell you, I've done it. I've done it more times than I'm ashamed to tell you right now. Because sometimes you just keep going and like, oh, oh, apply, and here's the worst thing. The worst thing of it all is, you're managing-- let's say you're managing this router and you happen to be sitting at home at, you know, 1:00 in the afternoon, that's the worst. Or maybe 1:00 in the morning and you apply the Access-List in the wrong direction and you sever your connection to the router. Your telnet session dies. Your SSH doesn't [inaudible] because you just cut off your access to that router remotely. I've been there. I know what it feels like to be calling people at 2:00 in the morning saying, "I'm sorry. I need to be let into the building.
Yes, I know. I know what time it is, but your company will be off-line in the morning. Yes, yes. I'm sorry. That's a sad day." You know, all our smiling aside, that is a sad day. So, that's why it's hugely emphasized how important the direction is. There are multiple types of Access-Lists that you can create. However, we boil it down to two that you will use on a regular daily, almost daily basis depending on what you do. They are Standard Access-Lists and Extended Access-Lists. A Standard Access-List is used to match things based on only; we should put a little "only", the source address. Because of that, they have lower processor utilization and, you know, the effect that they have depends on how you apply them, and that goes for any Access-List. So let me expand a little bit on that. When I say a Standard Access-List, that only matches on the source. Let's again say that we're applying it in terms of security. I've got a router here that has a connection to two different PCs. Top PC is 10.1.1.50, bottom is 10.1.1.51, okay? A Standard Access-List can filter only on the source address. So, I can say 10.1.1.50 is permitted. 10.1.1.51 is denied. So I can't, you know, when you said, well, denied from what?

Denied how? Well, again, it depends on where you apply it. So let me-- let me give a couple more connections. Let's say we've got a WAN link there, maybe this connects to a branch office, Texas, you know, or whatever, you know. So, you've got a bigger network here. So let's say I want 10.1.1.50 to be permitted to access the internet; 10.1.1.51 to be denied from accessing the net. So what I can do is apply that outbound right here. So as this guy tries to go out to access the internet, he will be filtered and it says, "Oh, you're allowed. Okay, great." You can go through. This guy, as he comes in, it will say, "Oops, sorry. Denied." You are not going to be able to access that. Now, let me just-- I'm getting a little ahead of myself but that's okay. Some of you might look at this and say, "Well, could I have applied this Access-List, instead of outbound right here, could I have applied it inbound right here?" Yes, you can do almost anything on the Cisco Router. However, it would not have the desired result, because what would happen is this guy, as he tried to get into that interface, it would say, "you're permitted", so he's in, now he can go wherever he wants to, right here, right here, right here.
359 00:18:32,596 --> 00:18:37,086 This guy, when he tries to get in, maybe I only wanted to filter him from internet access, right?
360 00:18:37,306 --> 00:18:39,356 But as soon as he tries to get in, what's the access-list going to say?
361 00:18:40,286 --> 00:18:45,856 Deny, 10.1.1.51 is denied, so he can't even get to the branch office.
362 00:18:45,856 --> 00:18:47,996 He can't go out to whatever that link goes to.
363 00:18:47,996 --> 00:18:52,606 Surely he can't go out to the internet, but we may have cut him off from too much stuff.
364 00:18:52,606 --> 00:18:57,936 So, when I say the effect depends on application, you can see, just based on the one router
365 00:18:58,116 --> 00:19:01,676 that I have in this picture, where you apply it makes the difference.
366 00:19:01,976 --> 00:19:03,696 Extended Access-List.
367 00:19:03,696 --> 00:19:06,406 Now-- but let me also mention one more thing.
368 00:19:06,406 --> 00:19:12,116 Standard Access-Lists can be used but are not often used for security.
369 00:19:12,676 --> 00:19:18,066 The reason why is they catch too much, and most people say, okay, well, I want to deny him
370 00:19:18,066 --> 00:19:21,786 if he goes there but not there, and if he uses this port, or things like that.
371 00:19:22,056 --> 00:19:26,516 Standard Access-Lists are usually used for other applications like quality of service.
372 00:19:26,516 --> 00:19:30,856 I could say, this whole network gets the priority over that one, anywhere that they go.
373 00:19:31,106 --> 00:19:33,046 That's easy to match with the Standard Access-List.
374 00:19:33,326 --> 00:19:38,356 I could say, you know, for instance, this whole network is allowed to be NATted.
375 00:19:38,356 --> 00:19:41,846 Network address translation, that's another common use of Standard Access-Lists.
