WEBVTT

0:00:03.060000 --> 0:00:07.140000
Hello and welcome to this video refresher for the CCDA Bootcamp on classification

0:00:07.140000 --> 0:00:10.540000
using access control lists.

0:00:10.540000 --> 0:00:13.520000
So as a review, what is an access control list?

0:00:13.520000 --> 0:00:17.080000
It is a packet identification mechanism.

0:00:17.080000 --> 0:00:21.880000
So an access control list by itself doesn't do anything to your packet.

0:00:21.880000 --> 0:00:27.400000
It's something that other features can use to classify or categorize packets.

0:00:27.400000 --> 0:00:31.600000
So access lists can identify packets based on layer three and layer four

0:00:31.600000 --> 0:00:35.940000
headers. So for example, I could have one access list that's matching

0:00:35.940000 --> 0:00:40.280000
on a certain source or destination IP address, maybe source or destination

0:00:40.280000 --> 0:00:42.160000
TCP/UDP port number.

0:00:42.160000 --> 0:00:46.980000
Maybe that one access list is being used by network address translation.

0:00:46.980000 --> 0:00:51.260000
And so if a packet comes in and it matches a permit statement in that

0:00:51.260000 --> 0:00:56.060000
access list, that means we are permitted to change the address, to network

0:00:56.060000 --> 0:00:57.820000
address translate it.

0:00:57.820000 --> 0:01:02.560000
That exact same access list could be matched by an encryption statement,

0:01:02.560000 --> 0:01:04.400000
some sort of encryption policy.

0:01:04.400000 --> 0:01:08.500000
Now, if a packet matches that ACL and it matches a permit statement, that

0:01:08.500000 --> 0:01:11.120000
means we are permitted to encrypt it.

0:01:11.120000 --> 0:01:14.960000
So the access list itself has permit and deny statements.

0:01:14.960000 --> 0:01:19.480000
But what that permit and deny is doing, you have no idea until you can

0:01:19.480000 --> 0:01:26.000000
find what feature or features are using the services of that ACL.

0:01:26.000000 --> 0:01:30.640000
So each access list is composed of one or more access control entries,

0:01:30.640000 --> 0:01:34.940000
which are assigned a sequence number and processed in sequential order.

0:01:34.940000 --> 0:01:47.860000
So what that's referring to is, I could say, access-list 1 permit

0:01:47.860000 --> 0:01:51.000000
10.10.10.0

0:01:51.000000 --> 0:01:54.160000
0.0.0.255.

0:01:54.160000 --> 0:01:59.060000
Now I've just created one access control entry in access list 1.

0:01:59.060000 --> 0:02:01.240000
I can create another access control entry.

0:02:01.240000 --> 0:02:04.060000
access-list 1.

0:02:04.060000 --> 0:02:06.580000
So we're still in the exact same ACL.

0:02:06.580000 --> 0:02:12.360000
deny host 2.2.2.2.

0:02:12.360000 --> 0:02:19.520000
So this is all in access list 1, but each one of these is an access

0:02:19.520000 --> 0:02:26.900000
control entry, an ACE.

0:02:26.900000 --> 0:02:32.600000
And you should have at least one permit statement, one permit ACE.

0:02:32.600000 --> 0:02:38.400000
The reason why is because once you configure an access list, even if you

0:02:38.400000 --> 0:02:44.340000
just have one entry, one line, automatically, and you don't see this, at

0:02:44.340000 --> 0:02:46.400000
the very end, which is kind of invisible,

0:02:46.400000 --> 0:02:50.780000
is a statement that we call the implicit deny.

0:02:50.780000 --> 0:02:54.500000
So you could say access list 1 permit this access list.

0:02:54.500000 --> 0:02:58.120000
Actually, let's take the other approach: access list 1 deny this host,

0:02:58.120000 --> 0:03:02.920000
access list 1 deny this network, access list 1 deny this other host.

0:03:02.920000 --> 0:03:05.480000
Okay. I've denied the three things I want to deny.

0:03:05.480000 --> 0:03:10.620000
I'm done. Apply it to some NAT command or encryption command or something

0:03:10.620000 --> 0:03:13.400000
else. Well, here's the problem.

0:03:13.400000 --> 0:03:17.640000
Yes, you have denied those three things, but there's the implicit deny,

0:03:17.640000 --> 0:03:23.200000
the invisible deny all, if you will, at the very end of the ACL.

0:03:23.200000 --> 0:03:27.160000
So you've actually denied everything, not just the three things you want

0:03:27.160000 --> 0:03:30.880000
to deny, but everything, because stuff that comes in that does not match

0:03:30.880000 --> 0:03:36.300000
line one, line two, or line three will match that implicit deny at the very

0:03:36.300000 --> 0:03:40.080000
end. That's why they say an access list should have at least one permit

0:03:40.080000 --> 0:03:43.300000
statement, because you don't want to deny everything.

0:03:43.300000 --> 0:03:47.700000
So what can be matched by an access list?

0:03:47.700000 --> 0:03:50.760000
Well, lots of different things.

0:03:50.760000 --> 0:03:56.000000
Some fields within an access list must be matched entirely, bit

0:03:56.000000 --> 0:03:59.080000
for bit or bit by bit.

0:03:59.080000 --> 0:04:00.040000
What does that mean?

0:04:00.040000 --> 0:04:01.620000
Well, let's think about it this way.

0:04:01.620000 --> 0:04:05.500000
In your IP header, let's just look at the protocol field.

0:04:05.500000 --> 0:04:13.260000
Okay, we know that protocol field contains, like, 6 for TCP or 17 for

0:04:13.260000 --> 0:04:19.320000
UDP. Maybe somebody says, hey, here's what I want to do.

0:04:19.320000 --> 0:04:21.920000
I want my access list to do this.

0:04:21.920000 --> 0:04:25.860000
So that protocol field, I believe is...

0:04:25.860000 --> 0:04:28.580000
I'm not sure how many bits it is off the top of my head.

0:04:28.580000 --> 0:04:30.080000
Let's just say it's eight.

0:04:30.080000 --> 0:04:32.140000
It's probably even bigger than that.

0:04:32.140000 --> 0:04:36.080000
All right, let's say this is the protocol field right here.

0:04:36.080000 --> 0:04:41.320000
What if somebody came to you and said, hey, this is what I want to do.

0:04:41.320000 --> 0:04:46.720000
I want my access list to match the protocol field, but here's what I want.

0:04:46.720000 --> 0:04:50.180000
I want to match any number in here as long as that number starts out with,

0:04:50.180000 --> 0:04:55.140000
in binary, one, one, zero, one, and then I don't care about the rest.

0:04:55.140000 --> 0:04:58.700000
So any protocol number that begins with one, one, zero, one, that's what

0:04:58.700000 --> 0:05:00.020000
I want to match on.

0:05:00.020000 --> 0:05:01.500000
You can't do that.

0:05:01.500000 --> 0:05:05.880000
So if you choose to match the protocol field or any of these other fields,

0:05:05.880000 --> 0:05:10.840000
you have to put in an entire number and it will match just that number,

0:05:10.840000 --> 0:05:17.940000
whether it be protocol, port number, destination port, or so on and so forth.

0:05:17.940000 --> 0:05:23.960000
Other fields allow you to do wildcarding, where you can do a partial

0:05:23.960000 --> 0:05:28.180000
match. For example, the source IP address, you could actually say, hey,

0:05:28.180000 --> 0:05:31.480000
I want to match on any source IP address that starts with the number 10.

0:05:31.480000 --> 0:05:34.220000
I don't care about the rest of the numbers, just match on those first

0:05:34.220000 --> 0:05:36.400000
few bits. You can do that.

0:05:36.400000 --> 0:05:41.700000
Now, just a little disclaimer here: the source port and the destination

0:05:41.700000 --> 0:05:46.640000
port actually do, as I think about it, give you the ability to match

0:05:46.640000 --> 0:05:48.880000
on a range of numbers.

0:05:48.880000 --> 0:05:52.380000
You can do that, but you can't do any kind of wildcarding.

0:05:52.380000 --> 0:05:55.680000
You can't say, hey, in the source port, national name source port where

0:05:55.680000 --> 0:06:00.420000
the fourth bit is this or bits seven and nine are this.

0:06:00.420000 --> 0:06:01.980000
You can't do that.

0:06:01.980000 --> 0:06:06.660000
So what is wildcarding?

0:06:06.660000 --> 0:06:09.840000
So when you apply a wildcard, well, think about this.

0:06:09.840000 --> 0:06:11.140000
Think about a subnet mask.

0:06:11.140000 --> 0:06:14.740000
I've got an IP address and a subnet mask.

0:06:14.740000 --> 0:06:16.000000
What does that subnet mask do?

0:06:16.000000 --> 0:06:19.280000
Well, the subnet mask by itself does absolutely nothing.

0:06:19.280000 --> 0:06:22.700000
It's a tool that matches against something else.

0:06:22.700000 --> 0:06:25.820000
It matches against, in this case, an IP address.

0:06:25.820000 --> 0:06:32.220000
So if the subnet mask says 255.255.0.0, that means, as far as

0:06:32.220000 --> 0:06:37.140000
this IP address is concerned, the first two octets are important to me.

0:06:37.140000 --> 0:06:39.540000
The last two octets I don't care about.

0:06:39.540000 --> 0:06:42.020000
That's how a subnet mask works.

0:06:42.020000 --> 0:06:44.100000
Now in a subnet mask,

0:06:44.100000 --> 0:06:47.660000
if I had 250... oops, let's go back to that.

0:06:47.660000 --> 0:06:55.000000
If I had 255.255.0.0, we know that routers and switches

0:06:55.000000 --> 0:06:59.320000
see everything in binary, right? So that translates to one, two, three,

0:06:59.320000 --> 0:07:01.160000
four, five, six, seven, eight.

0:07:01.160000 --> 0:07:09.240000
One, two, three, four, five, six, seven, eight, followed by all zeros.

0:07:09.240000 --> 0:07:13.000000
Okay, so when we take our IP address, let's just take a simple IP address

0:07:13.000000 --> 0:07:18.040000
of 1.3.50.70.

0:07:18.040000 --> 0:07:29.100000
Well, if we convert that into binary and we line it up.

0:07:29.100000 --> 0:07:34.960000
So we can stop here, because in a subnet mask, this is saying, look, match

0:07:34.960000 --> 0:07:40.560000
one for one. Any bit that's a one in the subnet mask has to match exactly

0:07:40.560000 --> 0:07:42.760000
in the actual IP address.

0:07:42.760000 --> 0:07:46.200000
So as far as subnet masks are concerned, it says, hey, all these bits

0:07:46.200000 --> 0:07:49.740000
here are matched by one bits up here.

0:07:49.740000 --> 0:07:51.960000
So all these bits are important to me.

0:07:51.960000 --> 0:07:54.120000
These are all networking bits.

0:07:54.120000 --> 0:07:59.520000
A wildcard mask is kind of like just the opposite of a subnet mask.

0:07:59.520000 --> 0:08:04.780000
So in a wildcard mask, if I want to say, hey, I want to match on, let's

0:08:04.780000 --> 0:08:10.580000
just take that same address again, 1.3.50.75.

0:08:10.580000 --> 0:08:15.000000
If I want to say, hey, I want to match on any packet where the first two

0:08:15.000000 --> 0:08:18.020000
bytes are 1.3.

0:08:18.020000 --> 0:08:24.100000
Well, in a wildcard mask, instead of ones meaning match this, zeros mean

0:08:24.100000 --> 0:08:28.400000
match this. So I would say, all right, match all eight bits.

0:08:28.400000 --> 0:08:32.540000
One, two, three, four, five, six, seven, match all eight bits in that first

0:08:32.540000 --> 0:08:36.620000
octet. The first octet has to exactly match.

0:08:36.620000 --> 0:08:43.160000
That pattern right there, one, match all eight bits.

0:08:43.160000 --> 0:08:45.180000
In the second octet,

0:08:45.180000 --> 0:08:49.400000
which has to match that pattern,

0:08:49.400000 --> 0:08:52.500000
that's three. And then the remaining octets

0:08:52.500000 --> 0:08:54.940000
we don't care about.

0:08:54.940000 --> 0:08:59.160000
So our wildcard mask that would say, hey, match the first two octets,

0:08:59.160000 --> 0:09:04.920000
would look like 0.0.255.255.

0:09:04.920000 --> 0:09:08.400000
It's just an inverse of a subnet mask.

0:09:08.400000 --> 0:09:12.160000
Now the one thing that's kind of interesting about wildcard masks, especially

0:09:12.160000 --> 0:09:14.860000
when... so wildcard masks are used by several things.

0:09:14.860000 --> 0:09:18.680000
If you've done some of the OSPF labs, you've seen how with OSPF, with your

0:09:18.680000 --> 0:09:21.780000
network statement, you have to apply a wildcard mask.

0:09:21.780000 --> 0:09:27.620000
With access lists, you apply wildcard masks, but wildcard mask usage

0:09:27.620000 --> 0:09:30.180000
with access lists

0:09:30.180000 --> 0:09:34.300000
gives you a lot of flexibility that you don't have with subnet masks.

0:09:34.300000 --> 0:09:39.500000
And here's why. With a subnet mask, the rule of a subnet mask when applied

0:09:39.500000 --> 0:09:45.280000
to a route or an IP address is that the series of ones has to be contiguous.

0:09:45.280000 --> 0:09:49.820000
And at some point they stop and you have a series of zeros.

0:09:49.820000 --> 0:09:53.360000
So these are your networking bits, right?

0:09:53.360000 --> 0:09:56.120000
You can't have a subnet mask that looks like this.

0:09:56.120000 --> 0:09:58.760000
That's not allowed.

0:09:58.760000 --> 0:10:01.060000
That's not a valid subnet mask.

0:10:01.060000 --> 0:10:06.660000
But a wildcard mask, as far as it relates to access lists, you can.

0:10:06.660000 --> 0:10:09.140000
You could have a wildcard mask

0:10:09.140000 --> 0:10:12.580000
that's some zeros,

0:10:12.580000 --> 0:10:19.080000
like that. You could have a wildcard mask that looks like that.

0:10:19.080000 --> 0:10:24.360000
Now very rarely would you see a wildcard mask that looks like that.

0:10:24.360000 --> 0:10:28.500000
But if I gave you some address down here, some dotted decimal address,

0:10:28.500000 --> 0:10:34.040000
this would be interpreted as, all right, as far as the first byte is concerned,

0:10:34.040000 --> 0:10:35.720000
match all the bits.

0:10:35.720000 --> 0:10:37.540000
They all have to match exactly.

0:10:37.540000 --> 0:10:39.320000
Same thing as to the last byte.

0:10:39.320000 --> 0:10:41.200000
They all have to match exactly.

0:10:41.200000 --> 0:10:44.560000
Of the third byte, I don't care what they are.

0:10:44.560000 --> 0:10:46.840000
Since that's ones, I don't care what they are.

0:10:46.840000 --> 0:10:51.140000
And of the second byte, the first two bits have to match.

0:10:51.140000 --> 0:10:53.680000
Second two bits can be anything you want.

0:10:53.680000 --> 0:10:55.660000
These bits have to match.

0:10:55.660000 --> 0:10:57.820000
And this is anything you want.

0:10:57.820000 --> 0:11:02.580000
So you can start to imagine the flexibility and power you have using a

0:11:02.580000 --> 0:11:05.120000
wildcard mask with an access list.

0:11:05.120000 --> 0:11:09.360000
You can match on any bit in your 32-bit sequence.

0:11:09.360000 --> 0:11:17.500000
All right, at a high level.

0:11:17.500000 --> 0:11:22.980000
There are three main types of IP version 4 access lists.

0:11:22.980000 --> 0:11:25.900000
There are numbered access lists,

0:11:25.900000 --> 0:11:29.920000
which go into the standard and extended ranges, and we'll talk about that

0:11:29.920000 --> 0:11:31.700000
in upcoming videos.

0:11:31.700000 --> 0:11:34.400000
And there are named access lists.

0:11:34.400000 --> 0:11:36.960000
I guess there's two: named and numbered.

0:11:36.960000 --> 0:11:40.060000
Both have the options of either standard or extended.

0:11:40.060000 --> 0:11:45.220000
And depending on which you select, standard or extended, determines what

0:11:45.220000 --> 0:11:51.300000
fields in the IP and TCP and UDP headers you can actually match on.

0:11:51.300000 --> 0:11:58.800000
So that concludes this video on an introduction to access lists.

0:11:58.800000 --> 0:12:00.540000
I hope you found it enjoyable.
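The matching rules the video walks through, as an added Python example that is not part of the video or of any Cisco software: wildcard bits of 0 must match and bits of 1 are don't-care, ACEs are tried in sequence order with an invisible deny at the end, and a wildcard mask (unlike a subnet mask) may have non-contiguous bits. The ACEs are the ones typed in the video (access-list 1 permit 10.10.10.0 0.0.0.255, deny host 2.2.2.2); the non-contiguous mask 0.51.255.0 and the test addresses are constructed values, not taken from the video.

```python
from dataclasses import dataclass

def ip_to_int(dotted: str) -> int:
    """Dotted decimal ('10.10.10.0') to a 32-bit integer; routers compare these in binary."""
    octets = [int(o) for o in dotted.split(".")]
    assert len(octets) == 4 and all(0 <= o <= 255 for o in octets), dotted
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(value: int) -> str:
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

def subnet_mask_to_wildcard(mask: str) -> str:
    """A wildcard mask is the bit-wise inverse of a subnet mask: 255.255.0.0 -> 0.0.255.255."""
    return int_to_ip(~ip_to_int(mask) & 0xFFFFFFFF)

def is_valid_subnet_mask(mask: str) -> bool:
    """Subnet masks must be contiguous ones then zeros; ACL wildcard masks have no such rule."""
    zeros = ~ip_to_int(mask) & 0xFFFFFFFF          # the trailing host bits, as ones
    return zeros & (zeros + 1) == 0                # true only for a 0...01...1 pattern

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0: that bit of addr must equal base. Wildcard bit 1: don't care."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) ^ ip_to_int(base)) & care == 0

@dataclass
class ACE:
    seq: int
    action: str                 # "permit" or "deny"
    base: str
    wildcard: str = "0.0.0.0"   # 'host x.x.x.x' means every bit must match

def evaluate(acl: list[ACE], src: str) -> str:
    """ACEs are tried in sequence-number order; the first match wins, otherwise implicit deny."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if wildcard_match(src, ace.base, ace.wildcard):
            return f"{ace.action} (seq {ace.seq})"
    return "deny (implicit)"

# The two ACEs typed into access-list 1 in the video.
ACL_1 = [ACE(10, "permit", "10.10.10.0", "0.0.0.255"), ACE(20, "deny", "2.2.2.2")]
# The deny-only list the video warns about: with no permit ACE, nothing is ever permitted.
DENY_ONLY = [ACE(10, "deny", "2.2.2.2"), ACE(20, "deny", "10.10.10.0", "0.0.0.255")]

if __name__ == "__main__":
    for src in ("10.10.10.5", "2.2.2.2", "192.0.2.1"):
        print(f"access-list 1, source {src}: {evaluate(ACL_1, src)}")
    print("deny-only list, source 10.10.10.5:", evaluate(DENY_ONLY, "10.10.10.5"))
    # Constructed non-contiguous wildcard 0.51.255.0 (51 = 0b00110011): in byte two, bits 1-2 and 5-6 must match 3 (0b00000011); bits 3-4 and 7-8 are don't-care.
    print("1.19.200.70 vs 1.3.50.70 / 0.51.255.0:", wildcard_match("1.19.200.70", "1.3.50.70", "0.51.255.0"))
```

Every address that reaches the end of ACL_1 without matching an ACE, such as 192.0.2.1, is reported as the implicit deny; the deny-only list never returns a permit for any source.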