WEBVTT

0:00:03.260000 --> 0:00:06.620000
Hello and welcome to this video where we're going to do a review of extended

0:00:06.620000 --> 0:00:12.440000
access lists. So we already know that access lists are a packet classification

0:00:12.440000 --> 0:00:17.900000
tool that many features can reference if the feature is wondering, am

0:00:17.900000 --> 0:00:21.240000
I allowed to do what I want to do on a packet or am I not allowed to do

0:00:21.240000 --> 0:00:23.020000
what I want to do on a packet?

0:00:23.020000 --> 0:00:27.820000
An extended access list allows you to filter traffic based on the layer

0:00:27.820000 --> 0:00:31.680000
three and/or layer four headers.

0:00:31.680000 --> 0:00:37.740000
And both the source and destination port numbers can be checked,

0:00:37.740000 --> 0:00:42.080000
as well as the source and destination IP addresses.

0:00:42.080000 --> 0:00:47.940000
Now the range of extended access lists is from 100 through 199.

0:00:47.940000 --> 0:00:50.920000
But if for some reason you run out of those numbers, there also is an

0:00:50.920000 --> 0:01:01.200000
expanded range for extended ACLs, which is 2000 through

0:01:01.200000 --> 0:01:07.800000
2699. That is the expanded range to give even more extended access lists

0:01:07.800000 --> 0:01:09.200000
should you need them.

0:01:09.200000 --> 0:01:14.680000
And like I mentioned, this is capable of not only inspecting the layer

0:01:14.680000 --> 0:01:19.380000
three IP header, but also the layer four header such as your TCP, your

0:01:19.380000 --> 0:01:26.160000
UDP headers, or even some headers within, like, your OSPF or EIGRP headers.

0:01:26.160000 --> 0:01:29.000000
So where can we look? Lots of places.

0:01:29.000000 --> 0:01:32.820000
We can certainly look at the source and destination IP addresses.

0:01:32.820000 --> 0:01:34.980000
We can look at the IP protocol.

0:01:34.980000 --> 0:01:39.580000
We can also look at UDP and TCP source and destination port numbers, control

0:01:39.580000 --> 0:01:45.380000
flags and more. So how do we configure this?

0:01:45.380000 --> 0:01:48.720000
Well, the configuration is very similar to a standard access list.

0:01:48.720000 --> 0:01:54.920000
Let me just go ahead and demonstrate it here.

0:01:54.920000 --> 0:01:59.780000
So access-list 100.

0:01:59.780000 --> 0:02:05.340000
Now because I've done that, if I do a question mark, I still have permit,

0:02:05.340000 --> 0:02:11.000000
deny. Now with a standard access list, after saying access-list 1 permit,

0:02:11.000000 --> 0:02:14.420000
the very next thing would have been your source IP address you want to

0:02:14.420000 --> 0:02:20.720000
match on. Here we get to match on either all IP packets,

0:02:20.720000 --> 0:02:26.400000
so I could say IP, or I could filter in a little bit more.

0:02:26.400000 --> 0:02:32.480000
I could match on all IP packets that have OSPF as the protocol type, or

0:02:32.480000 --> 0:02:39.740000
TCP as a protocol type, or UDP, or any protocol number between 0 and

0:02:39.740000 --> 0:02:43.740000
255. So let's say I want to match on TCP.

0:02:43.740000 --> 0:02:46.460000
Now let me pause here for a second.

0:02:46.460000 --> 0:02:49.720000
If you said in your mind, here's my objective:

0:02:49.720000 --> 0:02:53.420000
I want to filter out telnet packets.

0:02:53.420000 --> 0:02:59.640000
Well yes, telnet packets are carried ultimately by the IP protocol.

0:02:59.640000 --> 0:03:05.940000
But if you say permit IP, now you've lost your ability to match on TCP

0:03:05.940000 --> 0:03:08.240000
or UDP port numbers.

0:03:08.240000 --> 0:03:12.200000
If I want to match on telnet, I need to match on a TCP port number because

0:03:12.200000 --> 0:03:15.240000
telnet is TCP port 23.

0:03:15.240000 --> 0:03:17.100000
So I need to match on the port number.

0:03:17.100000 --> 0:03:22.740000
So rather than selecting IP, I would want to select TCP, which will now

0:03:22.740000 --> 0:03:27.420000
give me the ability as I go along here to match on source and/or destination

0:03:27.420000 --> 0:03:29.480000
TCP port numbers.

0:03:29.480000 --> 0:03:33.460000
All right, TCP. Now I'm going to select the source of where the packet's

0:03:33.460000 --> 0:03:35.420000
coming from. Maybe I say, you know what?

0:03:35.420000 --> 0:03:37.320000
I don't care where the packet's coming from.

0:03:37.320000 --> 0:03:39.860000
I just want to match on where it's going to.

0:03:39.860000 --> 0:03:41.640000
So my source will be any.

0:03:41.640000 --> 0:03:47.480000
I could match on the source TCP port number, but I'm not going to do that.

0:03:47.480000 --> 0:03:50.020000
So now I'm going to go to the destination.

0:03:50.020000 --> 0:03:56.320000
Maybe I want to only permit people to telnet

0:03:56.320000 --> 0:03:59.000000
to the 777 host.

0:03:59.000000 --> 0:04:03.000000
So I'll say host 777.

0:04:03.000000 --> 0:04:05.500000
So you see right here, with a standard access list

0:04:05.500000 --> 0:04:09.640000
I couldn't specify source and destination.

0:04:09.640000 --> 0:04:11.340000
I could only specify source.

0:04:11.340000 --> 0:04:13.260000
Here I can do both.

0:04:13.260000 --> 0:04:17.680000
And if I don't care about one, I just put any into the other field.

0:04:17.680000 --> 0:04:21.360000
If all I cared about was a source and not the destination, I would have

0:04:21.360000 --> 0:04:24.440000
put any in the destination field.

0:04:24.440000 --> 0:04:29.900000
And now I can say, all right, since I want to match on telnet, I want

0:04:29.900000 --> 0:04:33.360000
to exactly match on a given port number.

0:04:33.360000 --> 0:04:39.600000
So I'll say eq. Now, if I know what the port number is for telnet, I can

0:04:39.600000 --> 0:04:41.060000
just type it in right here.

0:04:41.060000 --> 0:04:43.320000
I could type in eq 23.

0:04:43.320000 --> 0:04:46.340000
Or if it happens to be one of the ones here in this list, which telnet

0:04:46.340000 --> 0:04:50.200000
is, I could just say eq telnet.

0:04:50.200000 --> 0:04:55.600000
So that is how you configure an extended access list.

0:04:55.600000 --> 0:05:00.380000
And then the way you apply it is the exact same thing, with the ip access-group

0:05:00.380000 --> 0:05:02.880000
command.

0:05:02.880000 --> 0:05:09.160000
So that concludes this video on the configuration of extended access lists.