1
00:00:00,646 --> 00:00:03,266
>> Okay, I'm going to say
some words and I want you
2
00:00:03,266 --> 00:00:05,616
to tell me how you feel when you think about it.
3
00:00:05,616 --> 00:00:07,196
There's a feeling associated with this, okay?
4
00:00:07,196 --> 00:00:09,156
So here we go.
5
00:00:09,396 --> 00:00:11,506
Fuzzy bunny, okay.
6
00:00:11,926 --> 00:00:14,616
How about this one?
7
00:00:14,616 --> 00:00:15,746
Ice cream cone.
8
00:00:16,196 --> 00:00:18,786
Uh-hmm. You get the feeling around that.
9
00:00:18,786 --> 00:00:20,306
Okay, let me throw one more at you.
10
00:00:21,006 --> 00:00:21,756
Subnetting.
11
00:00:22,266 --> 00:00:26,486
[Laughs] It's like, which one of
these is not like the other, right?
12
00:00:26,486 --> 00:00:29,546
Now, now I'm hoping at this
point you've had a chance to go
13
00:00:29,546 --> 00:00:31,276
through this series and you've
gone through subnetting.
14
00:00:31,276 --> 00:00:35,256
You're feeling-- you're feeling like a fuzzy
bunny, right, when you think about something.
15
00:00:35,256 --> 00:00:39,226
But I would tell you, think about how you felt
about it before you'd gotten those nuggets
16
00:00:39,226 --> 00:00:41,636
and before you had an understanding
of subnetting.
17
00:00:41,636 --> 00:00:46,776
Well, that's how a lot of people feel
when I say the word Access Control List.
18
00:00:46,776 --> 00:00:47,766
Yes, that's three words.
19
00:00:47,766 --> 00:00:52,596
But when I say that, people go
[inaudible], because it's a big concept.
20
00:00:52,646 --> 00:00:58,666
There's a lot wrapped around it because it's used
for a ton of things inside of the Cisco device
21
00:00:58,766 --> 00:01:01,856
and there is some understanding
that has to go with it.
22
00:01:01,856 --> 00:01:05,766
As in, if you've encountered
Access Control Lists before, you--
23
00:01:05,766 --> 00:01:08,266
a lot of times you'll walk away, if you've
encountered them in the real world,
24
00:01:08,266 --> 00:01:09,896
or heard of them, seen them before.
25
00:01:10,136 --> 00:01:11,416
You walk away going, "Whoa!"
26
00:01:11,416 --> 00:01:14,136
That was one of those weird ones
and I didn't quite get that.
27
00:01:14,136 --> 00:01:17,796
Well, I'm hoping that by the time
we're done here, you will feel the same
28
00:01:17,796 --> 00:01:20,576
about Access Control Lists
as you do about ice cream
29
00:01:20,576 --> 00:01:22,646
and fuzzy bunnies and even hopefully subnetting.
30
00:01:22,866 --> 00:01:24,386
We're going to look at what these are,
31
00:01:24,856 --> 00:01:26,996
what they're used for, 'cause
they're not just for access.
32
00:01:27,386 --> 00:01:29,046
It's not just for turning a router
33
00:01:29,046 --> 00:01:31,386
into a firewall although that's
one thing you can do with them.
34
00:01:31,816 --> 00:01:35,106
We'll look at how to use them
for security, how they are used,
35
00:01:35,106 --> 00:01:37,486
and then we'll look at types
of access control lists.
36
00:01:38,686 --> 00:01:42,016
Let's start off with what they are, the definition.
37
00:01:42,336 --> 00:01:46,696
An Access-List is nothing more than a list,
38
00:01:46,926 --> 00:01:49,786
as the name implies, of
permit and deny statements.
39
00:01:50,256 --> 00:01:56,386
So you can see right here on the
screen, I've got permit 192.168.2.50,
40
00:01:56,386 --> 00:01:59,006
so immediately the question
is, permit it to what?
41
00:01:59,006 --> 00:02:01,856
Well, we're not going to
talk about that right now.
42
00:02:02,086 --> 00:02:03,576
[Laughs] That kind of comes later.
43
00:02:03,706 --> 00:02:09,056
So okay, well what about the-- okay,
deny 192.168.1.0, that's the whole subnet.
44
00:02:09,056 --> 00:02:12,056
Immediately our mind goes to, denied from what?
45
00:02:12,056 --> 00:02:13,956
Well, we're not going to talk about that right now
46
00:02:14,116 --> 00:02:19,476
because that's not what an
Access-List is, that's how it's applied.
47
00:02:19,876 --> 00:02:23,606
Now, I'm being very intentional with
my words here because I really want you
48
00:02:23,606 --> 00:02:27,496
to catch what an Access-List--
let's do it one more.
49
00:02:27,496 --> 00:02:31,746
Permit TCP Port 80 for this host, okay?
50
00:02:31,746 --> 00:02:35,686
Do you see how it leaves you feeling
incomplete, like you're only halfway there?
51
00:02:35,976 --> 00:02:37,726
You're like, okay, I get it.
52
00:02:37,726 --> 00:02:39,666
You're permitting that port so-- so what?
53
00:02:39,666 --> 00:02:45,026
To that server, from that server, what is
it being permitted to do? Or, like, you feel
54
00:02:45,026 --> 00:02:49,606
like, I get what the statement says. It's
like if somebody walked up to you, you know,
55
00:02:49,606 --> 00:02:53,776
and they're kind of twitching and they're
like, "The brown cow jumped over the bridge."
56
00:02:54,046 --> 00:02:57,256
And you're looking at them like, "I have
no context for what you're saying.
57
00:02:57,256 --> 00:02:58,206
You are crazy."
58
00:02:58,336 --> 00:03:00,656
Well, that's what an Access-List by itself is.
59
00:03:00,656 --> 00:03:01,406
It's crazy.
