So I've talked about in theory what an access list is: that's an identification or classification tool. I talked about at a real high level that there's things called numbered and named access lists, although we haven't really looked at how to configure them yet. And I've talked about how, at a high level, there's differences between a standard and extended access list. Now we're gonna go into more details about standard access lists, what they can do, what they can't do, how to configure them. And then just for demonstration purposes, I'm gonna pair a standard access list with a feature, a security feature, called an access group feature. So you can see how the two work together.

So a standard access list, probably the most basic and simple of the access lists you can configure, identifies traffic simply based on the layer-3 header. So if you have anything you wanna match other than the layer-3 header, this is not the tool for you. Within the layer-3 header, the only thing it can match on is the source IP address, and that's it.
So once again, if you wanna match on anything other than this, like the destination of where the packet's going, or something else in the IP header, this is not the tool for you.

So when you're configuring a standard access list, if you're gonna be using a numbered access list, the number should be in the range from 1 to 99. In other words, at the global configuration level, we're gonna see this in just a moment, you're gonna type access-list and then you're gonna give it a number. If the number you give it is in this range, IOS knows, okay, what follows next is I can only-- I should say this: when IOS sees a number in this range, it says okay, now after this the only option I'm going to give the user, the network admin who's configuring me, is the option to match on the source IP address and a wildcard mask, and that's it. Now there's also an extended range, or I should say an expanded range of numbers. Because for most people, 'cause remember with access lists, for example 1, that is the name of the container. I could have multiple lines of that. Access list 1, match on this. Access list 1, match on that.
Access list 1, match on something else. So I could have dozens or even hundreds of access control entries all numbered 1. Now for most companies, this range here is more than enough. But sometimes, especially when you're talking about internet service providers, their access lists can be huge, because they've got thousands of companies that they're servicing and they need to have different access lists for each one, and so they might run out of 'em, even from 1 to 99. So there is an expanded range of standard ACLs, and you should probably memorize this number, from 1300, I'll write this down here, from 1300 through 1999. So the same thing: if you're configuring your access list as a numbered access list, access-list 1301 or access-list 1400, anything in this range, it's as if you were using the numbers 1 through 99. IOS still recognizes that what you want is a standard access list.

Standard access lists should be applied closest to the destination. What does that mean? We'll take a look at that in just a moment.
And there's no method to check the destination address or port numbers, because all the standard access list checks is the source IP address, that's it. Now a lot of times, that's all you need to check. You know, based on the feature that you're using, maybe you say, you know what, all I care about is where this packet's coming from. I could care less about where it's going to or anything else like that.

So here's how you would configure a standard access list. So notice a few very important things here. Number one, where are we doing it? At the global configuration level. So that's very important. Number two, so we say access-list, we provide a number that's in the standard range, and then you have to say permit or deny. Now remember, permit or deny, we don't know what that's gonna do. If we're talking about an encryption feature that's using this, that means permit the packet to be encrypted or deny it to be encrypted. If we're using the access group feature, which is what I am gonna be using for my demonstrations, permit means allow the packet through. Deny means kill the packet, deny it, block it.
And now we specify some 32-bit number as our source address. And then a wildcard mask.

Now to verify what we've configured, we can do show ip access-list. And that will show us our access list. Now that's gonna show you what feature or features, 'cause you've got more than one, that are using this access list for identification purposes. But it will show you the access list that you've configured, or you can do show run and you can use the pipe symbol on your keyboard. And then inc, that's short for include, access-list. Or you can just look at show run. Now in order to actually use an access list for something, 'cause if you just configure this access list and it's sitting in a global configuration level, it's not doing anything. Here's an example: remember back when we were talking about switching, and I said if you wanna create a VLAN and have some hosts on your switch use that VLAN, I said it was a two-step process. I said at the global configuration level, you typed vlan 5 or vlan 100, and then you had to go to the interface and say switchport access vlan 5 or switchport access vlan 100.
Well on a switch, if I just configured VLAN 5 and nothing else, that's a broadcast domain that isn't really being used for anything. Same thing here. If I configure my access list but I don't have any feature that's referencing it, it's just taking up space in my running config. It's not doing anything.

