1
00:00:00,740 --> 00:00:06,890
So let's have a look at another example. In this example, we want to permit host 10.1.1.1 to server

2
00:00:06,890 --> 00:00:08,130
10.1.2.1.

3
00:00:08,540 --> 00:00:15,050
So this host should be permitted to this server, but we want to deny everyone else sending traffic to

4
00:00:15,050 --> 00:00:15,700
that server.

5
00:00:16,100 --> 00:00:21,230
But we also want to allow traffic to go to all other servers, so anyone else should be able to connect

6
00:00:21,230 --> 00:00:22,190
to all other servers.

7
00:00:22,640 --> 00:00:27,460
So the first decision again is where are we going to bind this access control list and in which direction?

8
00:00:27,890 --> 00:00:33,730
So we could bind it on f0/0 inbound or we could bind it on f0/1 outbound.

9
00:00:34,250 --> 00:00:41,510
The issue with trying to bind the access list on f0/0 is that we cannot specify destination addresses

10
00:00:41,510 --> 00:00:43,370
with a standard IP access list.

11
00:00:43,400 --> 00:00:49,220
You can only specify source addresses, so you won't be able to implement this statement that says deny

12
00:00:49,220 --> 00:00:56,270
everyone else to a specific server but allow traffic to all other servers, because otherwise you're going

13
00:00:56,270 --> 00:00:58,130
to say deny any

14
00:00:58,340 --> 00:01:03,470
and the very next statement is going to be permit any, which won't work because the permit any will

15
00:01:03,470 --> 00:01:04,280
never be used.

16
00:01:04,910 --> 00:01:09,430
So what we're going to do is bind it on this interface outbound, f0/1.

17
00:01:10,040 --> 00:01:16,430
This also follows best practices, which say that you should bind standard IP access lists as close to

18
00:01:16,430 --> 00:01:17,880
the destination as possible.

19
00:01:18,260 --> 00:01:20,180
I'll explain more about that in a moment.

20
00:01:21,690 --> 00:01:26,160
So on our router, we could configure this access control list by going into global configuration mode

21
00:01:26,820 --> 00:01:30,450
and typing access-list, let's choose number 3,

22
00:01:31,580 --> 00:01:32,210
permit

23
00:01:33,460 --> 00:01:35,890
10.1.1.1,

24
00:01:37,330 --> 00:01:43,000
and then we could go into the interface f0/1 and type the command ip access-group

25
00:01:44,370 --> 00:01:45,240
3 out.

26
00:01:47,110 --> 00:01:50,530
So once again, I could do the command show access-lists,

27
00:01:54,060 --> 00:01:58,950
which just shows me that simple access list that I've just created. The catch here was to remember where to bind

28
00:01:58,950 --> 00:01:59,730
the access list

29
00:02:00,620 --> 00:02:07,400
and to remember that you don't need a deny any at the end, because there's an implicit deny in an access list

30
00:02:07,400 --> 00:02:07,910
statement.

31
00:02:08,449 --> 00:02:10,699
I'm gonna explain what this number 10 means in a moment.

32
00:02:12,270 --> 00:02:18,240
In this example, we want to permit subnet 10.1.1.0 and then deny everyone else. Once again,

33
00:02:18,240 --> 00:02:24,660
we would bind the access control list inbound on FastEthernet 0/0 so as to make the access list as

34
00:02:24,660 --> 00:02:25,820
efficient as possible.

35
00:02:26,190 --> 00:02:32,250
We once again don't want the router having to process packets internally just to have them dropped on

36
00:02:32,250 --> 00:02:34,100
an external outbound interface.

37
00:02:34,410 --> 00:02:37,020
So we'll bind the access control list inbound.

38
00:02:37,960 --> 00:02:38,280
So on our router,

39
00:02:39,850 --> 00:02:41,590
going into global configuration mode,

40
00:02:43,070 --> 00:02:49,970
type the command access-list and in this case, let's choose number 4, and we will permit, in this case,

41
00:02:49,970 --> 00:02:51,500
a specific subnet.

