[00:00:08] So in this video, we're gonna take a look at another type of access list called an extended access list. In a previous video, we looked at standard access lists. We saw that they're pretty easy to configure, because really all you have the ability to match on is the source IP address of an IP version 4 packet, and that's it. And we saw that fundamentally, you configure the access list with a number. Do you remember what the range of numbers was for a standard access list? It was from 1 to 99. And then there was an expanded range above that. So you configured access-list, the number, permit or deny, and then all you had left after that was some 32-bit number to match the source IP address, and then a wildcard mask to match against that 32-bit number. So now with an extended access list, we're gonna have a much broader range of things that we can match against.

[00:01:04] So just like a standard access list, with an extended access list, if you wanted to, you could just match on a source address. But you've got a lot of other things as well, including various fields in the layer 4 header.
[00:01:19] So if you want to check on anything, if you wanna classify or identify a packet on anything other than the source IP address, this would be your option, the extended access list. And notice that you can even check on layer 4 port numbers. So if you wanna match only on Telnet traffic or web browsing traffic, you've got that kind of flexibility with this.

[00:01:40] Now with a standard access list, I mentioned in the last video that that was ideally placed as close to the destination of the traffic as possible. Because if you place the standard access list close to the source and you're trying to prevent that source from going somewhere, well, because you couldn't specify the destination, that would prevent that source from going anywhere. So if it was close to the source, the source wouldn't be able to get to legitimate resources, as well as not being able to get to the destination that you did not want it to get to. That's why a standard access list was placed as close as possible to the destination device: prevent the traffic from getting to it just before it gets to the destination.
[00:02:22] That way the source can get to everything else it needs to. Well, with an extended access list, just the opposite is true. Because we do have the flexibility of now specifying source and destination, ideally you would implement your extended access list as close to the source of the traffic as possible. And I'll show you that on the whiteboard in just a moment.

[00:02:43] So extended access lists are in the range of 100 through 199; you should memorize that. And just like with standard access lists, there's another range of numbers that Cisco IOS recognizes as extended ACLs. This is called the expanded range, if you run out of numbers here. The expanded range is 2000 through 2699. That's 2000 through 2699.

[00:03:14] And like I mentioned, extended access lists are capable of transport header inspection. So an example just real quickly here: you know, why would it be beneficial for us to put it as close to the source as possible? Let's say we had the exact same requirement that we had previously, where we want R1 to be able to send packets anywhere other than here.
[00:03:38] We don't want R1 to be able to send any IP packets to that destination, 2.4.2.4. Okay, well, with an extended access list, we very well could put it right here on this interface. We could've put it outbound. Remember, an extended access list doesn't do anything unless you pair it up with some sort of feature that's using it. And in the last video we talked about the ip access-group interface feature. That's an interface-level feature which acted like a crude firewall, just blocking or permitting traffic. And the ip access-group feature was directional: you applied it on an interface and you had to tell it, is it for packets going out the interface or is it for packets coming into the interface? Well, certainly we could replicate our exact same lab from the last video, this time with an extended ACL matching a source of that host if we wanted to, 1.1.1.1. And this time with an extended ACL, we could also match on the destination, which is 2.4.2.4. And there's nothing preventing us from using the ip access-group feature to reference that ACL. And the ACL would say deny. And then placing it outbound here.
[00:05:01] And it would work. Here's the downside to this. The idea is, if a packet is ultimately gonna be dropped somewhere in the network due to some security restriction, does it really make sense that we should consume bandwidth on all sorts of cables to transport that packet? Consume a little bit of processing time on various routers and switches to look it up and forward it, if ultimately it's gonna be destroyed anyway? Because if we put our access group outbound here, remember only one frame can go on a wire at a time. So when one frame is on a wire, no other frames can use that wire. So that's time that's lost for other legitimate traffic. So while R1 is putting his frame right here, nobody else can use that cable. And then when switch one processes it, once again, while switch one's looking up that frame, he does not have the capability of looking up any other frame, so that's time that's lost. And then when it gets to switch two, it's using up some bandwidth on this cable. When it gets to switch two, it's using up some of his processing time. And then finally, it's dropped right here.