60
00:03:01,406 --> 00:03:05,006
It's just a list of permit and deny
statements that do nothing until--
61
00:03:05,006 --> 00:03:08,946
okay, okay, so I've given you, this
is the technical definition, right?
62
00:03:09,316 --> 00:03:10,216
Here's what it is.
63
00:03:11,436 --> 00:03:18,246
Access-Lists are a matching mechanism, right?
64
00:03:18,456 --> 00:03:20,706
It is a matching mechanism.
65
00:03:21,176 --> 00:03:24,096
So, I'm trying to think of a good analogy.
66
00:03:24,096 --> 00:03:25,726
I can't even-- let's do this.
67
00:03:25,726 --> 00:03:28,256
I'm making this on the fly
so we'll see if it works.
68
00:03:28,256 --> 00:03:31,296
So let's say, let's say that you had
a million dollars and you're like,
69
00:03:31,296 --> 00:03:32,516
I'm going to give this money away.
70
00:03:33,026 --> 00:03:36,966
And so, there's-- there's-- you've put an ad
in the paper and a thousand people come to you
71
00:03:37,276 --> 00:03:39,036
and say, "I want your million dollars."
72
00:03:39,326 --> 00:03:40,186
And so you're like, "Okay.
73
00:03:40,186 --> 00:03:43,036
Well, I can't just give it to all 1,000 of you.
74
00:03:43,036 --> 00:03:44,446
I have to filter you down.
75
00:03:44,446 --> 00:03:48,056
I have to kind of, you know, figure
out criteria that I want to make."
76
00:03:48,346 --> 00:03:50,666
I'm like, as I'm thinking,
where is this analogy going?
77
00:03:50,666 --> 00:03:52,436
Jeremy [phonetic] is going to
teach us how to discriminate today.
78
00:03:52,716 --> 00:03:54,806
I'm sorry, I don't know how
this is going to work out.
79
00:03:54,806 --> 00:03:58,346
So, let's just say, you're like, okay, everybody
and all thousand people are in front of you.
80
00:03:58,346 --> 00:04:00,146
You're like, "Everybody that has a blue shirt.
81
00:04:00,146 --> 00:04:01,956
I'm sorry, you don't get the million dollars.
82
00:04:02,076 --> 00:04:02,696
Just go home.
83
00:04:02,696 --> 00:04:08,086
Okay, everybody that makes this amount of money
or more, you don't need my million dollars.
84
00:04:08,086 --> 00:04:08,566
You make enough.
85
00:04:08,566 --> 00:04:12,866
Go home." So you start filtering all
these things until you finally get what--
86
00:04:12,866 --> 00:04:14,896
what you want, the things that are left.
87
00:04:15,226 --> 00:04:18,376
That's a weird analogy but that's
kind of what an Access-List is.
88
00:04:18,406 --> 00:04:20,976
So, now put it in the perspective of your router.
89
00:04:20,976 --> 00:04:25,316
It doesn't have a million dollars but it does
have a ton of traffic going in and out of it.
90
00:04:25,316 --> 00:04:29,966
And there's times where you want to match
certain stuff to do something with it.
91
00:04:30,366 --> 00:04:34,256
You want to-- you want to for instance
match your voice over IP traffic.
92
00:04:35,196 --> 00:04:41,496
Why? Because you want to tell the router that's
special, it's very special traffic that goes
93
00:04:41,496 --> 00:04:48,496
above everything else and has the priority,
and to do that we use an Access-List.
94
00:04:48,496 --> 00:04:53,176
Now, it's an Access-List that's applied
in the way of quality of service.
95
00:04:53,496 --> 00:04:55,036
That's one way that we apply it.
96
00:04:55,286 --> 00:05:00,576
Or you might say, "Okay, okay,
I've got-- I've got NAT set up."
97
00:05:00,806 --> 00:05:02,816
So you know, up here is the internet.
98
00:05:04,116 --> 00:05:08,456
And I want to make sure that people can surf
the internet, and I'm going to translate,
99
00:05:08,456 --> 00:05:11,386
then I'm going to apply NAT,
Network Address Translation,
100
00:05:11,386 --> 00:05:14,896
so that the people are able
to access the internet.
101
00:05:14,896 --> 00:05:19,646
Well, when you do NAT, you have to
specify what traffic gets NATed.
102
00:05:20,076 --> 00:05:23,326
So that is done by an Access-List.
103
00:05:23,506 --> 00:05:26,556
It-- It's you know, when you
see this, you're like, "Oh man,
104
00:05:26,556 --> 00:05:28,066
that totally feels like a firewall."
105
00:05:28,066 --> 00:05:30,426
Right? It's like permit and
deny and all-- all that.
106
00:05:30,426 --> 00:05:33,426
It feels like-- feels like a firewall
and that is absolutely one way
107
00:05:33,426 --> 00:05:37,056
that you can use an Access-List is like
a firewall to say, this is allowed,
108
00:05:37,056 --> 00:05:45,056
this is blocked, but there are so many features
in the Cisco Router that depend on being able
109
00:05:45,056 --> 00:05:48,776
to identify traffic and that's
all an Access-List is.
110
00:05:48,776 --> 00:05:51,616
So, so that's why I left it
very vague at the beginning.
111
00:05:51,616 --> 00:05:54,466
I'm like, "Well, here is a list of
statements", and I said, "Permit this.
112
00:05:54,466 --> 00:05:54,866
Deny that."
113
00:05:55,046 --> 00:05:57,146
But I wouldn't go-- I wouldn't go there.
114
00:05:57,146 --> 00:06:03,116
I wouldn't say, well, here's how it's applied
because how you apply it depends on what kind
115
00:06:03,116 --> 00:06:04,986
of feature you're looking to create.
116
00:06:04,986 --> 00:06:06,946
Now, I put making french toast in there.