42
00:02:51,500 --> 00:02:56,390
So 10.1.1.0, and then we need to put in the wildcard mask.

43
00:02:57,230 --> 00:02:58,820
A zero in binary means match.

44
00:02:59,000 --> 00:03:05,750
So the first octet, 10, must match, second octet, 1, must match, third octet, 1, must match, and the last

45
00:03:05,750 --> 00:03:07,520
octet can be equal to anything.

46
00:03:08,210 --> 00:03:11,450
There's an implicit deny, so we don't have to specify anything else.

47
00:03:11,990 --> 00:03:19,070
However, if you want to log information, you could do the following: access-list 4 deny

48
00:03:20,020 --> 00:03:27,040
any, and notice this option, log. That would allow us to log information to a syslog

49
00:03:27,040 --> 00:03:33,370
server or log locally on the router so that we can see which packets were denied. When it comes

50
00:03:33,370 --> 00:03:39,280
to logging, it's best practice not to log locally on the router, but to push it to a server like a syslog

51
00:03:39,280 --> 00:03:39,940
server.

52
00:03:40,420 --> 00:03:46,390
The reason for that is that the router has limited space for storing log messages, whereas if you store

53
00:03:46,390 --> 00:03:51,730
that on a syslog server, you can store huge amounts of data because of the size of hard disks these days.

54
00:03:52,030 --> 00:03:56,650
So it makes sense to back the logging information off to an external server.

55
00:03:57,340 --> 00:04:05,080
The last step in this example is to go to interface f0/0 and type the command ip access-group

56
00:04:06,420 --> 00:04:07,350
4 in.

57
00:04:08,690 --> 00:04:10,940
Once again, I could do the command show access-lists.

58
00:04:14,390 --> 00:04:20,600
If I just wanted to see that specific access list, I could put a number on, so show access-lists 4. You can see

59
00:04:20,600 --> 00:04:26,030
the first line is saying permit 10.1.1.0 with wildcard bits 0.0.0.255

60
00:04:26,750 --> 00:04:30,560
and the second line is saying deny any and log that information.

61
00:04:31,130 --> 00:04:35,030
show ip interface f0/0

62
00:04:37,380 --> 00:04:44,130
shows me that the inbound access list is 4, so we have bound access list 4 inbound on FastEthernet

63
00:04:44,130 --> 00:04:45,070
0/0.

64
00:04:45,990 --> 00:04:50,820
Now in this example, the interface is shut down; that's not a concern, because I'm just showing you the syntax

65
00:04:50,820 --> 00:04:53,940
of the access lists rather than showing you a working example.

66
00:04:54,990 --> 00:04:59,130
Be careful with adding an explicit deny, as I did in this example.

67
00:04:59,520 --> 00:05:05,250
You need to read between the lines in the questions and make sure that you are explicitly asked to deny

68
00:05:05,250 --> 00:05:05,820
traffic.

69
00:05:06,330 --> 00:05:07,440
If not asked,

70
00:05:07,620 --> 00:05:13,650
don't add the line to deny any, because they may be testing you to make sure you know about the implicit

71
00:05:13,650 --> 00:05:16,140
denial at the end of every access list.

72
00:05:17,520 --> 00:05:24,600
Another example: in this case, we want to permit 10.1.1.1 to telnet to the router, and then we

73
00:05:24,600 --> 00:05:29,070
want to deny everyone else telnet to the router and allow traffic anywhere else.

74
00:05:29,610 --> 00:05:32,100
Now, once again, you need to read between the lines carefully.

75
00:05:32,340 --> 00:05:35,910
In this example, we are setting up a standard access control list.

76
00:05:36,450 --> 00:05:42,080
So the only way to do this is to bind the standard access control list on the VTY lines.

77
00:05:42,810 --> 00:05:48,040
Remember, standard IP access lists cannot determine protocol or destination addresses.