[00:06:09] That's why they say it's better to put an extended access list that's going to be dropping or modifying traffic in some way as close to the source as possible. So in this particular case, it would make more sense for us to put our extended access list right here in the inbound direction. That way any traffic that's gonna be dropped, well, yeah, it's gonna use up a little bit of bandwidth on this cable, but it's not gonna bother anybody else in the network. It'll be dropped long before it consumes any resources anywhere else in the network. That's why an extended ACL, if you can, is best to place closest to the source.

[00:06:46] Okay, so where can an extended access list look? What types of things can you check with an extended ACL? Well, now you can certainly check the source and destination IP address. You can check the protocol number. And as a matter of fact, when you configure an extended ACL, you have to put something in the field that checks protocol. Now you have some choices here. So in the standard access list, if I go back here for a moment, let me just configure a little bit larger font.
[00:07:21] So we just typed, so I'll just say Standard ACL. You just type access-list and then you gave it some number, typically from 1 to 99. And that's what you put right here. And then after that, you just simply said permit or deny. And that applied against any kind of IP traffic; didn't matter what it was. TCP, UDP, all IP traffic would match against this. And then you had your source. And I'll just put it underneath here 'cause I've sort of run out of room: your wildcard mask.

[00:08:00] Now with an extended access list, I'm gonna abbreviate it here a little bit. So with an extended ACL, you're still gonna start with access-list and then a number. So both of these are considered numbered access lists. In this case, it's probably gonna be 100 through 199; that's most likely the range that you're gonna put right here. And you're still gonna say right after that either permit or deny. But now there's a new field you have to put in before you put in your source and your wildcard. This right here, you have a choice of a variety of things.
[00:08:53] Basically what goes right there is, imagine... well, it's just better to show it to you than try to describe it. 'Cause I'm not exactly sure what logic they use there for that, but let me just demonstrate it real quick. access-list 101 deny ? Okay, so you can deny all IP packets if that's still your desire. So you gotta put something here. You could deny ip, or you could select a protocol that IP carries. For example, TCP, that's protocol number 6 in the IP header field. UDP, right, that's protocol number 17. So by selecting one of these two things, you are now having it match on this field right here. By selecting ip, you're ignoring that field and you're just saying all IP packets. So all of these other things here, other than ip, all this other stuff matches up with various numbers that go into this protocol field right here. And there's a lot more things that go in here than just what you see, so if there's a particular protocol that you know of that's not in this list, but you do know the number of the protocol, you can just select the number instead.
[00:10:15] And then once you select that, and you have to put something there, then you can put your source and your wildcard. And once again, maybe you say, well, I don't care about the source; all I really wanna match on is where these packets are going. Okay, well, if you don't care about the source, just put the keyword any. And then after the source and the wildcard, I'm gonna go ahead and continue on here; I'm just gonna wrap the line around. Then optionally, so I'll put that in brackets and it says optional, source layer 4 port. And then you would have the destination IP and a wildcard.

[00:10:54] So the source layer 4 port, depending on the direction of the traffic, that could be difficult to match on. But let me show you a use case where you might decide you wanna do that. So let's say we had this topology right here. I'll just make it real simple. Here's a PC, here's a server, here's a router in the middle. We'll just put a line through 'em. And let's say this PC is 1.1.1.1 and this server is 2.2.2.2. Okay, and let's say that this PC is trying to issue some sort of web browsing connection.
[00:11:37] So, an HTTP session to the server. Okay, so we know that in this direction, if we look at the traffic in that direction, source IP will be 1.1.1.1, destination IP will be 2.2.2.2, layer 4 protocol will equal TCP because we're talking about HTTP. And then down here, the source TCP port number will be... we have no idea. And then the destination TCP port number will be 80 for HTTP.

[00:12:15] So notice that when traffic is being initiated from whoever is starting the conversation, remember that the layer 4 source port number, most of the time, not always, is what we call an ephemeral port number. We have no idea what it's gonna be at layer 4. This device says, okay, I've got a tab open in Internet Explorer or a tab open in Google Chrome. So in order to keep track of this as an individual, unique TCP session, I'll just come up with some random port number. And then if I open up another tab in Google Chrome or another tab in Internet Explorer, well, the destination port number will be the same because they're both going to HTTP.
