1
00:00:00,756 --> 00:00:04,696
>> Configuring and Applying
Standard Access Control Lists.
2
00:00:05,056 --> 00:00:06,456
That title says it all.
3
00:00:06,656 --> 00:00:07,376
Let's get started.
4
00:00:08,286 --> 00:00:12,646
You might remember me saying in the previous
Nugget that the only way to get access list
5
00:00:12,646 --> 00:00:15,046
down is by doing them again and again and again.
6
00:00:15,046 --> 00:00:15,966
It's like subnetting.
7
00:00:15,966 --> 00:00:20,936
So that's what I've done here, is created a
scenario of standard access list in this case
8
00:00:20,936 --> 00:00:21,756
that we're going to work through.
9
00:00:22,306 --> 00:00:24,396
But before we dive right
in, I want to go through
10
00:00:24,396 --> 00:00:27,146
and just familiarize ourselves
with this whole network diagram.
11
00:00:27,146 --> 00:00:32,186
First off, left-hand side, you can
see we've got the 192.168.1 network.
12
00:00:32,186 --> 00:00:38,306
So we've got a computer on there,
192.168.1.50, default gateway is 1.1.
13
00:00:38,606 --> 00:00:39,856
And then we've got a WAN link.
14
00:00:39,856 --> 00:00:42,276
Now, we've gone to a slash
30 subnet mask in here.
15
00:00:42,276 --> 00:00:46,996
So again, using-- or practicing our subnetting
skills, sometimes you're going to look at that
16
00:00:46,996 --> 00:00:50,836
and say, "Okay, well, what is that
range, what IP addresses are in there?"
17
00:00:50,836 --> 00:00:55,526
Now, in this case, it's easy especially if
you have experience looking at a slash 30
18
00:00:55,526 --> 00:00:58,106
because you know there's only
two IPs and they're assigned
19
00:00:58,106 --> 00:00:59,786
on each side, but let's say, you didn't.
20
00:01:00,026 --> 00:01:04,766
What you would do is say, "Okay, well slash
30 as a decimal subnet mask, what is that?"
21
00:01:04,796 --> 00:01:05,826
Convert that back to decimal.
22
00:01:05,826 --> 00:01:11,846
So, that would be a 255.255.255.252.
23
00:01:11,946 --> 00:01:13,956
Now, so we might say, "Well,
how did you know that?"
24
00:01:13,956 --> 00:01:15,176
Well, just 'cause I know.
25
00:01:15,346 --> 00:01:19,506
But when, you take 30, essentially that
means there's 30 ones in the subnet mask.
26
00:01:19,826 --> 00:01:23,346
So that's eight one, eight ones,
eight ones, six ones right there,
27
00:01:23,346 --> 00:01:26,136
so add them all up and there's your 30.
28
00:01:26,136 --> 00:01:28,576
So that will be where you get the 252,
29
00:01:28,576 --> 00:01:32,256
that's why, putting your six
ones, that's six, like that.
30
00:01:32,256 --> 00:01:35,086
Now, the good news is that
also gives you your increment.
31
00:01:35,236 --> 00:01:38,336
Remember, lowest network
bit as a decimal is a 4.
32
00:01:38,376 --> 00:01:41,576
So I'm going to be able to
reverse engineer my ranges.
33
00:01:41,576 --> 00:01:46,176
They would have had to start at
10.1.1.0, dot 4, dot 8, dot 12, you know,
34
00:01:46,176 --> 00:01:49,116
dah-dah-dah-dah down they go,
so filling the end ranges.
35
00:01:49,436 --> 00:01:52,136
And now, I've-- whoa, not written that right.
36
00:01:52,406 --> 00:01:54,446
Now, I've reverse engineered
what we've got here.
37
00:01:54,446 --> 00:01:58,746
We've got-- so this one is
10.1.1.0 through 3, can't use zero,
38
00:01:58,746 --> 00:02:00,516
it's a network; can't use 3, it's a broadcast.
39
00:02:00,516 --> 00:02:05,086
So 1 and 2 are the usable IP
addresses from there, right?
40
00:02:05,406 --> 00:02:07,346
So that explains our WAN link.
41
00:02:07,346 --> 00:02:08,896
So our WAN links are being very efficient.
42
00:02:08,896 --> 00:02:12,826
We're actually using VLSM in this
scenario, Variable Length Subnet Mask,
43
00:02:12,826 --> 00:02:14,426
changing the subnet mask based on the fit.
44
00:02:14,426 --> 00:02:15,316
So what's up with this?
45
00:02:15,646 --> 00:02:21,506
Well, I put this on there, the slash 25 at
both of these locations because you will run
46
00:02:21,506 --> 00:02:23,266
into that subnet mask in the real world.
47
00:02:23,266 --> 00:02:24,376
A lot of people use it.
48
00:02:24,376 --> 00:02:30,516
It is very efficient, but also because they
really want to show you how wildcard masks work
49
00:02:30,516 --> 00:02:34,146
which is what ACLs really thrive on.
50
00:02:34,146 --> 00:02:37,886
So seeing this, you might say, "Okay, well,
explain that to me, how do we do that?"
51
00:02:37,966 --> 00:02:45,166
Well, same thing, a slash 25 is
really 255.255.255, that's, you know,
52
00:02:45,166 --> 00:02:48,606
8 plus 8 plus 8, that's 24
ones so far we've got.
53
00:02:48,606 --> 00:02:51,076
So 25 ones would be 128, right?
54
00:02:51,076 --> 00:02:57,836
So 1-- so you know, essentially,
1000000 is what that comes out to.
55
00:02:57,836 --> 00:03:04,146
So, this as a decimal number,
that's our increment, is also 128,
56
00:03:04,146 --> 00:03:06,986
one of those nice weird ones where
the subnet mask equals the increment.
57
00:03:07,206 --> 00:03:13,846
So looking at our network, that means
we've got 192.168.2.0, is where it begins.
58
00:03:14,056 --> 00:03:15,306
Dot 2 dot 128.
59
00:03:15,446 --> 00:03:17,856
Now, what do you get if you add 128 to 128?
60
00:03:18,346 --> 00:03:26,046
256. So filling the end ranges, and
there's our two ranges that we go, okay,
61
00:03:26,046 --> 00:03:31,406
so we really have broken a class
C network into two subnetworks,
62
00:03:31,626 --> 00:03:34,636
one of them going from 0
to 127, that's this one.
63
00:03:34,716 --> 00:03:37,306
So default gateway is dot 1, he is dot 50.
64
00:03:37,626 --> 00:03:42,406
The second range going from 128 to 255, again,
can't use the first one, can't use the last one.
65
00:03:42,406 --> 00:03:46,996
So you notice on this side, I kind of drew
through it, the default gateway is dot 129,
66
00:03:46,996 --> 00:03:50,426
the first usable IP address from that
range and this computer just happens
67
00:03:50,426 --> 00:03:53,016
to be another one in that range, dot 150, right?
68
00:03:53,396 --> 00:04:00,866
So, good, I mean, that's really good 'cause, you
know, to truly get access lists in their glory,
69
00:04:01,246 --> 00:04:04,006
you have to be one that understands
the subnetting behind it.
70
00:04:04,006 --> 00:04:06,066
Okay. So that's what we've got so far.
71
00:04:06,066 --> 00:04:12,616
Now, what I've done is I've actually
set up this little scenario in GNS3.
72
00:04:13,286 --> 00:04:16,616
Now, I do this series totally out of order.
73
00:04:16,616 --> 00:04:23,396
So I'm actually recording this access
list Nugget before I've done routing.
74
00:04:23,396 --> 00:04:26,656
Why? 'Cause, I just wanted
to record access list.
75
00:04:26,656 --> 00:04:30,656
So I don't know if I've shown you GNS3
yet, but if I haven't, this is GNS3.
76
00:04:30,656 --> 00:04:36,606
A CBT Nugget, actually Keith Barker just
released a total series on how to use GNS3.
77
00:04:36,606 --> 00:04:39,926
It is a free emulator for Cisco.
78
00:04:40,206 --> 00:04:44,756
So just in case I did mention this--
mentioned this earlier, I won't dive into it
79
00:04:44,756 --> 00:04:47,646
in all its glory, but this is
the topology that we've set up.
80
00:04:47,646 --> 00:04:51,516
These are essentially running
the real Cisco IOS.
81
00:04:51,516 --> 00:04:58,926
I'm using a 2691 platform, if I could keep
that little thing there, 2691 platform.
82
00:04:58,926 --> 00:05:03,936
I've just found that to be really
stable with the 12.4 IOS on there.
83
00:05:03,936 --> 00:05:07,306
So, we have this environment running.
84
00:05:07,306 --> 00:05:12,556
The last piece I'll add on the set of
it all is I've gone in and set up--
85
00:05:12,556 --> 00:05:14,926
I'll do a show IP interface brief on router 1.
86
00:05:14,926 --> 00:05:15,876
I can see the interfaces.
87
00:05:15,876 --> 00:05:19,956
So again, router 1 is this
guy, upper left corner.
88
00:05:19,956 --> 00:05:24,926
We can bring-- my terminal back,
bring the terminal so we can see
89
00:05:24,926 --> 00:05:30,826
and I see a FastEthernet0/0
192.168.1.1 that matches.
90
00:05:30,826 --> 00:05:34,866
Serial0/0 10.1.1.6 that matches
and I'm able to verify that.
91
00:05:35,056 --> 00:05:37,976
But I've also set up RIP, this
is just a base config on there.
92
00:05:37,976 --> 00:05:44,696
I'm going to do a show IP route and you can
see that router 1 knows how to reach all
93
00:05:44,696 --> 00:05:47,296
of the networks in our little
mini-enterprise here.
94
00:05:47,396 --> 00:05:57,576
So he is able to reach, you know, 192.168.2.128.
95
00:05:57,576 --> 00:06:11,586
So I can ping-- or that network, so
I can ping 192.168.2.129, excuse me.
96
00:06:11,586 --> 00:06:13,146
So this represents the network.
97
00:06:13,146 --> 00:06:15,656
I'm pinging the default gateway.
98
00:06:15,656 --> 00:06:18,896
That's this guy on that network,
receiving successfully.
99
00:06:18,896 --> 00:06:22,536
So as a foundation, we have
full IP connectivity.
100
00:06:22,536 --> 00:06:27,796
Okay, if you're watching closely, you just
saw the whole scenario for number 1 changed.
101
00:06:27,796 --> 00:06:34,296
And that's just because I started getting
into it, I'm like, ah, this is just too--
102
00:06:34,296 --> 00:06:39,386
we can do it, it was just the old
one I had up there just a second ago,
103
00:06:39,476 --> 00:06:43,446
was too complex for example number
1, so I changed it a little bit.
104
00:06:43,446 --> 00:06:44,766
So let's get into it.
105
00:06:44,766 --> 00:06:48,526
Before we configure an access
list, recall your mind,
106
00:06:48,586 --> 00:06:52,496
there are two distinct phases
of access list setup.
107
00:06:52,496 --> 00:06:54,246
Number one is configuration.
