5.2.7 Packet Tracer - Configure and Modify Standard IPv4 ACLs

Captions
Configure and Modify Standard IPv4 ACLs. In the topology, R1 has three interfaces and R3 has three interfaces, and there are four switches and four end devices, four PCs.

Verify connectivity. From PC-A, ping PC-C and PC-D. Go to the PC-A desktop, open the command prompt and ping PC-C at 192.168.30.3: success. Now PC-D at 192.168.40.3: from PC-A, ping PC-D: success. Were your pings successful? Yes.

From R1, ping PC-C and PC-D. Go to the R1 command line interface, enter enable, ping 192.168.30.3: success; ping 192.168.40.3: success. Were your pings successful? Yes.

From PC-C, ping PC-A and PC-B. Go to the PC-C desktop command prompt. The IP address of PC-A is 192.168.10.3 and the IP address of PC-B is 192.168.20.3. Ping 192.168.10.3, from PC-C to PC-A: success. Ping 192.168.20.3, from PC-C to PC-B: success. So the answer here is yes.

From R3, ping PC-A and PC-B. Go to the R3 command line interface, enter enable, ping 192.168.10.3: success; ping 192.168.20.3: success. The answer is yes.

Can all of the PCs ping the server at 209.165.200.254? For example, from PC-B ping the server: ping 209.165.200.254 (be careful with the address, 209.165.200.254): success. From PC-D, for example, ping the server from the desktop command prompt: ping 209.165.200.254: success. The answer here is yes.

Configure a numbered standard access list. A standard access list filters traffic based on the source IP address only. A typical best practice for standard access lists is to configure and apply the access list as close to the destination as possible. For the first access list in this activity, create a standard numbered access list. Use number 1; remember that the range for standard access lists is from 1 to 99 and from 1300 to 1999. It allows traffic from all hosts on the 192.168.10.0/24 network and all hosts on the 192.168.20.0/24 network to access all hosts on the 192.168.30.0/24 network: permit 192.168.10.0 with the inverse mask, or wildcard mask, 0.0.0.255 (this is the wildcard for /24), and permit 192.168.20.0 0.0.0.255.

Where is the 192.168.30.0/24 network? This subnet is placed on GigabitEthernet0/0 of R3; this is the destination. And where are the sources? The sources are the 192.168.10.0 and 192.168.20.0 subnets, placed on R1 GigabitEthernet0/0 and GigabitEthernet0/1. So 192.168.10.0/24 and 192.168.20.0/24 are the sources and 192.168.30.0/24 is the destination. A typical best practice for standard access lists is to configure and apply the access list as close to the destination as possible, so that is why you configure it on R3, close to the destination. Look at the options: you can configure it on the serial interface of R3 for incoming traffic, or on the gigabit interface of R3 for outgoing traffic. In this case you will configure it on GigabitEthernet0/0 of R3 for outgoing traffic.

The security policy also states that an explicit deny any access control entry (ACE), also referred to as an access control list statement, should be present at the end of all access lists. There is an implicit deny any at the end of every access list, but in this case you will use an explicit deny any.

Go to R3: enable, configure terminal, access-list 1 remark (a remark is only a label, a description), access-list 1 permit 192.168.10.0 0.0.0.255 (this is the wildcard mask for /24), access-list 1 permit 192.168.20.0 0.0.0.255, and finally access-list 1 deny any, the explicit deny any. Then go to interface GigabitEthernet0/0 and enter ip access-group 1 out: access list 1, outgoing traffic. Very good.

What wildcard mask would you use to allow all hosts on the 192.168.10.0/24 network to access the 192.168.30.0/24 network? The answer is 0.0.0.255, the wildcard mask for the /24 prefix. Following Cisco's recommended best practices, on which router would you place this access list? R3. On which interface would you place this access list, and in what direction would you apply it? You could apply it on the serial interface or on the gigabit interface, but closest to the destination is the gigabit interface, so the answer here is GigabitEthernet0/0, and the access list should be applied going out, for outgoing traffic on R3. If you apply the access list on the serial interface you will also block access to the other LAN, not only this LAN.

Show commands to verify: go to R3 and use show access-lists: access list 1 with three entries. You can also use show ip access-lists with the same result, show ip interface GigabitEthernet0/0 (outgoing access list is 1), and show running-config, where under interface GigabitEthernet0/0 you see ip access-group 1 out. To see access list 1 in its entirety with all access control entries, which command would you use? You use show access-lists. Which command would you use to see where the access list was applied and in what direction? show ip interface GigabitEthernet0/0, or show running-config, or also show ip interface, which shows all interfaces; go to the GigabitEthernet0/0 section and you can see the placement of the access list.

Test the access list. From PC-A ping PC-C: the IP address of PC-C is 192.168.30.3; ping 192.168.30.3: success, it is permitted, that is okay. Were the pings successful? Yes. From PC-B ping PC-C: ping 192.168.30.3: success, it is permitted; the ping was successful as well, yes. Should pings from PC-D to PC-C be successful? Ping from PC-D to PC-C, 192.168.30.3: destination host unreachable. This is expected because of the configuration of the access control list, so the answer here is no, the pings should not be successful. Trying the ping verifies that the access list is working.

From R1 ping PC-C: enter enable, ping 192.168.30.3: U.U.U, unreachable. Was the ping successful? Explain. No, the ping failed. When you ping from the router, it uses the closest interface to the destination as the source address. The ping had the source address 10.1.1.1, which is Serial0/1/0 on R1. The access list on R3 only allows the 192.168.10.0 and 192.168.20.0 networks access; when you ping from R1 to PC-C the source is 10.1.1.1 and the destination is PC-C, and 10.1.1.1 is not permitted, so that is why the ping is unreachable.

show access-lists: go to R3, show access-lists 1, and you can see 4 matches for the first entry, another 4 matches for the second entry, and 9 matches for the deny entry: 4 pings successful from 192.168.10.0, 4 pings successful from 192.168.20.0, and the number of denied packets is 9.

Configure a named standard access list. Create a named standard access list that conforms to the following policy: allow traffic from all hosts on the 192.168.40.0/24 network access to all hosts on the 192.168.10.0/24 network. The source is 192.168.40.0 and the destination is 192.168.10.0. The 192.168.40.0/24 subnet is placed at PC-D, on R3 GigabitEthernet0/1. Also allow only host PC-C access to the 192.168.10.0 network, so PC-C is another source and 192.168.10.0 is the destination. Remember it is a standard access list, and standard access lists should be placed close to the destination. Permit host 192.168.30.3: PC-C is 192.168.30.3, so you will use the host keyword, permitting only the host, not the subnet. Allow traffic from the 192.168.40.0 network: permit 192.168.40.0 with the wildcard mask 0.0.0.255 for the /24 prefix. So one source is the 192.168.40.0 subnet, the other source is host PC-C, and the destination is the 192.168.10.0 subnet. Place the access list close to the destination, so you use R1, and on R1 you use the gigabit interface, outgoing traffic, to place the access list close to the destination. You could also configure the access list on the serial interface, but it is not so close to the destination, and if you configure the access list on the serial interface you will also block access to the other LAN, not only this LAN. So it is better to use the gigabit interface, outgoing traffic: interface GigabitEthernet0/0, out. Name it as a standard access list: ip access-list standard, because it is a standard access list, with a name, not a number; permit host PC-C, permit subnet 192.168.40.0, and place it on interface GigabitEthernet0/0 out on R1.

On R1: enable, configure terminal, ip access-list standard BRANCH-OFFICE-POLICY (it is case sensitive, to get the points on the score), permit host 192.168.30.3 (this is PC-C), permit 192.168.40.0 0.0.0.255 (the wildcard mask, to permit the 192.168.40.0 subnet). At the end of these two lines there is an implicit deny any; remember that. Then place it on GigabitEthernet0/0 for outgoing traffic: interface GigabitEthernet0/0, ip access-group BRANCH-OFFICE-POLICY, the same name, be careful; incomplete command, I forgot the direction: ip access-group BRANCH-OFFICE-POLICY out. Very good. exit.

Following Cisco's recommended best practices, on which router would you place this access list? R1, close to the destination. On which interface would you place this access list, and in what direction? GigabitEthernet0/0 on R1, and the access list should be applied going out. If you apply this access list on the serial interface of R1 you will block access to the 192.168.20.0 network and the 192.168.10.0 network.

Look at the first access control entry in the access list. What is another way to write this? Another way to write it is permit 192.168.30.3 0.0.0.0, with the wildcard 0.0.0.0. For example, for the /24 prefix the subnet mask is 255.255.255.0 and the wildcard is the inverse, 0.0.0.255; for a host the prefix is /32, the subnet mask is 255.255.255.255 and obviously the inverse is 0.0.0.0. Another example, for /30: the subnet mask is 255.255.255.252 and the inverse is 0.0.0.3; 252 plus 3 is 255, 255 plus 0 is 255, 0 plus 255 is 255. Very good.

show access-lists: go to R1, show access-lists; this is the access list with the name and the entries. Is there any difference between this access list on R1 and the access list on R3? Go to R3, show access-lists; go to R1, show access-lists. The answer is that there is no line 30 with a deny any on R1; it is implied. If the explicit deny any access control entry is present, it can be logged and the number of matches for the access control entry condition can be viewed with show access-lists. With the explicit deny any you can see the matches; for the implicit deny any you cannot see matches. show ip interface GigabitEthernet0/0 on R1, and you can see that the outgoing access list is BRANCH-OFFICE-POLICY.

From PC-C ping PC-A. The IP address of PC-A is 192.168.10.3; from PC-C ping 192.168.10.3: success, it is permitted. Were the pings successful? Yes. To test the access control entry and ensure that only PC-C, and not the whole 192.168.30.0/24 network, is allowed, you must do an extended ping and use the GigabitEthernet0/0 address on R3 as your source. Ping PC-A's IP address. Go to R3, enable, ping, protocol ip, target IP address 192.168.10.3 (PC-A), extended commands yes, source address or interface GigabitEthernet0/0 of R3, 192.168.30.1; press enter for the remaining options: destination host unreachable. This is expected because only PC-C is permitted, not the subnet. Was the ping successful? No. Ping from the 192.168.40.0 network to the 192.168.10.0 network: from PC-D ping PC-A, 192.168.10.3: success. Were the pings successful? Yes.

Modify a standard access list. Attempt to ping the server at 209.165.200.254 from PC-A. From PC-A, ping 209.165.200.254: note that the ping is not successful. The ping fails because the access control list on R1 is blocking Internet traffic from returning to PC-A. The echo from PC-A can reach the server, but the echo reply from the server to PC-A is not permitted because the access list is configured on R1. Another way to see this is in simulation mode: edit filters, use only ICMP traffic, go to PC-A, ping the web server 209.165.200.254, play, increase the speed, and you can see that the echo request reaches the server but the echo reply is not permitted on R1. Back to real time. Very good.

Management has decided that traffic returning from the 209.165.200.224/27 network should be allowed full access to the 192.168.10.0/24 network. Management also wants access lists on all routers to follow consistent rules: the deny any access control entry should be placed at the end of all access lists. You must modify the BRANCH-OFFICE-POLICY access list on R1: you need to permit the ping to the Internet and also add an explicit deny any entry at the end. You will add two additional lines to this access list. There are two ways you could do this. Option 1: issue a no ip access-list standard BRANCH-OFFICE-POLICY command in global configuration mode. This would remove the access list from the router. When the access list is gone, you could retype the whole access list. Option 2: you can modify access control lists in place by adding or deleting specific lines within the access list itself. This can come in handy, especially with access lists that are long. Retyping the whole access list or cutting and pasting can easily lead to errors. Modifying specific lines within the access control list is easily accomplished. For this activity, use option 2 (recommended).

First, show the access list: click on R1, show access-lists; this is the name and two entries. Now modify the access list: configure terminal, ip access-list standard BRANCH-OFFICE-POLICY; first enter the standard named access list configuration mode. Now you have two lines, 10 and 20; if you add new lines at the end you use higher numbers than 10 and 20, so you use 30 and 40. Add 30 permit 209.165.200.224 0.0.0.31. Remember that this subnet is on the edge router: 209.165.200.224 with prefix /27; if the prefix is /27 the subnet mask is 255.255.255.224 and obviously the wildcard will be 0.0.0.31, because 224 plus 31 is 255. Enter, and at the end the explicit deny any: 40 deny any. Now repeat show access-lists and you will see four entries. Very good.

Do you have to apply the BRANCH-OFFICE-POLICY to the GigabitEthernet0/0 interface on R1? Go to R1, show running-config: the access list is already placed on GigabitEthernet0/0, so it is not necessary to configure this again. The answer here is no: the ip access-group BRANCH-OFFICE-POLICY out command is still in place on the gigabit interface. Test the access list: from PC-A ping the server, 209.165.200.254: success. Was the ping successful? Yes.

As you can see, standard access lists are very powerful and work quite well. Why would you ever have the need for using extended access lists? Standard access lists can only filter based on the source address. They allow or deny everything, all protocols and services. Extended access lists, while harder to write, are very good for complex networks where you may need to allow traffic for only certain layer 4 ports to have access to networks while denying others. In addition, standard access lists must be applied as close to the destination as possible; this allows unnecessary traffic to use network bandwidth. Extended access lists can block traffic close to the source; this prevents unnecessary traffic from traveling to the destination where it is blocked. More typing is typically required when using a named access list as opposed to a numbered access list. Why would you choose a named access list over a numbered one? The first reason is that using a named access list gives you the ability to modify specific lines within the access list itself without retyping the entire list. Newer versions of IOS allow numbered access lists to be modified just like named access lists. Second, having a named access list is a good best practice: it helps to document the purpose of the access list with a descriptive name. 100%. Thank you very much.
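The matching logic behind the lab's results, as an added example (not code from the video or from Packet Tracer): a small evaluator for standard ACLs that applies the first-match rule and the implicit deny any, derives wildcard masks from prefix lengths, and replays the two access lists from the walkthrough. The ACE sequence numbers and the source address 10.1.1.1 for R1's ping are taken from the walkthrough; the tuple layout and function names are this example's own.

```python
"""Standard IPv4 ACL evaluation: first match wins, implicit deny at the end."""
import ipaddress
from typing import List, Optional, Tuple

# An ACE is (sequence, action, network, wildcard); "any" is 0.0.0.0 255.255.255.255.
Ace = Tuple[int, str, str, str]


def wildcard_for_prefix(prefix_len: int) -> str:
    """Inverse of the subnet mask: /24 -> 0.0.0.255, /27 -> 0.0.0.31, /32 -> 0.0.0.0."""
    mask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(ipaddress.IPv4Address(mask ^ 0xFFFFFFFF))


def ace_matches(ace: Ace, source: str) -> bool:
    """A wildcard bit of 1 means 'don't care'; a 0 bit must match the network."""
    _, _, network, wildcard = ace
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    net = int(ipaddress.IPv4Address(network))
    src = int(ipaddress.IPv4Address(source))
    return (src & care) == (net & care)


def evaluate(acl: List[Ace], source: str) -> Tuple[str, Optional[int]]:
    """Return (action, sequence) of the first matching ACE; (deny, None) if none matched."""
    for ace in sorted(acl, key=lambda a: a[0]):
        if ace_matches(ace, source):
            return ace[1], ace[0]
    return "deny", None  # the implicit deny any; no counter, nothing to show


# Access list 1 on R3, applied outbound on GigabitEthernet0/0 (explicit deny any).
R3_ACL_1: List[Ace] = [
    (10, "permit", "192.168.10.0", "0.0.0.255"),
    (20, "permit", "192.168.20.0", "0.0.0.255"),
    (30, "deny", "0.0.0.0", "255.255.255.255"),
]

# BRANCH-OFFICE-POLICY on R1 as first written: lines 10 and 20, implicit deny.
R1_BRANCH_V1: List[Ace] = [
    (10, "permit", "192.168.30.3", "0.0.0.0"),  # same as "permit host 192.168.30.3"
    (20, "permit", "192.168.40.0", "0.0.0.255"),
]

# After the in-place modification: sequences 30 and 40 appended, nothing retyped.
R1_BRANCH_V2: List[Ace] = R1_BRANCH_V1 + [
    (30, "permit", "209.165.200.224", wildcard_for_prefix(27)),
    (40, "deny", "0.0.0.0", "255.255.255.255"),
]

if __name__ == "__main__":
    # R1's ping to PC-C is sourced from Serial0/1/0 (10.1.1.1), so it hits the deny.
    print(evaluate(R3_ACL_1, "10.1.1.1"))
    # Extended ping from R3 G0/0 (192.168.30.1): only host PC-C is permitted.
    print(evaluate(R1_BRANCH_V1, "192.168.30.1"))
    # The server's echo reply is dropped until line 30 is added.
    print(evaluate(R1_BRANCH_V1, "209.165.200.254"))
    print(evaluate(R1_BRANCH_V2, "209.165.200.254"))
```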
Info
Channel: Christian Augusto Romero Goyzueta
Views: 1,847
Keywords: ensa, enterprise networking, security, automation, ccna, version 7, ccna 7, acl, access list, standard, standard access list, named standard acl, access control list, named, numbered, name, number
Id: EqO3aVUe3Aw
Length: 44min 13sec (2653 seconds)
Published: Wed May 20 2020