So one of the first features that you learn in the CCNA level that uses access lists is something called the IP Access-Group feature. Now this is an interface-level feature, it's a security feature, and it's, like it says here, a primitive firewall. Basically it's using the access list to determine: if a packet matches a permit statement, allow the packet through. If the packet matches a drop statement, well, I should say a deny statement, filter it, drop it.

An IP access group is directional. So when you apply it to an interface, you have to specify: am I looking at traffic coming in, that's coming in off the cable? Or am I looking at traffic that's going out, that I'm about to put onto the cable? You have to specify directionality.
And then it references an access list, either could be a named access list or a numbered access list, for the identification or classification purposes. And so here's an example of how you would apply it. So notice that we are at the interface level. And you would say ip access-group and then you reference your access list. Like ip access-group 1 or access-group 2. And then you specify your direction, in or out.

Now one thing that's important about the ip access-group feature is you can only have it in one direction per protocol. What do I mean by that? Well for example, I could say ip, I'll just put little hash symbols here. ip access-group 4, let me get rid of some of this stuff here. Okay, I could say ip access-group 4 in. And I could say ip access-group 8 out. So right now, if a packet comes, we don't know what this interface is. Let's just put something here, let's say it's FastEthernet 0/0. Okay, so if a packet comes in FastEthernet 0/0, I'm gonna stop and I'm gonna inspect that packet against my standard access list number 4.
If there's a line in access list 4, an access control entry that says deny, I'm gonna drop the packet. If there's a line in my standard access list that says permit that matches this packet, I'm gonna forward it through, I'm gonna let it into my device. Now if there's a packet that came in some other interface, FastEthernet 1/1 or a serial interface, and my router has decided it needs to route it out FastEthernet 0/0, well then it's gonna look at access list 8 to make that decision. Now let's say I come back later and I say ip access-group, let's say 7 in. And then guess what? It's going to delete this line. 'Cause I can only have one inbound and one outbound. So whatever the most recent one is that you typed in, it will override what the previous one was that said inbound.

So let's play around with this a little bit. So we're gonna use this topology. And I'm gonna build this up from the CCNA racks we have here at INE. So if you're using our rack rental tokens, you could create this on your own.
And I thought about having this pre-built in advance, but then I thought I could use this as a good learning tool for you guys. So when I'm creating a topology from nothing, step number one is you have to know what do I have to work with. What physical equipment do I have, how is it physically cabled up, and I know that my physical topology supports this. And how do I know that? Well, because if you rent time on our CCNA/CCNP racks, this is what the LAN topology looks like. This is every possible LAN connection. And so you can see from this, I can derive all kinds of certain topologies. So for example, I wanna use my connection from R1 to switch 1. So that's right here, I'm gonna be using this connection. This connection I'm not gonna use, so I'm just gonna shut it down, and so that is not even part of my topology. I'm gonna use this connection from R2 to switch 1. Which is right here. Once again, even though R2 has a connection to switch 2, I'm not gonna use it. I'm gonna shut it down, disable it, so it's not even part of my diagram.
I'm gonna use this connection from switch 1 to switch 2. I only need one connection for this lab I'm creating, 0/10. So I'm gonna use this one link right here. I'm gonna shut the other ones down. So what I usually do is, in this lab, I will disable interfaces that I don't use, because I don't want them to distract me. I don't want my traffic to go off in directions I can't foresee, I can't predict. And then I will only enable, with a no shut command, those interfaces that are actually part of my topology. So these numbers here in brown are the actual interfaces I'm gonna be using, like 0/1, 0/2, 0/10, and anything that's not shown here that's on this diagram is not being used. For example 13, 14, and 15, switch 3 entirely, I'm not even using him. So all these connections at switch 3 are disabled, I'm not using it. Now once I've figured out from my physical topology what interfaces I want up and actually active, and what interfaces are not relevant, then the next thing is to figure out my IP addressing.
And so I just came up with some very easy addresses. I sort of base it off of the interface, off of the device names. I figured okay, router 1 connecting to switch 1, let's just have a bunch of ones in the subnet. Switch 1 connecting to router 2, let's have a combination of ones and twos, so that's sort of how I came up with these subnets here that I'm gonna use. And then for my host bits, once again, I tried to make it meaningful. Right, switch 1, I'll just have him be .11 for everything. Switch 2, I'll have him be .22 for everything. So that way my IP subnetting scheme makes sense to me. And when I see these subnets in my various routing tables, I'll sort of be able to visualize where they belong in my topology diagram. Then what I do is, once I have all this mapped out, this is a great exercise for you in order to test your skills and your knowledge about: have I memorized the commands? Do I actually know the commands really well? This is what I do: I bring up a text editor like Notepad, let me go to it. And I will write out my configuration in the text editor from beginning to end.
Okay, I need to go into enable mode first, then config t, I'll type in a hostname. So this is all the configuration that router 1 should need for this topology. And then I'll scroll down and I'll make a configuration for the next device, router 2. And then the next device, so I'll write in text all of the configuration I think I need for each device. And then I'll copy and paste it in. If I was right, if I didn't mess up any of my commands, I won't get any error messages and I'll be done. If I get any error messages, then I'll know, oh okay, I misspelled something or I forgot a keyword. And this is a great way for you to practice your knowledge of your IOS commands, so let's just go ahead and do it. I haven't actually implemented any of this yet. Hopefully all of it's right. So let's go into router 1 and put this in. Okay, I'll just right-click and paste it in. And everything looks good, there were no error messages. Alright, save my configuration. And let's repeat it now with router 2. Copy, paste. And we're done with him. Now let's go to router 3.
Okay, this guy clearly has a debug running. show debug, otherwise I would not have seen that, I don't think, let's see. Yup, there's a debug running. So how do I turn off all debugs if I don't wanna see a bunch of stuff? undebug all. Alright, and let's go to router 4. show debug, do you have anything running in you? No, that's good.