78
00:05:48,510 --> 00:05:55,170
So if the example is asking for a standard IP list to deny or permit telnet, then you know that you

79
00:05:55,170 --> 00:05:58,010
have to bind that access list on the VTY lines.

80
00:05:59,150 --> 00:06:01,710
So here's an example. I'm going to telnet to a router.

81
00:06:03,250 --> 00:06:05,920
In this case, the address is 10.0.0.254.

82
00:06:07,330 --> 00:06:08,200
Put in my username,

83
00:06:09,830 --> 00:06:12,710
put in my password. Typing the command show run

84
00:06:13,730 --> 00:06:22,520
pipe section line will show me what's configured on the lines of this router. As you can see here,

85
00:06:23,090 --> 00:06:27,800
there are no access lists on the VTY lines of this router. Then I could do the following:

86
00:06:29,190 --> 00:06:32,370
access-list, let's just pick a number like 10,

87
00:06:34,390 --> 00:06:34,930
permit,

88
00:06:35,910 --> 00:06:40,920
and notice, the IP address is 10.1.1.1; no one else is allowed to telnet to the router.

89
00:06:42,090 --> 00:06:47,730
So permit 10.1.1.1, and then I can go into the line VTY, so line vty 0 4,

90
00:06:49,070 --> 00:06:53,570
and I need to use the command access-class rather than access-group.

91
00:06:54,780 --> 00:06:55,080
Notice

92
00:06:55,140 --> 00:07:02,130
you can specify either a standard IP access list or an extended access list. In early IOS versions you could only

93
00:07:02,130 --> 00:07:07,940
choose standard IP access lists, but these days you can use both standard and extended ACLs.

94
00:07:08,400 --> 00:07:09,900
So I'm going to choose 10.

95
00:07:10,910 --> 00:07:16,430
Notice I can filter incoming telnet connections or outgoing telnet connections, so I'm going to

96
00:07:16,430 --> 00:07:17,270
specify in.

97
00:07:19,970 --> 00:07:26,030
So now I'm going to try and telnet to the router again, so telnet 10.0.0.254, and notice

98
00:07:26,050 --> 00:07:33,840
that the telnet connection does not open, because we are denying telnet to the router. Just to prove

99
00:07:33,840 --> 00:07:36,620
that to you, if I remove this access-class

100
00:07:38,080 --> 00:07:41,140
and then put it back on again, notice I'm able to telnet

101
00:07:42,750 --> 00:07:46,080
and I can successfully log in. Let's disconnect,

102
00:07:48,020 --> 00:07:49,520
put that access list back again,

103
00:07:51,090 --> 00:07:51,900
try and telnet.

104
00:07:53,170 --> 00:08:00,940
Notice the telnet is denied. So please don't forget about access lists that can be bound on VTY lines

105
00:08:01,360 --> 00:08:04,630
to permit or deny telnet or SSH access to a router.

106
00:08:05,580 --> 00:08:09,330
Once again, show run pipe section line

107
00:08:10,540 --> 00:08:11,410
shows me

108
00:08:13,960 --> 00:08:18,070
that I have the access-class 10 bound inbound on the VTY lines.

109
00:08:19,050 --> 00:08:25,950
So I'm unable to telnet from my PC. Let's have a look at the IP address of my PC. As you'll see here,

110
00:08:26,790 --> 00:08:29,400
the IP address is 10.0.0.1.

111
00:08:30,950 --> 00:08:31,970
So on the router,

112
00:08:34,590 --> 00:08:41,440
if I type the command no access-list 10, be careful with that command. It doesn't just remove a line in

113
00:08:41,440 --> 00:08:44,110
the access list, it deletes the entire access list.

114
00:08:44,530 --> 00:08:51,450
So typing the command do show access-lists 10 will show me that that access list does not exist.

115
00:08:51,970 --> 00:08:54,160
So I've just deleted the access list entirely,

116
00:08:54,730 --> 00:09:01,990
but I could type the command access-list 10 permit 10.0.0.1 and then go on to my line VTY

117
00:09:02,000 --> 00:09:04,360
just to make sure that it's bound.