117
00:06:06,946 --> 00:06:07,916
That's not literal.
118
00:06:08,136 --> 00:06:14,406
I'm just saying that, I mean, this list can go
on and on and on, any feature in the Cisco IOS,
119
00:06:14,406 --> 00:06:18,416
in the Cisco Router that requires
you to identify a certain set
120
00:06:18,416 --> 00:06:22,896
of traffic is almost always going to
be identified using an Access-List.
121
00:06:24,376 --> 00:06:28,166
Let me illustrate this by giving you an
example of one of the more common ways
122
00:06:28,166 --> 00:06:31,266
that Access-Lists are used
and that is for security.
123
00:06:31,436 --> 00:06:35,596
This is-- this is when people hear the term
Access-Lists, immediately what their mind goes
124
00:06:35,596 --> 00:06:38,356
to because they're like, oh, that
sounds like a, you know, access,
125
00:06:38,356 --> 00:06:40,976
security kind of function, and they
can definitely be used with that.
126
00:06:40,976 --> 00:06:46,986
So, first thing that we do is go into
global configuration mode and create a list.
127
00:06:46,986 --> 00:06:50,826
Now, you actually identify the
list by either a number or a name.
128
00:06:50,946 --> 00:06:52,536
We'll look at the config in the next nugget.
129
00:06:52,636 --> 00:06:57,206
So, let's just say I create
list number 50 and in that list,
130
00:06:57,206 --> 00:07:01,416
the first statement that
I make is Permit 10.1.5.1.
131
00:07:01,416 --> 00:07:04,466
Maybe that's-- that's a specific host
that I really want to focus on.
132
00:07:04,796 --> 00:07:09,136
Now, the second one is, there's a guy that has been
surfing the web all day, I'm done with him.
133
00:07:09,266 --> 00:07:13,276
I'm denying 192.168.1.53.
134
00:07:13,276 --> 00:07:20,036
Then I go down and I say, well, but you know
what, the subnet 172.30.0.0/16, so that means,
135
00:07:20,286 --> 00:07:26,266
essentially the first two octets of that
subnet are what to look at, and it's permitted.
136
00:07:26,266 --> 00:07:32,416
So, if I have, you know, some guy down
here, that's 172.30.1.52, he'll come in,
137
00:07:32,416 --> 00:07:37,956
the router says, "Okay, well you are 172.30/16,"
that says the first two octets are relevant.
138
00:07:38,186 --> 00:07:39,746
So that's what I'm going to look at.
139
00:07:39,746 --> 00:07:40,736
So you are permitted.
140
00:07:40,896 --> 00:07:43,996
I don't really care that
you have 1.52 on the end.
141
00:07:44,156 --> 00:07:44,686
That's fine.
142
00:07:44,686 --> 00:07:47,316
So, so that's kind of how the list is, right.
143
00:07:47,316 --> 00:07:48,496
Now, let's look at the rules.
144
00:07:48,716 --> 00:07:52,186
The list is read from top to bottom
and it will stop at the first match.
145
00:07:52,526 --> 00:07:54,546
Man, I should have thought of a better example.
146
00:07:54,546 --> 00:07:57,686
So let's say, okay, let's imagine this.
147
00:07:57,806 --> 00:07:58,796
Pretend that's not that.
148
00:07:59,056 --> 00:08:03,036
It is actually 172.30.1.5, right?
149
00:08:03,036 --> 00:08:04,076
There is that PC.
150
00:08:04,076 --> 00:08:06,736
So, let's say, that host is out here.
151
00:08:06,946 --> 00:08:08,106
He comes into the router.
152
00:08:08,106 --> 00:08:10,056
He says, "Hey, I'm 172.30.1.5."
153
00:08:10,056 --> 00:08:11,326
It says, "Okay are you this person?"
154
00:08:11,556 --> 00:08:12,296
"Nope, I'm not.
155
00:08:12,296 --> 00:08:13,826
'Cause if you were, you would have been permitted.
156
00:08:14,126 --> 00:08:15,166
Are you this person?"
157
00:08:15,166 --> 00:08:16,286
He goes, "Yes, I am.
158
00:08:16,286 --> 00:08:17,006
I'm sorry you're denied."
159
00:08:17,156 --> 00:08:20,916
It does not go on to the next line
to find out, well, actually you would--
160
00:08:20,916 --> 00:08:23,566
would have permitted if you
would have made it this far.
161
00:08:23,566 --> 00:08:27,296
It's like one of those movies you know,
where somebody's reaching for that--
162
00:08:27,556 --> 00:08:31,776
the serum that would cure them from
the poison, whatever they just drank,
163
00:08:31,776 --> 00:08:33,466
and then they die like a centimeter away.
164
00:08:33,466 --> 00:08:34,486
I hate those kind of movies.
165
00:08:34,756 --> 00:08:36,576
But they died just like a centimeter away.
166
00:08:36,576 --> 00:08:38,436
So it's like, well, if you
would have just made it further,
167
00:08:38,436 --> 00:08:41,496
you would have but I'm sorry, we had to deny.
168
00:08:41,546 --> 00:08:45,396
Now, at the bottom of this
Access-List, is an 'implicit deny'.
169
00:08:45,886 --> 00:08:47,136
You don't see it.
170
00:08:47,776 --> 00:08:51,906
You don't-- it won't show up in the show
commands or anything like that but it's there.
171
00:08:52,296 --> 00:08:56,916
Meaning, as soon as you create an Access-List,
you say, do this, do that, do this, do that,
172
00:08:57,066 --> 00:09:00,426
you create this list of statements and
the list goes on and on and on, however,
173
00:09:00,426 --> 00:09:04,316
long you want it to be, there is no
cap on how big this list can be.
174
00:09:04,316 --> 00:09:06,376
You can make them 500 statements if you want to.