[00:12:55] So I need to come up with another unique random port number. So if you are trying to match on this traffic going from left to right and you're trying to match on the source TCP port number in this field right here, that would be next to impossible, because there's really no way you could predict what it would be. But where matching on the source port number would be possible is in the return traffic. Because if we think about when that server is responding back in that HTTP response, now the source will be 2.2.2.2, destination's going back to that host. Layer 4 protocol is still TCP. But get this: the source TCP port is now 80, because it was going to 80 and now 80 is responding back. And the destination TCP port is whatever that random port number was. So technically, if you said, well, I wanna block Telnet sessions from this host to this PC, most of the time the way people would do that is they would create their extended access list, they would apply it inbound right there on that interface, and what they would be blocking would be the IP information and the destination TCP port of 80, because we can match on that.
[00:14:18] But theoretically, if you wanted to, you could still kill this connection, prevent it from completing, by instead putting the access-group command on this interface in the inbound direction and then matching on this, and matching on a source port of 80. Now you might think to yourself, well, why would I wanna do that? Well, here's a particular reason. Let's say that I'm the person who's in charge of this server, and I say, well, this particular web server is only for people in my payroll department. Nobody else in my company should even be trying to get to this web server. As a matter of fact, they shouldn't even know that it exists. So anybody who's not in payroll, I wanna block them if they try to get to this web server. Now here's the thing: I want to know if anybody in the company is trying to get to the web server. I wanna keep some statistics on that. So I actually, on the web server, wanna have some program running that's tracking all incoming HTTP requests regardless of where they're coming from. Now if they're not coming from payroll, I wanna kill 'em.
[00:15:31] So when the web server goes to reply to those requests from HR or marketing or engineering, I want the router to stop that. I want them stopped, but I do want them to get to the server so my software program can track that information. And so I can see, hey, Joe over there in marketing keeps trying to bring up this payroll website. He's not even supposed to know that it exists. Why is he trying to do that? And now I can do some investigation. But if I block that traffic inbound on the router, the server never even would've received it. There would be no way for me to track the statistics or accountability or anything like that. So that might be one reason why you might want the traffic to get to the destination and kill it on the return path. So just an idea; I don't know if anybody out there in the actual real world does that, but that was an idea I had.

[00:16:23] So you can see, you can also match on the source and destination TCP or UDP port numbers. You could even match on the TCP control flags.
[00:16:36] An example of matching on the TCP control flags, and this is going a little bit higher than the CCNA level, but I like to explain, you know, why they made these things like this. So we know that in every TCP session, before any TCP data is transferred, the endpoints have to verify their existence, right? And there's something that happens at the beginning of every TCP session. What do we call that process? That's called the TCP three-way handshake. So the initiator sends a TCP SYN, we get a SYN plus an ACK, and then an ACK. Now at that point, all of the other TCP traffic that goes back and forth is always gonna have the ACK bit set. Everything in either direction, 'cause they're both gonna be acknowledging each other on every single TCP segment that flies back and forth. So sometimes what people do is they say, well, I only want to allow TCP sessions... Maybe you say, okay, this part of my network is the safe and secure part of my network. This is the part of the network that should be initiating TCP sessions. They should always be starting this way.
[00:17:45] So if traffic's always starting this way and I don't want this side to initiate, this side is maybe the public internet. And I don't want traffic coming in from the public internet if it's being initiated from the internet. It should just be in response to something in my company. Well, if it's always being initiated here, that means every single TCP segment coming from this direction will always have the ACK bit set, won't it? This will be the only frame, the very first TCP segment, that will have the SYN bit set. After that, everything else will have the ACK bit set. So I could say, okay, I'm gonna apply my access list inbound right here and I'm only gonna allow TCP segments that have the ACK bit set. If the ACK bit is set, that means these guys are responding to something that was initiated here. If they try to initiate something with a SYN, that will be dropped, because the ACK bit won't be turned on there. And that's called an established session. A TCP established session is one that has the ACK bit set. So that's how sometimes people use those control flags. They say match on any TCP session as long as the ACK bit is turned on.