118
00:09:04,870 --> 00:09:06,970
So access-class

119
00:09:08,270 --> 00:09:09,380
10 in.

120
00:09:10,700 --> 00:09:11,990
Now, if I try and telnet,

121
00:09:13,500 --> 00:09:15,210
notice the telnet is successful.

122
00:09:17,000 --> 00:09:18,620
So I'm able to telnet to the router.

123
00:09:23,980 --> 00:09:30,540
If I now do the command do show access-lists 10, you can see that there are two matches on this access

124
00:09:30,570 --> 00:09:32,550
list. If I telnet again,

125
00:09:34,550 --> 00:09:37,220
do the show command, notice the matches are increasing.

126
00:09:38,490 --> 00:09:43,290
Can I still telnet to the router if I delete this access list? So I'm going to type the command no

127
00:09:43,290 --> 00:09:43,670
access-list

128
00:09:45,390 --> 00:09:45,810
10.

129
00:09:47,210 --> 00:09:50,780
Do the show command, and as you can see, the access list has been removed.

130
00:09:52,420 --> 00:09:55,610
I'll disconnect my telnet session. Let me see if I can telnet again,

131
00:09:56,230 --> 00:09:57,340
and as you can see,

132
00:09:58,820 --> 00:09:59,870
I can gain access.

133
00:10:01,500 --> 00:10:03,120
Do show run

134
00:10:04,470 --> 00:10:06,870
pipe section line

135
00:10:10,010 --> 00:10:12,680
shows me that the access list is still bound.

136
00:10:13,770 --> 00:10:14,880
And this is a big gotcha.

137
00:10:14,910 --> 00:10:21,660
This also applies to binding on interfaces: you can bind a non-existent access list to an interface.

138
00:10:22,080 --> 00:10:28,320
It's very dangerous, because if someone later on created that access list and, let's say, inadvertently

139
00:10:28,320 --> 00:10:33,990
configured it for something else, that access list would immediately become active and traffic would

140
00:10:33,990 --> 00:10:38,610
be denied or permitted unexpectedly as per the new access list.

141
00:10:39,240 --> 00:10:46,200
So let's say we permitted 10.1.2.1, for argument's sake. Now suddenly, if I telnet back

142
00:10:46,200 --> 00:10:46,890
to the router,

143
00:10:48,190 --> 00:10:50,170
notice the telnet session is denied.

144
00:10:50,980 --> 00:10:55,960
Be very careful with your access lists: create them, then bind them.

145
00:10:56,440 --> 00:10:59,680
If you delete them, remove them from the bindings.

146
00:10:59,830 --> 00:11:03,790
In other words, remove them from the VTY lines or from the interfaces.

147
00:11:04,360 --> 00:11:11,680
Do not allow nonexistent access lists to be bound to interfaces, and do not allow access lists just to

148
00:11:11,680 --> 00:11:15,240
exist in a configuration without being bound anywhere.

149
00:11:17,140 --> 00:11:23,050
Just a reminder again about remarks. Remarks allow us to add descriptions to access control lists so

150
00:11:23,050 --> 00:11:28,750
that they are easier to understand. The problem with access lists is that they can get fairly complicated if you

151
00:11:28,750 --> 00:11:30,760
have a 10-line or 20-line ACL.

152
00:11:31,060 --> 00:11:35,330
The last thing you want to do is decipher what the access list is intended to do.

153
00:11:35,800 --> 00:11:41,650
So adding remarks can make it a lot easier to follow and understand. Typing the command show access-lists

154
00:11:44,400 --> 00:11:50,070
on this router shows me the access lists configured at the moment. You can see there are access lists

155
00:11:50,340 --> 00:11:54,000
with various lines, but they themselves don't mean much.

156
00:11:54,540 --> 00:11:56,970
Rather than doing that, let's create an access list.