108
00:06:54,286 --> 00:07:00,066
We need to go on the device
and set the access list up.
109
00:07:00,066 --> 00:07:06,196
This is done from global
configuration mode and we put
110
00:07:06,196 --> 00:07:09,416
in our list of permit and deny statements.
111
00:07:09,416 --> 00:07:10,316
We can do that all day.
112
00:07:10,316 --> 00:07:17,956
We could create a thousand access lists and
it will never do a thing until we hit step 2,
113
00:07:18,056 --> 00:07:21,696
which is application, and this is
where the action really happens.
114
00:07:21,696 --> 00:07:27,036
I mean, if you're thinking about-- I don't
know why this came into my head, but you know,
115
00:07:27,036 --> 00:07:35,196
when you were a kid and you built those little
matchbox race cars, you can build them all day,
116
00:07:35,586 --> 00:07:41,816
but until you put them on the
ramp, and say go, they're not--
117
00:07:41,816 --> 00:07:47,806
they're just going to sit there and look
pretty and that's all these access lists do
118
00:07:47,806 --> 00:07:51,826
and the application is where
all the action happens.
119
00:07:51,986 --> 00:07:59,846
We're going to apply it in terms of security;
but keep in mind, we can apply this in terms
120
00:08:00,196 --> 00:08:02,706
of quality of service, in terms of VPN.
121
00:08:03,006 --> 00:08:05,706
This is just a list, a way of matching stuff.
122
00:08:05,706 --> 00:08:10,186
So how we apply it says what that
matching will then do to all of that stuff.
123
00:08:10,186 --> 00:08:18,816
So, we are set from a goal of saying, I want
to block 10.1.1.1, that is router 3 right here,
124
00:08:18,816 --> 00:08:36,236
from reaching 10.1.1.6, that is router 1 right
there and 192.168.1.0/24, so this whole network.
125
00:08:36,236 --> 00:08:38,236
So I'm saying, I want to block
him from coming over here
126
00:08:38,236 --> 00:08:41,176
and reaching him or him or those networks.
127
00:08:41,176 --> 00:08:48,536
So I mean, envision with me,
we're going to build a wall here
128
00:08:48,636 --> 00:08:51,146
to block that guy from coming over here.
129
00:08:51,296 --> 00:08:55,236
Now, I know you're probably like, "Okay, it
makes sense, I don't really need the picture,"
130
00:08:55,276 --> 00:08:58,836
but you do, because even though we first go
in and configure the access list, you know,
131
00:08:58,836 --> 00:09:02,426
you're in global config mode and you do it.
132
00:09:02,426 --> 00:09:04,766
You have to already be thinking ahead.
133
00:09:04,766 --> 00:09:10,026
It's like a game of chess, you got to
be two steps ahead thinking, "Okay,
134
00:09:10,026 --> 00:09:13,916
I'm going to set this up, but
where am I going to apply this?"
135
00:09:13,916 --> 00:09:16,676
Now, let's think about a standard access list.
136
00:09:16,676 --> 00:09:20,246
Standard access list filters only
on IP source information, right?
137
00:09:20,246 --> 00:09:21,416
Think this through with me.
138
00:09:21,416 --> 00:09:23,086
IP source address information.
139
00:09:23,086 --> 00:09:26,456
So based on who you are, so for
instance, this guy says, "Hello,
140
00:09:26,456 --> 00:09:28,336
I'm 10.1.1.1," that is all we can filter on.
141
00:09:28,366 --> 00:09:30,016
I can say, "Okay, 10.1.1.1, you are denied."
142
00:09:30,046 --> 00:09:30,526
[laughs] And he goes, "Thanks."
143
00:09:30,556 --> 00:09:31,126
What do you say to that?
144
00:09:31,156 --> 00:09:31,876
I mean, well, denied from what?
145
00:09:31,906 --> 00:09:34,156
Well, it depends where we put this access
list and this is where we got to be careful.
146
00:09:34,186 --> 00:09:35,356
You might say, "Well, we
want to catch it right here,
147
00:09:35,386 --> 00:09:37,426
I want to block 10.1.1.1
from reaching those networks.
148
00:09:37,456 --> 00:09:39,316
So let's block 'em right here as soon
as he tries to get into router 2."
149
00:09:39,346 --> 00:09:40,546
And you're already thinking
in terms of direction.
150
00:09:40,576 --> 00:09:42,616
So as he's coming in, because we are going
to have to apply this in the direction
151
00:09:42,646 --> 00:09:43,636
to router 2, I want to block him, right?
152
00:09:43,666 --> 00:09:43,966
Well, careful.
153
00:09:43,996 --> 00:09:46,366
If I do that, I can just say
10.1.1.1, you are denied from coming
154
00:09:46,396 --> 00:09:47,536
in to router 2, what have I blocked him from?
155
00:09:47,566 --> 00:09:49,456
He can't reach this, he can't reach this,
he can't reach this, he can't reach this.
156
00:09:49,486 --> 00:09:50,416
I mean, yes, did I accomplish my goal?
157
00:09:50,446 --> 00:09:51,136
Yes, but with the sledgehammer.
158
00:09:51,166 --> 00:09:52,606
It's like saying, "Oh, let's just
take him out from everything,"
159
00:09:52,636 --> 00:09:53,566
and that's not what the scenario said.
160
00:09:53,596 --> 00:09:55,636
Scenario didn't tell us to block it from
here and here and here and all that.
161
00:09:55,666 --> 00:09:56,476
It just said block it over here.
162
00:09:56,506 --> 00:09:58,696
So, okay, what that tells me is since we are
only able to match based on the source, right,
163
00:09:58,726 --> 00:10:01,786
are you following me here, since I can only say
10.1.1.1 is denied, then I got to go as close
164
00:10:01,816 --> 00:10:02,806
to the destination as I possibly can.
165
00:10:02,836 --> 00:10:05,266
I'm probably going to go-- matter of fact, I'm
probably going to create this right on router 1
166
00:10:05,296 --> 00:10:07,276
and I'm going to apply it, you know, as they're
coming in this interface because that--
167
00:10:07,306 --> 00:10:09,016
you know, then I can say you're denied
and not deny them from too much,
168
00:10:09,046 --> 00:10:09,976
that accomplishes my objectives, right?
169
00:10:10,416 --> 00:10:13,846
I can say you're denied because
now you won't be able
170
00:10:13,846 --> 00:10:15,846
to reach this nor will you
be able to reach this.
171
00:10:16,156 --> 00:10:20,226
But, you know, that access list doesn't exist until
we get there, so we can reach everything in between.
172
00:10:20,226 --> 00:10:21,736
So let's-- let's do this.
173
00:10:21,736 --> 00:10:23,766
I'm going to bring up router 1.
174
00:10:23,766 --> 00:10:25,796
No, I'm going to bring up router 3.
175
00:10:25,796 --> 00:10:28,736
And I'm just going to, I want
to before we do anything we got
176
00:10:28,736 --> 00:10:30,186
to know what-- what we've come from.
177
00:10:30,186 --> 00:10:31,676
I'm going to make sure that I can ping to this.
178
00:10:31,676 --> 00:10:33,316
As a matter of fact I'm going to telnet to that.
179
00:10:33,316 --> 00:10:34,946
I'll make sure I can ping this IP address.
180
00:10:34,946 --> 00:10:38,076
Just make sure everything is working 'cause
if you don't know what you have beforehand,
181
00:10:38,076 --> 00:10:40,106
you don't know if you accomplish anything.
182
00:10:40,416 --> 00:10:43,026
So let's-- let's go here, I'm on router 3.
183
00:10:43,536 --> 00:10:46,976
Enable, then show IP interface
brief, just to orient ourselves.
184
00:10:46,976 --> 00:10:48,436
I see there's my FastEthernet.
185
00:10:48,436 --> 00:10:49,126
Life is good.
186
00:10:49,126 --> 00:10:50,026
Okay, there's my zero.
187
00:10:50,026 --> 00:10:50,816
So I'm going to ping.
188
00:10:50,816 --> 00:10:53,476
Let's do a ping to 10.1.1.6.
189
00:10:53,576 --> 00:10:54,156
We are good.
190
00:10:54,156 --> 00:10:54,906
We are humming along.
191
00:10:54,906 --> 00:10:57,976
Ping 192.168.1.50.
192
00:10:57,976 --> 00:11:02,436
So I am okay, that's not as good.
193
00:11:02,636 --> 00:11:04,656
I'm glad we tested this.
194
00:11:04,656 --> 00:11:06,256
So anyhow let's do a show IP route.
195
00:11:06,256 --> 00:11:09,856
I want to make sure that I
can get there 10.1.1 so--
196
00:11:09,856 --> 00:11:12,716
it says I know to reach the 10.1.1.1 network.
197
00:11:12,716 --> 00:11:14,506
So let's go over to router 1.
198
00:11:15,226 --> 00:11:17,846
I bet you I forgot to configure that PC.
199
00:11:17,846 --> 00:11:19,296
Well, let's find out.
200
00:11:19,296 --> 00:11:20,786
Show IP interface brief.
201
00:11:20,786 --> 00:11:23,236
I just want to make sure
the interface is up, okay?
202
00:11:23,236 --> 00:11:29,096
So let's try from here ping 192.168.1.50.
203
00:11:29,306 --> 00:11:33,856
Oh, Jeremy you forgot something completely.
204
00:11:34,276 --> 00:11:39,206
You know what, all these PCs, so
these PCs, they're not really PCs.
205
00:11:39,376 --> 00:11:43,256
They're actually routers
that I made to look like PCs.
206
00:11:43,256 --> 00:11:47,666
And I completely forgot to give them a
default gateway and they're not running RIP.
207
00:11:47,666 --> 00:11:48,656
They don't know how to get out.
208
00:11:48,836 --> 00:11:50,846
So here hang with me.
209
00:11:50,846 --> 00:11:52,046
Let's-- let's do this on the first one.
210
00:11:52,046 --> 00:11:53,446
That's good troubleshooting technique.
211
00:11:53,446 --> 00:11:58,006
So I'm going to open my little
PC one, show IP interface brief.
212
00:11:58,296 --> 00:12:03,216
It's got an IP address but when I do a show
IP route, it's like, "I don't know anything."
213
00:12:03,216 --> 00:12:04,986
I mean I don't have a default gateway.
214
00:12:04,986 --> 00:12:06,436
I don't-- I don't have anything.
215
00:12:06,436 --> 00:12:07,296
So watch this.
216
00:12:07,296 --> 00:12:11,626
Let me-- let me show you how to reduce
a Cisco router to like a nothing.
217
00:12:11,626 --> 00:12:15,116
Like this is like insulting
to a Cisco router to do this.
218
00:12:15,116 --> 00:12:16,936
I'm going to do no IP routing.
219
00:12:18,226 --> 00:12:19,556
I pretty much said yes.
220
00:12:19,556 --> 00:12:22,176
You are router but you cannot route.
221
00:12:22,176 --> 00:12:24,746
You're not really routing because I'm
just going to make you like a host.