[00:18:53] And that's one way of enforcing that kind of thing.

[00:18:59] Okay, and so we've already looked a little bit at configuring this. So let's just do a quick lab on this. I'm gonna use the exact same topology that we used in the previous lab for the standard access list. And like I said, whenever you're working up a lab for yourself, at the very beginning you should always identify what your objective is, what you're trying to accomplish with this lab. So in my objective, I'm gonna write up here: Objective: test extended ACL functionality by denying any Telnet traffic sourced from the 1.1.1.x/24 subnet destined for the 2.4.2.0 subnet and allowing all other traffic types. So that's what I'm gonna try to do. That's gonna be my objective.

[00:20:06] Alright, so let's think about this. First of all, let's go ahead and create what the access list is gonna look like, and then we'll figure out where we want to apply it. So we'll say access-list, and typically I'll just use the first number there, 100. And I want to deny, and I'm talking about Telnet traffic. Now remember, I have to put something right here.
[00:20:26] I either put ip... now if I put ip, that's gonna deny everything. If you put ip in this field, at that point you've lost the ability to match on any layer 4 information. Once you put ip right here, Cisco IOS at that point won't give you any ability to match on any layer 4 stuff. So if I wanna match on layer 4 information, I have to figure out what's the layer 4 protocol. Well, in this case, it would be TCP, 'cause Telnet is carried in TCP. And then in my source, I will put the subnet, and I have to put a wildcard mask that matches that. And then I put the destination and the wildcard mask. And then here, I could put eq 23, because Telnet is TCP port 23. Now if I just leave it like that, wherever I apply this, everything will be dropped. Because remember, at the end of every access list is that implicit deny all that you can't see. So now I need to create one more line that will permit everything else: ip from any source to any destination. So that's how my access list could be created. Now we said the best way to do this is to place it as close to the source as possible.
432 00:21:43,220 --> 00:21:47,039 So I think we should place that access list 433 00:21:47,039 --> 00:21:49,706 inbound right on this interface. 434 00:21:52,615 --> 00:21:55,698 So I'll say, access-group 100 inbound 435 00:21:58,212 --> 00:21:59,819 and that's where I'm gonna put it. 436 00:21:59,819 --> 00:22:03,986 It's actually IP access group to be technically precise. 437 00:22:04,822 --> 00:22:06,464 So that's what I'm gonna do. 438 00:22:06,464 --> 00:22:08,700 So in order to test this to begin with, 439 00:22:08,700 --> 00:22:11,144 I need to enable a couple of these routers, 440 00:22:11,144 --> 00:22:14,745 R4 and maybe one other device for Telnet. 441 00:22:14,745 --> 00:22:16,978 Which means I have to go into my VTY lines 442 00:22:16,978 --> 00:22:18,802 and configure some passwords, so let me do that 443 00:22:18,802 --> 00:22:19,885 on R3 and R4. 444 00:22:25,845 --> 00:22:29,595 line vty 0 4 and we'll just say, password INE. 445 00:22:30,977 --> 00:22:34,187 I'll type in the full command for you. 446 00:22:34,187 --> 00:22:35,775 Okay now if I try to Telnet to the device 447 00:22:35,775 --> 00:22:38,960 I'll have to supply a password of INE. 448 00:22:38,960 --> 00:22:43,043 And in router four, I'll do the exact same thing. 449 00:22:46,928 --> 00:22:49,928 Okay and now I will go to router one 450 00:22:51,093 --> 00:22:54,885 and verify that I can ping and Telnet to both devices. 451 00:22:54,885 --> 00:22:58,865 So let's try router three first, 2.3.2.3. 452 00:22:58,865 --> 00:23:01,532 Ping 2.3.2.3, yes I can ping it. 453 00:23:03,050 --> 00:23:06,116 Let's see if I can initiate a Telnet session to it. 454 00:23:06,116 --> 00:23:06,949 Yes I can. 455 00:23:07,840 --> 00:23:09,980 Okay, now let's verify I can do the same thing 456 00:23:09,980 --> 00:23:11,730 to router four, 2.4.2.4. 
