Cisco Router Access-Lists Part 1 (Fundamentals): Cisco Router Training 101

Captions
Hello and welcome to Cisco Router Training 101. My name is Don Crawley. I'm from soundtraining.net, the Seattle, Washington-based publisher of learning resources and provider of accelerated training for IT professionals. This time we're going to talk about Cisco router access lists. This is part one of a three-part series. In this video we'll cover the fundamentals, so we'll be covering things like standard access control lists and how to apply them, and just some of the fundamentals of access control lists. It's based on chapter 11 in my book, The Accidental Administrator: Cisco Router Step-by-Step Configuration Guide. The book is not required, but if you'd like to get a copy to follow along, it's available through the usual online resellers, including www.soundtraining.net/bookstore.

Our software version is Cisco IOS version 15.1. The basic concepts that we're going to cover go way back in the IOS versions, so even if you're using an older version, say even 11, most of what we're going to talk about will apply. There are some enhancements in more recent versions of the IOS, and I'll try to point those out as we go through the training. So, as I mentioned, this is part one and we're going to cover the fundamentals, including standard access control lists. In part two I'll go over extended access lists, object groups and named access lists, and in part three we'll cover IPv6 access lists for you.

So, as I said, this is part one, and here are the prerequisites for this lesson. You'll need unrestricted privileged mode access to a Cisco router, and, very important, you need an understanding of IP addressing, including subnets, dotted decimal notation and CIDR notation, before you get into this. If you're not comfortable with that, then watch our video on IP addressing, get comfortable with it, and then come back to this video. Equipment and software requirements: one Cisco router (the one I'm using is a Cisco model 1941). You'll also need a computer for your management workstation connected to one interface on the router, a console cable, and terminal emulation software such as PuTTY, which is the one I'm using. You could also use Tera Term, SecureCRT or even HyperTerminal if you'd prefer.

Here's your disclaimer. This video is provided solely as a courtesy to you, our viewer. There are no guarantees whatsoever. Do not attempt these procedures on a production router without first testing them for security and suitability in a lab environment. Performing these procedures may open your router to the public Internet and subject your network to attack, so make sure you have current backups and take precautions, including data encryption and additional access controls, to protect sensitive data. As usual, that's always good advice.

So what exactly is an access control list? Well, it's really very simple. It's a sequential list of permit and deny conditions, or statements, that are known as access control entries, and you apply them to a router interface, typically. You might also apply it to a logging function or a VPN tunnel or something else, but it's a way of identifying a traffic flow. It's a way of saying, I want to recognize and either permit or deny traffic that originated in this subnet, this network or this host. With an extended list you can do more than that, but it's still a way of identifying a traffic flow and permitting or denying it.

Now, a couple of things to think about. First of all, the list is read in sequential order from top to bottom until a packet matches an entry, and once the packet matches an entry, testing stops. So as soon as there's a match, nothing that comes after the match is read. Let's take a look at this and you'll see what I mean. Take a look at the access list and you'll notice that we have three statements denying access from particular networks. Now, I'm not going to get into the syntax right now, we'll do that in a minute, but right now just know that this access list denies any packets from the 10 network, the 20 network or the 30 network. You'll notice that the fourth line in the list permits packets from host 30.0.0.1, which is on the 30 subnet, or the 30 network, the one that is denied in the line right above it. Here's what's going to happen. A packet will come in, and we've got an animation for you, so take a look at this. The packet comes in from 30.0.0.1. First it's permitted, again it's permitted, but now, because it matches the deny statement at 30.0.0.0, it never gets to the line that permits it, so the packet is dropped, just like that. So it's very important to understand the ordering of lines in an access list, and we'll go over this again in a moment, but for right now understand that it's important to go from most specific to most general. The problem with the list that you're looking at right now is that it does the exact opposite: it goes from most general, where it denies an entire network, to most specific, where it tries to permit an individual node or host. But because it denies that network, it never gets to the line permitting the host, and the packet is dropped.

Now, a couple more things that you need to understand about access control lists. There is an implicit deny any at the end of every access control list, so if a packet doesn't match any of the entries in the list, it is dropped. Here's the way to think about this: anything that is not explicitly permitted is implicitly denied. So if you don't have a line in a list explicitly permitting a particular traffic flow, it's going to get dropped. Now, a lot of people will put a permit any statement at the end of the access list, and if that's what you want to do, if you want to permit all traffic other than that which you have explicitly denied, then that's great. Some people say, well, should you just always do that? And the answer is no, it just depends on what you want to do. But it's very important to remember that if a packet doesn't match any of the entries in the list, it is dropped, and when you're troubleshooting, one of the first things to do is to look at the access control lists and see if maybe that's where the problem is.