175
00:09:06,686 --> 00:09:09,446
But at the very end of it is an implicit deny.
176
00:09:10,166 --> 00:09:14,896
And what that means is, if you have not been
permitted somewhere in this list and you get
177
00:09:14,896 --> 00:09:16,366
to the end, you're going to be denied.
178
00:09:16,756 --> 00:09:23,176
Totally reverses the way that routers
work as soon as you apply one of these.
179
00:09:23,246 --> 00:09:27,186
Routers, unlike firewalls, routers
when you connect up, you know,
180
00:09:27,186 --> 00:09:30,946
we've got FastEthernet0/0 connected
with a whole bunch of computers over here
181
00:09:31,096 --> 00:09:33,216
and they're all happy and they're
trying to surf the internet,
182
00:09:33,426 --> 00:09:36,486
routers by default will be like,
"Hey, everybody's welcome.
183
00:09:36,486 --> 00:09:37,236
Come on in.
184
00:09:37,236 --> 00:09:37,826
You know, come on in.
185
00:09:37,826 --> 00:09:38,726
You're welcome too."
186
00:09:38,956 --> 00:09:41,606
No permission restriction whatsoever.
187
00:09:41,866 --> 00:09:46,326
These guys can freely pass to the internet
and the internet can freely pass to them
188
00:09:46,596 --> 00:09:51,346
without an issue until you
apply your first Access-List.
189
00:09:52,216 --> 00:09:55,026
It's like putting this little
guard on the line you know, here--
190
00:09:55,026 --> 00:09:56,636
here's our little guard standing here.
191
00:09:56,636 --> 00:09:59,366
If that's where I apply it, I
don't know why his head's a cloud.
192
00:09:59,366 --> 00:09:59,976
That's his hat, I suppose.
193
00:10:00,066 --> 00:10:04,956
So the guard is sitting there and he
is protecting the router you know,
194
00:10:04,956 --> 00:10:08,856
from stuff coming in from the internet or
from stuff going out to the internet.
195
00:10:08,856 --> 00:10:09,386
We don't know.
196
00:10:09,386 --> 00:10:12,196
We have to discuss the direction first of all.
197
00:10:12,196 --> 00:10:13,886
But that's what that guy is here to do.
198
00:10:14,156 --> 00:10:17,696
So, as soon as I apply an
Access-List, no more is
199
00:10:17,696 --> 00:10:18,736
there this free-for-all.
200
00:10:18,736 --> 00:10:19,616
Everybody is allowed.
201
00:10:19,786 --> 00:10:22,786
We now have implicit deny to
deal with, more on that later.
202
00:10:22,966 --> 00:10:26,916
An Access-List is applied to an
interface inbound or outbound.
203
00:10:27,176 --> 00:10:33,696
This is one of two of the most difficult
things to get with Access-Lists, perspective.
204
00:10:34,936 --> 00:10:36,266
How does this impact the router?
205
00:10:36,266 --> 00:10:41,456
So, so when I create Access-List 50,
it-- let me just give you a heads up.
206
00:10:41,456 --> 00:10:44,626
This is going to be created
in global configuration mode.
207
00:10:45,166 --> 00:10:50,306
Global as in, remember, things that are
created in global impact the whole router.
208
00:10:50,536 --> 00:10:55,456
So, from global configuration, I make this
list, but it's not going to do anything
209
00:10:55,656 --> 00:10:57,826
until I go and assign it to an interface.
210
00:10:57,826 --> 00:10:59,226
This list, let's say, we're trying out security.
211
00:10:59,226 --> 00:11:05,286
So let's say, I go into FastEthernet0/0, the
command allows me to apply this so I would say,
212
00:11:05,286 --> 00:11:08,476
you know, I'll show you the command in
the next lecture, but in plain English,
213
00:11:08,636 --> 00:11:13,576
apply Access-List 50, and I can
either type in inbound or outbound,
214
00:11:14,146 --> 00:11:16,086
and that is one of the most confusing things.
215
00:11:16,086 --> 00:11:17,146
People used to-- so what does that mean?
216
00:11:17,146 --> 00:11:21,766
Like out from the internet,
out from, in from the router.
217
00:11:21,766 --> 00:11:26,326
Like these words, just the words themselves,
they're like, what do you mean in or out?
218
00:11:26,326 --> 00:11:27,756
Like in from here?
219
00:11:27,756 --> 00:11:28,686
Or in from there?
220
00:11:28,686 --> 00:11:30,236
Or out from, what does that mean?
221
00:11:31,006 --> 00:11:34,386
When you're thinking-- let me give you, I'll
mention this again when we get to config.
222
00:11:34,846 --> 00:11:38,046
But one of the biggest things that
you can do to catch the direction
223
00:11:38,146 --> 00:11:40,816
to figure this out is be a router.
224
00:11:41,946 --> 00:11:43,126
I'm serious.
225
00:11:43,126 --> 00:11:44,626
Let's say we've got a router right here.
226
00:11:44,776 --> 00:11:49,076
It's got two interfaces FastEthernet0/1
and FastEthernet0/0.
227
00:11:49,076 --> 00:11:50,916
I'm trying to figure out the direction.
228
00:11:51,066 --> 00:11:53,556
I know that I want to filter you know,
right here is the internet right?
229
00:11:53,556 --> 00:11:58,326
And I want to filter you know, all this
internet traffic that's coming to me and I have
230
00:11:58,326 --> 00:12:00,086
to decide what direction do I apply it?
231
00:12:00,086 --> 00:12:01,126
In or out?
232
00:12:01,126 --> 00:12:01,876
You know, what is that?
233
00:12:01,996 --> 00:12:02,896
Be the router.
234
00:12:03,066 --> 00:12:05,856
So, if I'm the router you
know, you hold out your arms.
235
00:12:05,856 --> 00:12:06,616
I do this all the time.