222
00:12:24,746 --> 00:12:30,676
I'm going to do IP default
gateway and we'll do 192.168.1.1.
223
00:12:30,676 --> 00:12:31,176
There we go.
224
00:12:31,176 --> 00:12:32,776
So now I'll do a show IP route.
225
00:12:32,776 --> 00:12:34,996
Notice it totally changes.
226
00:12:34,996 --> 00:12:39,026
It's like, you know, I used to be able
to do all this but now I am a nothing.
227
00:12:39,336 --> 00:12:40,456
I can't get anywhere.
228
00:12:40,456 --> 00:12:43,166
All I know is my default gateway is this.
229
00:12:43,166 --> 00:12:46,576
So I've reduced this router to essentially a PC.
230
00:12:46,576 --> 00:12:49,136
So I'm going to save that in the config
files 'cause they're actually going
231
00:12:49,136 --> 00:12:53,496
to make these GNS3 config files available
to you so you are able to try this out
232
00:12:53,496 --> 00:12:55,746
and like I said practice makes perfect on this.
233
00:12:55,746 --> 00:12:57,886
So let me get in here and do the same.
234
00:12:57,886 --> 00:12:58,386
Let me pause.
235
00:12:58,386 --> 00:13:00,916
I'm going to just going to do
the same thing for PC 2 and PC 3.
236
00:13:01,876 --> 00:13:02,626
All right, that's done.
237
00:13:02,626 --> 00:13:07,286
So now it's your-- let's go back to
router 3 and I'll just hit the up arrow.
238
00:13:07,286 --> 00:13:11,626
Fail-- Failed before but
should-- should work now.
239
00:13:11,776 --> 00:13:13,386
Okay, it worried me for a second.
240
00:13:13,386 --> 00:13:13,886
Okay, there we go.
241
00:13:13,886 --> 00:13:17,546
So we've got-- we've got router
3 now able to fully ping.
242
00:13:17,546 --> 00:13:20,316
So this verifies router 3 is able to get here.
243
00:13:20,316 --> 00:13:21,596
He's able to get all the way to PC.
244
00:13:21,596 --> 00:13:24,656
Let's-- let's just do one more test
'cause I'd like to check this out as well.
245
00:13:24,656 --> 00:13:27,516
I'm going to even telnet 10.1.1.6.
246
00:13:27,516 --> 00:13:29,536
It comes up and says you are there.
247
00:13:29,536 --> 00:13:34,526
So I am telneting from-- I just telneted
from router 3 all the way to router 1
248
00:13:34,526 --> 00:13:37,486
and shows we connected and we are good.
249
00:13:37,836 --> 00:13:41,046
So-- so we have verified IP connectivity.
250
00:13:41,046 --> 00:13:42,496
Now let's get into the access list.
251
00:13:42,906 --> 00:13:46,686
This access list based on
all the chicken scratch
252
00:13:46,686 --> 00:13:50,006
on the screen, I'm going to create on router 1.
253
00:13:50,386 --> 00:13:53,096
So let me just wipe off all that.
254
00:13:53,096 --> 00:13:57,806
Okay, I'm going to create over here on
router 1 so that I block those coming over.
255
00:13:57,806 --> 00:14:01,406
So I'm going to first on
router 1 and not router 3.
256
00:14:01,516 --> 00:14:02,486
Let's go router 1.
257
00:14:02,836 --> 00:14:06,766
Go into global configuration mode and type
258
00:14:07,066 --> 00:14:11,356
in the command access list
followed by question mark.
259
00:14:11,356 --> 00:14:15,576
And by the way, if you haven't gotten used to
using your question mark, now is the time.
260
00:14:15,636 --> 00:14:17,896
Question mark through the
access list is almost critical.
261
00:14:18,376 --> 00:14:21,946
So you can see right away the Cisco router
is like, "Well okay, you said access list.
262
00:14:21,946 --> 00:14:24,336
What kind of access list
would you like to create?"
263
00:14:24,576 --> 00:14:26,456
Now you see in this list
there's a whole bunch of them.
264
00:14:26,456 --> 00:14:28,856
But most of them they're like,
"Okay, I'm not going to use,
265
00:14:28,856 --> 00:14:34,326
I'm not going to create an AppleTalk access
list, IPX access list, DECnet [phonetic]."
266
00:14:34,326 --> 00:14:39,766
I mean these are protocols we just haven't seen
for decades or I would say at least a decade
267
00:14:39,986 --> 00:14:42,296
because TCP/IP has replaced them all.
268
00:14:42,566 --> 00:14:46,476
The main one that we care about is
right up here, standard and extended,
269
00:14:46,476 --> 00:14:48,156
just what I was mentioning in the last Nugget.
270
00:14:48,156 --> 00:14:54,436
So-- so based on the number I typed in the
router knows what kind of access list I create.
271
00:14:54,436 --> 00:14:59,116
So if I type, for instance, access list 5 and
start configuring my options from there,
272
00:14:59,466 --> 00:15:03,446
the router knows I'm creating a standard access
list and it will give me one set of options
273
00:15:03,446 --> 00:15:07,726
versus if I put 105 it knows I'm
creating an extended access list.
274
00:15:07,726 --> 00:15:11,326
This is going to give me a
totally different set of options.
275
00:15:11,326 --> 00:15:13,076
So in here we're going to focus on standard.
276
00:15:13,076 --> 00:15:16,156
So do access list let's just
start with one, right?
277
00:15:16,366 --> 00:15:21,686
Now a list and I'm creating my-- my access list
can contain as many statements as you want.
278
00:15:21,686 --> 00:15:25,256
So I have a list one but it
could contain many of them.
279
00:15:25,256 --> 00:15:29,996
Also, also notice so you'd say, okay, so I
can create 99 access lists per router, right?
280
00:15:30,266 --> 00:15:34,206
Well yes that was in the original
version of the IOS, that's the limit.
281
00:15:34,206 --> 00:15:37,376
But I've never seen a router
with a hundred access list on it
282
00:15:37,376 --> 00:15:38,936
but I'm sure they exist out there.
283
00:15:39,316 --> 00:15:43,526
And because of that you can see that
Cisco has come up with an expanded range.
284
00:15:43,526 --> 00:15:49,306
So they say if you run out of numbers 1 through 99
there's 600, 700 more that you are able to use.
285
00:15:49,436 --> 00:15:52,496
Same thing right here expanded
range for the IP extended.
286
00:15:52,746 --> 00:15:56,106
But all of that being said I'm
also going to show you this later.
287
00:15:56,106 --> 00:15:58,446
You can also use named access list.
288
00:15:58,446 --> 00:16:02,636
So instead of using a number I can say
access list denied Bob or something like that
289
00:16:02,786 --> 00:16:04,746
and create as many of those as I want.
290
00:16:05,056 --> 00:16:09,136
So I hit the question mark and it's saying okay,
you are now configuring your first statement
291
00:16:09,136 --> 00:16:11,606
in access list one, your first line entry.
292
00:16:11,666 --> 00:16:15,876
So I'm going to say, "Okay, well-- well what
I wanted to do is I wanted to deny somebody.
293
00:16:15,976 --> 00:16:20,616
And I hit the question mark and it says
okay, well-- well, who do you want to deny?
294
00:16:20,616 --> 00:16:23,356
Do you want to deny oh, anybody?
295
00:16:23,636 --> 00:16:30,656
Do you deny just a single host or is there a
specific address that you want to match here?
296
00:16:30,656 --> 00:16:34,096
And so I'm looking here I'm like,
"Okay, well-- well, actually--"
297
00:16:34,566 --> 00:16:36,596
there's actually a couple
of ways I could go about it.
298
00:16:36,596 --> 00:16:38,616
I'll-- I'll do one way first.
299
00:16:38,886 --> 00:16:42,276
I'm going to deny 10.1.1.1.
300
00:16:42,276 --> 00:16:44,496
Now that's just-- it's just that's one host.
301
00:16:44,496 --> 00:16:46,946
I mean that's my whole focus
right now is that one host.
302
00:16:46,946 --> 00:16:51,056
So-- so I'm going to take the easy route
and I'll show you why in a little bit.
303
00:16:51,056 --> 00:16:56,726
I'm going to type in deny host, a single
host address and they are 10.1.1.1.
304
00:16:56,726 --> 00:16:59,336
You see how this question mark is so critical?
305
00:16:59,336 --> 00:17:01,256
So now it says, "Okay, well, if you want,
306
00:17:01,256 --> 00:17:05,256
I can also create syslog messages
anytime this host is denied so you know
307
00:17:05,256 --> 00:17:07,826
that they're being denied or
you just press the enter key.
308
00:17:08,056 --> 00:17:11,216
Now say most of the time unless you're
really interested if that host is denied
309
00:17:11,336 --> 00:17:13,546
or not there's other ways of verifying that.
310
00:17:13,856 --> 00:17:17,356
I'll just press the enter key 'cause the more
logs you put on there, the more it's going
311
00:17:17,356 --> 00:17:20,836
to start filling up all your
memory buffers and syslog servers
312
00:17:20,836 --> 00:17:25,096
with all these entries saying this guy's
denied, this guy has been permitted so, ta-da!
313
00:17:25,376 --> 00:17:27,736
We've created our first line in our access list.
314
00:17:28,326 --> 00:17:32,896
So I'm going to type in the command from
Privileged mode, show IP access list
315
00:17:32,896 --> 00:17:35,516
and it's like, "Hey you've
now created list number one.
316
00:17:35,856 --> 00:17:41,806
Inside of there is deny 10.1.1.1 and now
the Cisco router added this to the front.
317
00:17:41,806 --> 00:17:42,566
What's that?
318
00:17:42,766 --> 00:17:44,506
It's sequence 10.
319
00:17:45,326 --> 00:17:50,016
You're going to find out that the Cisco
router allows us to squeeze entries in.
320
00:17:50,016 --> 00:17:53,936
So for instance the next line that I add
by default unless I change it is going
321
00:17:53,936 --> 00:17:57,126
to be sequence 20, sequence 30, sequence 40.
322
00:17:57,126 --> 00:17:59,506
The more lines I add they
add the sequence number
323
00:17:59,506 --> 00:18:04,026
so what I can do is come in
and-- and squeeze things in.
324
00:18:04,026 --> 00:18:07,686
So I create 10, deny this person; 20,
permit that person; 30, deny that person.
325
00:18:07,686 --> 00:18:10,746
Now suddenly like, "Oh I forgot
I wanted to put one here."
326
00:18:11,016 --> 00:18:15,576
Now in the old days when I first got
into Cisco there was no sequence numbers.
327
00:18:15,576 --> 00:18:19,726
If you had to squeeze something in you had to
delete the whole access list and recreate it.
328
00:18:20,486 --> 00:18:21,426
Yeah, seriously!
329
00:18:21,616 --> 00:18:22,616
It was painful.
330
00:18:22,816 --> 00:18:27,186
But now I can just say, "Well, I want to squeeze
in sequence number 15 and put a line kind of in
331
00:18:27,186 --> 00:18:29,996
between those so I can change
the order of the events.