Okay, and then my switches. Now my switches, I'm configuring them a little bit differently than what we've been dealing with in the videos. In the videos, all of my physical interfaces were always configured as layer-2 switching ports, as either switchport mode access, or switchport mode trunk, or switchport mode dynamic something. And you could certainly do that. I could've elected to have three different VLANs, because these are three different broadcast domains. And then I would've made the switchport mode access, and then I would've needed to create a layer-3 switched virtual interface like interface vlan 1, interface vlan 2, interface vlan whatever. But there's an alternative approach. That's one way you could do it.
But on these switches, because these switches are multilayer switches, meaning they can be routing, I can actually elect to convert their ports from a layer-2 switching port like access or trunk into what's called a routed port. Which means it's like a port on a router. You can slap an IP address on it and it's a layer-3 interface. And you simply do that on switches by using the no switchport command. When you type no switchport, then it allows you to put in an IP address as if it was a port on a router. And for me, this was easier because I didn't have to create VLANs, I don't have to create interface VLANs, I can basically turn this switch into a router with three interfaces. So let's go ahead and put that on there for, and notice I'm using the interface range command to shut down all of my interfaces first, and then I selectively go into each interface, say no switchport, add an IP address, and then bring the interface up. So my configurations for my switches are a little bit larger. Oh okay, something wasn't right.
So right there I can tell it did not like the no auto-summary, ahh, okay, so look at this. So this is a great test. So as you're doing this, if you see the caret symbol, you say uh-oh, something went wrong. Because that indicates IOS didn't like something. So at first it looks like it didn't like no auto-summary, but I think, wait a second, that's a valid command. Why didn't it like that? But look, we're at the global configuration level. This is a RIP command, and then if I go up a little bit more, ahh, IP routing not enabled. So I forgot in my configuration, I should probably put in ip routing up here towards the top. And I should do that in switch 2 as well, because he will need IP routing. Actually, that is switch 2. Let's do it up here in switch 1. Alright, let's try copying. I don't have to copy and paste the whole thing, 'cause a lot of the interfaces already worked. So actually what I'll do is I'll just put ip routing right here. And then I'll take it out up here.
Okay, because I previously didn't exit, if I did copy and paste this whole thing in again, because I typed exit here at the interface level, I would be back to global configuration level again. And this command would work. So this is all I'm gonna copy and paste for now. There we go, and now let's go into switch 2 and finish that off. I know I could've started, like I said, with all this stuff preconfigured. And for those of you who are watching the video saying, I wish you would have done that, I'm sorry, but I figured for those of you who might actually be trying to build labs from scratch, this could be a useful example of a way of doing that. And practicing your memorization of IOS commands at the same time.

