CCNA 2 Chapter 7: Access Control Lists

Captions
welcome to c10 a - chapter 7 access control is this is going to be another one of those chapters where you are going to be very happy that you were not in CCNA - last year because really the most well most or second most complicated part of this section has been pushed to CCNA 3 & 4 so still not the easiest topic in the world but we don't have to do what are called extended access control lists anymore we only have to know how to configure standard which are a lot simpler so the toughest thing we'll probably see in this chapter is possibly the wild-card mascot that can be a little hard to get your wrap your head around because you don't understand subnetting that weld and wildcard masks are also going to prove to be a little bit of a problem so we'll go over the wildcard mask we'll go over the access control is what they are what they do as we well go to the chapter so let's get started with access control list operation this is where access control lists are where you can block specific user specific networks from accessing a web site accessing a protocol accessing this side of the other so you can premier permit or deny traffic as you see fit you have a lot more options with extended access control lists but with standard you can just block an IP address from getting to such-and-such network okay so by default there's no access control list in place everyone on the network in access whatever or at least attempt to access whatever they need to okay but with access control this we could allow email and deny Tona we could a live video for certain users deny video for other users okay so you can create basically a bunch of permits or deny statements that will well do just that permit or deny traffic on your network depending on how you want to set it up do you not want a certain group to be able to access Facebook or to be able to access YouTube or Amazon you don't want them wasting time on the job or while in class that's what access control this will do and that's 
what we're setting up in this chapter so these access control lists are going to use packet filtering which is going to oil filter your traffic or your filter your traffic based on the contents of packets that are moving across your network you'll there will be criteria that create criteria such as the source IP destination IP and protocol or port carried within the packet so based on those things that there's a match you can either choose to permit traffic or deny traffic maybe you only want to permit traffic from a certain host so you could permit one source IP address and deny all the others okay or maybe you want to deny a certain host so you deny that host or that network and permit all the others those are rules you can set up with your access control lists okay and they are a list one particular or one single permit or deny statement would be known as a access control entry okay an AC e multiple access control entries make up your access control lists and you'll see how we create these entries in just a minute here all right so these access control lists can be applied on either an inbound port or interface or an outbound interface okay and there's well reason why you'd use one versus the other the inbound if you apply a access control list on an inbound interface the router will make a decision based on packet filtering before it looks up the destination in the routing table and then go ahead and decided from permit or denied traffic so if you have a inbound access control list you can save your router from having to do that lookup and wasting CPU cycles and the processor on the router in order to drop that packet before it ever gets looked up in the route table that's going to save you a little bit of time free up your router to do other things so hopefully the intention is to overall increase your network speed so there will be situations where you want to use the inbound if you're using an outbound then well it's already going to have gone through the 
routing process and be ready to be pushed out of the router okay so for instance maybe you have a PC over here who and two other networks on this side of the router okay one network is another classroom we'll say that other network is a school server that only faculty maybe should have access to if you place an outbound ACL you can apply it just for that server and this PC over here will only would not be able to access this server if you applied it on the inbound ok denying traffic from this network and well it's not going to be able to reach either one ok so there will be situations where you want to use the outbound and you want to use the inbound ok and we'll talk about where you place these access control lists later on this presentation as well there are reasons to place your access control list in one place or another so here we have our first complicated topic which is wildcard masking that you use when creating your access control lists you do need a mask along with your IP address when you're going to apply an access control this to a certain IP address or a certain network ok so what we're going to do is have this wildcard mask and to keep it as simple as possible a wild-card mask is the opposite of a subnet mask ok and a subnet mask all of your ones are considered matching bits for a network ok the opposite is true for a wild-card mask where all your zeros would be considered matching bits so for instance you can see this table here what you have all matches with all zeros only the first two are matches here first four so on and so forth so basically one zero zeros are your matching bits in a wildcard mask rather than ones they're the opposite of a subnet mask so for instance in this situation where we have a IP address of 192.168.0.0 zero we would match exact exactly as you see down here one nine two one six eight zero zero but with the wildcard mask you see it's a zero zero two five five two five five which is exactly the opposite all right so that 
might make your head hurt a little because we're basically flipping things around and doing an opposite what we would do in wildcard masking on a starting out wildcards subnet masking we would take any time where we match a one and drop it down right that's what we did in subnet mask any time one matches we drop it down anything else is a zero okay in your wildcard mask any zero down here that matches a one up top will be dropped down anything else will be a zero okay so I've got a zero no one here the one drops down zero and a one there the one drops down does it matter if I have a one up here in a zero down here I'm sorry doesn't matter if I have a zero up here and a one down there that doesn't matter it always has to be a one up top zero at the bottom okay one up top zero at the bottom of the wildcard mask so for instance here we have a 0 and a 1 alright that does not become a 1 it's still a 0 ok just like in subnet masking you had to match just you can only match one way if there's two ones then it drops down wildcard mask is a little different isn't that it has to be a zero in the wild-card mask one up top and then it drops down okay if it's a zero up top one in the wild-card mask that does not drop down okay we won't have to do this very often hopefully we don't have to do it at all because there is a shortcut but the basic concept is that a wild-card map is exactly the opposite of a subnet mask okay in fact here's a shortcut way to get your wildcard mask you can take your subnet mask well yeah take your subnet mask here take 255 255 255 255 subtract whatever your subnet mask is and that is going to give you a wildcard mask and that's probably the easiest way to do it okay so you're going to take to 5 5 to 5 5 to 5 5 to 5 5 subtract your subnet mask of 255.255.255.0 x' is the equivalent of all to 5 5 s are what just one address ok just one address this is all matching ok and you use this to match just one host all zeros in a wildcard mask whereas in a subnet 
mask all zeros would match every address in the network every address possible here is just one and the opposite is true in a wild-card map if you have 255 255 255 255 that's the equivalent of a 0 0 0 0 netmask which means it matches anything okay it covers the entire network all right so that's what you get there in your subnet mask all right so for one host for one host you'd use all zeros if you're trying to eliminate just one host in a access control list with your wildcard mask if you want to cover all hosts all host then you'd use this two five five two five five two five five two five five that represents any host okay all right so all in all wildcard mask opposite subnet mask the other thing you're going to want to know there's just one more thing you will need to be able to identify your block size for your networks okay just like you need to identify your block size for by looking at a subnet mask all right you need to be able to identify your block size with a wildcard mask and here's how you're going to be able to do it all right so I'm going to go ahead and come back up to this light so we have a wildcard mask here of 0 0 15 to 5 5 correct if I were to turn that into a subnet mask that would be to 5 5 to 5 5 to 4 D cos well 255 minus 15 to 40 all right to 40 0 all right to 5 5 to 5 5 to 40 0 is what my subnet mask would be so if I have that 240 and the third octet where I'm working okay 240 is bringing our subnet chart over I'm not going to spend too much time on this because we've already got over subnetting and I don't want to overload you again but so I've got far bit borrowed bit on opiate or okay we're at the 16th okay torchy 240 28 plus 64 plus 32 plus 16 is 240 our block size is 16 our block size is 16 we can see that here okay and we've also done over a technique that if you want to know once you have your bits borrowed here what the value is of your the decimal value is in your subnet mask for this bit you can take 256 minus this number and we 
get that 240 that appears in our subnet mask remember we just said our subnet mask was going to be 255 about to 40 I'm sorry 255.255.255.0 up in the subnet mask all right hopefully you're following me with this just saying all this to make sense out of the fact that in your wildcard mask because your wildcard mask is already 255 minus your subnet mask if 256 whoops this thing sliding around 256 - your subnet mask gives you the block size okay then well 255 minus your subnet mask should give you close to your block size it's your block size minus 1 so if you see this number 15 here you can take that 15 plus 1 you know your block size is 16 okay so your block sizes and subnet masking really a lot easier I'm sorry on a wildcard mask your block sizes and wildcard masking are a lot easier you can just take the octet you're working in plus 1 that is your block size so for instance the resulting range of this wildcard mask is 16 through 31 ok it's it's 16 it's 16 because this number plus one that will give you your block size which is kind of easy it's kind of easy so just think of it that way that technique will work I'm not going to spend too much time of it on it but yes this plus one all right that's your block size that is your block size see if I can find a different example here so down here we've got 255.255.255.0 which gives us a this is our subnet mask remember which gives us a zero zero three two five five well healthy borrow bits out two two five two this thing is really sliding around on you for some reason we are about 50 out the to five you does be placing a 1 here and a 1 there ok that takes us to the two five two spot look at our block size it's four okay if you add these up you will get too far too I'm just going to minimize that cuz I'm not coming back to it here's our three down here three plus one is four that is your block size so again you can take whichever octet you're working in increase that value by one that is going to be your block size okay 
so know that is it's really easier than sudden that mask and then trying to figure out your block size less math and well just add one you've got it okay so that's something you might be asked to do by looking at a subnet wildcard mask you might be asked to give the range of the network based on the wildcard mask and you can see okay it's going to be block size of four so I'll just take the networking no that's my block size and I can I can figure out the range based on that okay all right moving on so there are any other questions about wildcard masking just bring them up in class we can discuss it more but at a base level just take your subnet mask take two five five two five five two five five two five five subtract your subnet mask you'll get your wildcard mask okay all right so here talked about how okay how your wildcard mask is of course reversed so a two five five two five five two five five two five five would be equal to a quad zero in terms of subnet masking so if we wanted to create an access list that permits everything okay it just permeates everything remember in our routing tables we create a default static route of quad zero quad zero to catch any traffic that's the same thing that you see here it's a quad zero with a wildcard mask of all 255 which basically is like another quad zero because it's the opposite of a subnet mask so this access list would permit anything covers all IP addresses okay just like your quad zero quad zero would down here if you only want to permit a specific host okay it's the opposite situation oh I'm sorry the other the other part of this is that when you're creating your access was if you don't want to have to write out this quad zero to 5 5 to 5 5 to 5 5 you can just write out any in its place and that's going to shorten the process for you okay so that permits any IP address if you just type in any or this it's exactly the same so once you get used to it you might as well just type any because that's going to be 
shorter all right and then down here the opposite you've got permitting 192 168 1010 you would only want to permit that one single IP address so you have a 0 0 0 0 out here as your wildcard again which would be equal to a 2 5 by 2 - 5 X - 9 5 - 5 5 subnet mask which would give you just one host ok so if you don't want to have to write out this quad 0 wildcard mask you can write in access list our maid host then whatever that host IP address is and you don't have to write out this wildcard mask at the end okay so those are some shortcut key words that you can use you don't have to you can it's an option and it's probably going to make things a little faster as you configure your devices to use either any or host okay so those your key word examples here they were explained on the previous slide but I kind of just used this previous slide to give you an example of wildcard mask versus subnet mask but yeah here's where the concept was introduced of using host instead or using any instead of using your wildcard okay and we're introducing a lot of concepts when you haven't gone through the commands yet we will in just a second so here we have some general guidelines for creating or ACL well you can see the rules down here which are you have one ACL per protocol per direction per interface so what that means is well let's say we have I don't know one interface over here okay you can have a access control list for ipv4 let me see how I want to wear this you can have an access control list on one port for ipv4 inbound and ipv4 outbound on that same port let's say we just have one port over here you can also have a access control list for ipv6 inbound and ipv6 outbound alright for let's hold the four I guess per port is how many access control is so two for ipv4 one inbound one out them two for ipv6 one inbound one outbound that's all you can have per interface okay so that's going to be somewhat important I guess you'll probably see a test question or two on that alright 
so if you add two interfaces like they say on this router you would have a total of eight one interface would be a total four in one per protocol and one in down one out down okay that's a total of four that you get there some more rest practices a base of your ACLs on the security policy of your organization so you meet organizational guys guidelines prepared description of what you want to do you can even make description remarks in your access control list once you start doing extended ones which we don't happen to cover in this course you can use a text editor we saw last class how you can use notepad to create shortcuts for yourself if you're going to create access control lists and have access control entries that you want to have as reusable you could save them to some type of text file and just you know paste them in like we did last week with our what for what what did we do that for VLANs with our VLANs that we did last week texture access control lists on a development network before you implement them on a network production network you don't want to implement your access control list in the middle of the heavy flow workday and then all sudden something goes wrong and you have a million phone calls coming in people trying to get to this or that website access this or that protocol or email whatever you want to probably apply it in it but you definitely want to apply it in a test environment first or maybe off-hours and test it yourself before implementing it into a or on a production network because things could go wrong you never know so those are your best practices here we have asylum where you want to place your access control lists and then as I stated before we don't do that extended access control list but those X extended access control lists are typically placed near the source and standard are typically placed near the destination and here's basically why your standard apps of control this filter based on source IP only okay doesn't filter 
based on a specific protocol or port number or anything like that you're just basically blocking all traffic from a source IP address okay so let's say you got your source here and you've got your destination all right I want to block this source or this IP address maybe the whole network from reaching let's say PC three we want the PC want to be able to communicate with the server over here but we don't want to be able to communicate with PC three if I well place a deny a statement or good yeah the nice statement in my access control lists over here closest to the source well you're denied access to anywhere essentially okay you're not going anywhere but within the local network because you've denied access to this source IP address if you places closest to the destination let's say I want to block it from PC three I place that access control list outbound for g00 here meaning that only network that a PC one can access is the network with PC three on it okay and I've done my job I can still get to the server I'm still good to go all right if I had the same type of situation come up and well I have an extended access control list okay here's why I want to place it closer to the source because I can kill unnecessary traffic before it's routed through r1 before it's routed through r2 we for us we're out of through r3 I'm taking up unnecessary bandwidth if I'm trying to communicate with PC three and that's just going to be killed anyway if I can kill it earlier than later then that makes my network more efficient okay so I can place an extended access control that's extended access control list can filter based on source IP destination IP protocol port number so for my extended access control is I can place it right here before it even gets routed on our one I can do an inbound access control list on G zero zero saying any any traffic with a source IP address from this network and a death deny destination IP address to this network I'm going to deny okay that's what 
I'm going to do so I can place that right here I've done my job anything headed for this network is not going to make it and I haven't had to forward it out r1 to r2 to r3 before that decision gets made I freed up my network a little bit everything's running more efficiently so extended access control lists will allow you to do that standard or not so that's why you'd place extended typically closer to the source you don't need to have any unnecessary traffic traveling over your network your standard closer to the destination because you don't want to block access to something you don't mean to block access to okay okay so that third is restated placement of your access control is extended to the source standard destination I don't know how you really want to remember that but extend it to the source standard to the destination okay and here we have just another example standard access control displacement so you want it closest to the destination this is pretty much the exact same thing I just said but if you placed it before it got to r3 r3 it would be well any network attached to our three would be inaccessible from over on the left side in this ten network if you place it on the outbound of our three towards network 30 here then you've only denied access to this network which is probably what you intended you still can communicate with the 31 network here and you're all good so again closest to the destination for your standard access control list placement and those rules were access control as the standard ones are going to be most important to us because we are going to configure standard we are not going to configure extended okay now we're going to talk about actually creating these access control lists only standard like I mentioned before we don't have to do extend it anymore which again we're a lot more complicated standard still not super easy but not so bad so the first thing we have is a numbered ipv4 access control list your numbered list I'm not 
sure that's the way you want to go about making them most of the time name lists really I think make the process a bit faster so anyway the number of this you're going to have to know how to make anyway and how you're going to well make that is with this access list command you're going to number that list whatever number you want it to be okay so we have access list 10 here and then you're going to state what you want to do do you want to permit traffic you want to deny traffic or do you want to make a remark okay a remark is just going to be a note to yourself that you typically place to remind yourself when you look at your running config what you created this access list for it might not be always that apparent that this access list is permit hosts from the yada-yada network okay when you place this remark in here you do your show running config and in this access list it's going to tell you what your intention was when creating this list okay so we have the first access control list entry up here to access list 10 permit the 192 168 n 0 network and again there's a wildcard mask which is 0 0 0 255 again we can flip that if you want to think about it like a subnet it's 2 5 5 2 5 5 2 plus x 0 instead so you're permitting the 192.168.1.0 network all right that's what this entry would do if you left it unaltered now you might ask yourself why am I just permitting this network what does that do for me if I just permit it there is something called an implicit deny message at the end of each one of your access list statements you don't even have to type in if you make any kind of access list the last entry without you typing anything in or the last thing that happens is it denies everything else that you don't mention in this list so if you permitted just this network this statement will permit this network only then deny everything else at the end okay so that's that implicit deny at the end of your access list so again this access list entry would permit this 
network and deny everything else okay we can also go in here we'll go no access list if you want to remove that access list all right if you did a show access list you can see that access list here it's going to permit Yatta Yatta wildcard bits here and then okay if you wanted to remove it no access list like we were saying all right if you wanted to create it again there's a different way to do it with the remark okay so access list ten you to make the remark that this is going to permit hosts from said network 191 six eight ten zero and then you're going to actually make the entry for the permit okay the permit statement so access lets an permit blah blah blah same permit we made up here it's just now we're going to have this remark in there okay and we do a show running config includes big include access with ten we can see those things here there's the remark does an tree made so that's a very very simple access list okay this slide is going to show us how we would apply that access list to an interface so we make the access list first in this case we're making access list one from same-same network work fermenting here okay so we make the access list then we go to the interface we want to apply the access list to serial zero zero zero in this situation and which direction do we want to apply it to on the interface you want to apply it to outbound draft traffic or inbound traffic ok so IP access - Group outer in we're going to choose out here ok so that's how you do it just IP access group whichever access list you want to use and then inbound or outbound on that interface remember that standard access list can only be applied to source IP addresses and typically for a standard s access list you want to put that access list as close to the destination as possible whereas with an extended access list you want to place it as close to the source as possible so what we would have done here if we had created this access list in the current topology is we permitted 
the ten network over here it can go ahead and go out because we permitted it everything else would be denied so gee the 11 network over here that network attached to g0 one is not going to be allowed out that way it will be denied that that access ok there was another network over here though we could reach it it just can't go out serial zero zero zero alright and we did pretty much place the list closest to the destination I don't know what else is over here but as far as our equipments concerned our topology we did place the access was closest to the destination as possible here we have an example where we want to deny a specific host in a network ok so first we've got no access list one that's going to remove the access list that's going to remove the access list that removes it from the access list entries there's no oh no access lists list anymore so we'll have to reassign it to the interface again as you'll see down here for serial zero zero zero alright so we erase the access list we've got access list 1 we're creating again after erasing it in this situation we're going to deny the host ok and if you're going to make multiple what you typically will make multiple access list entries for one access list ok you want to make your host statements come first your host of entries come first then your network entries because if if you don't the device is going to rearrange them that way anyway the device lists host access list entries first and then network range access list entries second ok our network second you'll see that in a troubleshooting slide that we have a little further down the list okay so we deny this host alright and then we permit everything else from the network also remember there's an implicit deny at the end which means well we're going to permit everything in this network but this host and deny basically everything else ok because at the end we don't have to type it in but there's a deny any any statement deny anything ok so that's what we 
got here then we go back to the serie of the interface access group one IP access group one outbound same place we put it before and in this situation we've denied PC one but anything else in this network we'll just use your imagination and I've imagined there's some other things in this network in they would be able to communicate out serial 0/0 here we have a situation where our intention would be in this situation not to let pc1 communicate anywhere outside of the local network over here ok so we just want to deny it the ability to get to the router and get off the network okay so in this situation in the previous situation PC one could still communicate with anything else that wasn't out serial 0/0 can communicate with this network over here okay the Levin network but in our current situation we don't even want it communicating with the eleven Network we don't want to communicating anywhere so we would again no access let's one removing that access ELISA we it just made access list one deny the host so same thing we wrote before deny host blah blah blah that which is PC one okay and because we wrote host in here we don't have to have a wildcard mask remember that host is as good as having a wildcard mask of zero zero zero zero zero zero zero zero yes that's four zeros so we don't need to write out the wildcard mask over here and we're permitting anything else so anything else from within this network yes can get out but host 1010 is not going to be able to we apply it to the gigabit zero zero okay that um and that's an inbound access list that we be creating blocking PC one okay all right so that's a little gone numbered access list we have named next so named access list if you're going to have multiple entry list is going to be the way to go it's going to save you time because you don't have to type in access list some number over and over and over again you just have to create the access to the name by typing in IP access list we're using standard only in 
this situation or in our class I should say so we type in IP access with standard then the name of the access list after pressing enter then you would go ahead and your C or your prompt here change to config standard named access list and you start making your permit denial mark entries in that access list okay you still apply the access group the same is just instead of using a group number you would use a group name so let's take a look at how that's going to be a bit different so here we have the creation of IP access list standard and the name will be no access okay no access we are now going to type in deny host law permit any instead of having to type in access list ten deny hosts yadda-yadda access list ten permit any we don't have to type that anymore okay it knows what access list we're in so we're just making our permit deny remark entries without having to type in access list over and over again and that's going to save you some time hopefully so that's how named access list would work you're just going to get into this new prompt by typing IP access list standard or extended we're only doing standard in our class then the name of the access list and you'll go ahead and make your entries and when you're done exit at access list when you want to apply it you're going to go into the interface just like you would before type in IP access group and instead of a number you'll type in a name and save inbound or outbound okay a couple things here before I leave this slide your access list name does not need to be capitalized here you can make it all lowercase all uppercase next case you want to be really annoying but it is case sensitive so you want to make sure you use the right case because when you type it in and try to apply it to an access group or an interface then you need to use the same case there it probably is a good idea to make them all capitals they will stand out more that whale in a that way in the configuration so so probably a good idea to 
make them all capitals, just so they stand out a bit more. Also, there are no spaces in your access list names; that's why you see an underscore here, so if you need to make a space just use the underscore and that will suit your needs. So: no spaces in access list names, they are case sensitive, and they can be alphanumeric, numbers or letters. So we'll move on.

Moving on to modifying access lists. The way you maybe don't want to do it: you can go into your show running-config, copy your access list, paste it into a text editor, then go in and remove the access list, go to your text editor, copy it, then paste it back in with your corrections, and you'd go from there. Sounds like a lot of work, because it kind of is. So there is a different technique you can use. When you make your access list, if you do a show access-lists you'll see the number each entry is given; you don't have to create that number yourself, it's something that happens automatically. So for instance we have 10 deny blah blah blah, 20 permit blah blah blah; that is created automatically for you. We can go in and edit the access list by name. When we created the access list we just had access-list 1 block, access-list 2 block out there; we didn't use a named access list, but it still has the name 1, that's its name. So we can go back in and type in ip access-list standard 1, that's what the name would be, the name is 1, so we can get into that list, and once we're in that prompt for a standard named access list we can say we don't want entry 10, so no 10, and 10 is gone. Then we can create a new 10: 10 deny host this-host instead, and we're good to go. If we do a show access-lists again you'll see your new entry there. So you can edit that numbered list that way.

Also, if you wanted to make another entry between those two, you can see they
give you some room between 10 and 20; hopefully you don't need to make 9 edits in between them, or more than 9, because then it's going to be tough. But if you create an initial access list and you notice that you needed to put in something else between the two, just use a sequence number to place one between the two, or before 10, or whatever number you need. In this situation we have a need to deny another host: we denied the .10 host, we need to deny the .11 host as well. So we'll go back into that named list, type in a number that comes between the two, any number, it could be 15, 12, whatever, and make your entry, and that entry will appear between these two access list entries.

Access lists are read from top to bottom, and as soon as a match is found in an access list it stops; it doesn't go through the whole list like a routing table. As soon as a match is found it stops, which is why you need to create things this way. If you had this permit network 192.168.10.0 up top, it would see that, and if there's a match, which covers 192.168.10.10 and .11, it would just stop there and permit everything; it would never make it down to these deny entries here. That's why we need these deny entries first, so it will deny 10, then deny 11, and permit everything else. Again, if this permit was up top it would permit everything and it would never even look beneath that; it would see that the traffic is a match for this permit entry and so it would stop looking through your access list. So that's how access lists are looked through: it looks for a match, top to bottom, and as soon as it finds a match it's going to stop looking.

Verifying: we can do a show ip interface and see that your outgoing access list is listed; I don't mean it's blank, I mean it is listed as 1. We can do our show ip interface for a named access list and that name will come up. You also have a show
access-lists, which will show you the lists that you have created, so you can verify which interfaces it's on, verify what the list is and how it was created, and you can see all of that there. So that's what we have here.

Let me go back one slide. You may have noticed here that you've got a 15 before your 10. That's because the IOS will reorder your host access list entries using a special hashing function; basically it'll go ahead and do what it needs to based on this hashing function to make it so that it can process these entries as efficiently as possible. So your host entries can be rearranged on you. You should always have your denies and permits together, but your host entries can be rearranged on you; your network entries will not, so whatever order you put your network entries in, they'll stay in that order, but your host entries in your access control lists can be rearranged. So that's something to be aware of.

Let's see what else we've got here. When you're looking at your show access-lists you can see how many matches you have for a deny or permit; it shows you your matches here, and you can see that this person is trying to do things they shouldn't be, so it might be something you want to look into. It gets even more specific when you use extended access control lists, where you can see exactly what protocol they're trying to access that they shouldn't be. And if you use the command clear access-list counters for a certain access list, you can clear out that counter for matches. So you've got that here; we only did it for one. We have a couple of matches for this named entry, NO_ACCESS; that NO_ACCESS access control list (maybe we should just call them ACLs) has not been cleared, so it still has four matches down here.

We also have something called access-class. When you're applying an
access list to either SSH or Telnet, I should just say your vty lines, when you're applying your access list to vty lines you're going to use the access-class command rather than access-group. We've been using access-group on your real interfaces; on a virtual interface like these vty lines you're going to use access-class instead. So that's what you type in. The creation of the list is just the same: what do you want to permit, what do you want to deny; but when you apply it to a vty line you're going to use access-class. When you do that, whoever you permitted will be presented with the ability to log in when they try to SSH or Telnet; those who weren't permitted aren't given that ability, and the connection is going to be refused. So again, that's access-class that you would use.

And that is configuring your access control lists. We've got troubleshooting, then we're done, so here we go. The implicit deny at the end of your access list: I mentioned this before, you have an implicit deny that denies any other traffic at the end of your list. Here's the example they're going to give you for that. When you make an access list entry that says permit this network range, 192.168.10.0, I'm going to permit that network. When you make that entry, access-list 1, or ACL 1, is going to permit that network and deny everything else. It would be the same as writing in this access list permit that network, then deny any; it's the exact same thing, it will have the exact same effect. We don't need to write in this implicit deny; it is there already, we don't need to worry about it ourselves. So again, in any access list this deny any is already automatically entered at the bottom. Why that's very important is if you just try to make an access list that denies one device and you don't permit anything, everything's going to be denied. So you need to have some type of permit, otherwise you're
denying all traffic in an access list.

So a general rule is your host statements should go before your network statements. In this specific scenario, in fact we talked about this example a little bit ago as well, if you denied this entire network and then tried to permit a host from that network, it is going to look at this deny-the-whole-network entry and never get to the host part. It looks for the first match, sees it, and then it's done looking for access control list entries. So as soon as there's a match it will say deny: I'm denying, doesn't matter, I don't know that there's a permit host entry down here, I don't care, I found a match and it said deny, so I'm denying. So what you need to do instead is make your host entry first and then deny the network afterwards; that way if the host comes in trying to get access it'll say okay, I got a match, it says permit, good, and anything that doesn't match the host will drop down and find that deny entry, and you'll be good to go there. So that is very important.

So here you see that you can configure a host statement after a range statement if there is no conflict; you can if you want, but typically your host statements are rearranged before your network statements anyway, so you should be fine either way. What will be a little different is that your running config is not going to show what you think it will, perhaps, when it shows you your access list. In this example here we have the creation of your access list: access-list 1 deny, deny, deny network ranges, then you have a bunch of host entries, which is fine because these hosts don't conflict with the network entries up here. If they did then you'd get an error message, like we saw in the previous example back there. When you do a show running-config you'll see how your host entries are first and then your network entries, or network range entries, are second. That's just the way that your router is
going to look through these access control lists: it reads hosts first, reads network ranges second. As we go down we can see that even though we entered the host entries in a certain order, they aren't in that order at first; there's a hashed sequence that happens and it just helps the device search through the access control list as quickly as possible. Your network ranges will be listed in order, but your host entries might not be. So it's always going to be host first, network or range second. But if you do copy your running configuration to your startup configuration, your host entries should reorder themselves, well, at least it will reorder the numbers correctly: this sequence will change to this sequence down here. Notice the IP addresses haven't changed, the hosts haven't changed, but the sequence numbers have. So that's just the way that the router will be able to search through these access control entries for the access control list most efficiently; that's why it's going to reload that way. Hopefully that's clear: hosts first, network second; networks will be in the order that you entered them, hosts will not be, they'll be rearranged so that the router can look through them as quickly as possible, and if you copy your running config to startup and reload the router it will actually change the entry numbers. So that's something you'll see as well.

So here we have the routing process and ACLs, because there are some general things about the routing process. As a frame comes in, it checks the MAC address to see that the destination MAC address matches the router; if it does, it's going to strip off the frame information and test that packet against the ACL on the inbound interface. If an ACL exists on the inbound interface, the packet will be tested against it, and if there's a match it'll either permit or deny based on that match; of course if it's permitted it's permitted, if it's denied it's dropped. So if it's accepted it's
checked against the routing table to determine a destination interface. We know that if there is no entry in the routing table for a packet then it will be dropped. And basically it's just going to be checked against the outgoing interface: if an ACL exists on the outgoing interface and it's a permit match, then it will encapsulate a new layer 2 frame and send it on out; if it doesn't match then it's going to be dropped. So that's pretty much what's going to happen: accept the frame, make sure the MAC address is okay, check it against the inbound access control list, whether it's to be permitted or denied; if it is permitted, look up the routing table entry determining the outgoing interface, test the access control list of the outgoing interface if one exists, permit or deny based on that, encapsulate a new layer 2 frame, and send it on its way. So there's a bit that goes on; basically you're checking on the incoming and outgoing interfaces.

So, more troubleshooting. Let's take a look at what might be wrong with this. On R3 we have an access list; it's going to deny all traffic from 192.168.10.10. Well, what is that access list going to do? Not just deny the .10 host, as you'd think it would; it's going to deny everything, because remember there's that implicit deny. If you just make an access control list with one entry that says deny one item and you don't permit anything else, it will deny everything. So this list would deny everything. Instead you'd need to make that list with a permit any after it; then it will permit everything but this host that you're looking to deny. So again that's an implicit deny problem; you need to remember that that is something that exists.

Moving on. So our other problem: we have a security policy that says the 192.168.11.0 network should not be able to access the 192.168.10.0 network. So this network, PC2's network, should not be
able to access this one over here, and we have the access control list set up correctly, but it's on R1. Hmm, so usually we're in R1 here; if we apply that to an interface on R1 and we're just trying to deny access to the 10.0 network, okay, that's fine, the access control list is set up fine that way. But I'm guessing the interface they applied it to is not correct. They're going to apply it to interface GigabitEthernet 0/1 inbound. Well, that means that not only are you denying the 11.0 network access to 10.0, you're denying it access to anything: you're blocking on G0/1, which means it's not going to be able to pass that interface at all. Where you should apply that is the outbound interface on G0/0, closest to the destination. Remember, standard access control lists are supposed to be placed as close to the destination as possible, so you'd want to put that on G0/0 here instead of inbound on G0/1; it would be outbound on G0/0, which would be correct. Outbound on G0/0 is what you'd want, so that would take care of that. I'm guessing we'll see that in the next entry, yep: we take ip access-group blah off this guy, we type in ip access-group blah on that guy, and we're good to go.

Moving on, and here it looks like we just have a basic IP addressing error. We're only supposed to allow PC1 SSH access to R1, but we've made this access-class with a named access list, PC1-SSH, and when we created that access list we mistakenly put in 192.168.10.1 instead of 192.168.10.10. To correct that we can go back into that named access list, just go into ip access-list standard and then the name, the name in this situation being PC1-SSH, type in no 10, because 10 was the entry, and make a new 10: 10 permit host 192.168.10.10 instead of 10.1, and we should be good to go there, and it
looks like everything would be operational from that point. And that would be it, and once it's entered, that is it for chapter 7. So again, like I was saying, it's a little lighter than it used to be; we used to have to do extended access lists, we don't have to, we just do standard now. Wildcard masks, we talked about that earlier, so that might feel a little tricky at first, but it's just the reverse, just the reverse of a subnet mask. So we've got some situations or techniques to deal with that; we'll discuss it more in class. Hopefully this video helped for Chapter 7.
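The points the lecture keeps coming back to (wildcard masks as the inverse of a subnet mask, top-down first-match evaluation, the implicit deny any at the bottom, and why a permit-network entry placed above a deny-host entry silently wins) are easy to check offline with a small evaluator. The following is an added example written for this page; it is not the lecturer's material and not Cisco code, and it does not model the IOS host-entry reordering or access-class on vty lines. Every name in it (Entry, parse_entry, build_acl, evaluate, shadowed_entries, wildcard_for_mask) is an assumption of this example, and the three sample lists at the bottom are constructed from the chapter's addresses: the R3 deny-only list, the corrected deny-.10/deny-.11/permit-network list, and the shadowed permit-before-deny mistake.

```python
"""
Standard-ACL evaluator modelled on the IOS semantics described above:
entries are read top-down, the first match wins, and an implicit
"deny any" sits at the bottom of every list.
Example code for this page, not Cisco code; all sample addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class Entry:
    action: str     # "permit" or "deny"
    address: int    # 32-bit address the source is compared against
    wildcard: int   # wildcard mask: 0 bits must match, 1 bits are "don't care"


def wildcard_for_mask(subnet_mask: str) -> str:
    """A wildcard mask is the bitwise inverse of the subnet mask."""
    mask = int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(mask ^ ALL_ONES))


def parse_entry(line: str):
    """Parse one standard ACL entry in numbered ('access-list 1 deny host X'),
    named ('deny host X') or sequenced ('10 deny host X') form.
    Returns None for remark lines."""
    tokens = line.split()
    if tokens[0] == "access-list":       # numbered syntax: drop "access-list <n>"
        tokens = tokens[2:]
    elif tokens[0].isdigit():            # sequence number, as shown by show access-lists
        tokens = tokens[1:]
    action = tokens[0]
    if action == "remark":
        return None
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in entry: {line!r}")
    if tokens[1] == "any":
        return Entry(action, 0, ALL_ONES)
    if tokens[1] == "host":               # "host A.B.C.D" is "A.B.C.D 0.0.0.0"
        return Entry(action, int(ipaddress.IPv4Address(tokens[2])), 0)
    address = int(ipaddress.IPv4Address(tokens[1]))
    # a bare address with no wildcard matches only that one host
    wildcard = int(ipaddress.IPv4Address(tokens[2])) if len(tokens) > 2 else 0
    return Entry(action, address, wildcard)


def build_acl(lines):
    return [e for e in (parse_entry(line) for line in lines) if e is not None]


def matches(entry: Entry, src: int) -> bool:
    # every bit that is 0 in the wildcard must be identical in src and entry.address
    return (src ^ entry.address) & ~entry.wildcard & ALL_ONES == 0


def evaluate(acl, src_ip: str) -> str:
    """First matching entry decides; no match falls through to the implicit deny."""
    src = int(ipaddress.IPv4Address(src_ip))
    for entry in acl:
        if matches(entry, src):
            return entry.action
    return "deny"


def shadowed_entries(acl):
    """Indexes of entries that can never match because an earlier entry already
    covers every source they would match (the permit-network-before-deny-host
    mistake from the troubleshooting section)."""
    shadowed = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            covers_bits = later.wildcard & ~earlier.wildcard & ALL_ONES == 0
            same_fixed = (earlier.address ^ later.address) & ~earlier.wildcard & ALL_ONES == 0
            if covers_bits and same_fixed:
                shadowed.append(j)
                break
    return shadowed


# Constructed scenarios using the chapter's addresses.
DENY_ONLY = ["access-list 10 deny 192.168.10.10 0.0.0.0"]   # no permit: implicit deny drops everyone
CORRECT = ["10 deny host 192.168.10.10",
           "15 deny host 192.168.10.11",
           "20 permit 192.168.10.0 0.0.0.255"]
SHADOWED = ["permit 192.168.10.0 0.0.0.255",
            "deny host 192.168.10.10"]                        # the deny can never be reached

if __name__ == "__main__":
    for name, lines in (("deny-only", DENY_ONLY), ("correct", CORRECT), ("shadowed", SHADOWED)):
        acl = build_acl(lines)
        verdicts = {ip: evaluate(acl, ip) for ip in ("192.168.10.10", "192.168.10.50", "192.168.11.5")}
        print(name, verdicts, "shadowed entries:", shadowed_entries(acl))
```

Running it shows the deny-only list denying even 192.168.10.50, the corrected list denying only the two hosts and anything off-network, and the shadowed list permitting 192.168.10.10 with entry index 1 reported as unreachable. The shadow check is stricter than what the lecture says IOS does (it mentions an error only for a conflicting host entry); treat it as a lint you would run on your own lists before applying them.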
Info
Channel: CeeJayII
Views: 17,461
Keywords: CCNA, CCENT, ACADEMY, cisco, network, acl, access control lists
Id: N0XV7DmJzqU
Length: 64min 21sec (3861 seconds)
Published: Mon May 08 2017