332
00:18:29,996 --> 00:18:32,136
So let's-- let's continue on from there.
333
00:18:32,136 --> 00:18:33,356
So is this guy ready?
334
00:18:33,356 --> 00:18:34,686
Can I just apply this?
335
00:18:35,226 --> 00:18:42,546
No! That would run into one of the
most common, devastating events
336
00:18:42,546 --> 00:18:43,966
that you could do with access lists.
337
00:18:44,556 --> 00:18:45,856
Here's access list one, right?
338
00:18:45,856 --> 00:18:47,766
We've-- we've created our
first-- our first list.
339
00:18:47,906 --> 00:18:53,186
And we have said sequence 10
is denied 10.1.1.1, right?
340
00:18:53,186 --> 00:18:54,696
And that's the only thing that's in there.
341
00:18:55,036 --> 00:18:56,506
Now think back to the last Nugget.
342
00:18:57,456 --> 00:19:01,426
What is at the bottom of every access list?
343
00:19:01,656 --> 00:19:05,876
And the last thing that I said you
won't see it there but it's there.
344
00:19:06,016 --> 00:19:06,706
Anyone remember?
345
00:19:07,146 --> 00:19:08,796
Yeah, you, yeah, okay you in the red shirt.
346
00:19:09,776 --> 00:19:10,566
Deny everything.
347
00:19:10,716 --> 00:19:11,356
You got it.
348
00:19:11,596 --> 00:19:12,706
Deny everything.
349
00:19:15,496 --> 00:19:18,526
So if-- in this-- let me make a statement.
350
00:19:18,526 --> 00:19:20,496
This is-- this is a key statement to remember.
351
00:19:20,746 --> 00:19:26,006
If you have an access list that just
has deny entries, it is an access list
352
00:19:26,006 --> 00:19:28,696
that will completely cut off all
network connectivity if you apply it.
353
00:19:29,106 --> 00:19:32,056
You must have at least one
permit statement in there
354
00:19:32,236 --> 00:19:34,156
or else you might as well unplug the cable.
355
00:19:34,296 --> 00:19:38,916
I mean if I were to take this and now apply it
to this interface, inbound, it would say, "Okay,
356
00:19:38,986 --> 00:19:41,826
I'm going to deny this person and then
I'm going to deny everybody else."
357
00:19:42,076 --> 00:19:43,716
And you might as well shut the interface
358
00:19:43,716 --> 00:19:47,306
down 'cause that's exactly what
you've done and that's so easy.
359
00:19:47,306 --> 00:19:51,526
I mean in a quick move without thinking
it through sometimes you're like "Oh man,
360
00:19:51,526 --> 00:19:55,776
we're under attack because a new
SQL Slammer virus, worm came out.
361
00:19:55,776 --> 00:20:00,176
Let's-- let's go out and deny this-- this source
IP Address from China or wherever it's coming
362
00:20:00,176 --> 00:20:05,226
in from that this attack originated
and so you quickly say, "Oh deny this"
363
00:20:05,226 --> 00:20:09,676
and then you go apply it and well, I would
say you're safe, you've protected yourself
364
00:20:09,676 --> 00:20:11,886
because you completely cut
off the internet connection
365
00:20:12,186 --> 00:20:13,976
which is probably not what your intentions were.
366
00:20:14,476 --> 00:20:17,596
So what we need to do is add in a permit.
367
00:20:17,596 --> 00:20:22,966
So, let's think this through, what-- if I'm
denying this one then what am I permitting?
368
00:20:24,016 --> 00:20:25,556
Everything else, right?
369
00:20:25,556 --> 00:20:28,776
I mean this shouldn't be
impacted, this just said deny that
370
00:20:28,776 --> 00:20:31,266
and that alone so I want to permit everybody.
371
00:20:31,666 --> 00:20:33,056
Okay, let's go back there.
372
00:20:33,836 --> 00:20:36,056
There was actually-- did you see
the key word in there for that?
373
00:20:36,056 --> 00:20:37,446
So, let's add line number 2.
374
00:20:37,446 --> 00:20:41,656
So I'm going to say access list one and
now we're going to say, okay, permit,
375
00:20:43,536 --> 00:20:46,146
anyone have a guess what key word?
376
00:20:46,686 --> 00:20:49,426
Any, any source host, right?
377
00:20:49,966 --> 00:20:50,646
So check this out now.
378
00:20:51,126 --> 00:20:59,766
I'll do a show IP access list and right there
I can see access list 1 now has two statements.
379
00:20:59,766 --> 00:21:00,816
You see how this is building.
380
00:21:01,266 --> 00:21:04,856
Statement 10, says, deny that person
and statement 20 is permit anybody else.
381
00:21:04,856 --> 00:21:07,036
Now-- now you might think, "Okay.
382
00:21:07,036 --> 00:21:09,616
Well so-- what about the
implicit deny at the end?"
383
00:21:10,466 --> 00:21:14,946
Well, now that we put a permit all
before it, we will never get there.
384
00:21:15,336 --> 00:21:20,096
Remember the rules of an access list is
as a router, so as packets are coming in,
385
00:21:20,376 --> 00:21:21,726
the router is going to now filter and say,
386
00:21:21,726 --> 00:21:23,746
"Are you this person, 'cause
if you are you're denied.
387
00:21:23,996 --> 00:21:26,766
Okay, if you're not this person,
you hit this permit all statement."
388
00:21:26,936 --> 00:21:31,886
Now as soon as it gets the first match in an
access list, it stops processing, you know?
389
00:21:31,886 --> 00:21:36,156
So for instance, if 10.1.1.1 did come in
there, it's not like he goes, okay,
390
00:21:36,156 --> 00:21:39,966
well I'm going to deny you, but-- no actually
I'm not going to deny 'cause I see right next
391
00:21:39,966 --> 00:21:42,636
to me is a permit everybody and
you're kind of like everybody, right?
392
00:21:42,636 --> 00:21:43,766
So let list-- no, no, no.
393
00:21:43,886 --> 00:21:46,496
As soon as you get your
first match, it says check.
394
00:21:46,626 --> 00:21:48,996
I'm not looking at anymore of the access list.
395
00:21:49,186 --> 00:21:51,766
So the good news is by putting in a permit all,
396
00:21:51,766 --> 00:21:55,686
I have really reversed the
whole mindset of an access list.
397
00:21:55,686 --> 00:21:59,576
I've now said, deny what I say to
deny, but permit everything else.
398
00:22:00,476 --> 00:22:03,246
Sometimes, you'll hear people call us.
399
00:22:03,246 --> 00:22:04,056
I've heard this said once.
400
00:22:04,056 --> 00:22:06,626
I thought it was a great way to describe that.
401
00:22:07,096 --> 00:22:13,276
This is like fishnet security, where
you're allowing all the water to go through
402
00:22:13,276 --> 00:22:15,346
and you're trying to catch the
big old fish, you know, what,
403
00:22:15,346 --> 00:22:17,906
you know, which in this case 10.1.1.1.
404
00:22:17,906 --> 00:22:23,436
Everything else can go through those giant
gaping holes in the access list, whereas,
405
00:22:23,586 --> 00:22:30,506
leaving the denial is like iron wall
security and you've got a little drill
406
00:22:30,626 --> 00:22:34,446
and you say [noise] you know, I'm allowing
this, you know, port 80 through [noise].
407
00:22:34,446 --> 00:22:39,136
I'm allowing 10.1.1.1 through or
whatever, whatever you're allowing through,
408
00:22:39,406 --> 00:22:44,676
you just kind of poke these little holes
and go through, which is better, this one.
409
00:22:44,976 --> 00:22:46,236
Well, I'm sorry, backup.
410
00:22:46,236 --> 00:22:48,276
Let me use the universal, it depends.
411
00:22:48,466 --> 00:22:51,626
It depends on, you're what you're trying
to accomplish, but most of the time,
412
00:22:51,626 --> 00:22:53,596
if you're talking about like internet security,
413
00:22:53,956 --> 00:22:59,676
the iron wall just saying exactly what is
allowed in is usually the best way to go, okay.
414
00:23:00,066 --> 00:23:03,356
So we've got this access list created, right?
415
00:23:03,356 --> 00:23:06,686
We're in global config mode, we're
going back to those two things.
416
00:23:06,926 --> 00:23:10,606
Step 1, the config is done already.
417
00:23:10,966 --> 00:23:12,896
But now we have to go to the application.
418
00:23:13,876 --> 00:23:18,136
Now in this case I need to go into
the interface where I want to apply it
419
00:23:18,246 --> 00:23:20,396
and in this case it's serial 0/0.
420
00:23:20,396 --> 00:23:23,526
Now, I said right here assume
all ethernet ports are FAST here,
421
00:23:23,526 --> 00:23:27,136
so this is FAST ethernet,
0/0 could I apply it here?
422
00:23:27,906 --> 00:23:30,206
Yes, but it would miss one of the objectives.
423
00:23:30,206 --> 00:23:35,376
So let's-- let's apply it here first.
424
00:23:35,376 --> 00:23:41,816
So I'm going to go on router 1 and I'm going
to say, "Okay, I want access 1 to take effect,
425
00:23:41,816 --> 00:23:46,546
global config mode, interface serial 0/0" and I'm
going to use the command, here is the command.
426
00:23:46,546 --> 00:23:49,966
It is IP access group.
427
00:23:51,116 --> 00:23:52,686
Well, why Cisco do that?
428
00:23:52,686 --> 00:23:55,296
'Cause they had to have a different way.
429
00:23:55,476 --> 00:23:59,676
So IP access group is how we apply
an access list to an interface.
430
00:23:59,746 --> 00:24:01,986
It's not IP access list, it's IP access group.
431
00:24:02,476 --> 00:24:07,046
I hit the question mark and it's says,
"Okay, what number of access list would you
432
00:24:07,046 --> 00:24:09,796
like to apply or even what name
if you've used the name one.
433
00:24:09,796 --> 00:24:11,556
I'll show you how to do that in a moment.
434
00:24:11,556 --> 00:24:15,716
So, I would say I want to use
number 1 that's the one I created.
435
00:24:15,716 --> 00:24:17,686
Now it's going to ask me that key question.
436
00:24:17,686 --> 00:24:22,776
Remember I said last time you got to
get this one right, inbound or outbound.
437
00:24:23,356 --> 00:24:25,466
Okay? How do I determine that direction?
438
00:24:25,936 --> 00:24:26,766
Be the router.
439
00:24:27,066 --> 00:24:28,376
I am router 1.
440
00:24:28,576 --> 00:24:34,246
My right arm, you know, again, if I'm
a human being my right arm is serial 0/0,
441
00:24:34,466 --> 00:24:36,896
my left arm is FAST ethernet 0/0.
442
00:24:36,896 --> 00:24:38,646
So I'm holding him right here and I go, okay.
443
00:24:39,036 --> 00:24:41,716
Direction wise, I'm applying right here.
444
00:24:41,716 --> 00:24:49,096
Am I filtering traffic in as it's coming into me
from my right arm in the serial 0/0 or I'm applying it
445
00:24:49,096 --> 00:24:51,506
out to where it's going out this interface?