Okay, so if everything's working correctly, router 1 now should have a connected network, and he should have one, two, three, four routes that he learned via RIP, four RIP routes, four subnets. Let's find out. show ip route. And there they are, they are all four RIP routes, so right now router 1 should be able to ping all the way down to 2.4.2.4. And he can.
Okay, so I now have end-to-end connectivity, let's practice my access list. So we know that with a standard access list, all it can match on is the source. So let's, first of all, write my objective. So if you're creating a lab for yourself or you're building a lab from scratch, you need to have a clearly defined idea of what is my objective in this lab. What am I trying to test and how am I gonna test it. So objective: test standard ACL feature and ip access-group feature, and directionality. Okay, so how am I gonna do it? So my objective here is: prevent IP packets sourced from R1 from pinging R4. So my idea here is that I want R1 to be able to ping everything but R4. Now here's the problem, I shouldn't say a problem, but my challenge is that with a standard access list, I can't specify the direction. I mean, I can't specify the destination. All I can specify in a standard access list is the source. So that being the case, let's see here, my access list should look something like this.
432 00:21:54,116 --> 00:21:57,783 ACL configuration, access-list and I'll just
433 00:21:59,258 --> 00:22:02,419 choose the number one because it's a standard access list.
434 00:22:02,419 --> 00:22:05,669 Deny and I'll say, host, actually let's
435 00:22:06,949 --> 00:22:10,592 do it with a wildcard mask, 1.1.1.1.
436 00:22:10,592 --> 00:22:12,431 And then what would the wildcard mask be
437 00:22:12,431 --> 00:22:15,764 to match all 32 bits of that host, 0000.
438 00:22:19,432 --> 00:22:23,599 Or I could've said access-list one deny host, 1.1.1.1.
439 00:22:24,760 --> 00:22:26,402 That also would've worked.
440 00:22:26,402 --> 00:22:28,405 And I need to put in a permit statement,
441 00:22:28,405 --> 00:22:31,680 because if I don't, that invisible deny anything
442 00:22:31,680 --> 00:22:35,847 will kill everything, so access-list one permit any.
443 00:22:38,736 --> 00:22:42,736 Okay now I have to use the access-group command.
444 00:22:45,463 --> 00:22:48,130 Which will be on some interface.
445 00:22:50,038 --> 00:22:54,247 And I'll say IP access-group one and then I'll
446 00:22:54,247 --> 00:22:58,595 have to supply some sort of direction, either in or out.
447 00:22:58,595 --> 00:23:03,077 Now this is where we get back to that one slide.
448 00:23:03,077 --> 00:23:04,327 If I go back...
449 00:23:06,346 --> 00:23:08,534 This bullet point right here.
450 00:23:08,534 --> 00:23:11,971 Where it said access list or standard access list,
451 00:23:11,971 --> 00:23:15,017 should be applied nearest to the destination.
452 00:23:15,017 --> 00:23:18,774 Here's where that is gonna make sense.
453 00:23:18,774 --> 00:23:22,441 If I took this IP access group and I put it,
454 00:23:25,037 --> 00:23:28,978 let's say right here, well if I put it in
455 00:23:28,978 --> 00:23:32,870 the outbound direction, would that work?
456 00:23:32,870 --> 00:23:37,291 That'd be saying, match packets going out this way.
457 00:23:37,291 --> 00:23:39,982 Well is there ever gonna be any packet going out this
458 00:23:39,982 --> 00:23:44,026 way with a source address that matches 1111?
459 00:23:44,026 --> 00:23:47,695 No, destination yes, but source address going
460 00:23:47,695 --> 00:23:50,775 this direction, no that wouldn't make sense.
461 00:23:50,775 --> 00:23:54,775 Okay what if I did it inbound on this interface?
462 00:23:56,764 --> 00:24:00,097 Okay, well that means a packet coming in
463 00:24:01,357 --> 00:24:05,373 that has a source address of 1111, it'll be matched