The next thing you need to know about access control lists is that the list must be applied in order for it to have an effect. In other words, if you don't apply it to an interface, then it's just floating around out there not doing anything, and it'll have no effect at all. We'll go over the syntax on that in a moment.

Now, there are two types of IPv4 access control lists. First is the standard access control list, and they're numbered 1 through 99, or there's an expanded range, 1300 through 1999, that was supported starting with version 12.04. I'll talk more about those numbers in a moment, but just know that if you use a number between 1 and 99 or 1300 and 1999, that tells the router that you're working with a standard access control list, and a standard access list acts only on the source IP address for filtering. It doesn't look at anything else, only where the packet came from. Now, the extended access control list, which we're going to cover in the second part of this video series, is numbered 100 through 199 or 2000 through 2699, and unlike a standard access control list, which acts only on the source IP address for filtering, an extended list can filter based on the source IP address, the destination IP address, protocol type or port number, or any combination of those. So you have a lot more granularity with an extended list than you do with a standard list. Sometimes people say, well, should you just always use the extended list? And the answer again is no, it just depends on what you want to do. A lot of times a standard list is sufficient, and why make things more complicated? So if you can, use the standard; if you need it, use the extended.

A couple more rules for access control lists. First of all, one list per type, per direction, per interface. A lot of people get kind of confused on that, but here's the thing: you can have one standard list (that's the type) per direction (inbound or outbound) on, say, interface Gigabit Ethernet 0/0. You could have another list of the same type in the same direction on another interface, but you can't have two lists of the same type in the same direction on the same interface.

Now, the number of the list. We talked about that a moment ago, and here's the deal on the number of the list: the number identifies the type. It's the range, actually. So if it's within the range of 1 to 99 or 1300 through 1999, it's a standard list, and if it's within the range of 100 through 199 or 2000 through 2699, it's an extended list. And here's the deal on the numbering within the range: there's no significance to the number. There's no priority. It's merely a label that tells the router what type of list it is. So there's no difference between access-list 10 and access-list 25. They're both standard lists; one doesn't have any particular priority or significance over the other. And the same thing with extended: there's no difference between, say, 110 and 2500. They're both extended lists; one has no significance over the other.

Here's the syntax for a standard access control list, and you'll do this in global configuration mode, so your prompt will say config. Then you'll use the command access-list, you'll specify the number (in this case I just used the traditional 1 through 99, but you could also do the expanded range if you wanted), then a permit or deny statement, and that's exactly what the name implies: you're either going to permit traffic, you'll allow it, or deny it, you're going to block it. Then the source IP address, and the source IP address could be either a full classful network, it could be a subnet, or it could be an individual node. And then the wildcard bits, and the wildcard bits are really just another way of expressing the subnet mask. What we do for the syntax on wildcard bits is we invert the actual mask. So, for example, to permit traffic from the 192.168.1.0/24 subnet, we'll use the statement access-list 10 (this is just any number 1 through 99) permit (because we want to allow that traffic) 192.168.1.0 (that's the subnet ID, or actually that's a full classful network ID) and then the inverse mask. Now, if you think about it, a traditional 24-bit mask in dotted decimal notation would be 255.255.255.0, but when we're expressing it for the wildcard bits in an access control list, we use an inverse mask. So everywhere there's a 255 we replace it with a 0, and everywhere there's a 0 we replace it with a 255, so our inverse mask is 0.0.0.255. I'll explain this in more detail in a moment, but we're also inverting the bits: anywhere there's a 1 we change it to a 0, and anywhere there's a 0 we change it to a 1 in the mask.

Now let's do another example. If you want to deny traffic from the 125.0.0.0/16 network, you'd use the statement access-list 5 (again, any number between 1 and 99) deny (because we want to block it) 125.0.0.0 (that's the network address) and then the inverse mask. Well, normally a 16-bit subnet mask would be expressed as 255.255.0.0; we simply flip it and express it as 0.0.255.255.