376 00:19:41,846 --> 00:19:44,246 So, it can be used for security, but it's too often.
377 00:19:44,246 --> 00:19:48,126 Extended is where the security is most often used.
378 00:19:48,496 --> 00:19:55,586 This one matches based on source and destination address, or IP address, as well as the protocol
379 00:19:55,796 --> 00:19:57,956 and the source and destination port numbers.
380 00:19:58,436 --> 00:19:59,646 So, let me define this.
381 00:20:00,046 --> 00:20:03,076 So the source and destination IP address is who you are and where you're going.
382 00:20:03,136 --> 00:20:08,686 So what I can do is apply an Extended here that says, I want to permit this guy
383 00:20:09,096 --> 00:20:14,526 if he is accessing the website or DNS server or whatever, 4.2.2.2.
384 00:20:14,606 --> 00:20:16,026 Otherwise, I want to deny it.
385 00:20:16,026 --> 00:20:18,136 I can't do that with the Standard Access-List.
386 00:20:18,136 --> 00:20:20,836 The standard just says, "This is you and you are permitted."
387 00:20:20,836 --> 00:20:24,556 I can say from what or from where, whereas an extended, I can't.
388 00:20:24,556 --> 00:20:26,236 So, source and destination IP address.
389 00:20:26,536 --> 00:20:30,946 Protocol. Protocol meaning the sub-protocols of TCP/IP.
390 00:20:31,166 --> 00:20:36,156 When you first learned TCP/IP, you quickly realized there's more to it than meets the eye.
391 00:20:36,156 --> 00:20:37,456 There is TCP.
392 00:20:37,666 --> 00:20:39,586 There is UDP.
393 00:20:39,586 --> 00:20:43,416 There is ICMP, which is used for things like pings and all that.
394 00:20:43,416 --> 00:20:45,076 TCP and UDP we've talked about.
395 00:20:45,076 --> 00:20:46,856 I think we even mentioned this one.
396 00:20:46,856 --> 00:20:50,326 There is ESP, which is used for VPNs.
397 00:20:50,326 --> 00:20:52,256 And we're getting to things like OSPF.
398 00:20:52,256 --> 00:20:57,436 I mean, these are all protocols that exist inside of this TCP/IP protocol suite,
399 00:20:57,716 --> 00:21:01,046 and technically at layer 4 of the OSI model.
400 00:21:01,186 --> 00:21:04,416 We can match any one of those using an Extended Access-List.
401 00:21:04,416 --> 00:21:11,236 So I can say maybe I want to allow TCP Port 80, and we'll talk about port numbers a little bit.
402 00:21:11,416 --> 00:21:13,066 But deny UDP Port 80.
403 00:21:13,246 --> 00:21:19,196 I can separate those, but allow pings, which is "Echo request" from ICMP.
404 00:21:19,196 --> 00:21:21,996 So there are all kinds of things I can do with the protocol, and then source
405 00:21:21,996 --> 00:21:25,626 and destination port numbers, that's the actual, you know, so I can say TCP.
406 00:21:25,686 --> 00:21:30,416 I want to allow all of TCP, or maybe I just want to do Port 80, which is HTTP,
407 00:21:30,586 --> 00:21:31,816 that's what that port lines up to.
408 00:21:31,956 --> 00:21:35,776 Or maybe I want to only allow Port 25, which is SMTP.
409 00:21:37,056 --> 00:21:38,836 That's e-mail services.
410 00:21:38,836 --> 00:21:43,386 Now, this guy does cause higher processor utilization because he's examining more,
411 00:21:43,386 --> 00:21:45,576 so it's going to cost a little more on that side.
412 00:21:45,906 --> 00:21:49,066 And this one is where that fear of Access-Lists comes from.
413 00:21:49,066 --> 00:21:52,316 The syntax of it takes a little time to learn and get used to.
414 00:21:52,316 --> 00:21:56,196 So give yourself some grace when you're learning this, that it may take you a couple of times,
415 00:21:56,196 --> 00:21:58,106 okay, it's one of those like subnetting.
416 00:21:58,106 --> 00:21:59,496 First time you see it, like, what?
417 00:21:59,496 --> 00:22:01,956 You know, and then as you see it more and more, like, "Okay,
418 00:22:01,956 --> 00:22:03,086 I'm starting to piece this together."
419 00:22:03,766 --> 00:22:08,416 Last one is something called a Reflexive Access-List.
420 00:22:08,596 --> 00:22:10,166 We may talk about this one.