446
00:24:52,336 --> 00:24:56,746
If you think that through, it's in because
router 3 and everything else is going
447
00:24:56,746 --> 00:25:00,756
to be coming in my arm in the interface
to me, the router sitting in the middle
448
00:25:01,326 --> 00:25:03,026
and that's where I want to do filtering.
449
00:25:03,026 --> 00:25:05,316
So I'm going to say, apply that inbound.
450
00:25:06,176 --> 00:25:07,746
All right.
451
00:25:07,746 --> 00:25:12,266
Let's do-- I want you to show IP, you
can actually type in show access list.
452
00:25:12,506 --> 00:25:17,076
But the reason I like show IP access
list, they're the same exact command is
453
00:25:17,076 --> 00:25:21,006
because I can hit the tab key after three
letters and it fills in all inwards.
454
00:25:21,006 --> 00:25:25,346
If I do show IP or show access, I actually have
to type in the dash and the L and it works,
455
00:25:25,346 --> 00:25:26,826
but it same-- same exact command.
456
00:25:26,826 --> 00:25:28,146
Now, ooh-- ooh, check it out.
457
00:25:28,446 --> 00:25:33,366
We've got deny 10.1.1.1, it's
there, but it hasn't done anything
458
00:25:33,366 --> 00:25:38,116
yet because I can see below the
permit any is getting three matches.
459
00:25:38,276 --> 00:25:42,546
So there's already three packets that have
come in and said, "I want to come in,"
460
00:25:42,546 --> 00:25:44,636
and the access list says, "Okay, come on in."
461
00:25:44,636 --> 00:25:46,636
And then they're going to say,
well, "Jeremy you're talking.
462
00:25:46,636 --> 00:25:47,936
What's going on?
463
00:25:47,936 --> 00:25:49,086
What is there matches coming in?"
464
00:25:49,326 --> 00:25:54,306
Well, I remember I said at the beginning I set
up RIP, a routing protocol which is saying,
465
00:25:54,306 --> 00:25:55,586
"Hey, I know about these networks."
466
00:25:55,586 --> 00:25:57,336
So it's sending its little
updates behind the scene.
467
00:25:57,336 --> 00:26:00,386
So chances, I hit the up arrow,
it's now up to six matches.
468
00:26:00,386 --> 00:26:03,796
So RIP is talking and chatting and sending
its route updates, doing its thing,
469
00:26:04,006 --> 00:26:04,926
that's the matching that I'm gaining.
470
00:26:04,926 --> 00:26:05,986
Okay. Let's test it.
471
00:26:06,166 --> 00:26:15,336
Let's go over to router 3-- who is this guy over
here, right, router 3, and now we test it before
472
00:26:15,336 --> 00:26:18,976
that I was able to ping I could
telnet to this guy so let's try now.
473
00:26:19,516 --> 00:26:23,936
Ping 10.1.1.6.
474
00:26:24,316 --> 00:26:27,146
Denied! A matter of fact
you can see right here U's.
475
00:26:27,516 --> 00:26:32,756
That means unreachable as in a
protocol called ICMP has come
476
00:26:32,756 --> 00:26:34,766
in and said, you are being blocked.
477
00:26:34,766 --> 00:26:38,666
Usually when you see a U that means either the
router has no idea what you're talking about.
478
00:26:38,666 --> 00:26:43,556
It doesn't have a route to that
destination or an access list is blocking you
479
00:26:43,556 --> 00:26:46,066
and sending back messages
saying, "You are being denied."
480
00:26:46,306 --> 00:26:52,416
Now, when you get into the-- if you decide to
go security as your specialty and get in there,
481
00:26:52,576 --> 00:26:55,916
one of the things that you'll
learn is a way to turn this off.
482
00:26:55,916 --> 00:27:00,626
Because as a hacker, if I'm trying
to hack in somewhere and I do a ping
483
00:27:00,626 --> 00:27:06,316
and I see U's coming back to me, that tells
me something, that tells me they are alive.
484
00:27:06,676 --> 00:27:12,366
I can get there, but they have purposely put
an access list on there that this is blocking.
485
00:27:12,736 --> 00:27:17,046
There is a command that you can do to turn
off what's called ICMP unreachable messages.
486
00:27:17,046 --> 00:27:19,316
So that way, it just says, dot.
487
00:27:19,316 --> 00:27:23,826
It's as if you would have ping'd just an IP
address that doesn't exist, dot, dot, dot,
488
00:27:23,826 --> 00:27:25,746
and you know, you can't tell
that you're being blocked.
489
00:27:25,746 --> 00:27:28,556
So that's, that's in the security
series so I'll leave that to them.
490
00:27:28,936 --> 00:27:30,636
So, let's do some more testing.
491
00:27:30,636 --> 00:27:31,416
I'm going to try and telnet.
492
00:27:31,786 --> 00:27:37,006
We just did up here right, telnet
10.1.1.6, telnet to 10.1.1.6.
493
00:27:37,686 --> 00:27:41,366
Denied destination immediately comes
back unreachable gateway host that.
494
00:27:41,366 --> 00:27:42,876
It's-- I'm being blocked from that.
495
00:27:42,876 --> 00:27:45,616
Okay. So that verifies that I can't get here.
496
00:27:45,956 --> 00:27:47,576
Now what about-- what about this guy?
497
00:27:48,036 --> 00:27:49,106
I could ping him before.
498
00:27:49,106 --> 00:27:53,716
So let's do a ping 192.168.1.50.
499
00:27:53,716 --> 00:27:54,346
Successful!
500
00:27:54,646 --> 00:28:01,486
So now, let's go up here to router 1 and
hit up arrow and do the same command.
501
00:28:01,486 --> 00:28:02,246
Check it out.
502
00:28:02,876 --> 00:28:04,086
Now, we can see it in action.
503
00:28:04,596 --> 00:28:09,336
We're denying 10.1.1.1, 25 matches
from all of the pings in the telnet
504
00:28:09,336 --> 00:28:12,306
and everything else I'm trying to do
to reach that, it's actually saying,
505
00:28:12,306 --> 00:28:14,026
I'm blocking, I'm blocking, I'm blocking.
506
00:28:14,026 --> 00:28:15,046
Okay. Awesome!
507
00:28:15,186 --> 00:28:16,646
That is excellent.
508
00:28:16,986 --> 00:28:18,836
Now, let me do this.
509
00:28:19,156 --> 00:28:27,596
Wipe. I want to go back to the question I
said, "Couldn't-- could I apply it right here?"
510
00:28:27,596 --> 00:28:31,826
Yes! Yes, yes I could apply
that same access list right here.
511
00:28:31,826 --> 00:28:33,056
As a matter of fact, let's do that.
512
00:28:33,456 --> 00:28:40,166
I'll go into interface serial 0/0 and I'm
going to do no, IP access group 1
513
00:28:40,166 --> 00:28:42,256
and so I'm taking it off of the serial port.
514
00:28:42,446 --> 00:28:46,636
So I mean immediately upon doing that,
I should be able to hit the up arrow.
515
00:28:46,636 --> 00:28:48,336
Now pings are going through successfully.
516
00:28:48,336 --> 00:28:50,486
You can see access list and action right there.
517
00:28:50,666 --> 00:28:54,566
But now, let's say I went into
FAST ethernet 0/0 and I said,
518
00:28:54,566 --> 00:28:55,886
okay, well I want to apply it here.
519
00:28:55,886 --> 00:28:59,236
First off, let me ask you, what
direction would you apply it?
520
00:28:59,826 --> 00:29:01,346
Ken, be the router.
521
00:29:01,346 --> 00:29:03,026
This is FAST ethernet 0/0.
522
00:29:03,226 --> 00:29:03,996
This is serial 0/0.
523
00:29:04,036 --> 00:29:08,266
I've got access to those one that says,
deny this guy, holding my arms out.
524
00:29:08,436 --> 00:29:15,246
If I apply it right here, I want to apply
it outbound like as it's going out router 1.
525
00:29:15,476 --> 00:29:18,186
Because if I apply it inbound,
what would that mean?
526
00:29:18,186 --> 00:29:22,456
It would assume that 10.1.1.1 is over here
somewhere, you know, trying to come in.
527
00:29:22,456 --> 00:29:23,506
That's not the truth.
528
00:29:23,506 --> 00:29:24,786
That's not where it's at.
529
00:29:25,066 --> 00:29:28,876
So it's going to be applied outbound there and
let's do it because I just want to show you.
530
00:29:30,076 --> 00:29:36,556
I'm going to under FAST ethernet
0/0, just let just hit the up arrow.
531
00:29:36,556 --> 00:29:38,496
IP add-- oh, wait, stop the train.
532
00:29:38,816 --> 00:29:39,696
We're moving too fast.
533
00:29:39,886 --> 00:29:41,936
I just caused an internet outage.
534
00:29:41,936 --> 00:29:47,226
So, IP access group 1 outbound so I've applied
it in the out direction on FAST ethernet 0.
535
00:29:47,496 --> 00:29:49,516
Now, can I go to router 3 and test?
536
00:29:49,516 --> 00:29:52,026
Yes I can, if I find them.
537
00:29:52,606 --> 00:29:57,206
Router 3, I'm going to hit the up arrow and
ping them again, and okay, that's good right?
538
00:29:57,766 --> 00:29:59,966
It means I'm blocked from getting to this guy.
539
00:29:59,966 --> 00:30:01,976
I just tested that but what's missing?
540
00:30:02,056 --> 00:30:07,696
If it's applied outbound right here, then
getting here which is one of the objectives,
541
00:30:07,966 --> 00:30:11,936
block information, that's-- it's not going
to be there 'cause I removed it from this
542
00:30:11,936 --> 00:30:13,796
so he's going to have no problem reaching this.
543
00:30:13,796 --> 00:30:17,036
It's just when he tries to go out right
here, it's where it's going to be blocked
544
00:30:17,036 --> 00:30:20,926
so let's just verify Ping 10.1.1.6.
545
00:30:20,926 --> 00:30:28,006
Good. So again, verifying that this was indeed
the correct place to put that access list.
546
00:30:28,006 --> 00:30:30,286
All right, let's look at number 2.
547
00:30:30,546 --> 00:30:42,676
Use a standard access list to block access
to the 192.168.1.0/24 from 192.168.2.128/25.
548
00:30:42,676 --> 00:30:45,096
Now, again, why it's so critical
to draw this out?
549
00:30:45,096 --> 00:30:46,666
It's just so you can visualize what's going on.
550
00:30:46,666 --> 00:30:50,166
So it's -- what it's saying here is
not to block the specific IP address.
551
00:30:50,166 --> 00:30:51,956
It's saying block this whole network.
552
00:30:52,556 --> 00:30:57,566
So 192.168.2.128/25 so, that's
identifying the whole memory--
553
00:30:57,566 --> 00:31:02,676
the 128 is the network ID so I'm saying
the whole network is being blocked
554
00:31:02,676 --> 00:31:05,976
from accessing this whole network, so
again, big sweeping statements there.