236
00:12:06,616 --> 00:12:07,136
I know it's weird.
237
00:12:07,236 --> 00:12:08,686
But I hold up my arms to where I'm--
238
00:12:08,686 --> 00:12:12,366
I'm like you know, flying like
a-- like a guy who's flying.
239
00:12:12,546 --> 00:12:16,856
So my arms are straight out from my sides
and I look at my right arm and I look at it
240
00:12:16,856 --> 00:12:18,706
and say, "You are FastEthernet0/0."
241
00:12:18,706 --> 00:12:21,216
I look to my left arm which
is-- which is a whole lot to decide.
242
00:12:21,216 --> 00:12:23,126
And your arm-- do this with me please.
243
00:12:23,126 --> 00:12:24,036
Put your arms up.
244
00:12:24,036 --> 00:12:25,156
It's going to feel weird.
245
00:12:25,156 --> 00:12:25,756
It's all right.
246
00:12:25,946 --> 00:12:26,716
Nobody's watching.
247
00:12:26,986 --> 00:12:29,366
On the left arm, that's FastEthernet0/0.
248
00:12:29,366 --> 00:12:31,466
So, this is-- let me, I got
to show you a picture.
249
00:12:31,466 --> 00:12:35,696
This is literally me with bigger arms right
now, standing out here, and me being the router,
250
00:12:35,696 --> 00:12:42,886
this is Fa0/0, this is 0/1, and I'm going to
say, okay, so if I apply it out on this interface.
251
00:12:42,886 --> 00:12:47,886
If I say Access-List 50 that means it's coming
out of me like out of my soul right here.
252
00:12:48,086 --> 00:12:49,316
Traffic is coming out.
253
00:12:49,316 --> 00:12:51,476
So, if it's coming out of me,
where is it coming from?
254
00:12:52,536 --> 00:12:53,446
Somewhere else.
255
00:12:53,446 --> 00:12:55,906
It probably came in my right
arm and decided to go out--
256
00:12:55,906 --> 00:12:59,866
out my left arm or maybe I have a
WAN link in my head, it's coming in--
257
00:12:59,866 --> 00:13:03,046
in there, you know, that's coming
in there but it's going out here
258
00:13:03,046 --> 00:13:05,936
because the routing table said it had
to go out there to get to the internet.
259
00:13:05,986 --> 00:13:09,286
So, again me being the router,
holding my arms out to my sides,
260
00:13:09,286 --> 00:13:11,446
I look and I go, okay so
it's going out that way.
261
00:13:11,916 --> 00:13:14,666
The-- you know, so if I were to say, "Okay well,
262
00:13:14,666 --> 00:13:16,816
I don't want to filter stuff
going to the internet.
263
00:13:16,906 --> 00:13:18,906
I want to filter stuff coming from the internet."
264
00:13:18,906 --> 00:13:24,406
Again, holding my arms out, I'm looking at them and
go, okay, then it must be coming in my right arm
265
00:13:25,046 --> 00:13:26,966
or right arm depending on
which perspective you had.
266
00:13:27,106 --> 00:13:28,746
It's coming in my right arm.
267
00:13:28,746 --> 00:13:31,606
So that's-- so I'm applying
it in FastEthernet0/0.
268
00:13:31,766 --> 00:13:32,566
Be a router.
269
00:13:33,266 --> 00:13:35,636
It's the best thing that you
can be when you're trying to do this.
270
00:13:35,636 --> 00:13:37,826
Now, I don't stick my arms
out all the way if I'm in a--
271
00:13:37,826 --> 00:13:39,856
in a data center, somebody
could go, "What are you doing?"
272
00:13:40,026 --> 00:13:41,236
But I still use my fingers.
273
00:13:41,236 --> 00:13:44,396
I mentally, I visually have to do it for myself.
274
00:13:44,436 --> 00:13:45,406
I point with my fingers.
275
00:13:45,406 --> 00:13:47,636
I go, "Okay, so I'm going out
this direction so it's going to be in."
276
00:13:48,046 --> 00:13:50,396
The reason-- you might say,
"Okay Jeremy, I get it.
277
00:13:50,726 --> 00:13:52,786
Stop now. Why are you emphasizing it?"
278
00:13:52,926 --> 00:13:55,626
'Cause this is the fastest way
to take down an entire network.
279
00:13:57,856 --> 00:14:00,596
What I just told you was that at the bottom
280
00:14:00,596 --> 00:14:03,776
of every single Access-List
is an implicit deny, right?
281
00:14:03,956 --> 00:14:05,686
Deny everything.
282
00:14:06,386 --> 00:14:12,016
So if I am applying that in the wrong direction,
you know, and maybe I meant to, you know,
283
00:14:12,016 --> 00:14:14,626
say "Permit this, permit, deny
that, permit this", you know.
284
00:14:14,626 --> 00:14:17,936
And so I'm saying these people are
allowed to surf the internet right?
285
00:14:18,656 --> 00:14:24,476
So if I said, these people from my organization,
and all those happy people exist over here.
286
00:14:24,696 --> 00:14:27,546
They need to surf the internet so I
would say, "Okay, well they are allowed
287
00:14:27,776 --> 00:14:30,856
to go out the internet connection."
288
00:14:31,456 --> 00:14:33,126
You know, so this would be applied outbound.
289
00:14:33,296 --> 00:14:35,546
What if I mistakenly apply it inbound?
290
00:14:36,096 --> 00:14:39,926
Well, all of these are private IP addresses.
291
00:14:40,346 --> 00:14:42,106
They don't exist on the internet.
292
00:14:42,716 --> 00:14:46,556
So by applying this Access-List on the inbound--
293
00:14:46,556 --> 00:14:49,846
oops, I did the wrong direction by
applying it inbound right there,
294
00:14:50,656 --> 00:14:52,996
none of these will come in from the internet.