421 00:22:10,166 --> 00:22:14,966 What this does is allow return traffic for internal requests.
422 00:22:16,036 --> 00:22:17,576 Here's what that means.
423 00:22:18,406 --> 00:22:23,666 Sometimes when people first think and learn about Access-Lists, they go crazy.
424 00:22:23,666 --> 00:22:24,926 What did I just do?
425 00:22:25,396 --> 00:22:26,706 Here we go.
426 00:22:26,706 --> 00:22:31,476 They go a little bit crazy because they are like, "Okay, you know, I want to come in here
427 00:22:31,476 --> 00:22:36,476 and I want to make sure that my network is secure, so I am going to deny everything
428 00:22:36,476 --> 00:22:38,856 from the internet 'cause there are all kinds of mean people out there.
429 00:22:38,856 --> 00:22:41,286 We want to block them all and, you know, I keep them out of my network."
430 00:22:41,696 --> 00:22:47,876 Well, that's great, but what happens when your internal computer comes in and says,
431 00:22:47,876 --> 00:22:53,966 well, I want to get to Google or I want to get to Microsoft.com to do some research, or Cisco.com.
432 00:22:53,966 --> 00:22:58,856 And Cisco tries to send website information back to you, well, they can't.
433 00:22:58,856 --> 00:23:04,066 So yes, you know, it's kind of like perfect security, you would never have anybody be able
434 00:23:04,066 --> 00:23:05,886 to do anything and now you are secure.
435 00:23:05,886 --> 00:23:06,426 That is true.
436 00:23:06,426 --> 00:23:08,016 But we have to allow some usability.
437 00:23:08,016 --> 00:23:13,996 So when you bring that up, you're like, oh, well, is there a way that I can watch it somehow
438 00:23:14,306 --> 00:23:19,336 and when it-- the router sees something being requested, then I allow just what was requested
439 00:23:19,336 --> 00:23:19,926 to come back.
440 00:23:20,236 --> 00:23:20,706 The answer is yeah.
441 00:23:20,926 --> 00:23:23,026 That's exactly what a Reflexive Access-List does.
442 00:23:23,026 --> 00:23:25,446 Some people call it TCP Established Access-Lists.
443 00:23:25,446 --> 00:23:27,946 So that's, I mean, your router has eyes.
444 00:23:27,946 --> 00:23:31,616 And as traffic goes out, it's always watching and says, "Okay,
445 00:23:31,616 --> 00:23:34,226 I see what destination you're going to.
446 00:23:34,226 --> 00:23:35,366 What port you're going on.
447 00:23:35,366 --> 00:23:36,676 What sequence number you're using."
448 00:23:36,886 --> 00:23:40,996 So when that site, and only that site, only responding to the request
449 00:23:40,996 --> 00:23:44,786 that I saw, comes back, I will allow it to come through.
450 00:23:45,076 --> 00:23:49,896 But once we're done, once we tear down that connection, when you close your browser
451 00:23:49,896 --> 00:23:51,476 or whatever, we kill the TCP session,
452 00:23:52,006 --> 00:23:55,076 now that website will be denied from ever coming in uninvited.
453 00:23:55,596 --> 00:23:58,306 So here we go again, you ready?
454 00:23:58,826 --> 00:24:00,246 Fuzzy bunny.
455 00:24:00,996 --> 00:24:02,006 I'm just kidding.
456 00:24:02,156 --> 00:24:04,966 And so, do Access-Lists feel a little better?
457 00:24:05,326 --> 00:24:06,266 Probably not!
458 00:24:06,266 --> 00:24:08,816 Honestly, at this point, if I were you, you know, you might say, okay,
459 00:24:08,816 --> 00:24:10,286 well, I kind of see what you're doing.
460 00:24:10,286 --> 00:24:15,516 And I get the concepts, but Access-Lists are really learned by doing.
461 00:24:15,516 --> 00:24:20,546 And that's what I plan on using the next two nuggets to do, is go through Access-Lists with,
462 00:24:20,546 --> 00:24:23,146 I mean, just like we did subnetting, example after example.
463 00:24:23,146 --> 00:24:24,536 Okay, get it? Example again.
464 00:24:24,646 --> 00:24:25,206 Okay, get that?
465 00:24:25,206 --> 00:24:26,136 Okay, example again.
466 00:24:26,136 --> 00:24:30,456 So we just keep seeing it and seeing it until we are absolutely 100 percent sure we've got it.
467 00:24:30,656 --> 00:24:34,386 For now, I hope this has been informative for you, and I'd like to thank you for viewing.