555
00:31:06,436 --> 00:31:09,876
Okay, so let's do that.
556
00:31:09,876 --> 00:31:14,336
First off I'm going to go to--
okay, before I even do that,
557
00:31:14,466 --> 00:31:15,886
let's figure out where we're at, right.
558
00:31:15,996 --> 00:31:19,796
Again, standard access list
only blocks based on IP source.
559
00:31:20,286 --> 00:31:24,976
So I can't really say what something is
denied from other than where I apply it to.
560
00:31:24,976 --> 00:31:29,056
So if I create an access list, I'm going
to apply it here as things are coming
561
00:31:29,056 --> 00:31:31,426
into that interface then I had cut off too much.
562
00:31:31,426 --> 00:31:35,436
So again, I'm back over on the Router 1 and
I'm saying, "Well, I want-- I need to block--
563
00:31:35,656 --> 00:31:37,306
no longer am I blocking access to this.
564
00:31:37,306 --> 00:31:39,136
I need to block access to this subnet.
565
00:31:39,416 --> 00:31:43,946
So I need to catch things as they're
trying to leave this interface."
566
00:31:44,326 --> 00:31:48,566
Again, with standard access list, it's
as close to the destination as possible
567
00:31:48,566 --> 00:31:52,626
because the close you move to the source, the
more chance you're going to block too much
568
00:31:52,626 --> 00:31:54,736
since you can't really say
what they're denied from.
569
00:31:55,076 --> 00:31:58,766
You just say they are denied and that's
just based on the source, so, okay.
570
00:31:58,766 --> 00:32:03,476
So I'm going to be right here as they're
going out, right, that that interface,
571
00:32:03,476 --> 00:32:09,576
I need to block them so I'm back over
on router 1 and I'm going to go in--
572
00:32:09,576 --> 00:32:14,076
first off remove this one from
being applied, exit back out.
573
00:32:14,266 --> 00:32:16,906
So let's-- a matter of fact,
let's just kill the whole thing.
574
00:32:17,126 --> 00:32:20,816
I'm going to do a no IP-- a no access list 1.
575
00:32:21,526 --> 00:32:22,396
And it's gone.
576
00:32:22,396 --> 00:32:25,476
So that actually deleted the whole access list.
577
00:32:25,476 --> 00:32:28,806
I'll do a show IP access list
and you can see nothing there.
578
00:32:28,806 --> 00:32:30,146
They're all gone.
579
00:32:30,146 --> 00:32:37,196
So let's go and create-- so I'm going to create
access list just-- we can use 1 but just--
580
00:32:37,196 --> 00:32:39,276
because I want to be different, let's use 2.
581
00:32:39,536 --> 00:32:42,506
So access list 2-- now who are we denying?
582
00:32:42,796 --> 00:32:48,976
We are denying this whole subnet,
192.168.2.128 with that weird subnet mask.
583
00:32:48,976 --> 00:32:58,256
So again, we're looking at that range,
192.168.2.128 through 255, okay?
584
00:32:58,546 --> 00:33:02,456
So I want to block that whole
subnet so I'm going to say, "Okay."
585
00:33:02,456 --> 00:33:04,016
So 2, I'm going to deny.
586
00:33:04,016 --> 00:33:05,536
That's my goal is to block them.
587
00:33:05,736 --> 00:33:08,846
And it says, "Okay, what address do
you want to match or do you want to do,
588
00:33:08,846 --> 00:33:10,636
you know, any address or specific host?"
589
00:33:10,906 --> 00:33:15,866
Well, I can't use any because that'll
block everybody and that's not the goal.
590
00:33:16,276 --> 00:33:23,396
I could use host but that means I'm going
to have to type in host 192.168.2.128
591
00:33:23,516 --> 00:33:27,246
and then hit the up arrow, 129.2.130, 2.131.
592
00:33:27,246 --> 00:33:28,366
Come on, is this sufficient?
593
00:33:28,366 --> 00:33:30,376
Can we say-- can I hear a no?
594
00:33:30,376 --> 00:33:31,706
No, it is not sufficient.
595
00:33:31,706 --> 00:33:36,926
So that means we're creating this slides,
show-- a giant access list, show IP Access.
596
00:33:36,926 --> 00:33:37,566
You see all this.
597
00:33:37,866 --> 00:33:42,556
It's just crazy but someone going to
say, "No, no, no," clear access list 2.
598
00:33:43,076 --> 00:33:44,176
So let's blow it away.
599
00:33:44,176 --> 00:33:46,186
So we could do that but not efficient.
600
00:33:46,186 --> 00:33:53,196
So instead, I'm going to say, "I want
to block the network 192.168.2.128
601
00:33:53,436 --> 00:33:58,496
but enter stage left the wildcard mask, okay.
602
00:33:58,696 --> 00:34:05,966
Wildcard mask allows you to say these
are the bits that I care about."
603
00:34:06,306 --> 00:34:10,136
Now, nobody is really certain to
why Cisco decide to go this way
604
00:34:10,136 --> 00:34:13,176
like you would think it be nice and
logical to be able to say, "Okay,
605
00:34:13,176 --> 00:34:17,346
we'll block that network like that."
606
00:34:17,656 --> 00:34:20,616
But a wildcard mask doesn't do that.
607
00:34:20,616 --> 00:34:26,966
Think of-- I mean, if it's-- okay, if you've
got a rebellious teenager and you're like "Man,
608
00:34:26,966 --> 00:34:28,996
they're wild," what do you think?
609
00:34:28,996 --> 00:34:29,276
You're like?
610
00:34:29,276 --> 00:34:32,216
"Okay, they are doing the
opposite of what I want them to do.
611
00:34:32,216 --> 00:34:36,616
They're doing the opposite of what would be
acceptable and normal to this family," right?
612
00:34:36,876 --> 00:34:41,006
So think of the wildcard mask,
it's the rebel, it's the opposite.
613
00:34:41,006 --> 00:34:44,476
So it's going to be the backwards
mask, essentially.
614
00:34:44,476 --> 00:34:50,746
So we see the mask is 255.255.255.128.
615
00:34:51,266 --> 00:34:57,006
The wildcard mask is exactly the opposite, flip
it, as in, if we're to look at this in binary,
616
00:34:57,006 --> 00:35:01,466
you know, 11111111.11111111.11111111.10000000,
617
00:35:01,466 --> 00:35:03,486
so that's the normal subnet mask in all binary.
618
00:35:03,646 --> 00:35:04,546
wildcard mask flips.
619
00:35:04,596 --> 00:35:08,296
So wherever you see a 1, put a
0, wherever you see a 0, put a 1.
620
00:35:08,396 --> 00:35:17,326
So the wildcard mask could
be 00000000.00000000.00000000.01111111.
621
00:35:17,326 --> 00:35:21,496
So, you know, and take that all in binary
and then flip it as exactly the opposite
622
00:35:21,706 --> 00:35:22,866
and there, you have the wildcard mask.
623
00:35:22,866 --> 00:35:24,466
They are the weirdest looking things ever.
624
00:35:24,656 --> 00:35:30,266
So the question is what is that-- what
is that binary number as a decimal?
625
00:35:30,506 --> 00:35:36,986
Well, that's where you pull out your
mathematical mind and add 1,2,4,6,8,16--
626
00:35:37,856 --> 00:35:42,166
did I count that right-- 32, 64, right.
627
00:35:42,366 --> 00:35:44,566
That didn't feel right but,
you know how what I mean.
628
00:35:44,596 --> 00:35:49,566
You add all the binary digits up to 64
together, you know, in one big math problem.
629
00:35:49,746 --> 00:35:52,176
And that will give if you add them all up, 127.
630
00:35:52,946 --> 00:35:59,376
So the wildcard mask, instead of being nice and
easy as a subnet mask, I go in there and I say,
631
00:35:59,376 --> 00:36:04,176
"Actually, it's going to be 0.0.0.127.
632
00:36:04,836 --> 00:36:08,646
Creepy! That's it.
633
00:36:08,646 --> 00:36:13,166
That's the accurate way of identifying,
"I want to block that whole network."
634
00:36:13,166 --> 00:36:17,146
Now, I've got a shortcut for you, doing
it all binary, it's kind of painful.
635
00:36:17,366 --> 00:36:20,696
So what I usually do if I'm, like,
"Okay, what's the wildcard mask?"
636
00:36:21,026 --> 00:36:27,926
I take all 255 and subtract my subnet
mask that I want to kind of convert it
637
00:36:27,926 --> 00:36:35,176
over to a wildcard mask, and that will give me,
I mean, obviously, easy math there and I go 127,
638
00:36:35,316 --> 00:36:38,546
you know-- so that-- that is the
wildcard mask for this subnet mask,
639
00:36:38,546 --> 00:36:42,686
you know, /25 or 255.255.255.128.
640
00:36:42,686 --> 00:36:43,356
That's the opposite.
641
00:36:43,356 --> 00:36:48,296
So again, nice and bizarre, that's probably
the most difficult thing of access list.
642
00:36:48,296 --> 00:36:51,536
Next to figuring out which direction
to apply them is going, "Okay,
643
00:36:51,536 --> 00:36:54,216
what's up with this wildcard mask?
644
00:36:54,406 --> 00:36:54,986
Why would I use?"
645
00:36:54,986 --> 00:36:56,046
So let me ask you this.
646
00:36:56,046 --> 00:36:57,806
What would the wildcard mask be for this?
647
00:36:58,086 --> 00:37:04,076
If I were to generate a wildcard mask
for 192.168.1.0/24, what would it be?
648
00:37:04,076 --> 00:37:10,216
It'll be-- we'd say, Okay, deny or permit
192.168.1.0 with wildcard mask of 0.0.0.255.
649
00:37:10,846 --> 00:37:13,786
That's the flip opposite of a /24.
650
00:37:14,196 --> 00:37:19,136
and the way to think about is if you like
looking at things in terms of decimal,
651
00:37:19,296 --> 00:37:25,466
wherever you see a zero, that tells the
router, "Look at this, evaluate this.
652
00:37:25,466 --> 00:37:30,576
This access list is either permitting or denying
so when this packet comes in, look at this.
653
00:37:30,836 --> 00:37:32,716
Look at the 192."
654
00:37:32,716 --> 00:37:37,636
And then it goes, "Okay a zero -- that means
look at this, look at this, well 192.168.
655
00:37:37,636 --> 00:37:39,426
Oh a 1, look at this.
656
00:37:39,426 --> 00:37:43,686
You make sure that you're watching this
and then this last one is I don't care.
657
00:37:43,686 --> 00:37:49,856
Essentially, the 255 are all ones
says, "I don't really care what's
658
00:37:49,856 --> 00:37:51,226
in that last octet, and that's good."
659
00:37:51,226 --> 00:37:58,926
So if I have an access list that's saying deny
192.168.1.0, you know, this guy's 192.168.1.50
660
00:37:58,926 --> 00:38:01,646
and it's going to come in and say "Okay,
you're 192, I look at that, I look at that,
661
00:38:01,646 --> 00:38:07,116
look at that" and it's like .50, I don't
really care about that, you know, whatever.