295
00:14:53,696 --> 00:14:58,396
So, essentially, to all internet traffic,
you will say, "No, you're not this.
296
00:14:58,396 --> 00:14:59,066
No you're not this.
297
00:14:59,066 --> 00:15:00,396
No, no, no, no, no, no.
298
00:15:00,506 --> 00:15:03,696
Denied." You pretty much took down
the entire internet connection
299
00:15:03,696 --> 00:15:05,726
for the company by applying it in the wrong direction.
300
00:15:05,906 --> 00:15:10,006
You may have had the greatest Access-List
in the world, but just by that one command,
301
00:15:10,816 --> 00:15:14,536
you can sever your connection,
and I can tell you, I've done it.
302
00:15:14,536 --> 00:15:19,226
I've done it more times than I'm
ashamed to tell you right now.
303
00:15:19,406 --> 00:15:23,456
Because sometimes you just keep going and
like, oh, oh, apply, and here's the worst thing.
304
00:15:23,546 --> 00:15:27,206
The worst thing of it all, is you're managing--
let's say, you're managing this router
305
00:15:27,426 --> 00:15:32,206
and you happen to be sitting at home at, you
know, 1:00 in the afternoon, that's the worst.
306
00:15:32,206 --> 00:15:35,556
Or maybe 1:00 in the morning and you apply
the Access-List in the wrong direction
307
00:15:35,666 --> 00:15:37,756
and you sever your connection to the router.
308
00:15:38,006 --> 00:15:39,276
Your telnet session dies.
309
00:15:39,276 --> 00:15:43,456
Your SSH doesn't [inaudible] because you just
cut off your access to that router remotely.
310
00:15:44,496 --> 00:15:45,856
I've been there.
311
00:15:45,856 --> 00:15:50,536
I know what it feels like to be calling people
at 2:00 in the morning saying, "I'm sorry.
312
00:15:50,536 --> 00:15:52,146
I need to be let into the building.
313
00:15:52,596 --> 00:15:53,356
Yes I know.
314
00:15:53,356 --> 00:15:56,606
I know what time it is but your
company will be offline in the morning.
315
00:15:56,606 --> 00:15:57,766
Yes, yes. I'm sorry.
316
00:15:58,376 --> 00:15:59,526
That's a sad day."
317
00:15:59,716 --> 00:16:02,916
You know, all smiling
aside, that is a sad day.
318
00:16:03,086 --> 00:16:08,836
So, that's why it's hugely emphasized
how important the direction is.
319
00:16:09,256 --> 00:16:12,426
There are multiple types of
Access-Lists that you can create.
320
00:16:12,706 --> 00:16:17,866
However, I'll boil it down to two that
you will use on a regular daily,
321
00:16:17,866 --> 00:16:19,806
almost daily basis depending on what you do.
322
00:16:20,386 --> 00:16:24,496
They are Standard Access-Lists
and Extended Access-Lists.
323
00:16:25,496 --> 00:16:32,326
A Standard Access-List is used
to match things based on only,
324
00:16:32,366 --> 00:16:35,296
we should put a little "only", only the source address.
325
00:16:35,926 --> 00:16:41,556
Because of that, they have lower
processor utilization and you know,
326
00:16:41,556 --> 00:16:46,416
the effect that they have depends on how you
apply them and that goes for any Access-List.
327
00:16:46,416 --> 00:16:48,716
So let me expand a little bit on that.
328
00:16:48,716 --> 00:16:51,096
When I say a Standard Access-List,
that only matches on the source.
329
00:16:51,096 --> 00:16:54,026
Let's again say that we're
applying it in terms of security.
330
00:16:54,276 --> 00:16:58,176
I've got a router here that has a
connection to two different PCs.
331
00:16:58,456 --> 00:17:04,946
Top PC is 10.1.1.50, bottom is 10.1.1.51 okay?
332
00:17:04,946 --> 00:17:09,626
Standard Access-List can filter
only on the source address.
333
00:17:09,826 --> 00:17:14,606
So, I can say, 10.1.1.50 is permitted.
334
00:17:15,176 --> 00:17:18,866
10.1.1.51 is denied.
335
00:17:19,596 --> 00:17:22,736
So I can't-- you know, when you
said, well, denied from what?
336
00:17:22,736 --> 00:17:23,746
Denied how?
337
00:17:23,986 --> 00:17:25,886
Well, again it depends on where you apply.
338
00:17:25,886 --> 00:17:27,746
So let me-- let me give a
couple more connections.
339
00:17:27,746 --> 00:17:31,936
Let's say, we got a WAN link there,
maybe this connects to a branch office,
340
00:17:32,286 --> 00:17:34,676
Texas, you know, or whatever you know.
341
00:17:34,676 --> 00:17:35,976
So, you've got a bigger network here.
342
00:17:35,976 --> 00:17:40,496
So let's say, I want 10.1.1.50 to
be permitted to access the internet;
343
00:17:40,496 --> 00:17:45,016
10.1.1.51 to be denied for accessing the net.
344
00:17:45,166 --> 00:17:49,386
So what I can do is apply
that outbound right here.
345
00:17:50,776 --> 00:17:53,916
So as this guy, tries to go
out to access the internet,
346
00:17:54,156 --> 00:17:56,006
he will be filtered and it says, "Oh, you're allowed.
347
00:17:56,006 --> 00:17:56,716
Okay great."
348
00:17:56,826 --> 00:17:57,596
You can go through.
349
00:17:58,126 --> 00:18:00,846
This guy, as he comes in,
it will say, "Oops, sorry.
350
00:18:00,956 --> 00:18:03,146
Denied." You are not going to be able to access that.
351
00:18:03,146 --> 00:18:06,866
Now, let me just-- I'm getting a
little ahead of myself but that's okay.
