Hello, in this video I'd like to do a review of standard access lists. So a standard access list is purely used to filter or match on traffic based on the layer 3 header, and specifically, within the layer 3 header, the only thing it can check is the source IP address. Now this might sound extremely limiting at first, but there are some features that only need the source IP address and nothing else. For example, at the CCNA level you don't get into this feature, but you can Google it if you're interested: there's a feature that you get into at the CCNP level called policy-based routing. You see, in normal routing, when a packet comes in, we check the destination IP address only. And based on the destination IP address, we go into the routing table, and then we say, okay, if the match is in the routing table, we'll send it out where it needs to go. Policy-based routing actually gives you the ability to match on the source IP address of where traffic came from, and then force that packet to go one direction or another based on your selection, based on the source. So this would be a prime use case for a standard access list. Now, when you're configuring numbered access lists...

So for a numbered access list, you start out at global configuration level and you actually type access-list, and then you provide a number right here. Depending on what number you select, there are certain ranges of numbers, and that's what we're going to get into now. If you select a number from this range, for example, if you select a number from 1 to 99, at that point, before you even go any further, Cisco IOS knows it's going to give you a standard access list. It's only going to give you the options that a standard access list would do; you're not going to see the options of some of the other access lists. Now, be aware that standard numbered access lists actually have two different ranges. This is the normal range right here. There's also something called the expanded range. Meaning, hey, if you were a huge Internet service provider or something, and they're well known for having sometimes hundreds and hundreds of lines of access lists, crazy access lists, you might run out of them if all you had was 1 through 99 to pick from. Well, luckily, you can go into the expanded range, which is 1300 through 1999. That gives you a lot more standard access lists you can configure.

The general rule of standard access lists is they should be applied nearest to the destination. Why is that? Well, if I have a host right here, router 1, router 2, router 3, and then here's the destination. And let's say these routers also have some links going off somewhere else. Let's say my objective was: I want this host, let's just call him host A, to be able to get to wherever he pretty much wants to go. I just don't want him going to that server. Don't want him going to the server. Well, if I created a standard access list, let's just say he is 1.1.1.1. So if I said access-list 1 deny that host, deny him. Now, remember, there's that implicit deny. So if I just did that one line, everything else is going to be denied too. So I'm going to want to create another line of this: access-list 1 permit anyone else. Okay. Now, remember, the access list itself, the permit or deny statement, you don't know what that's doing unless you actually have some feature that you can see that's using the access list. So we're going to talk about that feature in just one moment, but I'm going to take that feature and I'm going to apply it right here. I'm actually going to break this rule.

This rule says it should be applied as close to the destination as possible. Well, what happens if I don't do that? What if I say, hey, for all traffic coming in this interface, let's inspect it against this access list? Well, here's the problem. Yes, that PC is not going to be able to get to that server, but he's also not going to be able to get anywhere else. He's not going to be able to take any of these other links, because he's going to be dropped. That's why it's actually better to apply that access list right here, in the outbound direction, as close to that server as possible. That way that guy can pretty much have free access to get wherever he wants until he gets right here. If he tries to go out that interface, now he's blocked. So this was the destination he was trying to get to, and we applied it on the interface as close to that destination as we possibly could. That's a general rule of standard access lists. There's no way to check the destination address or port numbers. So once again, standard access list, that's all it's looking at. So we looked at the configuration of it, access-list, just as a review. So there are three ways you can configure this. access-list...

Pick a number between 1 and 99. Then put either a permit or a deny statement. Okay, now let's go down here. Here are my three options: one, two, three. If I'm trying to permit or deny a specific network or a subnet, like maybe the 10.75 network, I could say permit or deny 10.75.0.0, and now I need to apply a wildcard mask. So that wildcard mask will say, hey, any packet that has a source address where the first two octets match 10.75, that's a match. Hey, feature, whatever is using this access list, you can do what you need to do. Now, let's say I'm trying to match a specific host address. I want to match all 32 bits in the IP address, like maybe 10.75.1.1. Well, I could put a wildcard mask of this. That'll work. That wildcard mask says, hey, all 32 bits are important to me. I could certainly do that. Or, alternatively, I could say host 10.75.1.1. So if you precede an actual host address with the word host, that's exactly the same thing as if you had 0.0.0.0 as your wildcard mask after the host address. Now, the last thing: what if I want to match on any source address?

I don't care what it is. Well, I could do this. I could just put some fake address in here, and I could do this. Right, because with that wildcard mask, that's saying I don't have to match any of these things. So I could put anything in there, and if I have that, that means match anything. Or what people usually do is they actually just use the keyword any: access-list 1 permit any. So those are the three ways you can configure a standard access list. And you can use show ip access-list, or show run | include access-list, to verify the presence of access lists in your configuration. Now, let's say that what my objective is, is I want to block or permit packets based on my access list. Okay, so maybe I've got one access list over here that I'm using for, you know, what should I encrypt, what should I not encrypt? I've got another access list over here for what packets should be NATed and which ones should not be NATed. Well, you create your access list exactly the same way. It's just the feature that's going to use that access list is the ip access-group command.

So your access list is already done. So let's say we've done that: access-list 1 permit 20.20.20.0 0.0.0.255. Okay. Now, if I go to my GigabitEthernet 0/1 interface and I say ip access-group 1, which here is referencing that one, and if I say in, that means if any packet is received from the cable, if any packet is coming inbound on this interface, if the first three octets of that packet match 20.20.20, I am permitted to forward that packet; I will receive it. If the packet has anything that's not 20.20.20, it will match my implicit, my invisible deny all, and it will be filtered. Or I could apply it in the outbound direction, for packets I'm about to transmit out onto the cable. And if you want to see if the access-group command has been applied anywhere, you can do the show ip interface command. There's a lot of output in that command, but it'll tell you. Well, let's just take a look at that so you can see what it looks like. So let's just create a standard access list here. Okay, now let's go to an interface.

ip access-group 1 in. Okay, so now if we do show ip interface gig 0/1, notice right here it says inbound access list is 1. If I'd applied it in the outbound direction, we would have seen something right here. So that concludes this video on the monitoring and configuration of standard
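As an added example (not part of the video), here is a small Python model of how a standard access list decides on a packet's source address, the only field it can check: wildcard-mask matching (a 0 bit must match, a 1 bit is "don't care"), the host and any keywords as shorthand for the 0.0.0.0 and 255.255.255.255 masks, first-match processing, and the implicit deny at the end. The ACL lines are constructed from the addresses used in the video.

```python
import ipaddress

# Constructed sample standard ACL, built from the addresses mentioned in the video.
SAMPLE_ACL = """
access-list 1 deny host 1.1.1.1
access-list 1 permit 10.75.0.0 0.0.255.255
access-list 1 permit 20.20.20.0 0.0.0.255
access-list 1 permit any
"""

def parse_ace(line):
    """Parse one standard ACE into (action, network_int, wildcard_int)."""
    parts = line.split()
    # layout: access-list <number> <permit|deny> <source spec>
    action, src = parts[2], parts[3:]
    if src[0] == "any":                       # any == 0.0.0.0 255.255.255.255
        return action, 0, 0xFFFFFFFF
    if src[0] == "host":                      # host X == X 0.0.0.0
        return action, int(ipaddress.IPv4Address(src[1])), 0
    network = int(ipaddress.IPv4Address(src[0]))
    # a bare address with no wildcard is treated like a host entry (mask 0.0.0.0)
    wildcard = int(ipaddress.IPv4Address(src[1])) if len(src) > 1 else 0
    return action, network, wildcard

def parse_acl(text):
    """Parse every access-list line, preserving the order they were entered in."""
    return [parse_ace(l) for l in text.strip().splitlines() if l.startswith("access-list")]

def wildcard_match(source, network, wildcard):
    """Bits set in the wildcard are ignored; every cleared bit must match."""
    return (source & ~wildcard) == (network & ~wildcard)

def evaluate(acl, source_ip):
    """First matching entry decides; no match falls through to the implicit deny."""
    src = int(ipaddress.IPv4Address(source_ip))
    for action, network, wildcard in acl:
        if wildcard_match(src, network, wildcard):
            return action
    return "deny"  # the invisible "deny all" at the end of every access list

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for ip in ["1.1.1.1", "10.75.1.1", "20.20.20.7", "192.0.2.9"]:
        print(ip, "->", evaluate(acl, ip))
```

Reordering the entries so that permit any comes first shows why entry order matters: the deny for 1.1.1.1 is never reached.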