Now let's talk a little bit more about the wildcard, or the inverse subnet mask. What it does is it identifies the matching bits in an IP address. So if we have, say, a /24, that means that we want to operate only on the first 24 bits of that address and we don't care about the last 8. If we're dealing with a standard, traditional Class C address, then we want to act on the first 24 bits. The wildcards are used in router access lists and some routing protocols such as OSPF and EIGRP, and as I mentioned, it's simply an inverse of the corresponding subnet mask. Here's what it looks like in binary, and this is what you really need to understand if you want to really grasp the meaning of this, and if you're working on a CCNA, this is going to be very helpful. The inverse of the corresponding subnet mask means that the ones in the actual mask are inverted to zeros in the wildcard. An actual 24-bit mask, a /24 of 255.255.255.0, becomes 24 ones followed by 8 zeros, right, in binary. Well, a wildcard inverts it. It inverts the ones, changing them to zeros, and that ends up with 24 zeros followed by 8 ones, and if you do the math, that equals 0.0.0.255, and that tells the router to match the first 24 bits; the last 8 could be anything. Here's another example. This time let's do a 23-bit mask, so the actual mask is a /23. In dotted decimal notation it would look like this: 255.255.254.0. In binary it's 23 ones followed by 9 zeros. As you can see in the example, the wildcard for /23 is simply 23 zeros followed by nine ones, or 0.0.1.255, and again we match the first 23 bits; the last nine could be anything. Let's do one more example. Here's a 27-bit mask, so the actual mask in dotted decimal is 255.255.255.224, or 27 ones followed by 5 zeros. So the wildcard is, what do you think? If you said 27 zeros followed by five ones, you're exactly right, or 0.0.0.31. If you're not sure where that 31 came from, pause the video and do the math on the binary in the wildcard and you'll see it. It matches the first 27 bits and the last five can be anything.

Now, here's a shortcut that you can use to figure out what the wildcard, the inverse mask, actually is. You just subtract the actual mask from 255.255.255.255. If we have a 24-bit mask, the actual mask would be 255.255.255.0. When we subtract it from that string of 255s, we end up with 0.0.0.255. Here's another one: 255.255.254.0. Subtract it from that string of 255s and you end up with 0.0.1.255. And finally, here's the last example, the 27-bit mask that we showed you in the previous slide. This time our actual mask is 255.255.255.224. Subtract it from the string of 255s and you end up with 0.0.0.31. So it's really pretty simple if you want to just do a quick shortcut. This doesn't show you the theory behind it, but sometimes you're in a hurry to get a configuration done, I get that, and so this is a quick way to knock it out and make it work.

Now there's really good news, because on newer versions of the IOS, the Cisco IOS now supports the use of CIDR notation instead of the inverse subnet mask. It looks like this started with version 15 of the IOS. I haven't been able to find documentation that says exactly when Cisco turned it on, but I have some routers running version 12 that don't support it, and another router running version 15 that does. Regardless, you can check it out and see; I'll show you how to do this when we do the demo in a moment. On a router that supports it, you can use a /24 instead of 0.0.0.255, or /27 instead of 0.0.0.31, so it makes it much simpler. Cisco has been trying to improve the usability of the IOS, and this is a good example of that.

Now here's the syntax of an IP standard access control list. Here you can see we have three deny statements, access-list 10 deny and then three different networks, and I followed that with access-list 10 permit any, because if I didn't do that, the fact that I have three deny statements in there (actually all I'd need is one) would then deny all traffic without a permit any at the end.

Now, as I mentioned earlier, the order of entries is very important. Here's an example of going from most general to most specific and how it won't work. Notice that this particular access list, access-list 10, denies the 192.168.0.0 subnet or network, and then there's a permit statement permitting a particular host that is on the denied network. Well, it's never going to get to the permit statement, because as soon as a packet from host 192.168.0.1 hits the list, it'll be denied at that first line. So you have to invert it and do it this way: we do access-list 10 permit host 192.168.0.1, we put the most specific statements first, followed by the most general, and that one will work. On newer versions of the IOS (this again is from version 15) the router will actually complain if you try to go from most general to most specific. It'll throw an error like this, saying that the access rule can't be configured at a higher sequence number as it's part of the existing rule at sequence number 20. Now, you may not see the sequence numbers, but they're there, and I'll show you that when we do the demo in a moment.

You can see the access lists that are available on your router with a command in global configuration mode: access-list followed by a space and a question mark. If you have, say, an old 2501 router that's got the enterprise feature set on it, that router is going to support not only TCP/IP, it's going to support IPX/SPX, DECnet, AppleTalk and several other older legacy protocols, and you can see those access lists are supported on that particular router. Newer ones are pretty much limited to IP, IPv6 and a couple of other somewhat related things.