464 00:24:05,373 --> 00:24:08,269 and it'll be dropped because the access group
465 00:24:08,269 --> 00:24:10,381 feature says drop it.
466 00:24:10,381 --> 00:24:14,313 But that'll drop everything from router one.
467 00:24:14,313 --> 00:24:17,894 My objective was not to drop router one going everywhere,
468 00:24:17,894 --> 00:24:20,055 my objective was only if router one is trying
469 00:24:20,055 --> 00:24:24,071 to get to this guy down here, should I drop it.
470 00:24:24,071 --> 00:24:26,236 And that's why a standard access list should
471 00:24:26,236 --> 00:24:30,360 be applied as close to the destination as possible.
472 00:24:30,360 --> 00:24:33,711 Since you can't specify the destination, well,
473 00:24:33,711 --> 00:24:36,820 you might think oh okay well then why don't I put it
474 00:24:36,820 --> 00:24:38,403 right here inbound?
475 00:24:40,012 --> 00:24:42,845 Well here's the problem with that.
476 00:24:44,422 --> 00:24:48,880 If you put it here, router four, he will actually
477 00:24:48,880 --> 00:24:52,261 look up that packet and process it before he even
478 00:24:52,261 --> 00:24:54,928 looks at the access list.
479 00:24:54,928 --> 00:24:59,164 So let's just imagine for a moment that the destination
480 00:24:59,164 --> 00:25:02,478 was not a router, but imagine that this was a server
481 00:25:02,478 --> 00:25:04,938 right here that didn't support access lists
482 00:25:04,938 --> 00:25:06,787 'cause it's not a Cisco device.
483 00:25:06,787 --> 00:25:08,796 It's a Windows server or a Linux server.
484 00:25:08,796 --> 00:25:11,540 Well then in that case, the closest we could get
485 00:25:11,540 --> 00:25:15,457 to the destination would be right here on this.
486 00:25:16,465 --> 00:25:19,873 And I would say doing it in the outbound direction.
487 00:25:19,873 --> 00:25:22,588 So if I go to switch two and I go to interface
488 00:25:22,588 --> 00:25:26,105 fast ethernet 0/4 and I apply this command,
489 00:25:26,105 --> 00:25:29,210 I put this access list on it, on switch two.
490 00:25:29,210 --> 00:25:32,208 And then I put this command in the outbound direction.
491 00:25:32,208 --> 00:25:33,889 Let's see how that logic's gonna work.
492 00:25:33,889 --> 00:25:37,758 So as R1 is pinging R4, no one's gonna be looking
493 00:25:37,758 --> 00:25:40,331 at his packet, it's gonna go all the way through switch one
494 00:25:40,331 --> 00:25:42,622 so he can ping R2 if he wants to.
495 00:25:42,622 --> 00:25:45,175 He can ping any of the IP addresses on switch one
496 00:25:45,175 --> 00:25:48,417 if he wants to 'cause there's no access list here.
497 00:25:48,417 --> 00:25:52,584 Goes all the way down to switch two, if R1 is trying to ping
498 00:25:54,047 --> 00:25:56,797 this .22 or this .22, no problem.
499 00:25:58,724 --> 00:26:02,302 But then when it's routed out this interface,
500 00:26:02,302 --> 00:26:05,135 if I have IP access-group one out,
501 00:26:06,392 --> 00:26:08,502 he'll say hold on a second partner,
502 00:26:08,502 --> 00:26:10,702 I gotta look at that packet.
503 00:26:10,702 --> 00:26:15,308 And so if that packet matches 1111 as a source,
504 00:26:15,308 --> 00:26:17,457 he'll say, I'm gonna drop it.
505 00:26:17,457 --> 00:26:20,361 And so that will prevent router one from
506 00:26:20,361 --> 00:26:22,789 pinging router four.
507 00:26:22,789 --> 00:26:25,390 Let's go ahead and configure that on switch two
508 00:26:25,390 --> 00:26:26,890 just like it says.
509 00:26:30,111 --> 00:26:33,714 Access-list and I could pick any number in the
510 00:26:33,714 --> 00:26:36,566 standard range, I'll just pick one.
511 00:26:36,566 --> 00:26:38,931 People usually start with the lowest number.
512 00:26:38,931 --> 00:26:41,264 And I'll say deny host 1111.
513 00:26:44,744 --> 00:26:47,994 Or an alternative to that would be 1111
514 00:26:49,538 --> 00:26:53,462 and then a wildcard mask of all zeros.
