All language subtitles for 30 - Routing - Configuring and Applying Standard Access Control Lists-eng

1 00:00:00,756 --> 00:00:04,696 >> Configuring and Applying Standard Access Control Lists.
2 00:00:05,056 --> 00:00:06,456 That title says it all.
3 00:00:06,656 --> 00:00:07,376 Let's get started.
4 00:00:08,286 --> 00:00:12,646 You might remember me saying in the previous Nugget that the only way to get access lists
5 00:00:12,646 --> 00:00:15,046 down is by doing them again and again and again.
6 00:00:15,046 --> 00:00:15,966 It's like subnetting.
7 00:00:15,966 --> 00:00:20,936 So that's what I've done here, is created a scenario of standard access lists in this case
8 00:00:20,936 --> 00:00:21,756 that we're going to work through.
9 00:00:22,306 --> 00:00:24,396 But before we dive right in, I want to go through
10 00:00:24,396 --> 00:00:27,146 and just familiarize ourselves with this whole network diagram.
11 00:00:27,146 --> 00:00:32,186 First off, left hand side, you can see we've got the 192.168.1 network.
12 00:00:32,186 --> 00:00:38,306 So we've got a computer on there, 192.168.1.50, default gateway is 1.1.
13 00:00:38,606 --> 00:00:39,856 And then we've got a WAN link.
14 00:00:39,856 --> 00:00:42,276 Now, we've gone to a slash 30 subnet mask in here.
15 00:00:42,276 --> 00:00:46,996 So again, using-- or practicing our subnetting skills, sometimes you're going to look at that
16 00:00:46,996 --> 00:00:50,836 and say, "Okay, well, what is that range, what IP addresses are in there?"
17 00:00:50,836 --> 00:00:55,526 Now, in this case, it's easy especially if you have experience looking at a slash 30
18 00:00:55,526 --> 00:00:58,106 because you know there's only two IPs and they're assigned
19 00:00:58,106 --> 00:00:59,786 on each side, but let's say, you didn't.
20 00:01:00,026 --> 00:01:04,766 What you would do is say, "Okay, well slash 30 as a decimal subnet mask, what is that?"
21 00:01:04,796 --> 00:01:05,826 Convert that back to decimal.
22 00:01:05,826 --> 00:01:11,846 So, that would be a 255.255.255.252.
23 00:01:11,946 --> 00:01:13,956 Now, so we might say, "Well, how did you know that?"
24 00:01:13,956 --> 00:01:15,176 Well, just 'cause I know.
25 00:01:15,346 --> 00:01:19,506 But when you take 30, essentially that means there's 30 ones in the subnet mask.
26 00:01:19,826 --> 00:01:23,346 So that's eight ones, eight ones, eight ones, six ones right there,
27 00:01:23,346 --> 00:01:26,136 so add them all up and there's your 30.
28 00:01:26,136 --> 00:01:28,576 So that will be where you get the 252,
29 00:01:28,576 --> 00:01:32,256 that's why, putting your six ones, that's six, like that.
30 00:01:32,256 --> 00:01:35,086 Now, the good news is that also gives you your increment.
31 00:01:35,236 --> 00:01:38,336 Remember, lowest network bit as a decimal is a 4.
32 00:01:38,376 --> 00:01:41,576 So I'm going to be able to reverse engineer my ranges.
33 00:01:41,576 --> 00:01:46,176 They would have had to start at 10.1.1.0, dot 4, dot 8, dot 12, you know,
34 00:01:46,176 --> 00:01:49,116 dah-dah-dah-dah down they go, so filling in the end ranges.
35 00:01:49,436 --> 00:01:52,136 And now, I've-- whoa, not written that right.
36 00:01:52,406 --> 00:01:54,446 Now, I've reverse engineered what we've got here.
37 00:01:54,446 --> 00:01:58,746 We've got-- so this one is 10.1.1.0 through 3, can't use zero,
38 00:01:58,746 --> 00:02:00,516 it's a network; can't use 3, it's a broadcast.
39 00:02:00,516 --> 00:02:05,086 So 1 and 2 are the usable IP addresses from there, right?
40 00:02:05,406 --> 00:02:07,346 So that explains our WAN link.
41 00:02:07,346 --> 00:02:08,896 So our WAN links are being very efficient.
42 00:02:08,896 --> 00:02:12,826 We're actually using VLSM in this scenario, Variable Length Subnet Mask,
43 00:02:12,826 --> 00:02:14,426 changing the subnet mask based on the fit.
44 00:02:14,426 --> 00:02:15,316 So what's up with this?
45 00:02:15,646 --> 00:02:21,506 Well, I put this on there, the slash 25 at both of these locations, because you will run
46 00:02:21,506 --> 00:02:23,266 into that subnet mask in the real world.
47 00:02:23,266 --> 00:02:24,376 A lot of people use it.
48 00:02:24,376 --> 00:02:30,516 It is very efficient, but also because they really want to show you how wildcard masks work,
49 00:02:30,516 --> 00:02:34,146 which is what ACLs really thrive on.
50 00:02:34,146 --> 00:02:37,886 So seeing this, you might say, "Okay, well, explain that to me, how do we do that?"
51 00:02:37,966 --> 00:02:45,166 Well, same thing, a slash 25 is really 255.255.255, that's, you know,
52 00:02:45,166 --> 00:02:48,606 8 plus 8 plus 8, that's 24 ones so far we've got.
53 00:02:48,606 --> 00:02:51,076 So 25 ones would be 128, right?
54 00:02:51,076 --> 00:02:57,836 So 1-- so you know, essentially, 1000000 is what that comes out to.
55 00:02:57,836 --> 00:03:04,146 So, this as a decimal number, that's our increment, is also 128,
56 00:03:04,146 --> 00:03:06,986 one of those nice weird ones where the subnet mask equals the increment.
57 00:03:07,206 --> 00:03:13,846 So looking at our network, that means we've got 192.168.2.0, is where it begins.
58 00:03:14,056 --> 00:03:15,306 Dot 2 dot 128.
59 00:03:15,446 --> 00:03:17,856 Now, what do you get if you add 128 to 128?
60 00:03:18,346 --> 00:03:26,046 256. So filling in the end ranges, and there's our two ranges that we go, okay,
61 00:03:26,046 --> 00:03:31,406 so we really have broken a class C network into two subnetworks,
62 00:03:31,626 --> 00:03:34,636 one of them going from 0 to 127, that's this one.
63 00:03:34,716 --> 00:03:37,306 So default gateway is dot 1, he is dot 50.
64 00:03:37,626 --> 00:03:42,406 The second range going from 128 to 255, again, can't use the first one, can't use the last one.
65 00:03:42,406 --> 00:03:46,996 So you notice on this side, I kind of drew through it, the default gateway is dot 129,
66 00:03:46,996 --> 00:03:50,426 the first usable IP address from that range and this computer just happens
67 00:03:50,426 --> 00:03:53,016 to be another one in that range, dot 150, right?
68 00:03:53,396 --> 00:04:00,866 So, good, I mean, that's really good 'cause, you know, to truly get access lists in all their glory,
69 00:04:01,246 --> 00:04:04,006 you have to be one that understands the subnetting behind it.
70 00:04:04,006 --> 00:04:06,066 Okay. So that's what we've got so far.
71 00:04:06,066 --> 00:04:12,616 Now, what I've done is I've actually set up this little scenario in GNS3.
72 00:04:13,286 --> 00:04:16,616 Now, I do this series totally out of order.
73 00:04:16,616 --> 00:04:23,396 So I'm actually recording this access list Nugget before I've done routing.
74 00:04:23,396 --> 00:04:26,656 Why? 'Cause I just wanted to record access lists.
75 00:04:26,656 --> 00:04:30,656 So I don't know if I've shown you GNS3 yet, but if I haven't, this is GNS3.
76 00:04:30,656 --> 00:04:36,606 A CBT Nugget, actually Keith Barker just released a total series on how to use GNS3.
77 00:04:36,606 --> 00:04:39,926 It is a free emulator for Cisco.
78 00:04:40,206 --> 00:04:44,756 So just in case I did mention this-- mentioned this earlier, I won't dive into it
79 00:04:44,756 --> 00:04:47,646 in all its glory, but this is the topology that we've set up.
80 00:04:47,646 --> 00:04:51,516 These are essentially running the real Cisco IOS.
81 00:04:51,516 --> 00:04:58,926 I'm using a 2691 platform, if I could keep that little thing there, 2691 platform.
82 00:04:58,926 --> 00:05:03,936 I've just found that to be really stable with the 12.4 IOS on there.
83 00:05:03,936 --> 00:05:07,306 So, we have this environment running.
84 00:05:07,306 --> 00:05:12,556 The last piece I'll add on the set of it all is I've gone in and set up--
85 00:05:12,556 --> 00:05:14,926 I'll do a show IP interface brief on router 1.
86 00:05:14,926 --> 00:05:15,876 I can see the interfaces.
87 00:05:15,876 --> 00:05:19,956 So again, router 1 is this guy, upper left corner.
88 00:05:19,956 --> 00:05:24,926 We can bring-- my terminal back, bring the terminal so we can see
89 00:05:24,926 --> 00:05:30,826 and I see a FastEthernet0/0 192.168.1.1, that matches.
90 00:05:30,826 --> 00:05:34,866 Serial0/0 10.1.1.6, that matches, and I'm able to verify that.
91 00:05:35,056 --> 00:05:37,976 But I've also set up RIP, this is just a base config on there.
92 00:05:37,976 --> 00:05:44,696 I'm going to do a show IP route and you can see that router 1 knows how to reach all
93 00:05:44,696 --> 00:05:47,296 of the networks in our little mini-enterprise here.
94 00:05:47,396 --> 00:05:57,576 So he is able to reach, you know, 192.168.2.128.
95 00:05:57,576 --> 00:06:11,586 So I can ping-- or that network, so I can ping 192.168.2.129, excuse me.
96 00:06:11,586 --> 00:06:13,146 So this represents the network.
97 00:06:13,146 --> 00:06:15,656 I'm pinging the default gateway.
98 00:06:15,656 --> 00:06:18,896 That's this guy on that network, receiving successful.
99 00:06:18,896 --> 00:06:22,536 So as a foundation, we have full IP connectivity.
100 00:06:22,536 --> 00:06:27,796 Okay, if you're watching closely, you just saw the whole scenario for number 1 changed.
101 00:06:27,796 --> 00:06:34,296 And that's just because I started getting into it, I'm like, ah, this is just too--
102 00:06:34,296 --> 00:06:39,386 we can do it, it was just the old one I had up there just a second ago,
103 00:06:39,476 --> 00:06:43,446 was too complex for example number 1, so I changed it a little bit.
104 00:06:43,446 --> 00:06:44,766 So let's get into it.
105 00:06:44,766 --> 00:06:48,526 Before we configure an access list, recall in your mind,
106 00:06:48,586 --> 00:06:52,496 there are two distinct phases of access list setup.
107 00:06:52,496 --> 00:06:54,246 Number one is configuration.
108 00:06:54,286 --> 00:07:00,066 We need to go on the device and set the access list up.
109 00:07:00,066 --> 00:07:06,196 This is done from global configuration mode and we put
110 00:07:06,196 --> 00:07:09,416 in our list of permit and deny statements.
111 00:07:09,416 --> 00:07:10,316 We can do that all day.
112 00:07:10,316 --> 00:07:17,956 We could create a thousand access lists and it will never do a thing until we hit step 2,
113 00:07:18,056 --> 00:07:21,696 which is application, and this is where the action really happens.
114 00:07:21,696 --> 00:07:27,036 I mean, if you're thinking about-- I don't know why this came into my head, but you know,
115 00:07:27,036 --> 00:07:35,196 when you were a kid and you built those little matchbox race cars, you can build them all day,
116 00:07:35,586 --> 00:07:41,816 but until you put them on the ramp, and say go, they're not--
117 00:07:41,816 --> 00:07:47,806 they're just going to sit there and look pretty and that's all these access lists do,
118 00:07:47,806 --> 00:07:51,826 and the application is where all the action happens.
119 00:07:51,986 --> 00:07:59,846 We're going to apply it in terms of security; but keep in mind, we can apply this in terms
120 00:08:00,196 --> 00:08:02,706 of quality of service, in terms of VPN.
121 00:08:03,006 --> 00:08:05,706 This is just a list, a way of matching stuff.
122 00:08:05,706 --> 00:08:10,186 So how we apply it says what that matching will then do to all of that stuff.
123 00:08:10,186 --> 00:08:18,816 So, we are set from a goal of saying, I want to block 10.1.1.1, that is router 3 right here,
124 00:08:18,816 --> 00:08:36,236 from reaching 10.1.1.6, that is router 1 right there, and 192.168.1.0/24, so this whole network.
125 00:08:36,236 --> 00:08:38,236 So I'm saying, I want to block him from coming over here
126 00:08:38,236 --> 00:08:41,176 and reaching him or him or those networks.
127 00:08:41,176 --> 00:08:48,536 So I mean, envision with me, we're going to build a wall here
128 00:08:48,636 --> 00:08:51,146 to block that guy from coming over here.
129 00:08:51,296 --> 00:08:55,236 Now, I know you're probably like, "Okay, it makes sense, I don't really need the picture,"
130 00:08:55,276 --> 00:08:58,836 but you do, because even though we first go in and configure the access list, you know,
131 00:08:58,836 --> 00:09:02,426 you're in global config mode and you do it.
132 00:09:02,426 --> 00:09:04,766 You have to already be thinking ahead.
133 00:09:04,766 --> 00:09:10,026 It's like a game of chess, you got to be two steps ahead thinking, "Okay,
134 00:09:10,026 --> 00:09:13,916 I'm going to set this up, but where am I going to apply this?"
135 00:09:13,916 --> 00:09:16,676 Now, let's think about a standard access list.
136 00:09:16,676 --> 00:09:20,246 A standard access list filters only on IP source information, right?
137 00:09:20,246 --> 00:09:21,416 Think this through with me.
138 00:09:21,416 --> 00:09:23,086 IP source address information.
139 00:09:23,086 --> 00:09:26,456 So based on who you are, so for instance, this guy says, "Hello,
140 00:09:26,456 --> 00:09:28,336 I'm 10.1.1.1," that is all we can filter on.
141 00:09:28,366 --> 00:09:30,016 I can say, "Okay, 10.1.1.1, you are denied."
142 00:09:30,046 --> 00:09:30,526 [laughs] And he goes, "Thanks."
143 00:09:30,556 --> 00:09:31,126 What do you say to that?
144 00:09:31,156 --> 00:09:31,876 I mean, well, denied from what?
145 00:09:31,906 --> 00:09:34,156 Well, it depends where we put this access list, and this is where we got to be careful.
146 00:09:34,186 --> 00:09:35,356 You might say, "Well, we want to catch it right here,
147 00:09:35,386 --> 00:09:37,426 I want to block 10.1.1.1 from reaching those networks.
148 00:09:37,456 --> 00:09:39,316 So let's block 'em right here as soon as he tries to get into router 2."
149 00:09:39,346 --> 00:09:40,546 And you're already thinking in terms of direction.
150 00:09:40,576 --> 00:09:42,616 So as he's coming in, because we are going to have to apply this in the direction
151 00:09:42,646 --> 00:09:43,636 to router 2, I want to block him, right?
152 00:09:43,666 --> 00:09:43,966 Well, careful.
153 00:09:43,996 --> 00:09:46,366 If I do that, I can just say 10.1.1.1, you are denied from coming
154 00:09:46,396 --> 00:09:47,536 into router 2, what have I blocked him from?
155 00:09:47,566 --> 00:09:49,456 He can't reach this, he can't reach this, he can't reach this, he can't reach this.
156 00:09:49,486 --> 00:09:50,416 I mean, yes, did I accomplish my goal?
157 00:09:50,446 --> 00:09:51,136 Yes, but with the sledgehammer.
158 00:09:51,166 --> 00:09:52,606 It's like saying, "Oh, let's just take him out from everything,"
159 00:09:52,636 --> 00:09:53,566 and that's not what the scenario said.
160 00:09:53,596 --> 00:09:55,636 The scenario didn't tell us to block it from here and here and here and all that.
161 00:09:55,666 --> 00:09:56,476 It just said block it over here.
162 00:09:56,506 --> 00:09:58,696 So, okay, what that tells me is since we are only able to match based on the source, right,
163 00:09:58,726 --> 00:10:01,786 are you following me here, since I can only say 10.1.1.1 is denied, then I got to go as close
164 00:10:01,816 --> 00:10:02,806 to the destination as I possibly can.
165 00:10:02,836 --> 00:10:05,266 I'm probably going to go-- matter of fact, I'm probably going to create this right on router 1
166 00:10:05,296 --> 00:10:07,276 and I'm going to apply it, you know, as they're coming in this interface because that--
167 00:10:07,306 --> 00:10:09,016 you know, then I can say you're denied and not deny them from too much,
168 00:10:09,046 --> 00:10:09,976 that accomplishes my objectives, right?
169 00:10:10,416 --> 00:10:13,846 I can say you're denied because now you won't be able
170 00:10:13,846 --> 00:10:15,846 to reach this nor will you be able to reach this.
171 00:10:16,156 --> 00:10:20,226 But, you know, that access list doesn't exist until we get there, so we can reach everything in between.
172 00:10:20,226 --> 00:10:21,736 So let's-- let's do this.
173 00:10:21,736 --> 00:10:23,766 I'm going to bring up router 1.
174 00:10:23,766 --> 00:10:25,796 No, I'm going to bring up router 3.
175 00:10:25,796 --> 00:10:28,736 And I'm just going to-- I want to, before we do anything, we got
176 00:10:28,736 --> 00:10:30,186 to know what-- what we've come from.
177 00:10:30,186 --> 00:10:31,676 I'm going to make sure that I can ping to this.
178 00:10:31,676 --> 00:10:33,316 As a matter of fact I'm going to telnet to that.
179 00:10:33,316 --> 00:10:34,946 I'll make sure I can ping this IP address.
180 00:10:34,946 --> 00:10:38,076 Just make sure everything is working 'cause if you don't know what you have beforehand,
181 00:10:38,076 --> 00:10:40,106 you don't know if you accomplished anything.
182 00:10:40,416 --> 00:10:43,026 So let's-- let's go here, I'm on router 3.
183 00:10:43,536 --> 00:10:46,976 Enable, do a show IP interface brief, just to orient ourselves.
184 00:10:46,976 --> 00:10:48,436 I see there's my FastEthernet.
185 00:10:48,436 --> 00:10:49,126 Life is good.
186 00:10:49,126 --> 00:10:50,026 Okay, there's my zero.
187 00:10:50,026 --> 00:10:50,816 So I'm going to ping.
188 00:10:50,816 --> 00:10:53,476 Let's do a ping to 10.1.1.6.
189 00:10:53,576 --> 00:10:54,156 We are good.
190 00:10:54,156 --> 00:10:54,906 We are humming along.
191 00:10:54,906 --> 00:10:57,976 Ping 192.168.1.50.
192 00:10:57,976 --> 00:11:02,436 So I am okay, that's not as good.
193 00:11:02,636 --> 00:11:04,656 I'm glad we tested this.
194 00:11:04,656 --> 00:11:06,256 So anyhow, let's do a show IP route.
195 00:11:06,256 --> 00:11:09,856 I want to make sure that I can get there, 10.1.1, so--
196 00:11:09,856 --> 00:11:12,716 it says I know how to reach the 10.1.1.1 network.
197 00:11:12,716 --> 00:11:14,506 So let's go over to router 1.
198 00:11:15,226 --> 00:11:17,846 I bet you I forgot to configure that PC.
199 00:11:17,846 --> 00:11:19,296 Well, let's find out.
200 00:11:19,296 --> 00:11:20,786 Show IP interface brief.
201 00:11:20,786 --> 00:11:23,236 I just want to make sure the interface is up, okay?
202 00:11:23,236 --> 00:11:29,096 So let's try from here, ping 192.168.1.50.
203 00:11:29,306 --> 00:11:33,856 Oh, Jeremy, you forgot something completely.
204 00:11:34,276 --> 00:11:39,206 You know what, all these PCs, so these PCs, they're not really PCs.
205 00:11:39,376 --> 00:11:43,256 They're actually routers that I made to look like PCs.
206 00:11:43,256 --> 00:11:47,666 And I completely forgot to give them a default gateway and they're not running RIP.
207 00:11:47,666 --> 00:11:48,656 They don't know how to get out.
208 00:11:48,836 --> 00:11:50,846 So here, hang with me.
209 00:11:50,846 --> 00:11:52,046 Let's-- let's do this on the first one.
210 00:11:52,046 --> 00:11:53,446 That's a good troubleshooting technique.
211 00:11:53,446 --> 00:11:58,006 So I'm going to open my little PC 1, show IP interface brief.
212 00:11:58,296 --> 00:12:03,216 It's got an IP address, but when I do a show IP route, it's like, "I don't know anything."
213 00:12:03,216 --> 00:12:04,986 I mean I don't have a default gateway.
214 00:12:04,986 --> 00:12:06,436 I don't-- I don't have anything.
215 00:12:06,436 --> 00:12:07,296 So watch this.
216 00:12:07,296 --> 00:12:11,626 Let me-- let me show you how to reduce a Cisco router to like a nothing.
217 00:12:11,626 --> 00:12:15,116 Like this is like insulting to a Cisco router to do this.
218 00:12:15,116 --> 00:12:16,936 I'm going to do no IP routing.
219 00:12:18,226 --> 00:12:19,556 I pretty much said yes.
220 00:12:19,556 --> 00:12:22,176 You are a router but you cannot route.
221 00:12:22,176 --> 00:12:24,746 You're not really routing because I'm just going to make you like a host.
222 00:12:24,746 --> 00:12:30,676 I'm going to do IP default gateway and we'll do 192.168.1.1.
223 00:12:30,676 --> 00:12:31,176 There we go.
224 00:12:31,176 --> 00:12:32,776 So now I'll do a show IP route.
225 00:12:32,776 --> 00:12:34,996 Notice it totally changes.
226 00:12:34,996 --> 00:12:39,026 It's like, you know, I used to be able to do all this but now I am a nothing.
227 00:12:39,336 --> 00:12:40,456 I can't get anywhere.
228 00:12:40,456 --> 00:12:43,166 All I know is my default gateway is this.
229 00:12:43,166 --> 00:12:46,576 So I've reduced this router to essentially a PC.
230 00:12:46,576 --> 00:12:49,136 So I'm going to save that in the config files 'cause they're actually going
231 00:12:49,136 --> 00:12:53,496 to make these GNS3 config files available to you so you are able to try this out
232 00:12:53,496 --> 00:12:55,746 and like I said, practice makes perfect on this.
233 00:12:55,746 --> 00:12:57,886 So let me get in here and do the same.
234 00:12:57,886 --> 00:12:58,386 Let me pause.
235 00:12:58,386 --> 00:13:00,916 I'm just going to do the same thing for PC 2 and PC 3.
236 00:13:01,876 --> 00:13:02,626 All right, that's done.
237 00:13:02,626 --> 00:13:07,286 So now it's your-- let's go back to router 3 and I'll just hit the up arrow.
238 00:13:07,286 --> 00:13:11,626 Fail-- Failed before but should-- should work now.
239 00:13:11,776 --> 00:13:13,386 Okay, it worried me for a second.
240 00:13:13,386 --> 00:13:13,886 Okay, there we go.
241 00:13:13,886 --> 00:13:17,546 So we've got-- we've got router 3 now able to fully ping.
242 00:13:17,546 --> 00:13:20,316 So this verifies router 3 is able to get here.
243 00:13:20,316 --> 00:13:21,596 He's able to get all the way to the PC.
244 00:13:21,596 --> 00:13:24,656 Let's-- let's just do one more test 'cause I'd like to check this out as well.
245 00:13:24,656 --> 00:13:27,516 I'm going to even telnet 10.1.1.6.
246 00:13:27,516 --> 00:13:29,536 It comes up and says you are there.
247 00:13:29,536 --> 00:13:34,526 So I am telneting from-- I just telneted from router 3 all the way to router 1
248 00:13:34,526 --> 00:13:37,486 and it shows we connected and we are good.
249 00:13:37,836 --> 00:13:41,046 So-- so we have verified IP connectivity.
250 00:13:41,046 --> 00:13:42,496 Now let's get into the access list.
251 00:13:42,906 --> 00:13:46,686 This access list, based on all the chicken scratch
252 00:13:46,686 --> 00:13:50,006 on the screen, I'm going to create on router 1.
253 00:13:50,386 --> 00:13:53,096 So let me just wipe off all that.
254 00:13:53,096 --> 00:13:57,806 Okay, I'm going to create it over here on router 1 so that I block those coming over.
255 00:13:57,806 --> 00:14:01,406 So I'm going to, first, on router 1 and not router 3.
256 00:14:01,516 --> 00:14:02,486 Let's go to router 1.
257 00:14:02,836 --> 00:14:06,766 Go into global configuration mode and type
258 00:14:07,066 --> 00:14:11,356 in the command access-list followed by a question mark.
259 00:14:11,356 --> 00:14:15,576 And by the way, if you haven't gotten used to using your question mark, now is the time.
260 00:14:15,636 --> 00:14:17,896 Question mark through the access list is almost critical.
261 00:14:18,376 --> 00:14:21,946 So you can see right away the Cisco router is like, "Well okay, you said access list.
262 00:14:21,946 --> 00:14:24,336 What kind of access list would you like to create?"
263 00:14:24,576 --> 00:14:26,456 Now you see in this list there's a whole bunch of them.
264 00:14:26,456 --> 00:14:28,856 But most of them, they're like, "Okay, I'm not going to use,
265 00:14:28,856 --> 00:14:34,326 I'm not going to create an AppleTalk access list, IPX access list, DECnet [phonetic]."
266 00:14:34,326 --> 00:14:39,766 I mean these are protocols we just haven't seen for decades, or I would say at least a decade,
267 00:14:39,986 --> 00:14:42,296 because TCP/IP has replaced them all.
268 00:14:42,566 --> 00:14:46,476 The main one that we care about is right up here, standard and extended,
269 00:14:46,476 --> 00:14:48,156 just what I was mentioning in the last Nugget.
270 00:14:48,156 --> 00:14:54,436 So-- so based on the number I typed in, the router knows what kind of access list I create.
271 00:14:54,436 --> 00:14:59,116 So if I type, for instance, access-list 5 and start configuring my options from there,
272 00:14:59,466 --> 00:15:03,446 the router knows I'm creating a standard access list and it will give me one set of options,
273 00:15:03,446 --> 00:15:07,726 versus if I put 105 it knows I'm creating an extended access list.
274 00:15:07,726 --> 00:15:11,326 This is going to give me a totally different set of options.
275 00:15:11,326 --> 00:15:13,076 So in here we're going to focus on standard.
276 00:15:13,076 --> 00:15:16,156 So do access-list, let's just start with one, right?
277 00:15:16,366 --> 00:15:21,686 Now a list, and I'm creating my-- my access list can contain as many statements as you want.
278 00:15:21,686 --> 00:15:25,256 So I have a list one, but it could contain many of them.
279 00:15:25,256 --> 00:15:29,996 Also, also notice, so you'd say, okay, so I can create 99 access lists per router, right?
280 00:15:30,266 --> 00:15:34,206 Well, yes, that was in the original version of the IOS, that's the limit.
281 00:15:34,206 --> 00:15:37,376 But I've never seen a router with a hundred access lists on it,
282 00:15:37,376 --> 00:15:38,936 but I'm sure they exist out there.
283 00:15:39,316 --> 00:15:43,526 And because of that you can see that Cisco has come up with an expanded range.
284 00:15:43,526 --> 00:15:49,306 So they say if you run out of numbers 1 through 99, there's 600, 700 more that you are able to use.
285 00:15:49,436 --> 00:15:52,496 Same thing right here, expanded range for the IP extended.
286 00:15:52,746 --> 00:15:56,106 But all of that being said, I'm also going to show you this later.
287 00:15:56,106 --> 00:15:58,446 You can also use named access lists.
288 00:15:58,446 --> 00:16:02,636 So instead of using a number I can say access list denied Bob or something like that
289 00:16:02,786 --> 00:16:04,746 and create as many of those as I want.
290 00:16:05,056 --> 00:16:09,136 So I hit the question mark and it's saying okay, you are now configuring your first statement
291 00:16:09,136 --> 00:16:11,606 in access list one, your first line entry.
292 00:16:11,666 --> 00:16:15,876 So I'm going to say, "Okay, well-- well, what I wanted to do is I wanted to deny somebody."
293 00:16:15,976 --> 00:16:20,616 And I hit the question mark and it says okay, well-- well, who do you want to deny?
294 00:16:20,616 --> 00:16:23,356 Do you want to deny, oh, anybody?
295 00:16:23,636 --> 00:16:30,656 Do you deny just a single host, or is there a specific address that you want to match here?
296 00:16:30,656 --> 00:16:34,096 And so I'm looking here, I'm like, "Okay, well-- well, actually--
297 00:16:34,566 --> 00:16:36,596 there's actually a couple of ways I could go about it."
298 00:16:36,596 --> 00:16:38,616 I'll-- I'll do one way first.
299 00:16:38,886 --> 00:16:42,276 I'm going to deny 10.1.1.1.
300 00:16:42,276 --> 00:16:44,496 Now that's just-- it's just that's one host.
301 00:16:44,496 --> 00:16:46,946 I mean that's my whole focus right now is that one host.
302 00:16:46,946 --> 00:16:51,056 So-- so I'm going to take the easy route and I'll show you why in a little bit.
303 00:16:51,056 --> 00:16:56,726 I'm going to type in deny host, a single host address, and they are 10.1.1.1.
304 00:16:56,726 --> 00:16:59,336 You see how this question mark is so critical?
305 00:16:59,336 --> 00:17:01,256 So now it says, "Okay, well, if you want,
306 00:17:01,256 --> 00:17:05,256 I can also create syslog messages anytime this host is denied so you know
307 00:17:05,256 --> 00:17:07,826 that they're being denied," or you just press the enter key.
308 00:17:08,056 --> 00:17:11,216 Now, say, most of the time, unless you're really interested if that host is denied
309 00:17:11,336 --> 00:17:13,546 or not, there's other ways of verifying that.
310 00:17:13,856 --> 00:17:17,356 I'll just press the enter key 'cause the more logs you put on there, the more it's going
311 00:17:17,356 --> 00:17:20,836 to start filling up all your memory buffers and syslog servers
312 00:17:20,836 --> 00:17:25,096 with all these entries saying this guy's denied, this guy has been permitted, so, ta-da!
313 00:17:25,376 --> 00:17:27,736 We've created our first line in our access list.
314 00:17:28,326 --> 00:17:32,896 So I'm going to type in the command from privileged mode, show IP access list,
315 00:17:32,896 --> 00:17:35,516 and it's like, "Hey, you've now created list number one.
316 00:17:35,856 --> 00:17:41,806 Inside of there is denied 10.1.1.1," and now the Cisco router added this to the front.
317 00:17:41,806 --> 00:17:42,566 What's that?
318 00:17:42,766 --> 00:17:44,506 It's sequence 10.
319 00:17:45,326 --> 00:17:50,016 You're going to find out that the Cisco router allows us to squeeze entries in.
320 00:17:50,016 --> 00:17:53,936 So for instance, the next line that I add, by default, unless I change it, is going
321 00:17:53,936 --> 00:17:57,126 to be sequence 20, sequence 30, sequence 40.
322 00:17:57,126 --> 00:17:59,506 The more lines I add, they add the sequence number,
323 00:17:59,506 --> 00:18:04,026 so what I can do is come in and-- and squeeze things in.
324 00:18:04,026 --> 00:18:07,686 So I create 10, denied this person; 20, permit that person; 30, denied that person.
325 00:18:07,686 --> 00:18:10,746 Now suddenly I'm like, "Oh, I forgot, I wanted to put one here."
326 00:18:11,016 --> 00:18:15,576 Now in the old days, when I first got into Cisco, there were no sequence numbers.
327 00:18:15,576 --> 00:18:19,726 If you had to squeeze something in you had to delete the whole access list and recreate it.
328 00:18:20,486 --> 00:18:21,426 Yeah, seriously!
329 00:18:21,616 --> 00:18:22,616 It was painful.
330 00:18:22,816 --> 00:18:27,186 But now I can just say, "Well, I want to squeeze in sequence number 15 and put a line kind of in
331 00:18:27,186 --> 00:18:29,996 between those so I can change the order of the events."
332 00:18:29,996 --> 00:18:32,136 So let's-- let's continue on from there.
333 00:18:32,136 --> 00:18:33,356 So is this guy ready?
334 00:18:33,356 --> 00:18:34,686 Can I just apply this?
335 00:18:35,226 --> 00:18:42,546 No! That would run into one of the most common, devastating events
336 00:18:42,546 --> 00:18:43,966 that you could do with access lists.
337 00:18:44,556 --> 00:18:45,856 Here's access list one, right?
338 00:18:45,856 --> 00:18:47,766 We've-- we've created our first-- our first list.
339 00:18:47,906 --> 00:18:53,186 And we have said sequence 10 is denied 10.1.1.1, right?
340 00:18:53,186 --> 00:18:54,696 And that's the only thing that's in there.
341 00:18:55,036 --> 00:18:56,506 Now think back to the last Nugget.
342 00:18:57,456 --> 00:19:01,426 What is at the bottom of every access list?
343 00:19:01,656 --> 00:19:05,876 And the last thing that I said, you won't see it there, but it's there.
344 00:19:06,016 --> 00:19:06,706 Anyone remember?
345 00:19:07,146 --> 00:19:08,796 Yeah, you, yeah, okay, you in the red shirt.
346 00:19:09,776 --> 00:19:10,566 Deny everything.
347 00:19:10,716 --> 00:19:11,356 You got it.
348 00:19:11,596 --> 00:19:12,706 Deny everything.
349 00:19:15,496 --> 00:19:18,526 So if-- in this-- let me make a statement.
350 00:19:18,526 --> 00:19:20,496 This is-- this is a key statement to remember. 351 00:19:20,746 --> 00:19:26,006 If you have an access list that just has deny entries, it is an access list 352 00:19:26,006 --> 00:19:28,696 that will completely cut off all network connectivity if you apply it. 353 00:19:29,106 --> 00:19:32,056 You must have at least one permit statement in there 354 00:19:32,236 --> 00:19:34,156 or else you might as well unplug the cable. 355 00:19:34,296 --> 00:19:38,916 I mean if I were to take this and now apply it to this interface, inbound, it would say, "Okay, 356 00:19:38,986 --> 00:19:41,826 I'm going to deny this person and then I'm going to deny everybody else." 357 00:19:42,076 --> 00:19:43,716 And you might as well shut the interface 358 00:19:43,716 --> 00:19:47,306 down 'cause that's exactly what you've done, and that's so easy. 359 00:19:47,306 --> 00:19:51,526 I mean in a quick move without thinking it through sometimes you're like, "Oh man, 360 00:19:51,526 --> 00:19:55,776 we're under attack because a new SQL Slammer virus, worm came out. 361 00:19:55,776 --> 00:20:00,176 Let's-- let's go out and deny this-- this source IP address from China or wherever it's coming 362 00:20:00,176 --> 00:20:05,226 in from that this attack originated," and so you quickly say, "Oh, deny this" 363 00:20:05,226 --> 00:20:09,676 and then you go apply it and, well, I would say you're safe, you've protected yourself 364 00:20:09,676 --> 00:20:11,886 because you completely cut off the internet connection, 365 00:20:12,186 --> 00:20:13,976 which is probably not what your intentions were. 366 00:20:14,476 --> 00:20:17,596 So what we need to do is add in a permit. 367 00:20:17,596 --> 00:20:22,966 So, let's think this through, what-- if I'm denying this one then what am I permitting? 368 00:20:24,016 --> 00:20:25,556 Everything else, right?
369 00:20:25,556 --> 00:20:28,776 I mean this shouldn't be impacted, this just said deny that 370 00:20:28,776 --> 00:20:31,266 and that alone, so I want to permit everybody. 371 00:20:31,666 --> 00:20:33,056 Okay, let's go back there. 372 00:20:33,836 --> 00:20:36,056 There was actually-- did you see the keyword in there for that? 373 00:20:36,056 --> 00:20:37,446 So, let's add line number 2. 374 00:20:37,446 --> 00:20:41,656 So I'm going to say access-list 1 and now we're going to say, okay, permit, 375 00:20:43,536 --> 00:20:46,146 anyone have a guess what keyword? 376 00:20:46,686 --> 00:20:49,426 Any, any source host, right? 377 00:20:49,966 --> 00:20:50,646 So check this out now. 378 00:20:51,126 --> 00:20:59,766 I'll do a show ip access-list and right there I can see access list 1 now has two statements. 379 00:20:59,766 --> 00:21:00,816 You see how this is building. 380 00:21:01,266 --> 00:21:04,856 Statement 10 says deny that person, and statement 20 is permit anybody else. 381 00:21:04,856 --> 00:21:07,036 Now-- now you might think, "Okay. 382 00:21:07,036 --> 00:21:09,616 Well so-- what about the implicit deny at the end?" 383 00:21:10,466 --> 00:21:14,946 Well, now that we put a permit all before it, we will never get there. 384 00:21:15,336 --> 00:21:20,096 Remember the rules of an access list: as a router, so as packets are coming in, 385 00:21:20,376 --> 00:21:21,726 the router is going to now filter and say, 386 00:21:21,726 --> 00:21:23,746 "Are you this person? 'Cause if you are, you're denied. 387 00:21:23,996 --> 00:21:26,766 Okay, if you're not this person, you hit this permit all statement." 388 00:21:26,936 --> 00:21:31,886 Now as soon as it gets the first match in an access list, it stops processing, you know?
389 00:21:31,886 --> 00:21:36,156 So for instance if 10.1.1.1 did come in there, it's not like he goes, okay, 390 00:21:36,156 --> 00:21:39,966 well I'm going to deny you, but-- no actually I'm not going to deny 'cause I see right next 391 00:21:39,966 --> 00:21:42,636 to me is a permit everybody and you're kind of like everybody, right? 392 00:21:42,636 --> 00:21:43,766 So let list-- no, no, no. 393 00:21:43,886 --> 00:21:46,496 As soon as you get your first match, it says check. 394 00:21:46,626 --> 00:21:48,996 I'm not looking at any more of the access list. 395 00:21:49,186 --> 00:21:51,766 So the good news is by putting in a permit all, 396 00:21:51,766 --> 00:21:55,686 I have really reversed the whole mindset of an access list. 397 00:21:55,686 --> 00:21:59,576 I've now said, deny what I say to deny, but permit everything else. 398 00:22:00,476 --> 00:22:03,246 Sometimes, you'll hear people call us. 399 00:22:03,246 --> 00:22:04,056 I've heard this said once. 400 00:22:04,056 --> 00:22:06,626 I thought it was a great way to describe that. 401 00:22:07,096 --> 00:22:13,276 This is like fishnet security, where you're allowing all the water to go through 402 00:22:13,276 --> 00:22:15,346 and you're trying to catch the big old fish, you know, what, 403 00:22:15,346 --> 00:22:17,906 you know, which in this case is 10.1.1.1. 404 00:22:17,906 --> 00:22:23,436 Everything else can go through those giant gaping holes in the access list, whereas 405 00:22:23,586 --> 00:22:30,506 leaving the denial is like iron wall security and you've got a little drill 406 00:22:30,626 --> 00:22:34,446 and you say [noise] you know, I'm allowing this, you know, port 80 through [noise]. 407 00:22:34,446 --> 00:22:39,136 I'm allowing 10.1.1.1 through or whatever, whatever you're allowing through, 408 00:22:39,406 --> 00:22:44,676 you just kind of poke these little holes and go through. Which is better, this one? 409 00:22:44,976 --> 00:22:46,236 Well, I'm sorry, back up.
410 00:22:46,236 --> 00:22:48,276 Let me use the universal: it depends. 411 00:22:48,466 --> 00:22:51,626 It depends on what you're trying to accomplish, but most of the time, 412 00:22:51,626 --> 00:22:53,596 if you're talking about like internet security, 413 00:22:53,956 --> 00:22:59,676 the iron wall, just saying exactly what is allowed in, is usually the best way to go, okay. 414 00:23:00,066 --> 00:23:03,356 So we've got this access list created, right? 415 00:23:03,356 --> 00:23:06,686 We're in global config mode, we're going back to those two things. 416 00:23:06,926 --> 00:23:10,606 Step 1, the config is done already. 417 00:23:10,966 --> 00:23:12,896 But now we have to go to the application. 418 00:23:13,876 --> 00:23:18,136 Now in this case I need to go into the interface where I want to apply it, 419 00:23:18,246 --> 00:23:20,396 and in this case it's serial 0/0. 420 00:23:20,396 --> 00:23:23,526 Now, I said right here assume all Ethernet ports are Fast here, 421 00:23:23,526 --> 00:23:27,136 so this is FastEthernet 0/0. Could I apply it here? 422 00:23:27,906 --> 00:23:30,206 Yes, but it would miss one of the objectives. 423 00:23:30,206 --> 00:23:35,376 So let's-- let's apply it here first. 424 00:23:35,376 --> 00:23:41,816 So I'm going to go on router 1 and I'm going to say, "Okay, I want access list 1 to take effect, 425 00:23:41,816 --> 00:23:46,546 global config mode, interface serial 0/0," and I'm going to use the command, here is the command. 426 00:23:46,546 --> 00:23:49,966 It is ip access-group. 427 00:23:51,116 --> 00:23:52,686 Well, why did Cisco do that? 428 00:23:52,686 --> 00:23:55,296 'Cause they had to have a different way. 429 00:23:55,476 --> 00:23:59,676 So ip access-group is how we apply an access list to an interface. 430 00:23:59,746 --> 00:24:01,986 It's not ip access-list, it's ip access-group.
431 00:24:02,476 --> 00:24:07,046 I hit the question mark and it says, "Okay, what number of access list would you 432 00:24:07,046 --> 00:24:09,796 like to apply, or even what name if you've used a named one." 433 00:24:09,796 --> 00:24:11,556 I'll show you how to do that in a moment. 434 00:24:11,556 --> 00:24:15,716 So, I would say I want to use number 1, that's the one I created. 435 00:24:15,716 --> 00:24:17,686 Now it's going to ask me that key question. 436 00:24:17,686 --> 00:24:22,776 Remember I said last time you've got to get this one right: inbound or outbound. 437 00:24:23,356 --> 00:24:25,466 Okay? How do I determine that direction? 438 00:24:25,936 --> 00:24:26,766 Be the router. 439 00:24:27,066 --> 00:24:28,376 I am router 1. 440 00:24:28,576 --> 00:24:34,246 My right arm, you know, again, if I'm a human being my right arm is serial 0/0, 441 00:24:34,466 --> 00:24:36,896 my left arm is FastEthernet 0/0. 442 00:24:36,896 --> 00:24:38,646 So I'm holding him right here and I go, okay. 443 00:24:39,036 --> 00:24:41,716 Direction wise, I'm applying right here. 444 00:24:41,716 --> 00:24:49,096 Am I filtering traffic in as it's coming into me from my right arm on serial 0/0, or am I applying it 445 00:24:49,096 --> 00:24:51,506 out to where it's going out this interface? 446 00:24:52,336 --> 00:24:56,746 If you think that through, it's in, because router 3 and everything else is going 447 00:24:56,746 --> 00:25:00,756 to be coming in my arm, in the interface, to me, the router sitting in the middle, 448 00:25:01,326 --> 00:25:03,026 and that's where I want to do filtering. 449 00:25:03,026 --> 00:25:05,316 So I'm going to say, apply that inbound. 450 00:25:06,176 --> 00:25:07,746 All right. 451 00:25:07,746 --> 00:25:12,266 Let's do-- I want to do show ip; you can actually type in show access-list.
452 00:25:12,506 --> 00:25:17,076 But the reason I like show ip access-list, they're the same exact command, is 453 00:25:17,076 --> 00:25:21,006 because I can hit the tab key after three letters and it fills in all the words. 454 00:25:21,006 --> 00:25:25,346 If I do show ip or show access, I actually have to type in the dash and the L and it works, 455 00:25:25,346 --> 00:25:26,826 but it's the same-- same exact command. 456 00:25:26,826 --> 00:25:28,146 Now, ooh-- ooh, check it out. 457 00:25:28,446 --> 00:25:33,366 We've got deny 10.1.1.1, it's there, but it hasn't done anything 458 00:25:33,366 --> 00:25:38,116 yet because I can see below the permit any is getting three matches. 459 00:25:38,276 --> 00:25:42,546 So there's already three packets that have come in and said, "I want to come in," 460 00:25:42,546 --> 00:25:44,636 and the access list says, "Okay, come on in." 461 00:25:44,636 --> 00:25:46,636 And then they're going to say, well, "Jeremy, you're talking. 462 00:25:46,636 --> 00:25:47,936 What's going on? 463 00:25:47,936 --> 00:25:49,086 Why are there matches coming in?" 464 00:25:49,326 --> 00:25:54,306 Well, remember I said at the beginning I set up RIP, a routing protocol which is saying, 465 00:25:54,306 --> 00:25:55,586 "Hey, I know about these networks." 466 00:25:55,586 --> 00:25:57,336 So it's sending its little updates behind the scenes. 467 00:25:57,336 --> 00:26:00,386 So chances are, I hit the up arrow, it's now up to six matches. 468 00:26:00,386 --> 00:26:03,796 So RIP is talking and chatting and sending its route updates, doing its thing, 469 00:26:04,006 --> 00:26:04,926 that's the matching that I'm gaining. 470 00:26:04,926 --> 00:26:05,986 Okay. Let's test it. 471 00:26:06,166 --> 00:26:15,336 Let's go over to router 3-- who is this guy over here, right, router 3, and now we test it. Before 472 00:26:15,336 --> 00:26:18,976 that I was able to ping, I could telnet to this guy, so let's try now. 473 00:26:19,516 --> 00:26:23,936 Ping 10.1.1.6.
474 00:26:24,316 --> 00:26:27,146 Denied! As a matter of fact you can see right here U's. 475 00:26:27,516 --> 00:26:32,756 That means unreachable, as in a protocol called ICMP has come 476 00:26:32,756 --> 00:26:34,766 in and said, you are being blocked. 477 00:26:34,766 --> 00:26:38,666 Usually when you see a U that means either the router has no idea what you're talking about, 478 00:26:38,666 --> 00:26:43,556 it doesn't have a route to that destination, or an access list is blocking you 479 00:26:43,556 --> 00:26:46,066 and sending back messages saying, "You are being denied." 480 00:26:46,306 --> 00:26:52,416 Now, when you get into the-- if you decide to go security as your specialty and get in there, 481 00:26:52,576 --> 00:26:55,916 one of the things that you'll learn is a way to turn this off. 482 00:26:55,916 --> 00:27:00,626 Because as a hacker, if I'm trying to hack in somewhere and I do a ping 483 00:27:00,626 --> 00:27:06,316 and I see U's coming back to me, that tells me something, that tells me they are alive. 484 00:27:06,676 --> 00:27:12,366 I can get there, but they have purposely put an access list on there that is blocking. 485 00:27:12,736 --> 00:27:17,046 There is a command that you can do to turn off what's called ICMP unreachable messages. 486 00:27:17,046 --> 00:27:19,316 So that way, it just says, dot. 487 00:27:19,316 --> 00:27:23,826 It's as if you would have pinged just an IP address that doesn't exist, dot, dot, dot, 488 00:27:23,826 --> 00:27:25,746 and you know, you can't tell that you're being blocked. 489 00:27:25,746 --> 00:27:28,556 So that's, that's in the security series so I'll leave that to them. 490 00:27:28,936 --> 00:27:30,636 So, let's do some more testing. 491 00:27:30,636 --> 00:27:31,416 I'm going to try and telnet. 492 00:27:31,786 --> 00:27:37,006 We just did up here, right, telnet 10.1.1.6, telnet to 10.1.1.6. 493 00:27:37,686 --> 00:27:41,366 Denied. It immediately comes back with destination unreachable, gateway host, that.
494 00:27:41,366 --> 00:27:42,876 It's-- I'm being blocked from that. 495 00:27:42,876 --> 00:27:45,616 Okay. So that verifies that I can't get here. 496 00:27:45,956 --> 00:27:47,576 Now what about-- what about this guy? 497 00:27:48,036 --> 00:27:49,106 I could ping him before. 498 00:27:49,106 --> 00:27:53,716 So let's do a ping 192.168.1.50. 499 00:27:53,716 --> 00:27:54,346 Successful! 500 00:27:54,646 --> 00:28:01,486 So now, let's go up here to router 1 and hit up arrow and do the same command. 501 00:28:01,486 --> 00:28:02,246 Check it out. 502 00:28:02,876 --> 00:28:04,086 Now, we can see it in action. 503 00:28:04,596 --> 00:28:09,336 We're denying 10.1.1.1, 25 matches from all of the pings and the telnet 504 00:28:09,336 --> 00:28:12,306 and everything else I'm trying to do to reach that, it's actually saying, 505 00:28:12,306 --> 00:28:14,026 I'm blocking, I'm blocking, I'm blocking. 506 00:28:14,026 --> 00:28:15,046 Okay. Awesome! 507 00:28:15,186 --> 00:28:16,646 That is excellent. 508 00:28:16,986 --> 00:28:18,836 Now, let me do this. 509 00:28:19,156 --> 00:28:27,596 Wipe. I want to go back to the question I said, "Couldn't-- could I apply it right here?" 510 00:28:27,596 --> 00:28:31,826 Yes! Yes, yes, I could apply that same access list right here. 511 00:28:31,826 --> 00:28:33,056 As a matter of fact, let's do that. 512 00:28:33,456 --> 00:28:40,166 I'll go into interface serial 0/0 and I'm going to do no ip access-group 1 513 00:28:40,166 --> 00:28:42,256 and so I'm taking it off of the serial port. 514 00:28:42,446 --> 00:28:46,636 So I mean immediately upon doing that, I should be able to hit the up arrow. 515 00:28:46,636 --> 00:28:48,336 Now pings are going through successfully. 516 00:28:48,336 --> 00:28:50,486 You can see access list in action right there. 517 00:28:50,666 --> 00:28:54,566 But now, let's say I went into FastEthernet 0/0 and I said, 518 00:28:54,566 --> 00:28:55,886 okay, well I want to apply it here.
519 00:28:55,886 --> 00:28:59,236 First off, let me ask you, what direction would you apply it? 520 00:28:59,826 --> 00:29:01,346 Ken, be the router. 521 00:29:01,346 --> 00:29:03,026 This is FastEthernet 0/0. 522 00:29:03,226 --> 00:29:03,996 This is serial 0/0. 523 00:29:04,036 --> 00:29:08,266 I've got access list one that says, deny this guy, holding my arms out. 524 00:29:08,436 --> 00:29:15,246 If I apply it right here, I want to apply it outbound, like as it's going out router 1. 525 00:29:15,476 --> 00:29:18,186 Because if I apply it inbound, what would that mean? 526 00:29:18,186 --> 00:29:22,456 It would assume that 10.1.1.1 is over here somewhere, you know, trying to come in. 527 00:29:22,456 --> 00:29:23,506 That's not the truth. 528 00:29:23,506 --> 00:29:24,786 That's not where it's at. 529 00:29:25,066 --> 00:29:28,876 So it's going to be applied outbound there, and let's do it because I just want to show you. 530 00:29:30,076 --> 00:29:36,556 I'm going to go under FastEthernet 0/0, just-- just hit the up arrow. 531 00:29:36,556 --> 00:29:38,496 ip acc-- oh, wait, stop the train. 532 00:29:38,816 --> 00:29:39,696 We're moving too fast. 533 00:29:39,886 --> 00:29:41,936 I just caused an internet outage. 534 00:29:41,936 --> 00:29:47,226 So, ip access-group 1 out, so I've applied it in the out direction on FastEthernet 0/0. 535 00:29:47,496 --> 00:29:49,516 Now, can I go to router 3 and test? 536 00:29:49,516 --> 00:29:52,026 Yes I can, if I find them. 537 00:29:52,606 --> 00:29:57,206 Router 3, I'm going to hit the up arrow and ping them again, and okay, that's good, right? 538 00:29:57,766 --> 00:29:59,966 It means I'm blocked from getting to this guy. 539 00:29:59,966 --> 00:30:01,976 I just tested that, but what's missing?
540 00:30:02,056 --> 00:30:07,696 If it's applied outbound right here, then getting here, which is one of the objectives, 541 00:30:07,966 --> 00:30:11,936 block information, that's-- it's not going to be there 'cause I removed it from this, 542 00:30:11,936 --> 00:30:13,796 so he's going to have no problem reaching this. 543 00:30:13,796 --> 00:30:17,036 It's just when he tries to go out right here, that's where it's going to be blocked, 544 00:30:17,036 --> 00:30:20,926 so let's just verify. Ping 10.1.1.6. 545 00:30:20,926 --> 00:30:28,006 Good. So again, verifying that this was indeed the correct place to put that access list. 546 00:30:28,006 --> 00:30:30,286 All right, let's look at number 2. 547 00:30:30,546 --> 00:30:42,676 Use a standard access list to block access to the 192.168.1.0/24 from 192.168.2.128/25. 548 00:30:42,676 --> 00:30:45,096 Now, again, why is it so critical to draw this out? 549 00:30:45,096 --> 00:30:46,666 It's just so you can visualize what's going on. 550 00:30:46,666 --> 00:30:50,166 So it's-- what it's saying here is not to block the specific IP address. 551 00:30:50,166 --> 00:30:51,956 It's saying block this whole network. 552 00:30:52,556 --> 00:30:57,566 So 192.168.2.128/25, so, that's identifying the whole memory-- 553 00:30:57,566 --> 00:31:02,676 the 128 is the network ID, so I'm saying the whole network is being blocked 554 00:31:02,676 --> 00:31:05,976 from accessing this whole network, so again, big sweeping statements there. 555 00:31:06,436 --> 00:31:09,876 Okay, so let's do that. 556 00:31:09,876 --> 00:31:14,336 First off I'm going to go to-- okay, before I even do that, 557 00:31:14,466 --> 00:31:15,886 let's figure out where we're at, right. 558 00:31:15,996 --> 00:31:19,796 Again, a standard access list only blocks based on IP source. 559 00:31:20,286 --> 00:31:24,976 So I can't really say what something is denied from, other than where I apply it to.
560 00:31:24,976 --> 00:31:29,056 So if I create an access list, I'm going to apply it here as things are coming 561 00:31:29,056 --> 00:31:31,426 into that interface, then I'd have cut off too much. 562 00:31:31,426 --> 00:31:35,436 So again, I'm back over on Router 1 and I'm saying, "Well, I want-- I need to block-- 563 00:31:35,656 --> 00:31:37,306 no longer am I blocking access to this. 564 00:31:37,306 --> 00:31:39,136 I need to block access to this subnet. 565 00:31:39,416 --> 00:31:43,946 So I need to catch things as they're trying to leave this interface." 566 00:31:44,326 --> 00:31:48,566 Again, with a standard access list, it's as close to the destination as possible, 567 00:31:48,566 --> 00:31:52,626 because the closer you move to the source, the more chance you're going to block too much, 568 00:31:52,626 --> 00:31:54,736 since you can't really say what they're denied from. 569 00:31:55,076 --> 00:31:58,766 You just say they are denied, and that's just based on the source, so, okay. 570 00:31:58,766 --> 00:32:03,476 So I'm going to be right here as they're going out, right, that-- that interface, 571 00:32:03,476 --> 00:32:09,576 I need to block them, so I'm back over on router 1 and I'm going to go in-- 572 00:32:09,576 --> 00:32:14,076 first off remove this one from being applied, exit back out. 573 00:32:14,266 --> 00:32:16,906 So let's-- as a matter of fact, let's just kill the whole thing. 574 00:32:17,126 --> 00:32:20,816 I'm going to do a no ip-- a no access-list 1. 575 00:32:21,526 --> 00:32:22,396 And it's gone. 576 00:32:22,396 --> 00:32:25,476 So that actually deleted the whole access list. 577 00:32:25,476 --> 00:32:28,806 I'll do a show ip access-list and you can see nothing there. 578 00:32:28,806 --> 00:32:30,146 They're all gone. 579 00:32:30,146 --> 00:32:37,196 So let's go and create-- so I'm going to create access list just-- we can use 1, but just-- 580 00:32:37,196 --> 00:32:39,276 because I want to be different, let's use 2.
581 00:32:39,536 --> 00:32:42,506 So access-list 2-- now who are we denying? 582 00:32:42,796 --> 00:32:48,976 We are denying this whole subnet, 192.168.2.128 with that weird subnet mask. 583 00:32:48,976 --> 00:32:58,256 So again, we're looking at that range, 192.168.2.128 through 255, okay? 584 00:32:58,546 --> 00:33:02,456 So I want to block that whole subnet, so I'm going to say, "Okay." 585 00:33:02,456 --> 00:33:04,016 So 2, I'm going to deny. 586 00:33:04,016 --> 00:33:05,536 That's my goal, is to block them. 587 00:33:05,736 --> 00:33:08,846 And it says, "Okay, what address do you want to match, or do you want to do, 588 00:33:08,846 --> 00:33:10,636 you know, any address or a specific host?" 589 00:33:10,906 --> 00:33:15,866 Well, I can't use any because that'll block everybody, and that's not the goal. 590 00:33:16,276 --> 00:33:23,396 I could use host, but that means I'm going to have to type in host 192.168.2.128 591 00:33:23,516 --> 00:33:27,246 and then hit the up arrow, 129, 2.130, 2.131. 592 00:33:27,246 --> 00:33:28,366 Come on, is this sufficient? 593 00:33:28,366 --> 00:33:30,376 Can we say-- can I hear a no? 594 00:33:30,376 --> 00:33:31,706 No, it is not sufficient. 595 00:33:31,706 --> 00:33:36,926 So that means we're creating this-- slides, show-- a giant access list, show ip access. 596 00:33:36,926 --> 00:33:37,566 You see all this. 597 00:33:37,866 --> 00:33:42,556 It's just crazy, but someone's going to say, "No, no, no," clear access list 2. 598 00:33:43,076 --> 00:33:44,176 So let's blow it away. 599 00:33:44,176 --> 00:33:46,186 So we could do that, but not efficient. 600 00:33:46,186 --> 00:33:53,196 So instead, I'm going to say, "I want to block the network 192.168.2.128, 601 00:33:53,436 --> 00:33:58,496 but enter stage left the wildcard mask, okay. 602 00:33:58,696 --> 00:34:05,966 Wildcard mask allows you to say these are the bits that I care about."
603 00:34:06,306 --> 00:34:10,136 Now, nobody is really certain as to why Cisco decided to go this way, 604 00:34:10,136 --> 00:34:13,176 like you would think it would be nice and logical to be able to say, "Okay, 605 00:34:13,176 --> 00:34:17,346 we'll block that network like that." 606 00:34:17,656 --> 00:34:20,616 But a wildcard mask doesn't do that. 607 00:34:20,616 --> 00:34:26,966 Think of-- I mean, if it's-- okay, if you've got a rebellious teenager and you're like, "Man, 608 00:34:26,966 --> 00:34:28,996 they're wild," what do you think? 609 00:34:28,996 --> 00:34:29,276 You're like? 610 00:34:29,276 --> 00:34:32,216 "Okay, they are doing the opposite of what I want them to do. 611 00:34:32,216 --> 00:34:36,616 They're doing the opposite of what would be acceptable and normal to this family," right? 612 00:34:36,876 --> 00:34:41,006 So think of the wildcard mask, it's the rebel, it's the opposite. 613 00:34:41,006 --> 00:34:44,476 So it's going to be the backwards mask, essentially. 614 00:34:44,476 --> 00:34:50,746 So we see the mask is 255.255.255.128. 615 00:34:51,266 --> 00:34:57,006 The wildcard mask is exactly the opposite, flip it, as in, if we were to look at this in binary, 616 00:34:57,006 --> 00:35:01,466 you know, 11111111.11111111.11111111.10000000, 617 00:35:01,466 --> 00:35:03,486 so that's the normal subnet mask in all binary. 618 00:35:03,646 --> 00:35:04,546 The wildcard mask flips. 619 00:35:04,596 --> 00:35:08,296 So wherever you see a 1, put a 0; wherever you see a 0, put a 1. 620 00:35:08,396 --> 00:35:17,326 So the wildcard mask would be 00000000.00000000.00000000.01111111. 621 00:35:17,326 --> 00:35:21,496 So, you know, you take that all in binary and then flip it as exactly the opposite 622 00:35:21,706 --> 00:35:22,866 and there, you have the wildcard mask. 623 00:35:22,866 --> 00:35:24,466 They are the weirdest looking things ever. 624 00:35:24,656 --> 00:35:30,266 So the question is what is that-- what is that binary number as a decimal?
625 00:35:30,506 --> 00:35:36,986 Well, that's where you pull out your mathematical mind and add 1, 2, 4, 6, 8, 16-- 626 00:35:37,856 --> 00:35:42,166 did I count that right-- 32, 64, right. 627 00:35:42,366 --> 00:35:44,566 That didn't feel right but, you know what I mean. 628 00:35:44,596 --> 00:35:49,566 You add all the binary digits up to 64 together, you know, in one big math problem. 629 00:35:49,746 --> 00:35:52,176 And that will give, if you add them all up, 127. 630 00:35:52,946 --> 00:35:59,376 So the wildcard mask, instead of being nice and easy as a subnet mask, I go in there and I say, 631 00:35:59,376 --> 00:36:04,176 "Actually, it's going to be 0.0.0.127." 632 00:36:04,836 --> 00:36:08,646 Creepy! That's it. 633 00:36:08,646 --> 00:36:13,166 That's the accurate way of identifying, "I want to block that whole network." 634 00:36:13,166 --> 00:36:17,146 Now, I've got a shortcut for you; doing it all in binary, it's kind of painful. 635 00:36:17,366 --> 00:36:20,696 So what I usually do if I'm, like, "Okay, what's the wildcard mask?" 636 00:36:21,026 --> 00:36:27,926 I take all 255s and subtract my subnet mask that I want to kind of convert 637 00:36:27,926 --> 00:36:35,176 over to a wildcard mask, and that will give me, I mean, obviously, easy math there, and I go 127, 638 00:36:35,316 --> 00:36:38,546 you know-- so that-- that is the wildcard mask for this subnet mask, 639 00:36:38,546 --> 00:36:42,686 you know, /25 or 255.255.255.128. 640 00:36:42,686 --> 00:36:43,356 That's the opposite. 641 00:36:43,356 --> 00:36:48,296 So again, nice and bizarre, that's probably the most difficult thing of access lists. 642 00:36:48,296 --> 00:36:51,536 Next to figuring out which direction to apply them is going, "Okay, 643 00:36:51,536 --> 00:36:54,216 what's up with this wildcard mask? 644 00:36:54,406 --> 00:36:54,986 Why would I use it?" 645 00:36:54,986 --> 00:36:56,046 So let me ask you this. 646 00:36:56,046 --> 00:36:57,806 What would the wildcard mask be for this?
647 00:36:58,086 --> 00:37:04,076 If I were to generate a wildcard mask for 192.168.1.0/24, what would it be? 648 00:37:04,076 --> 00:37:10,216 It'll be-- we'd say, okay, deny or permit 192.168.1.0 with a wildcard mask of 0.0.0.255. 649 00:37:10,846 --> 00:37:13,786 That's the flip opposite of a /24. 650 00:37:14,196 --> 00:37:19,136 And the way to think about it is, if you like looking at things in terms of decimal, 651 00:37:19,296 --> 00:37:25,466 wherever you see a zero, that tells the router, "Look at this, evaluate this. 652 00:37:25,466 --> 00:37:30,576 This access list is either permitting or denying, so when this packet comes in, look at this. 653 00:37:30,836 --> 00:37:32,716 Look at the 192." 654 00:37:32,716 --> 00:37:37,636 And then it goes, "Okay, a zero-- that means look at this, look at this, well 192.168. 655 00:37:37,636 --> 00:37:39,426 Oh, a 1, look at this. 656 00:37:39,426 --> 00:37:43,686 You make sure that you're watching this, and then this last one is I don't care." 657 00:37:43,686 --> 00:37:49,856 Essentially, the 255, all ones, says, "I don't really care what's 658 00:37:49,856 --> 00:37:51,226 in that last octet," and that's good. 659 00:37:51,226 --> 00:37:58,926 So if I have an access list that's saying deny 192.168.1.0, you know, this guy's 192.168.1.50 660 00:37:58,926 --> 00:38:01,646 and it's going to come in and say, "Okay, you're 192, I look at that, I look at that, 661 00:38:01,646 --> 00:38:07,116 look at that," and it's like .50, I don't really care about that, you know, whatever. 662 00:38:07,116 --> 00:38:09,866 So you will be denied because you start with this. 663 00:38:10,056 --> 00:38:13,156 So it's really like, what are you matching on with this. 664 00:38:13,466 --> 00:38:16,206 You could-- you won't do this, but you could. 665 00:38:16,736 --> 00:38:21,816 You could do something like I want to create an access list that says, 666 00:38:21,956 --> 00:38:34,076 "I want to match 192.0.53.0 with a wildcard mask of 0.255.0.255."
667 00:38:35,006 --> 00:38:39,606 And what that says is, you know, let's just say we said deny and then we put that information. 668 00:38:39,726 --> 00:38:44,336 Let's say, "Okay, I'm going to deny any IP address that has 192 in the first octet. 669 00:38:44,956 --> 00:38:48,656 I don't care what's in the second octet, but they also have to have 53 670 00:38:48,656 --> 00:38:51,736 in the third octet, right, 'cause that's a match. 671 00:38:51,736 --> 00:38:53,286 This one, I don't care what's in the last octet." 672 00:38:53,696 --> 00:38:58,776 So you can actually deny things based on, you know, just one octet, 673 00:38:58,776 --> 00:39:01,056 I mean if-- okay, let me ask you this. 674 00:39:01,356 --> 00:39:04,236 What do you think-- let's say I want a wildcard mask 675 00:39:04,336 --> 00:39:07,936 that would deny everything all the time, what would it look like? 676 00:39:08,566 --> 00:39:09,626 I would say deny. 677 00:39:09,626 --> 00:39:11,106 On the IP address, I would just put 0.0.0.0. 678 00:39:11,106 --> 00:39:13,336 It doesn't matter what you put there 'cause it's not really caring about it. 679 00:39:13,336 --> 00:39:21,306 Wildcard mask 255.255.255.0, or-- so, not 0-- 255.255.255-- I've said that too often. 680 00:39:21,306 --> 00:39:27,926 255.255.255.255, it's very much saying deny, I don't care, I don't care, you're denied. 681 00:39:28,076 --> 00:39:29,486 It doesn't matter what IP address you have. 682 00:39:29,766 --> 00:39:30,896 You could also go the other way. 683 00:39:30,896 --> 00:39:32,686 For instance, let me show you this. 684 00:39:32,686 --> 00:39:34,786 Remember when we did that access list? 685 00:39:35,016 --> 00:39:40,236 Let me just use access-list 50 as an example. 686 00:39:40,366 --> 00:39:45,686 And I did permit, and like in that first example, we said host, you know, 687 00:39:45,686 --> 00:39:48,176 10.1.1.1, right, a different way of doing it. 688 00:39:48,176 --> 00:39:49,316 So there's a couple of ways you can do it.
689 00:39:49,316 --> 00:39:54,136 A different way of doing it is I could've said permit 10.1.1.1, but now it's going to ask me 690 00:39:54,136 --> 00:39:56,676 for a wildcard mask, so I would put 0.0.0.0. 691 00:39:56,676 --> 00:39:58,226 Now, watch this. 692 00:39:58,626 --> 00:40:00,826 I'll do a show ip access-list. 693 00:40:02,756 --> 00:40:03,816 Access list 50. 694 00:40:03,816 --> 00:40:07,576 It's automatically dropped that because it assumes the host command. 695 00:40:07,696 --> 00:40:08,916 I could've done the same thing. 696 00:40:08,916 --> 00:40:17,486 I could type in access-list 51 permit host 10.1.1.1, hit the Enter key, show access-list. 697 00:40:18,696 --> 00:40:20,136 Look, they're one and the same. 698 00:40:20,136 --> 00:40:24,706 One, I used the wildcard mask of all zeros; one, I used the host command to type it in there, 699 00:40:24,706 --> 00:40:28,806 and it ends up being the same thing, the same result. 700 00:40:30,156 --> 00:40:39,106 So back to the example, we were using access list 2 up here and I said, deny 192.168.2.128 701 00:40:39,106 --> 00:40:41,616 with wildcard bits 0.0.0.127, right. 702 00:40:41,616 --> 00:40:44,206 So that's the opposite of the subnet mask. 703 00:40:44,206 --> 00:40:47,196 Okay, that's great, and I'm going to want to come back-- 704 00:40:47,196 --> 00:40:49,326 good grief, we've got these things in a mess now. 705 00:40:49,326 --> 00:40:51,636 I'm going to come back in here and I'm going to apply that algorithm. 706 00:40:51,636 --> 00:40:56,766 But before I do, remember an access list with only a deny command will deny everything 'cause 707 00:40:56,766 --> 00:41:03,596 of the implicit deny, so I need to go in there and do access-list 2 permit any. 708 00:41:04,226 --> 00:41:05,546 And let's get rid of the other ones. 709 00:41:05,596 --> 00:41:09,456 no access-list, my little demo access lists 50 and 51, they're gone.
710 00:41:10,316 --> 00:41:14,786 So to show IP access list, and now I've got few of that-- I have access list.
711 00:41:14,786 --> 00:41:19,176 So I've got deny 192.168.2, okay, that looks good, and permit everything else.
712 00:41:19,176 --> 00:41:20,586 So now, I need to apply it.
713 00:41:20,866 --> 00:41:26,156 And since this said, "Only-- you know, I'll just get rid of all this chicken scratch.
714 00:41:26,696 --> 00:41:32,996 Only deny access to this one network," that's my focus.
715 00:41:33,216 --> 00:41:35,506 I'm going to go into the router.
716 00:41:35,506 --> 00:41:40,336 I'm going to say, "Okay, show IP interface brief," and I'm going to look, I mean--
717 00:41:40,336 --> 00:41:42,726 Well, that's the network I want to block access to.
718 00:41:42,976 --> 00:41:48,076 I don't want 192.168.2.128 to get there, so I'll go
719 00:41:48,076 --> 00:41:52,516 in the FastEthernet 0/0, IP access-group 2, 'cause that's the access list I created right here,
720 00:41:53,236 --> 00:41:54,776 number 2, right?
721 00:41:55,236 --> 00:41:56,676 And then out.
722 00:41:57,396 --> 00:42:06,646 So as this network tries to go out FastEthernet 0/0, I'm going to deny them.
723 00:42:07,206 --> 00:42:08,096 So let's give it a try.
724 00:42:08,096 --> 00:42:11,966 I'm going to shoot over to Router 3 first, just to make sure.
725 00:42:12,286 --> 00:42:18,306 I'm going to do a ping 192.168.1.50 and it works.
726 00:42:18,456 --> 00:42:20,556 Now, don't be surprised.
727 00:42:20,556 --> 00:42:22,536 You're like, "Oh, I thought-- didn't we deny that network?"
728 00:42:22,536 --> 00:42:24,716 Yes, but Router 3 is not that network.
729 00:42:24,716 --> 00:42:29,816 Router 3 came from this IP address, 10.1.1.1.
730 00:42:29,906 --> 00:42:31,176 That's the IP address I pinged from.
731 00:42:31,176 --> 00:42:33,216 So the access list came in there.
732 00:42:33,216 --> 00:42:34,526 As a matter of fact, let's verify it.
733 00:42:34,746 --> 00:42:38,526 The access list said, "Well, 10.1.1.1, come on in."
734 00:42:38,526 --> 00:42:42,966 So I'll do a show IP access, you know, I've seen matches.
735 00:42:42,966 --> 00:42:44,756 You know, those pings are, you know, come on in.
736 00:42:44,756 --> 00:42:48,596 You can feel free to come in, but now let me show you something else.
737 00:42:48,596 --> 00:42:56,806 Let me first-- I'll do the PC, I'm going to PC3 up there, which is right here, okay?
738 00:42:57,506 --> 00:43:01,466 So PC3 is right here, so I'm going to do a ping--
739 00:43:01,466 --> 00:43:07,616 let's do ping 192.168.1.50, which is that host over there.
740 00:43:08,036 --> 00:43:11,186 Hit the Enter key and sure enough, I'm getting unreachable messages back.
741 00:43:11,186 --> 00:43:14,276 And those are a sure indicator that you've done it right.
742 00:43:14,276 --> 00:43:18,576 But if you want to feel that warm and fuzzy feeling, you can do a show access-list.
743 00:43:18,576 --> 00:43:24,726 And now I can see I'm getting denied packets from that access list.
744 00:43:24,966 --> 00:43:29,236 The other thing I wanted to show you is I said Router 3 is not coming from this network.
745 00:43:29,236 --> 00:43:30,356 It's coming from this, right?
746 00:43:30,706 --> 00:43:31,956 Well, watch this.
747 00:43:32,066 --> 00:43:35,036 If I want to, I can make it come from that network.
748 00:43:35,346 --> 00:43:35,826 Let's see how.
749 00:43:36,166 --> 00:43:41,836 I'm going to go to Router 3 and I'm going to type in ping, you know, that one works fine.
750 00:43:41,836 --> 00:43:44,826 It's coming from another one, so I'm going to hit the question mark after the ping command.
751 00:43:45,046 --> 00:43:50,266 I'm going to say, "I'm actually coming from the source IP address."
752 00:43:50,576 --> 00:43:57,286 And I can either type in my IP address, or I type in 192.168.2.129, or I can type
753 00:43:57,286 --> 00:43:59,006 in the source, FastEthernet 0/0.
754 00:43:59,296 --> 00:44:04,096 And sure enough, now, take a look at this, it says I'm sending five pings to that guy
755 00:44:04,426 --> 00:44:12,756 with a source address of 192.168.1.129, which is right there,
756 00:44:12,756 --> 00:44:15,496 and you can see sure enough those are all denied by the access-list.
757 00:44:15,496 --> 00:44:16,236 That's pretty cool.
758 00:44:16,266 --> 00:44:17,926 Okay. Last example, and first off, at this point,
759 00:44:17,926 --> 00:44:22,766 you should feel a little more warm and fuzzy about doing this.
760 00:44:22,766 --> 00:44:26,636 So you might just want to pause and write this up on paper or try it on a router
761 00:44:26,636 --> 00:44:29,566 if you have one and see if you can figure that out.
762 00:44:29,756 --> 00:44:37,426 But I'd like to use this last example to illustrate an example of using named access-lists,
763 00:44:37,536 --> 00:44:39,736 which I love far more than the numbered ones.
764 00:44:39,766 --> 00:44:45,606 So it says, "Create a standard access-list to block 192.168.2.50,
765 00:44:45,906 --> 00:44:48,626 to this one, from reaching 10.1.1.
766 00:44:48,626 --> 00:44:49,356 That's this one.
767 00:44:49,356 --> 00:44:51,126 So, block them from getting there."
768 00:44:51,606 --> 00:44:54,346 So looking at that, I can think, "Okay.
769 00:44:54,346 --> 00:44:57,746 Well, I could either apply it outbound right here.
770 00:44:57,746 --> 00:45:03,156 Can anyone say this guy is blocked from getting here, or I could apply it inbound right here."
771 00:45:04,266 --> 00:45:10,556 Now, basically, regardless of which one you choose, the result is going to be the same.
772 00:45:10,666 --> 00:45:16,766 I'm not going to be able to reach this, but also by saying block to this WAN IP address I'm going
773 00:45:16,766 --> 00:45:20,096 to automatically be denied from reaching that network too. Why?
774 00:45:20,096 --> 00:45:22,736 Because standard access-lists can't say what you're denied from.
775 00:45:22,986 --> 00:45:24,386 They just say, "You're denied."
776 00:45:24,386 --> 00:45:31,246 So, when I say deny 192.168.2.50 and apply either out, excuse me, out right here
777 00:45:31,556 --> 00:45:35,956 or in right here, then the access-list is going to say, "You are denied.
778 00:45:35,956 --> 00:45:37,666 You are denied from getting any further."
779 00:45:37,936 --> 00:45:45,896 So, honestly, I would think it might be a little more efficient to apply it out right here
780 00:45:45,896 --> 00:45:49,576 because otherwise you have to cross the whole WAN link just to find
781 00:45:49,576 --> 00:45:51,476 out on the other side that you're denied.
782 00:45:51,476 --> 00:45:53,706 It's like a bad trip to Disneyland, right?
783 00:45:53,706 --> 00:45:57,506 You've got to drive all the way to California just to find out Disneyland is closed
784 00:45:57,506 --> 00:45:58,726 for the day or something like that.
785 00:45:58,726 --> 00:46:02,006 So you don't want to have these packets drive further than necessary.
786 00:46:02,226 --> 00:46:06,596 So in this case, since the result is the same, I'm thinking applying it outbound right here would
787 00:46:06,596 --> 00:46:08,136 be the best way to go.
788 00:46:08,136 --> 00:46:09,046 So, let's do this.
789 00:46:09,046 --> 00:46:11,326 I'm going to get into Router 2.
790 00:46:11,686 --> 00:46:14,146 I haven't even been on this one yet.
791 00:46:14,616 --> 00:46:18,616 And let's go into global config mode.
792 00:46:18,616 --> 00:46:23,146 So now let me show you, so, so far we've been using numbered access-lists, which is done by typing
793 00:46:23,146 --> 00:46:27,836 in access-list and a number, whatever number we want to, to pick what kind.
794 00:46:28,166 --> 00:46:32,706 But the better way, I believe it's a lot cleaner
795 00:46:32,706 --> 00:46:37,136 or it just makes more sense, is to type in IP access-list.
796 00:46:37,876 --> 00:46:42,846 Okay. Same thing that we're after in access-list, just putting the IP keyword in front
797 00:46:42,846 --> 00:46:46,206 of it tells it I'm going to create a named access-list.
798 00:46:46,356 --> 00:46:50,796 So notice, instead of asking me for a number to identify what kind it is, it's just asking me,
799 00:46:50,796 --> 00:46:53,556 it's just like, "Hey, why don't you just identify what it is?
800 00:46:53,556 --> 00:46:56,326 Is it a standard or is it an extended access-list?"
801 00:46:56,596 --> 00:46:58,226 Now, all these other commands is like, "Okay.
802 00:46:58,226 --> 00:46:59,676 Do you want to renumber it?
803 00:46:59,676 --> 00:47:01,416 Do you want to set up logging or a log update?"
804 00:47:01,416 --> 00:47:03,536 But really the main command is standard access--
805 00:47:03,536 --> 00:47:06,416 well, right now we are creating a standard access-list.
806 00:47:06,416 --> 00:47:07,396 So I'll type that.
807 00:47:07,396 --> 00:47:11,616 Well, you can even use this command to modify one of the numbered, or now I'm going
808 00:47:11,616 --> 00:47:13,366 to give you the option to type a name.
809 00:47:13,546 --> 00:47:19,066 So I'm going to say, BLOCK_PC_2_ACL.
810 00:47:19,066 --> 00:47:20,616 I put little underscores in between.
811 00:47:20,616 --> 00:47:21,646 You can't put spaces.
812 00:47:21,966 --> 00:47:25,086 But do you see how that makes more sense when I do a show access-list?
813 00:47:25,086 --> 00:47:30,206 If I see BLOCK_PC_2_ACL-- it's going to bug me.
814 00:47:30,206 --> 00:47:36,416 Hang on. I want BLOCK_PC2, not-- no underscore there.
815 00:47:36,416 --> 00:47:41,246 So BLOCK_PC2_ACL, now when I do the show command I can see exact--
816 00:47:41,246 --> 00:47:43,266 just by looking at the name I know what it is rather
817 00:47:43,266 --> 00:47:45,636 than being like, "Oh, what was number 73 again?"
818 00:47:45,676 --> 00:47:48,126 You know, you have to have some kind of reference for that.
819 00:47:48,126 --> 00:47:49,476 So I'm going to say, "Okay.
820 00:47:49,476 --> 00:47:55,826 I want to block 192.168.2.50."
821 00:47:55,826 --> 00:47:58,116 So the way this works is it's just as if I had typed IP access-list now--
822 00:47:58,116 --> 00:48:01,976 or access-list, you know, whatever I want, now I can say permit or deny
823 00:48:02,236 --> 00:48:03,756 or I can even use the sequence number.
824 00:48:04,086 --> 00:48:08,556 Now, you saw that by default so far when we type
825 00:48:08,556 --> 00:48:11,676 and create an access-list it creates sequence numbers of 10, right?
826 00:48:11,676 --> 00:48:13,726 The first command we type in is a sequence 10.
827 00:48:13,886 --> 00:48:14,966 Next one sequence 20.
828 00:48:14,966 --> 00:48:15,986 Next one sequence 30.
829 00:48:16,336 --> 00:48:19,226 Now, if you want to, you can type in your own sequence number.
830 00:48:19,226 --> 00:48:21,056 So I can say, sequence 100.
831 00:48:21,346 --> 00:48:25,316 You know, and then type in permit or deny, or anything like that, or if I just type in permit
832 00:48:25,316 --> 00:48:28,816 or deny without typing any sequence number it will automatically use
833 00:48:28,816 --> 00:48:30,166 that increment of 10 for me.
834 00:48:30,286 --> 00:48:31,696 So I'm good with that.
835 00:48:31,696 --> 00:48:33,106 So let's just say, deny.
836 00:48:33,106 --> 00:48:43,506 I want to deny 192.168.2.50, wildcard bits 0.0.0.0, and then, you know, again,
837 00:48:43,506 --> 00:48:46,146 I've got now an access statement, or access list, that's just a deny.
838 00:48:46,146 --> 00:48:49,376 So I'm going to say, "Permit any."
839 00:48:49,976 --> 00:48:59,666 Okay. So I'm going to go back and do a show access-list and now I can see I've got access lists.
840 00:48:59,666 --> 00:49:03,316 Don't you love the name better, BLOCK_PC2_ACL?
841 00:49:03,316 --> 00:49:07,376 Same syntax as before, sequence 10 deny that host.
842 00:49:07,376 --> 00:49:09,186 Sequence 20 permit everything else.
843 00:49:09,456 --> 00:49:17,406 So now I can go into interface serial 0/1 on that side.
844 00:49:17,806 --> 00:49:22,466 Network diagrams are essential for this, and do IP access-group
845 00:49:22,956 --> 00:49:25,946 and now I'll just type in the name BLOCK_PC2_ACL.
846 00:49:26,136 --> 00:49:30,096 By the way, keep in mind, oops, this is case sensitive.
847 00:49:30,506 --> 00:49:33,846 So if you use lower, uppercase, you've got to keep it consistent.
848 00:49:33,846 --> 00:49:38,616 I always type them in all uppercase because it's easy for me to see in a show run,
849 00:49:38,616 --> 00:49:43,506 and then I'll hit question mark, outbound, applying it out the serial 0/1 interface.
850 00:49:43,856 --> 00:49:46,076 Good! So now I'm going to test it.
851 00:49:46,076 --> 00:49:47,276 I'm going to be sure that it works.
852 00:49:47,566 --> 00:49:54,306 Let's go to PC 2 and I'm going to ping 192.168.2.
853 00:49:54,306 --> 00:49:58,206 Well, actually, the goal was to block it from 10.1.1.1.
854 00:49:58,206 --> 00:50:00,566 So let's start there and make sure we achieved our goal.
855 00:50:00,906 --> 00:50:04,866 And sure enough I'm getting those unreachables; show access-list.
856 00:50:05,356 --> 00:50:11,456 I can see that I'm denying that host, so it is working, but also just as a bonus,
857 00:50:11,456 --> 00:50:14,146 because there's-- with the standard there's no way of stopping it,
858 00:50:14,426 --> 00:50:18,656 I'm completely denying access to everything beyond that WAN interface as well
859 00:50:18,656 --> 00:50:20,546 because it's just saying, "You are denied."
860 00:50:20,776 --> 00:50:25,196 With the access-lists, as I said, the more and more
861 00:50:25,196 --> 00:50:27,436 and more you do, the better and better they feel.
862 00:50:27,846 --> 00:50:33,146 What I would like you to do is first off, if you have your own router or something like that,
863 00:50:33,416 --> 00:50:36,626 use that to practice the syntax to come up with those scenarios.
864 00:50:36,626 --> 00:50:38,326 As a matter of fact, you could just run through the scenarios.
865 00:50:38,326 --> 00:50:40,016 You know, just bring up the slide
866 00:50:40,016 --> 00:50:44,106 I've been using this entire time, pause it, and now see if you can do those three examples
867 00:50:44,106 --> 00:50:47,396 on your own without actually watching me walk you through that.
868 00:50:47,646 --> 00:50:51,366 Then I would start going through and coming up with your own scenarios.
869 00:50:51,366 --> 00:50:54,916 You know, come up with "I want to deny this from this" and try it out.
870 00:50:54,916 --> 00:50:58,376 I'm going to make that GNS3 topology available to you.
871 00:50:58,376 --> 00:51:01,766 So if you have GNS3, if you've played with that, maybe you check out,
872 00:51:01,766 --> 00:51:06,996 I think CBT Nuggets has some free GNS3 videos that you can download if you don't have access
873 00:51:06,996 --> 00:51:11,236 to the whole thing, that will at least show you how to get started with it and so on.
874 00:51:11,236 --> 00:51:14,706 It's, again, free emulator software that you can use.
875 00:51:14,706 --> 00:51:16,856 You know, import that topology and start practicing
876 00:51:16,856 --> 00:51:18,896 with the environment that I've created right there.
877 00:51:19,416 --> 00:51:23,216 So once you're feeling pretty good about standard access-lists, go ahead and jump
878 00:51:23,216 --> 00:51:26,316 into the next one, which is going to be the extended world.
879 00:51:27,036 --> 00:51:30,336 I hope this has been informative for you and I'd like to thank you for viewing.
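As an added illustration (not from the video or from CBT Nuggets), the Python below models how a router walks a standard ACL: top to bottom, first match wins, a wildcard bit of 0 means "must match" and 1 means "don't care", and anything that matches no line hits the implicit deny. It works through the spoken examples: the "192 in the first octet, 53 in the third" match, `host` versus a 0.0.0.0 wildcard, ACL 2 with wildcard 0.0.0.127, and the named BLOCK_PC2_ACL (name with underscores as described in the video). The evaluator and its sample addresses are constructed here; the `wildcard_from_prefix` helper is an added convenience, not an IOS command.

```python
"""Standard ACL matcher: first match wins, implicit deny at the end (added example)."""
import ipaddress


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def parse_entry(line: str):
    """Parse one standard-ACL statement into (action, base, wildcard).

    Accepted forms, as typed in the video:
      'deny 192.168.2.128 0.0.0.127'   explicit wildcard bits
      'permit host 10.1.1.1'           host keyword == wildcard 0.0.0.0
      'permit 10.1.1.1'                omitted wildcard treated as 0.0.0.0
      'permit any'                     any == 0.0.0.0 255.255.255.255
    A leading sequence number (named ACL style, '10 deny ...') is skipped.
    """
    tokens = line.split()
    if tokens and tokens[0].isdigit():
        tokens = tokens[1:]
    action, rest = tokens[0], tokens[1:]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in {line!r}")
    if rest[0] == "any":
        return action, 0, 0xFFFFFFFF
    if rest[0] == "host":
        return action, to_int(rest[1]), 0
    base = to_int(rest[0])
    wildcard = to_int(rest[1]) if len(rest) > 1 else 0
    return action, base, wildcard


def matches(src: int, base: int, wildcard: int) -> bool:
    # Only the bits where the wildcard is 0 have to agree with the base address.
    care = ~wildcard & 0xFFFFFFFF
    return (src & care) == (base & care)


def evaluate(acl, src_ip: str) -> str:
    """Return 'permit' or 'deny' for a source address; first matching line wins."""
    src = to_int(src_ip)
    for line in acl:
        action, base, wildcard = parse_entry(line)
        if matches(src, base, wildcard):
            return action
    return "deny"  # the implicit deny at the bottom of every access list


def wildcard_from_prefix(prefix_len: int) -> str:
    # The wildcard is the bitwise inverse of the subnet mask: /25 -> 0.0.0.127
    mask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(ipaddress.IPv4Address(mask ^ 0xFFFFFFFF))


# Constructed ACLs reproducing the video's scenarios
ACL_OCTETS = ["deny 192.0.53.0 0.255.0.255", "permit any"]   # 192.x.53.x
ACL_2 = ["deny 192.168.2.128 0.0.0.127", "permit any"]
BLOCK_PC2_ACL = ["10 deny 192.168.2.50 0.0.0.0", "20 permit any"]
DENY_ONLY = ["deny 192.168.2.128 0.0.0.127"]   # no permit: everything is denied

if __name__ == "__main__":
    for ip in ("10.1.1.1", "192.168.2.129", "192.168.2.50", "192.168.2.1"):
        print(f"{ip:15} ACL 2={evaluate(ACL_2, ip):6} BLOCK_PC2_ACL={evaluate(BLOCK_PC2_ACL, ip)}")
```

Running it shows 10.1.1.1 permitted by ACL 2 while 192.168.2.129 is denied, exactly the two pings from the video, and that the deny-only list drops every source.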