157
00:11:56,970 --> 00:12:03,590
So access-list 5 permit, let's say, for instance, 10.1.2.1,

158
00:12:04,230 --> 00:12:07,770
but now what you can do is you can say access-list 5 remark

159
00:12:09,160 --> 00:12:14,650
and now you can put in a remark of up to 100 characters, so something like permit,

160
00:12:17,740 --> 00:12:19,330
permit the boss access

161
00:12:20,400 --> 00:12:22,680
to Exchange

162
00:12:23,860 --> 00:12:29,290
server, or whatever you decide. Now I'm typing the command show access-lists.

163
00:12:33,130 --> 00:12:39,580
It doesn't show the remark, but notice if I do the command show run pipe include access-list,

164
00:12:41,990 --> 00:12:48,110
notice the remark is displayed in the access list, which makes it a lot easier to see what's going

165
00:12:48,110 --> 00:12:48,350
on.

166
00:12:49,040 --> 00:12:53,780
I could create another line in that access list, let's say access-list 5 permit

167
00:12:57,440 --> 00:12:59,060
and then I could create another remark.

168
00:13:08,010 --> 00:13:08,850
Something like this,

169
00:13:09,910 --> 00:13:13,270
and now doing the same command again, show run pipe include access-list,

170
00:13:17,320 --> 00:13:23,410
allows me to see each line in the access list and its relevant remark, thus making it a lot easier to

171
00:13:23,410 --> 00:13:24,640
understand what's going on.

172
00:13:26,360 --> 00:13:32,810
Some guidelines regarding access lists. Firstly, the type of the access list indicates what can be filtered.

173
00:13:33,110 --> 00:13:39,140
In other words, a standard IP access list can only filter on source IP addresses or networks.

174
00:13:39,590 --> 00:13:45,410
An extended IP access list can filter both on source and destination addresses, source and destination

175
00:13:45,410 --> 00:13:49,730
port numbers and various other options relating to IP protocols.

176
00:13:50,090 --> 00:13:52,670
So extended access lists tend to be a lot more powerful.

177
00:13:53,060 --> 00:13:55,760
The order of processing is also of great importance.

178
00:13:56,210 --> 00:13:58,640
You should place your more specific statements first.

179
00:13:59,600 --> 00:14:06,920
If your first statement was permit any and your second statement was deny host 10.1.1.1, that

180
00:14:06,920 --> 00:14:12,830
second statement would be irrelevant because of your first statement saying permit any. Remember,

181
00:14:12,830 --> 00:14:15,200
access control lists are processed top down.

182
00:14:15,500 --> 00:14:18,980
If there's a match on a line, all subsequent lines are ignored.

183
00:14:19,280 --> 00:14:21,620
So a permit any would be matched

184
00:14:21,800 --> 00:14:28,490
and all traffic, including traffic from host 10.1.1.1, would be permitted, and the second line denying

185
00:14:28,500 --> 00:14:30,450
host 10.1.1.1 would be ignored.

186
00:14:31,190 --> 00:14:35,750
Don't forget that there's an implicit denial at the end of every access control list.

187
00:14:36,050 --> 00:14:39,860
Unless you explicitly permit something, it's going to be denied.

188
00:14:40,430 --> 00:14:46,280
Only one access list can be bound per interface, per direction, per protocol.

189
00:14:46,820 --> 00:14:54,410
In other words, an IP version 4 ACL can be bound either in or out on a per-interface basis.

190
00:14:54,710 --> 00:15:00,830
You cannot have two IP version 4 access lists inbound on the same interface, but you can have one

191
00:15:00,830 --> 00:15:01,850
in and one out.

192
00:15:02,450 --> 00:15:08,330
As I've already demonstrated, if you try and bind two IP access lists inbound on the same interface,

193
00:15:08,330 --> 00:15:10,610
the second one will just replace the first one.

194
00:15:12,260 --> 00:15:14,120
So where should you place your access lists?

195
00:15:14,450 --> 00:15:21,110
Now, the best practice from Cisco is to place standard ACLs as close to the destination as possible.