352
00:18:06,866 --> 00:18:09,726
Some of you might look at this and say, "Well,
353
00:18:09,726 --> 00:18:14,406
could I have applied this Access-List
instead of outbound right here?
354
00:18:14,406 --> 00:18:16,186
Could I have applied it inbound right here?"
355
00:18:17,656 --> 00:18:20,466
Yes, you can do almost anything
on the Cisco Router.
356
00:18:20,676 --> 00:18:26,166
However, it would not have the desired result,
because what would happen is this guy,
357
00:18:26,166 --> 00:18:28,936
as he tried to get into that interface,
it would say, "you're permitted",
358
00:18:28,936 --> 00:18:32,336
so he's in now he can go wherever he wants
to, right here, right here, right here.
359
00:18:32,596 --> 00:18:37,086
This guy when he tries to get in, maybe I only
wanted to filter him from internet access right?
360
00:18:37,306 --> 00:18:39,356
But as soon as he tries to get
in, what will the access-list say?
361
00:18:40,286 --> 00:18:45,856
Deny, 10.1.1.51 is denied, so he
can't even get to the branch office.
362
00:18:45,856 --> 00:18:47,996
He can't go out whatever that link goes to.
363
00:18:47,996 --> 00:18:52,606
Surely he can't go out to the internet, but
we may have cut him off from too much stuff.
364
00:18:52,606 --> 00:18:57,936
So, when I say, effect depends on application,
you can see, just based on the one router
365
00:18:58,116 --> 00:19:01,676
that I have in this picture, where
you apply it makes the difference.
366
00:19:01,976 --> 00:19:03,696
Extended Access-List.
367
00:19:03,696 --> 00:19:06,406
Now-- but let me also mention one more thing.
368
00:19:06,406 --> 00:19:12,116
Standard Access-Lists can be used but
are not often used for security.
369
00:19:12,676 --> 00:19:18,066
The reason why is they catch too much, and most
people say, okay, well, I want to deny him
370
00:19:18,066 --> 00:19:21,786
if he goes there but not there, and if
he uses this port, or things like that.
371
00:19:22,056 --> 00:19:26,516
Standard Access-Lists are usually used for
other applications like quality of service.
372
00:19:26,516 --> 00:19:30,856
I could say this whole network gets
priority over that one, anywhere that they go.
373
00:19:31,106 --> 00:19:33,046
That's easy to match with
the Standard Access-List.
374
00:19:33,326 --> 00:19:38,356
I could say, you know, for instance, this
whole network is allowed to be NATted.
375
00:19:38,356 --> 00:19:41,846
Network Address Translation, that's
another common use of Standard Access-Lists.
376
00:19:41,846 --> 00:19:44,246
So, it can be used for security,
but not too often.
377
00:19:44,246 --> 00:19:48,126
Extended is where the security
is most often used.
378
00:19:48,496 --> 00:19:55,586
This one matches based on source and destination
address or IP address as well as the protocol
379
00:19:55,796 --> 00:19:57,956
and the source and destination port numbers.
380
00:19:58,436 --> 00:19:59,646
So, let me define this.
381
00:20:00,046 --> 00:20:03,076
So the source and destination IP address
is who you are and where you're going.
382
00:20:03,136 --> 00:20:08,686
So what I can do is apply an Extended
here that says, I want to permit this guy
383
00:20:09,096 --> 00:20:14,526
if he is accessing the website or
DNS server or whatever at 4.2.2.2.
384
00:20:14,606 --> 00:20:16,026
Otherwise I want to deny it.
385
00:20:16,026 --> 00:20:18,136
I can't do that with the Standard Access-List.
386
00:20:18,136 --> 00:20:20,836
The standard just says, "This
is you and you are permitted."
387
00:20:20,836 --> 00:20:24,556
I can't say to what or to where,
whereas with an extended, I can.
388
00:20:24,556 --> 00:20:26,236
So source and destination IP address.
389
00:20:26,536 --> 00:20:30,946
Protocol. Protocol meaning
the sub-protocols of TCP/IP.
390
00:20:31,166 --> 00:20:36,156
When you first learned TCP/IP, you quickly
realized there's more to it than meets the eye.
391
00:20:36,156 --> 00:20:37,456
There is TCP.
392
00:20:37,666 --> 00:20:39,586
There is UDP.
393
00:20:39,586 --> 00:20:43,416
There is ICMP, which is used for
things like pings and all that.
394
00:20:43,416 --> 00:20:45,076
TCP and UDP we've talked about.
395
00:20:45,076 --> 00:20:46,856
I think we even mentioned this one.
396
00:20:46,856 --> 00:20:50,326
There is ESP, which is used for VPNs.
397
00:20:50,326 --> 00:20:52,256
And we're getting to things like OSPF.
398
00:20:52,256 --> 00:20:57,436
I mean these are all protocols that exist
inside of this TCP/IP protocol suite
399
00:20:57,716 --> 00:21:01,046
and technically at layer 4 of the OSI model.
400
00:21:01,186 --> 00:21:04,416
We can match any one of those
using an extended Access-List.
401
00:21:04,416 --> 00:21:11,236
So I can say maybe I want to allow TCP Port 80,
and we'll talk about port numbers a little bit.
402
00:21:11,416 --> 00:21:13,066
But deny UDP Port 80.
403
00:21:13,246 --> 00:21:19,196
I can separate those but allow pings,
which is "Echo request" from ICMP.
404
00:21:19,196 --> 00:21:21,996
So there are all kinds of things I can
do with the protocol, and then source
405
00:21:21,996 --> 00:21:25,626
and destination port numbers, that's
the actual, you know, so I can say TCP.
406
00:21:25,686 --> 00:21:30,416
I want to allow all of TCP or maybe I
just wanted to do Port 80 which is HTTP,
407
00:21:30,586 --> 00:21:31,816
that's what that port lines up to.