662
00:38:07,116 --> 00:38:09,866
So you will be denied because
you start with this.
663
00:38:10,056 --> 00:38:13,156
So it's really like what do
you matching on with this.
664
00:38:13,466 --> 00:38:16,206
You could-- you won't do this but you could.
665
00:38:16,736 --> 00:38:21,816
You could do something like I want to
create an access list center that says,
666
00:38:21,956 --> 00:38:34,076
"I want to match 192.0.53.0 with
a wildcard mask of 0.255.0.255."
667
00:38:35,006 --> 00:38:39,606
And what that says is you know, let's just say
we said deny and then we put that information.
668
00:38:39,726 --> 00:38:44,336
Let's say, "Okay, I'm going to deny any IP
address that has 192 in the first octet.
669
00:38:44,956 --> 00:38:48,656
I don't care what's in the second
octet but they also have to have 53
670
00:38:48,656 --> 00:38:51,736
in the third octet, right 'cause that's a match.
671
00:38:51,736 --> 00:38:53,286
This one, I don't care what's
in the last octet."
672
00:38:53,696 --> 00:38:58,776
So you can actually deny things
based on, you know, just one octet,
673
00:38:58,776 --> 00:39:01,056
I mean if-- okay, let me ask you this.
674
00:39:01,356 --> 00:39:04,236
What do you think-- let's
say I want a wildcard mask
675
00:39:04,336 --> 00:39:07,936
that would deny everything all
the time, what would it look like?
676
00:39:08,566 --> 00:39:09,626
I would say deny.
677
00:39:09,626 --> 00:39:11,106
On the IP address, I would just put 0.0.0.0.
678
00:39:11,106 --> 00:39:13,336
It doesn't matter what you put there
'cause it's not really caring about.
679
00:39:13,336 --> 00:39:21,306
Wildcard mask 255.255.255.0 or so-- not 0--
255.255.255-- I've said that too often.
680
00:39:21,306 --> 00:39:27,926
255.255.255.255 it's very much saying deny,
I don't care, I don't care, you're denied.
681
00:39:28,076 --> 00:39:29,486
It doesn't matter what IP address you have.
682
00:39:29,766 --> 00:39:30,896
You could also go the other way.
683
00:39:30,896 --> 00:39:32,686
For instance, let me show you this.
684
00:39:32,686 --> 00:39:34,786
Remember when we did that access list?
685
00:39:35,016 --> 00:39:40,236
Let me just use access list 50 as an example.
686
00:39:40,366 --> 00:39:45,686
And I did permit and like in that
first example, we said host, you know,
687
00:39:45,686 --> 00:39:48,176
10.1.1.1 right, a different way of doing.
688
00:39:48,176 --> 00:39:49,316
So there's a couple of ways you can do it.
689
00:39:49,316 --> 00:39:54,136
A different way of doing it is I could've said
permit 10.1.1.1 but now, it's going to ask me
690
00:39:54,136 --> 00:39:56,676
for a wildcard mask so I would put 0.0.0.0.
691
00:39:56,676 --> 00:39:58,226
Now, watch this.
692
00:39:58,626 --> 00:40:00,826
I'll do a show IP access list.
693
00:40:02,756 --> 00:40:03,816
Access list 50.
694
00:40:03,816 --> 00:40:07,576
It's automatically dropped that
because it assumes the host command.
695
00:40:07,696 --> 00:40:08,916
I could've done the same thing.
696
00:40:08,916 --> 00:40:17,486
I could type in access list 51 permit host
10.1.1.1, hit the Enter key, show access list.
697
00:40:18,696 --> 00:40:20,136
Look they're one and the same.
698
00:40:20,136 --> 00:40:24,706
One, I used the wildcard mask of all zeros,
one, I used the host command to type it in there
699
00:40:24,706 --> 00:40:28,806
and it ends up being the
same thing, the same result.
700
00:40:30,156 --> 00:40:39,106
So back to the example, we were using access
list 2 up here and I said, deny 192.168.2.128
701
00:40:39,106 --> 00:40:41,616
with wildcard bits 0.0.0.127, right.
702
00:40:41,616 --> 00:40:44,206
So that's the opposite of the subnet mask.
703
00:40:44,206 --> 00:40:47,196
Okay, that's great and I'm
going to want to come back--
704
00:40:47,196 --> 00:40:49,326
good grief if we got these things at mess now.
705
00:40:49,326 --> 00:40:51,636
I'm going to come back in here and
I'm going to apply that algorithm.
706
00:40:51,636 --> 00:40:56,766
But before I do, remember an access list with
only a deny command will deny everything 'cause
707
00:40:56,766 --> 00:41:03,596
of the implicit so I need to go in
there and do access list 2 permit any.
708
00:41:04,226 --> 00:41:05,546
And let's get rid of the other one.
709
00:41:05,596 --> 00:41:09,456
No access list, my little demo
access list 50 and 51, they're gone.
710
00:41:10,316 --> 00:41:14,786
So to show IP access list, and now I've
got few of that-- I have access list.
711
00:41:14,786 --> 00:41:19,176
So I've got deny 192.168.2, okay, that
looks good and permit everything else.
712
00:41:19,176 --> 00:41:20,586
So now, I need to apply it.
713
00:41:20,866 --> 00:41:26,156
And since this said, "Only-- you know, I
just get rid of all this chicken scratch.
714
00:41:26,696 --> 00:41:32,996
Only deny access to this one
network, that's my focus.
715
00:41:33,216 --> 00:41:35,506
I'm going to go into the router.
716
00:41:35,506 --> 00:41:40,336
I'm going to say, "Okay, show IP
interface brief" and I'm going to look, I mean--
717
00:41:40,336 --> 00:41:42,726
Well, that's the network
I want to block access to.
718
00:41:42,976 --> 00:41:48,076
I don't want 192.168.2.128
to get there so I'll go
719
00:41:48,076 --> 00:41:52,516
into FastEthernet 0/0, IP access-group 2
'cause that's the access list I created right here,
720
00:41:53,236 --> 00:41:54,776
number 2, right?
721
00:41:55,236 --> 00:41:56,676
And then out.
722
00:41:57,396 --> 00:42:06,646
So as this network tries to go out FastEthernet
0/0, I'm going to deny them.
723
00:42:07,206 --> 00:42:08,096
So let's give it a try.
724
00:42:08,096 --> 00:42:11,966
I'm going to shoot over to Router
3 first, just to make sure.
725
00:42:12,286 --> 00:42:18,306
I'm going to do a ping 192.168.1.50
and it works.
726
00:42:18,456 --> 00:42:20,556
Now, don't be surprised.
727
00:42:20,556 --> 00:42:22,536
You're like, "Oh, I thought--
didn't we deny that network?"
728
00:42:22,536 --> 00:42:24,716
Yes, but Router 3 is not that network.
729
00:42:24,716 --> 00:42:29,816
Router 3 came from this IP address, 10.1.1.1.
730
00:42:29,906 --> 00:42:31,176
That's the IP address I pinged from.
731
00:42:31,176 --> 00:42:33,216
So the access list came in there.
732
00:42:33,216 --> 00:42:34,526
As a matter of fact, let's verify it.
733
00:42:34,746 --> 00:42:38,526
The access list said, "Well
10.1.1.1 come on in."
734
00:42:38,526 --> 00:42:42,966
So I'll do a show IP access-list,
you know, I see matches.
735
00:42:42,966 --> 00:42:44,756
You know, those pings are, you know, "come on in."
736
00:42:44,756 --> 00:42:48,596
You can feel free to come in, but
now let me show you something else.
737
00:42:48,596 --> 00:42:56,806
Let me first-- I'll do the PC, I'm going
to PC3 up there which is right here, okay?
738
00:42:57,506 --> 00:43:01,466
So PC 3 is right here so
I'm going to do a Ping--
739
00:43:01,466 --> 00:43:07,616
let's do Ping 192.168.1.50
which is that host over there.
740
00:43:08,036 --> 00:43:11,186
Hit the Enter key and sure enough,
I'm getting unreachable messages back.
741
00:43:11,186 --> 00:43:14,276
And those are usually a sure indicator
that you've done it right.
742
00:43:14,276 --> 00:43:18,576
But if you want to feel that warm and fuzzy
feeling, you can do a show access list.
743
00:43:18,576 --> 00:43:24,726
And now I can see I'm getting denied
packets from that access list.
744
00:43:24,966 --> 00:43:29,236
The other thing I wanted to show you is I
said Router 3 is not coming from this network.
745
00:43:29,236 --> 00:43:30,356
It's coming from this, right?
746
00:43:30,706 --> 00:43:31,956
Well, watch this.
747
00:43:32,066 --> 00:43:35,036
If I want to, I can make
it come from that network.
748
00:43:35,346 --> 00:43:35,826
Let's see how.
749
00:43:36,166 --> 00:43:41,836
I'm going to go to Router 3 and I'm going to
type in ping, you know that one works fine.
750
00:43:41,836 --> 00:43:44,826
It's coming from another one so I'm going to
hit the question mark after the ping command.
751
00:43:45,046 --> 00:43:50,266
I'm going to say, "I'm actually
coming from this source IP address."
752
00:43:50,576 --> 00:43:57,286
And I can either type in my IP address
or I type in 192.168.2.129 or I can type
753
00:43:57,286 --> 00:43:59,006
in the source, FastEthernet 0/0.
754
00:43:59,296 --> 00:44:04,096
And sure enough, now, take a look at this,
it says, I'm sending five pings to that guy
755
00:44:04,426 --> 00:44:12,756
with a source address of
192.168.2.129, which is right there,
756
00:44:12,756 --> 00:44:15,496
and you can see sure enough those
are all denied by the access-list.
757
00:44:15,496 --> 00:44:16,236
That's pretty cool.
758
00:44:16,266 --> 00:44:17,926
Okay. Last example, and first
off, at this point,
759
00:44:17,926 --> 00:44:22,766
you should feel a little more
warm and fuzzy about doing this.
760
00:44:22,766 --> 00:44:26,636
So you might just want to pause and write
this up on paper or try it on a router
761
00:44:26,636 --> 00:44:29,566
if you have one and see if
you can figure that out.
762
00:44:29,756 --> 00:44:37,426
But I'd like to use this last example to
illustrate an example of using named access-lists
763
00:44:37,536 --> 00:44:39,736
which I love far more than the numbered ones.
764
00:44:39,766 --> 00:44:45,606
So it says, "Create a standard
access-list to block 192.168.2.50,
765
00:44:45,906 --> 00:44:48,626
to this one, from reaching 10.1.1.1.
766
00:44:48,626 --> 00:44:49,356
That's this one.
767
00:44:49,356 --> 00:44:51,126
So, block them from getting there.
768
00:44:51,606 --> 00:44:54,346
So looking at that, I can think, "Okay.
769
00:44:54,346 --> 00:44:57,746
Well, I could either apply
it outbound right here.