457 00:23:15,391 --> 00:23:17,723 Ahh, we still have our access list 458 00:23:17,723 --> 00:23:19,722 from the previous lab on the switch, 459 00:23:19,722 --> 00:23:22,487 that's why that is not working. 460 00:23:22,487 --> 00:23:25,219 So I need to go to switch two. 461 00:23:25,219 --> 00:23:28,238 Review question, what is the command I type, 462 00:23:28,238 --> 00:23:30,691 I wanna delete this access list, but I don't remember 463 00:23:30,691 --> 00:23:33,180 what the number was that I configured. 464 00:23:33,180 --> 00:23:35,621 Other than doing show run, we could always do show run, 465 00:23:35,621 --> 00:23:37,870 what other command could I type in to view 466 00:23:37,870 --> 00:23:41,684 what access lists are currently configured on this box? 467 00:23:41,684 --> 00:23:45,351 Well hopefully you said show IP access-list. 468 00:23:48,007 --> 00:23:50,382 Okay so it's access list one. 469 00:23:50,382 --> 00:23:52,879 Now another thing I wanna figure out. 470 00:23:52,879 --> 00:23:55,740 Clearly this access list is being used 471 00:23:55,740 --> 00:23:58,462 by the IP access-group command. 472 00:23:58,462 --> 00:24:02,629 Which is on some interface and that's why my ping failed. 473 00:24:03,824 --> 00:24:07,069 But this does not show me which interface 474 00:24:07,069 --> 00:24:09,819 has that IP access-group command. 475 00:24:10,942 --> 00:24:12,440 Any ideas as to what show command 476 00:24:12,440 --> 00:24:14,607 I could issue to see that? 477 00:24:16,187 --> 00:24:17,837 Well what I would start by doing is looking 478 00:24:17,837 --> 00:24:19,827 at my topology diagram. 479 00:24:19,827 --> 00:24:23,551 Clearly wherever it is, it's not on this interface. 480 00:24:23,551 --> 00:24:25,530 'Cause this interface would be irrelevant, 481 00:24:25,530 --> 00:24:26,982 that would never prevent the traffic. 
482 00:24:26,982 --> 00:24:29,029 So it's either gotta be on fast ethernet 0/10 483 00:24:29,029 --> 00:24:32,555 or fast ethernet 0/4, one of those two. 484 00:24:32,555 --> 00:24:34,888 So I'm gonna check those. 485 00:24:34,888 --> 00:24:37,555 You can do the show IP interface 486 00:24:39,394 --> 00:24:42,481 and then fast ethernet 0/10. 487 00:24:42,481 --> 00:24:46,548 And what you're looking for in here, is this section. 488 00:24:46,548 --> 00:24:48,727 So this says that on this interface there are 489 00:24:48,727 --> 00:24:50,996 no access lists applied. 490 00:24:50,996 --> 00:24:55,221 So let's take a look at the other interface. 491 00:24:55,221 --> 00:24:59,670 And there we go, outgoing access list is one. 492 00:24:59,670 --> 00:25:03,982 So technically I don't have to delete access list one. 493 00:25:03,982 --> 00:25:07,395 All I really have to delete is the access group command 494 00:25:07,395 --> 00:25:09,008 that's actually on this interface. 495 00:25:09,008 --> 00:25:11,412 'Cause once I remove that, the access list won't even 496 00:25:11,412 --> 00:25:13,167 be used by anything. 497 00:25:13,167 --> 00:25:17,334 So interface fast ethernet 0/4 no IP access-group one, 498 00:25:20,125 --> 00:25:23,958 and it says it's outgoing, so it would be out. 499 00:25:24,993 --> 00:25:27,601 Now I'm gonna go ahead and delete the access list. 500 00:25:27,601 --> 00:25:29,711 Let me show you one other very important 501 00:25:29,711 --> 00:25:31,794 point about access lists. 502 00:25:33,492 --> 00:25:35,163 First of all, let's take a look at the current 503 00:25:35,163 --> 00:25:36,995 access list, I think it's pretty short. 504 00:25:36,995 --> 00:25:40,160 I think it's only got like two lines in it. 505 00:25:40,160 --> 00:25:41,438 Okay yeah, so it's got two lines. 506 00:25:41,438 --> 00:25:44,078 Let me just add two random lines 507 00:25:44,078 --> 00:25:48,245 so I can show you what I'm about to demonstrate here. 