408
00:21:31,956 --> 00:21:35,776
Or maybe I want to only allow
Port 25 which is SMTP.
409
00:21:37,056 --> 00:21:38,836
That's e-mail services.
410
00:21:38,836 --> 00:21:43,386
Now, this guy does cause higher processor
utilization because he's examining more,
411
00:21:43,386 --> 00:21:45,576
so it's going to cause a
little more on that side.
412
00:21:45,906 --> 00:21:49,066
And this one is where that fear
of Access-Lists comes from.
413
00:21:49,066 --> 00:21:52,316
The syntax of it takes a little
time to learn and get used to.
414
00:21:52,316 --> 00:21:56,196
So give yourself some grace when you're learning
this that it may take you a couple of times,
415
00:21:56,196 --> 00:21:58,106
okay, it's one of those like subnetting.
416
00:21:58,106 --> 00:21:59,496
First time you see it, you're like, what?
417
00:21:59,496 --> 00:22:01,956
You know, and then as you see
it more and more, you're like, "Okay,
418
00:22:01,956 --> 00:22:03,086
I'm starting to piece this together."
419
00:22:03,766 --> 00:22:08,416
Last one is something called
a Reflexive Access-List.
420
00:22:08,596 --> 00:22:10,166
We may talk about this one.
421
00:22:10,166 --> 00:22:14,966
What this does is allow return
traffic for internal requests.
422
00:22:16,036 --> 00:22:17,576
Here's what that means.
423
00:22:18,406 --> 00:22:23,666
Sometimes when people first think and
learn about Access-List, they go crazy.
424
00:22:23,666 --> 00:22:24,926
What did I just do?
425
00:22:25,396 --> 00:22:26,706
Here we go.
426
00:22:26,706 --> 00:22:31,476
They go a little bit crazy because they are
like, "Okay, you know, I want to come in here
427
00:22:31,476 --> 00:22:36,476
and I want to make sure that my network
is secure so I am going to deny everything
428
00:22:36,476 --> 00:22:38,856
from the internet 'cause there are
all kinds of mean people out there.
429
00:22:38,856 --> 00:22:41,286
We want to block them all and, you
know, keep them out of my network."
430
00:22:41,696 --> 00:22:47,876
Well, that's great, but what happens when
your internal computer comes in and says,
431
00:22:47,876 --> 00:22:53,966
well, I want to get to Google, or I want to get to
Microsoft.com to do some research, or Cisco.com.
432
00:22:53,966 --> 00:22:58,856
And Cisco tries to send website
information back to you; well, they can't.
433
00:22:58,856 --> 00:23:04,066
So yes, you know, it's kind of like perfect
security, you would never have anybody be able
434
00:23:04,066 --> 00:23:05,886
to do anything and now you are secure.
435
00:23:05,886 --> 00:23:06,426
That is true.
436
00:23:06,426 --> 00:23:08,016
But we have to allow some usability.
437
00:23:08,016 --> 00:23:13,996
So when you bring that up, you're like, oh, well,
is there a way that I can watch it somehow
438
00:23:14,306 --> 00:23:19,336
and when it-- when the router sees something being
requested, then I allow just what was requested
439
00:23:19,336 --> 00:23:19,926
to come back.
440
00:23:20,236 --> 00:23:20,706
The answer is yeah.
441
00:23:20,926 --> 00:23:23,026
That's exactly what a Reflexive
Access-List does.
442
00:23:23,026 --> 00:23:25,446
Some people call it TCP Established
Access-Lists.
443
00:23:25,446 --> 00:23:27,946
So that's, I mean your router has eyes.
444
00:23:27,946 --> 00:23:31,616
And as traffic goes out, it's
always watching and says, "Okay,
445
00:23:31,616 --> 00:23:34,226
I see what destination you're going to.
446
00:23:34,226 --> 00:23:35,366
What port you're going on.
447
00:23:35,366 --> 00:23:36,676
What sequence number you're using."
448
00:23:36,886 --> 00:23:40,996
So when that side, and only that
side, responding only to the request
449
00:23:40,996 --> 00:23:44,786
that I saw comes back, I will
allow it to come through.
450
00:23:45,076 --> 00:23:49,896
But once we're done, once we tear down that
connection and when you close your browser
451
00:23:49,896 --> 00:23:51,476
or whatever, we kill the TCP session,
452
00:23:52,006 --> 00:23:55,076
now that website will be denied
from ever coming in uninvited.
453
00:23:55,596 --> 00:23:58,306
So here we go again, you're ready?
454
00:23:58,826 --> 00:24:00,246
Fuzzy bunny.
455
00:24:00,996 --> 00:24:02,006
I'm just kidding.
456
00:24:02,156 --> 00:24:04,966
And so, do Access-Lists feel a little better?
457
00:24:05,326 --> 00:24:06,266
Probably not!
458
00:24:06,266 --> 00:24:08,816
Honestly, at this point, if I were
you, you know, you might say, okay,
459
00:24:08,816 --> 00:24:10,286
well, I kind of see what you're doing.
460
00:24:10,286 --> 00:24:15,516
And I get the concepts but
Access-Lists are really learned by doing.
461
00:24:15,516 --> 00:24:20,546
And that's what I plan on using the next two
nuggets to do: go through Access-Lists with,
462
00:24:20,546 --> 00:24:23,146
I mean, just like we did subnetting,
example after example.
463
00:24:23,146 --> 00:24:24,536
Okay, get it, example again.
464
00:24:24,646 --> 00:24:25,206
Okay, get that?
465
00:24:25,206 --> 00:24:26,136
Okay, example again.
466
00:24:26,136 --> 00:24:30,456
So we just keep seeing it and seeing it until
we are absolutely 100 percent sure we've got it.
467
00:24:30,656 --> 00:24:34,386
For now, I hope this has been informative for
you and I'd like to thank you for viewing.