515 00:26:53,462 --> 00:26:56,935 And then access-list one permit,
516 00:26:56,935 --> 00:26:58,726 I could put anything here.
517 00:26:58,726 --> 00:27:01,812 It doesn't really matter because that wildcard
518 00:27:01,812 --> 00:27:05,145 mask says, I could've used the word any.
519 00:27:06,059 --> 00:27:09,214 Let's see what happens actually here.
520 00:27:09,214 --> 00:27:11,631 Show run include access-list.
521 00:27:16,672 --> 00:27:18,074 So look what it did.
522 00:27:18,074 --> 00:27:21,675 My access list of 0000, it actually
523 00:27:21,675 --> 00:27:23,357 took out the wildcard mask.
524 00:27:23,357 --> 00:27:27,274 I could've typed it in as host, but it displays it as this.
525 00:27:27,274 --> 00:27:30,704 And this right here, it said, look that 32 bit number is
526 00:27:30,704 --> 00:27:33,456 meaningless because you said any of the bits
527 00:27:33,456 --> 00:27:35,192 could match it, it really doesn't matter.
528 00:27:35,192 --> 00:27:37,823 So that's the same thing as saying permit any.
529 00:27:37,823 --> 00:27:40,657 And now I just need to apply it.
530 00:27:40,657 --> 00:27:43,285 So now on switch two, I will go to interface
531 00:27:43,285 --> 00:27:46,172 fast ethernet 0/4 and I will insert my
532 00:27:46,172 --> 00:27:48,839 IP access-group one out command.
533 00:27:50,899 --> 00:27:55,244 'Cause I'm monitoring packets going out onto the wire.
534 00:27:55,244 --> 00:27:59,411 Interface fast ethernet 0/4 IP access-group one out.
535 00:28:03,694 --> 00:28:05,779 Alright so let's test it.
536 00:28:05,779 --> 00:28:08,869 From router one, I should be able to ping router two.
537 00:28:08,869 --> 00:28:10,731 'Cause there's no access list on switch one.
538 00:28:10,731 --> 00:28:14,685 So from router one, let's see if I can ping 1212.
539 00:28:14,685 --> 00:28:15,935 1212 and I can.
540 00:28:19,255 --> 00:28:21,691 From router one I should be able to ping this
541 00:28:21,691 --> 00:28:23,210 address on switch two.
542 00:28:23,210 --> 00:28:26,000 Because it's coming in this interface, there's no inbound
543 00:28:26,000 --> 00:28:29,541 access list here, there's no access groups
544 00:28:29,541 --> 00:28:31,459 applied to either one of these interfaces,
545 00:28:31,459 --> 00:28:34,347 so it should be able to ping in and then get a reply back.
546 00:28:34,347 --> 00:28:37,597 So from router one let's ping 2.3.2.22.
547 00:28:41,083 --> 00:28:43,620 No problem, I should even be able to ping
548 00:28:43,620 --> 00:28:46,620 this interface right here, 2.4.2.22.
549 00:28:50,574 --> 00:28:54,074 And I can, but if a packet tries to go out
550 00:28:55,008 --> 00:28:58,125 on this wire with a source address of 1111,
551 00:28:58,125 --> 00:29:00,978 now the access group feature should match that
552 00:29:00,978 --> 00:29:03,561 and it should be filtered or denied.
553 00:29:03,561 --> 00:29:06,728 So I should not be able to ping 2.4.2.4.
554 00:29:10,470 --> 00:29:12,111 And I cannot.
555 00:29:12,111 --> 00:29:14,491 These U's, the reason I'm getting these
556 00:29:14,491 --> 00:29:16,408 U's here, right here...
557 00:29:20,668 --> 00:29:24,143 That is a result of receiving what's called
558 00:29:24,143 --> 00:29:26,310 ICMP unreachable messages.
559 00:29:27,370 --> 00:29:30,620 So I sent an ICMP echo request to 2424.
560 00:29:32,651 --> 00:29:35,176 It was blocked by the switch, who has the access list
561 00:29:35,176 --> 00:29:37,366 and the access group security feature.
562 00:29:37,366 --> 00:29:39,821 And the switch responded to me saying,
563 00:29:39,821 --> 00:29:42,411 that is unreachable, you can't get there,
564 00:29:42,411 --> 00:29:44,476 and that's what that is.
565 00:29:44,476 --> 00:29:48,352 So that concludes this video on standard access lists
566 00:29:48,352 --> 00:29:50,417 and pairing them up with a security feature
567 00:29:50,417 --> 00:29:52,834 known as the IP access group.