196
00:15:21,260 --> 00:15:24,500
And the reason for this is that you cannot match specific protocols.

197
00:15:24,860 --> 00:15:31,310
Now, in the real world, most ACL implementations will be using extended IP access lists because of

198
00:15:31,310 --> 00:15:37,460
the fact that you can filter based on both source and destination IP address as well as source and destination

199
00:15:37,460 --> 00:15:38,510
ports and so forth,

200
00:15:39,020 --> 00:15:44,180
whereas with IP standard access control lists you can only filter based on the source address.

201
00:15:44,840 --> 00:15:51,620
So in this example, if you didn't want 10.1.1.1 to connect to the server 10.1.2.1, you

202
00:15:51,620 --> 00:15:59,240
could bind a standard IP access list either inbound on R1 or outbound on R1 or inbound on

203
00:15:59,240 --> 00:16:08,150
R2 or outbound on R2. If you decided to bind an access list denying this host inbound on R1,

204
00:16:08,570 --> 00:16:16,220
you would not only deny 10.1.1.1 access to the server, but you would also deny the host access

205
00:16:16,220 --> 00:16:23,240
to all other parts of the network, because you cannot specify a destination, but only a source. If you

206
00:16:23,240 --> 00:16:30,140
bound an access list inbound on R1 denying host 10.1.1.1, you would deny that host access to

207
00:16:30,140 --> 00:16:31,550
all parts of the network.

208
00:16:31,970 --> 00:16:35,420
So this wouldn't be a good place to bind that access list.

209
00:16:36,520 --> 00:16:43,450
If you bound the access list outbound on R1 saying deny host 10.1.1.1, the host would be

210
00:16:43,450 --> 00:16:45,160
allowed access to this host.

211
00:16:45,730 --> 00:16:52,720
But once again, 10.1.1.1 would be denied access to this network, this network, as well as this

212
00:16:52,720 --> 00:16:58,900
network, because once again, you can only deny on the source address with a standard IP access list,

213
00:16:59,170 --> 00:17:02,260
not on the destination or port numbers.

214
00:17:02,740 --> 00:17:08,770
If you decided to bind the access list inbound on R2, the host 10.1.1.1 would have access to

215
00:17:08,770 --> 00:17:14,500
this network as well as this network, but it wouldn't have access to this network or this network.

216
00:17:14,680 --> 00:17:16,000
So that wouldn't work either.

217
00:17:16,960 --> 00:17:23,470
And lastly, if you decided to bind the access list outbound on R2, that would be the optimum place

218
00:17:23,470 --> 00:17:30,430
to place the access list, because you would be denying host 10.1.1.1 access to the server, but

219
00:17:30,430 --> 00:17:35,740
you wouldn't be denying that host access to any other part of the network, and thus you would accomplish

220
00:17:35,740 --> 00:17:37,040
what you set out to do.

221
00:17:38,020 --> 00:17:44,170
However, with extended IP access lists, the recommendation is to place the access list as close

222
00:17:44,170 --> 00:17:45,460
to the source as possible.

223
00:17:45,880 --> 00:17:51,040
The reason for this is that you can match specific protocols and specific destination addresses.

224
00:17:51,430 --> 00:17:56,020
So if you bound an access list inbound on R1, you could say deny this

225
00:17:56,020 --> 00:18:01,720
host 10.1.1.1 access to this host 10.1.2.1,

226
00:18:02,290 --> 00:18:09,070
but permit this host access to any other part of the network, and thus you would accomplish what you

227
00:18:09,070 --> 00:18:10,000
set out to do.

228
00:18:10,300 --> 00:18:15,580
And this example would be a lot more efficient than the previous example, because you would be denying

229
00:18:15,580 --> 00:18:21,900
traffic at this point rather than routing it all the way across the network to R2 just to be dropped.

230
00:18:22,300 --> 00:18:28,990
So extended IP access lists are a lot more flexible and a lot more efficient and thus tend to be used

231
00:18:28,990 --> 00:18:30,280
more in the real world.