770
00:44:57,746 --> 00:45:03,156
Can anyone say this guy is blocked from getting
here or I could apply it inbound right here.
771
00:45:04,266 --> 00:45:10,556
Now, basically, regardless of which one you
choose, the result is going to be the same.
772
00:45:10,666 --> 00:45:16,766
I'm not going to be able to reach this, but also
by saying block to this WAN IP address I'm going
773
00:45:16,766 --> 00:45:20,096
to automatically be denied from
reaching that network too. Why?
774
00:45:20,096 --> 00:45:22,736
Because standard access-lists
can't say what you're denied from.
775
00:45:22,986 --> 00:45:24,386
They just say, "You're denied."
776
00:45:24,386 --> 00:45:31,246
So, when I say deny 192.168.2.50 and apply
either out, excuse me, out right here
777
00:45:31,556 --> 00:45:35,956
or in right here then access-list
is going to say, "You are denied.
778
00:45:35,956 --> 00:45:37,666
You are denied from getting any further."
779
00:45:37,936 --> 00:45:45,896
So, honestly, I would think it might be a
little more efficient to apply it out right here
780
00:45:45,896 --> 00:45:49,576
because otherwise you have to cross
the whole WAN link just to find
781
00:45:49,576 --> 00:45:51,476
out on the other side that you're denied.
782
00:45:51,476 --> 00:45:53,706
It's like a bad trip to Disney Land, right?
783
00:45:53,706 --> 00:45:57,506
You got to drive all the way to California
just to find out Disney Land is closed
784
00:45:57,506 --> 00:45:58,726
for the day or something like that.
785
00:45:58,726 --> 00:46:02,006
So you don't want to have these
packets drive further than necessary.
786
00:46:02,226 --> 00:46:06,596
So in this case since the result is the same I'm
thinking applying it outbound right here would
787
00:46:06,596 --> 00:46:08,136
be the best way to go.
788
00:46:08,136 --> 00:46:09,046
So, let's do this.
789
00:46:09,046 --> 00:46:11,326
I'm going to get into Router 2.
790
00:46:11,686 --> 00:46:14,146
I haven't even been on this one yet.
791
00:46:14,616 --> 00:46:18,616
And let's go into global config mode.
792
00:46:18,616 --> 00:46:23,146
So now let me show you, so, so far we've been
using numbered access-lists, which is done by typing
793
00:46:23,146 --> 00:46:27,836
in access-list and a number, whatever
number we want to, to pick what kind.
794
00:46:28,166 --> 00:46:32,706
But the better way, I believe it's a lot cleaner
795
00:46:32,706 --> 00:46:37,136
or it just makes more sense
is to type in IP access-list.
796
00:46:37,876 --> 00:46:42,846
Okay. Same thing that we're after in access-list;
just putting the IP keyword in front
797
00:46:42,846 --> 00:46:46,206
of it tells it I'm going to
create a named access-list.
798
00:46:46,356 --> 00:46:50,796
So notice, instead of asking me for a number to
identify what kind it is it's just asking me,
799
00:46:50,796 --> 00:46:53,556
it's just like, "Hey, why don't
you just identify what it is?
800
00:46:53,556 --> 00:46:56,326
Is it a standard or is it
an extended access-list?
801
00:46:56,596 --> 00:46:58,226
Now, all these other commands are like, "Okay.
802
00:46:58,226 --> 00:46:59,676
Do you want to renumber it?
803
00:46:59,676 --> 00:47:01,416
Do you want to set up logging or a log update?"
804
00:47:01,416 --> 00:47:03,536
But really the main command is standard access--
805
00:47:03,536 --> 00:47:06,416
well, right now we are creating
standard access-list.
806
00:47:06,416 --> 00:47:07,396
So I'll type that.
807
00:47:07,396 --> 00:47:11,616
Well, you can even use this command to
modify one of the numbered ones, or now it gives you
808
00:47:11,616 --> 00:47:13,366
the option to type a name.
809
00:47:13,546 --> 00:47:19,066
So I'm going to say, BLOCK_PC_2_ACL.
810
00:47:19,066 --> 00:47:20,616
I put little underscores in between.
811
00:47:20,616 --> 00:47:21,646
You can't put spaces.
812
00:47:21,966 --> 00:47:25,086
But do you see how that makes more
sense when I do a show access-list?
813
00:47:25,086 --> 00:47:30,206
If I see BLOCK_PC_2_ACL-- it's going to bug me.
814
00:47:30,206 --> 00:47:36,416
Hang on. I want BLOCK_PC2,
not-- no underscore there.
815
00:47:36,416 --> 00:47:41,246
So BLOCK_PC2_ACL, now when I do
the show command I can see exact--
816
00:47:41,246 --> 00:47:43,266
just by looking at the name
I know what it is rather
817
00:47:43,266 --> 00:47:45,636
than being like, "Oh, what was number 73 again?"
818
00:47:45,676 --> 00:47:48,126
You know, you have to have some
kind of reference for that.
819
00:47:48,126 --> 00:47:49,476
So I'm going to say, "Okay.
820
00:47:49,476 --> 00:47:55,826
I want to block 192.168.2.50."
821
00:47:55,826 --> 00:47:58,116
So the way this works is it's just
as if I had typed IP access-list now--
822
00:47:58,116 --> 00:48:01,976
or access-list, you know, whatever I
want, now I can say permit or deny
823
00:48:02,236 --> 00:48:03,756
or I can even use the sequence number.
824
00:48:04,086 --> 00:48:08,556
Now, you saw that by default so far when we type
825
00:48:08,556 --> 00:48:11,676
and create an access-list it creates
sequence numbers of 10, right?
826
00:48:11,676 --> 00:48:13,726
The first command we type in is a sequence 10.
827
00:48:13,886 --> 00:48:14,966
Next one sequence 20.
828
00:48:14,966 --> 00:48:15,986
Next one sequence 30.
829
00:48:16,336 --> 00:48:19,226
Now, if you want to you can type
in your own sequence number.
830
00:48:19,226 --> 00:48:21,056
So I can say, sequence 100.
831
00:48:21,346 --> 00:48:25,316
You know, and then type in permit or deny, or
anything like that, or if I just type in permit
832
00:48:25,316 --> 00:48:28,816
or deny without typing any sequence
number it will automatically use
833
00:48:28,816 --> 00:48:30,166
that increment of 10 for me.
834
00:48:30,286 --> 00:48:31,696
So I'm good with that.
835
00:48:31,696 --> 00:48:33,106
So let's just say, deny.
836
00:48:33,106 --> 00:48:43,506
I want to deny 192.168.2.50, wildcard
bits 0.0.0.0, and then, you know, again,
837
00:48:43,506 --> 00:48:46,146
I've now got an access statement
or access list that's just a deny.
838
00:48:46,146 --> 00:48:49,376
So I'm going to say, "Permit any."
839
00:48:49,976 --> 00:48:59,666
Okay. So I'm going to go back and do a show
access-list and now I can see I've got an access list.
840
00:48:59,666 --> 00:49:03,316
Don't you love the name better, BLOCK_PC2_ACL?
841
00:49:03,316 --> 00:49:07,376
Same syntax as before:
sequence 10 deny that host.
842
00:49:07,376 --> 00:49:09,186
Sequence 20 permit everything else.
843
00:49:09,456 --> 00:49:17,406
So now I can go into interface
Serial 0/1 on that side.
844
00:49:17,806 --> 00:49:22,466
Network diagrams are essential
for this and do IP access-group
845
00:49:22,956 --> 00:49:25,946
and now I'll just type in
the name BLOCK_PC2_ACL.
846
00:49:26,136 --> 00:49:30,096
By the way, keep in mind,
oops, this is case sensitive.
847
00:49:30,506 --> 00:49:33,846
So if you use lower or uppercase,
you've got to keep it consistent.
848
00:49:33,846 --> 00:49:38,616
I always type them in all uppercase because
it's easy for me to see in a show run
849
00:49:38,616 --> 00:49:43,506
and then I'll hit question mark,
outbound, applying it out the Serial 0/1 interface.
850
00:49:43,856 --> 00:49:46,076
Good! So now I'm going to test it.
851
00:49:46,076 --> 00:49:47,276
I'm going to be sure that it works.
852
00:49:47,566 --> 00:49:54,306
Let's go to PC 2 and I'm
going to ping 192.168.2.
853
00:49:54,306 --> 00:49:58,206
Well, actually, the goal was
to block it from 10.1.1.1.
854
00:49:58,206 --> 00:50:00,566
So let's start there and make
sure we achieved our goal.
855
00:50:00,906 --> 00:50:04,866
And sure enough I'm getting those
unreachables. Show access-list.
856
00:50:05,356 --> 00:50:11,456
I can see that I'm denying that host so
it is working, but also just as a bonus
857
00:50:11,456 --> 00:50:14,146
because there's-- with the standard
there's no way of stopping it.
858
00:50:14,426 --> 00:50:18,656
I'm completely denying access to
everything beyond that WAN interface as well
859
00:50:18,656 --> 00:50:20,546
because it's just saying, "You are denied."
860
00:50:20,776 --> 00:50:25,196
With the access-lists, as
I said, the more and more
861
00:50:25,196 --> 00:50:27,436
and more you do the better and better they feel.
862
00:50:27,846 --> 00:50:33,146
What I would like you to do is first off, if
you have your own router or something like that,
863
00:50:33,416 --> 00:50:36,626
use that to practice the syntax
to come up with those scenarios.
864
00:50:36,626 --> 00:50:38,326
As a matter of fact you could
just run through the scenarios.
865
00:50:38,326 --> 00:50:40,016
You know, just bring up the slide.
866
00:50:40,016 --> 00:50:44,106
that I've been using this entire time, pause it,
and now see if you can do those three examples
867
00:50:44,106 --> 00:50:47,396
on your own without actually
watching me walk you through that.
868
00:50:47,646 --> 00:50:51,366
Then I would start going in
and coming up with your own scenarios.
869
00:50:51,366 --> 00:50:54,916
You know, come up with I want to
deny this from this and try it out.
870
00:50:54,916 --> 00:50:58,376
I'm going to make that GNS3
topology available to you.
871
00:50:58,376 --> 00:51:01,766
So if you have GNS3, if you've
played with that, maybe you check out,
872
00:51:01,766 --> 00:51:06,996
I think CBT Nuggets has some free GNS3 videos
that you can download if you don't have access
873
00:51:06,996 --> 00:51:11,236
to the whole thing, that will at least show
you how to get started with it and so on.
874
00:51:11,236 --> 00:51:14,706
It's, again, free emulator
software that you can use.
875
00:51:14,706 --> 00:51:16,856
You know, import that topology
and start practicing
876
00:51:16,856 --> 00:51:18,896
with the environment that
I've created right there.
877
00:51:19,416 --> 00:51:23,216
So once you're feeling pretty good about
standard access-lists go ahead and jump
878
00:51:23,216 --> 00:51:26,316
into the next one which is
going to be the extended world.
879
00:51:27,036 --> 00:51:30,336
I hope this has been informative for you
and I'd like to thank you for viewing.