508 00:25:49,986 --> 00:25:52,554 Just gonna make something up. 509 00:25:52,554 --> 00:25:54,471 And that's good enough. 510 00:25:55,405 --> 00:25:59,719 Okay so let's take a look at my access list. 511 00:25:59,719 --> 00:26:01,592 Okay there it is. 512 00:26:01,592 --> 00:26:04,445 Now let's say I said, oh this line was a mistake. 513 00:26:04,445 --> 00:26:06,043 I didn't mean to put that in there, 514 00:26:06,043 --> 00:26:07,732 I wanna get rid of that line. 515 00:26:07,732 --> 00:26:10,735 Alright so let's get rid of it here. 516 00:26:10,735 --> 00:26:13,390 Alright that should do it, Enter. 517 00:26:13,390 --> 00:26:16,099 Okay now remember where the access list was, 518 00:26:16,099 --> 00:26:18,490 it was sort of right below my RIP stuff right? 519 00:26:18,490 --> 00:26:20,671 Let's look at my access list now. 520 00:26:20,671 --> 00:26:24,104 Alright so it's right below the RIP configuration, 521 00:26:24,104 --> 00:26:26,770 right around there, let's see. 522 00:26:26,770 --> 00:26:28,437 And oh, where is it? 523 00:26:30,107 --> 00:26:30,940 It's gone! 524 00:26:30,940 --> 00:26:33,139 That is the point I want to make. 525 00:26:33,139 --> 00:26:37,264 With a numbered access list, when you delete any 526 00:26:37,264 --> 00:26:42,031 of the lines, it deletes all of them all at once. 527 00:26:42,031 --> 00:26:43,815 Very important point. 528 00:26:43,815 --> 00:26:47,437 So in hindsight, what I should've done is if I really 529 00:26:47,437 --> 00:26:49,305 want to delete just this one line, 530 00:26:49,305 --> 00:26:51,886 I should have copied this entire access list 531 00:26:51,886 --> 00:26:55,990 into a text editor like WordPad or Notepad or something. 
532 00:26:55,990 --> 00:26:59,573 Deleted the line there and then when I knew 533 00:27:00,618 --> 00:27:02,388 that nobody was on my network, 534 00:27:02,388 --> 00:27:05,267 'cause I'm gonna have a temporary security hole here 535 00:27:05,267 --> 00:27:07,142 by doing this for like a second or two, 536 00:27:07,142 --> 00:27:11,278 so like six AM in the morning or three AM in the morning, 537 00:27:11,278 --> 00:27:15,116 log in to this device, delete the entire access list. 538 00:27:15,116 --> 00:27:16,319 'Cause that's the only way you can do it. 539 00:27:16,319 --> 00:27:18,792 Delete it all and then very quickly copy and paste in 540 00:27:18,792 --> 00:27:20,283 the revised version. 541 00:27:20,283 --> 00:27:22,759 That would be the only way to do it. 542 00:27:22,759 --> 00:27:24,831 I shouldn't say that's the only way to do it. 543 00:27:24,831 --> 00:27:29,029 There are more complicated ways, but at the CCNA level, 544 00:27:29,029 --> 00:27:33,355 that's what they want you to take away from this. 545 00:27:33,355 --> 00:27:35,164 Okay so now that I've done that, 546 00:27:35,164 --> 00:27:37,556 let's go back to router one. 547 00:27:37,556 --> 00:27:41,408 He should now be able to do his ping to router four, he can. 548 00:27:41,408 --> 00:27:42,901 He should now be able to do his Telnet 549 00:27:42,901 --> 00:27:45,808 to router four and he can. 550 00:27:45,808 --> 00:27:49,975 Alright so now let's go ahead and implement this access list 551 00:27:51,733 --> 00:27:53,834 and I'm gonna do it inbound on switch one 552 00:27:53,834 --> 00:27:57,667 on his fast ethernet 0/1 interface. 553 00:28:02,902 --> 00:28:05,652 Okay so access-list 100 deny TCP, 554 00:28:08,497 --> 00:28:12,063 the source subnet where the traffic's gonna come from. 555 00:28:12,063 --> 00:28:16,230 The destination subnet of where the traffic's going. 
556 00:28:17,601 --> 00:28:21,169 And you can see here if I do a question mark, 557 00:28:21,169 --> 00:28:23,581 there's actually quite a few things here I could do. 558 00:28:23,581 --> 00:28:25,313 You can even do a time range. 559 00:28:25,313 --> 00:28:28,541 But you could say I wanna match on any port numbers 560 00:28:28,541 --> 00:28:30,581 that are greater than a certain port number. 561 00:28:30,581 --> 00:28:33,533 Or less than a certain port number. 562 00:28:33,533 --> 00:28:35,328 But in this particular case, I wanna match on 563 00:28:35,328 --> 00:28:39,144 a specific port number, port number 23 which is Telnet. 564 00:28:39,144 --> 00:28:42,154 So I'm gonna say equal, match only packets on 565 00:28:42,154 --> 00:28:43,758 this given port number. 566 00:28:43,758 --> 00:28:47,304 So I'll say eq and then if I do the question mark, 567 00:28:47,304 --> 00:28:49,232 actually you can see, it already is aware. 568 00:28:49,232 --> 00:28:53,033 I could type eq telnet, that would work. 569 00:28:53,033 --> 00:28:57,813 A little hint though, when you take the CCNA exam, 570 00:28:57,813 --> 00:29:01,088 they will expect you to know a lot of these port numbers. 571 00:29:01,088 --> 00:29:04,262 Not all of them, this is a monstrous list here. 572 00:29:04,262 --> 00:29:06,140 Let me tell you what some of the port numbers 573 00:29:06,140 --> 00:29:08,603 are that you should have memorized going into the exam. 574 00:29:08,603 --> 00:29:10,306 At least as far as TCP is concerned. 575 00:29:10,306 --> 00:29:12,889 You wanna know that BGP is 179. 576 00:29:13,907 --> 00:29:17,324 You want to know that FTP uses 20 and 21, 577 00:29:19,478 --> 00:29:21,145 those are important. 578 00:29:22,148 --> 00:29:25,148 You wanna know that SMTP is port 25. 579 00:29:28,845 --> 00:29:32,012 You wanna know that Telnet is port 23. 580 00:29:33,493 --> 00:29:35,871 And you wanna memorize that web browsing 581 00:29:35,871 --> 00:29:37,454 or HTTP is port 80. 
582 00:29:39,316 --> 00:29:41,823 Definitely wanna make some flash cards for yourself 583 00:29:41,823 --> 00:29:44,823 and memorize those TCP port numbers. 584 00:29:47,786 --> 00:29:49,330 And now I'm just gonna create my second line 585 00:29:49,330 --> 00:29:52,914 permitting everything else, okay great. 586 00:29:52,914 --> 00:29:54,845 And now I need to apply the access list. 587 00:29:54,845 --> 00:29:59,186 So I will go on to my fast ethernet 0/1 588 00:29:59,186 --> 00:30:02,006 and apply that with the access group command 589 00:30:02,006 --> 00:30:04,089 in the inbound direction. 590 00:30:05,673 --> 00:30:07,590 IP access-group 100 in. 591 00:30:10,493 --> 00:30:13,545 Okay so to test this now, router one should still be able 592 00:30:13,545 --> 00:30:16,962 to Telnet and ping to router three, 2.3.2.3. 593 00:30:23,580 --> 00:30:24,957 And he can. 594 00:30:24,957 --> 00:30:29,124 He should still be able to ping router four, 2.4.2.4. 595 00:30:31,854 --> 00:30:35,660 And he can, but he should no longer be able to Telnet 596 00:30:35,660 --> 00:30:38,604 to router four, and he cannot. 597 00:30:38,604 --> 00:30:40,687 Destination unreachable.