Now, once you've created an access list, it does no good until you apply it to an interface, and in order to do that we go into interface configuration mode. So first we go into global configuration mode, then we go to the interface, in this case G0/0. Then, once we're at that interface, we use the command ip access-group, the number of the list, and then in or out. This is important: in or out is from the perspective of the router. A lot of people get confused about this, but just remember that if it's going away from the router, then it's outbound, and if it's coming toward the router, it's inbound. Again, in or out is from the perspective of the router. I'll show you that in a slide in a moment.

So let's work through this exercise together, and then I'll do some demonstrations on a live router for you. Our objective here is to deny members of the sales LAN access to the R&D LAN, but to allow access to the Internet and managers, and we want to allow all other networks full access to all other networks. In other words, all we want to do is block sales from getting to R&D. Now, this is kind of a goofy network that would allow the Internet into R&D, but they have their reasons, I'm sure. So again, what we want to do is block sales from getting to R&D, so let's see how we might do this. First of all, remember that we're dealing with standard access control lists, and a standard access control list filters based on what? Remember, it's only the source IP address, so all we can look at is where the traffic is coming from. That would say that we need to do something with the sales LAN, right? So let's start by creating an access control list that blocks access from the sales LAN. So our access-list 10 (I just picked a random number between 1 and 99): access-list 10 deny, then 10.3.0.0 with an inverse mask of 0.0.255.255, because that's a /16, and if you're kind of confused on that, go back and watch the previous part of this video until you feel comfortable with it. Now, is that going to do the trick? Well, no, because we're going to deny everything else, and remember, part of the objective is to allow all other access, so we have to add an access-list 10 permit any statement in order to allow all other traffic. Now does that do it? Well, no, because we haven't even applied it to an interface yet. So take a look at the router. It's got 4 interfaces, and on which one do we want to apply the access control list? Only one is going to do the job. Which one do you think it is? Well, if you said interface Gigabit Ethernet 0/0, you'd be right. So we'll use the command ip access-group 10 to apply it, but we still have to figure out whether it's going to be in or out. And what do you think, is it in or out? Remember, it's from the perspective of the router, so traffic going away from the router would be outbound, and traffic coming toward the router would be inbound. We're going to put it on interface Gigabit Ethernet 0/0; that's the one connected to R&D, so traffic flowing through that interface toward the R&D subnet would be outbound. So the command is ip access-group 10 out. I'll let that sink in for just a moment.

All right, let's do a demo here and show you how to set up an access control list. So the first thing we need to do is find out about the state of the router. Let's do a show ip interface brief command just to find out its IP address, and there you can see the outside address is 192.168.1.2. A ping to it from the PC: let me open up PowerShell and let's try that ping, so we'll ping 192.168.1.2 and get a response. So there, we do get a response. What we want to do is just block it, so let's go back to the router interface and take a look to see if there's any access list configured. We'll do the command show access-list: nothing there. So we'll go into global configuration mode, configure terminal, abbreviating it conf t. Let's do the command access-list followed by a space and a question mark, just so you can see the access lists that are available in this router, and it's pretty much what you'd expect. Let's do access-list 10 deny 192.168.1.0 and then our inverse mask, which is 0.0.0.255. And is that going to do the trick? Well, we still need to permit other traffic, so let's do access-list 10 permit any. Now I could, by the way, have just as easily done the statement access-list 10 deny 192.168.1.0 and put a slash value on it. Let me show you what I mean: if I put a question mark there, you can see that it now supports a slash value, CIDR notation, for the wildcard bits. But that's new, and older routers, even not very old routers, don't support that, so just be aware of that. We'll go ahead and delete that line, and let's do the command do show access-list so you can see the list there in the router. Notice there that you can see the sequence numbers, 10 and 20, and every time I add a new line to the list it's going to increment by 10. We don't need to add any more, and in fact, if we go try the ping right now, let's see what happens. So we'll go back to our PowerShell, use the up arrow to repeat the command, and what's that? It's working. Why is it working? I thought we just created an access list denying it. Well, if you said, the reason it's working, Don, is because you didn't apply it to an interface, you're absolutely right.

So let's go do that. If I look at my output from show ip interface brief up above, I can see that I want to configure interface Gigabit Ethernet 0/1, so let's do that: interface G0/1. Then I'm going to use the command ip access-group 10 to match the number of the list, and then in or out. What do you think? Well, the answer is in, because it's coming toward the router. Right now I'm trying to ping from outside coming in, so I want to use inbound; I want to block inbound traffic. Apply that, and now let's go back to PowerShell and try the ping again. Let's see what happens, and look at that: destination net unreachable. So, success. I reset the terminal to clean things up, but if you want to remove the access list, you just have to use the no version of the command. So let's go back to configuration mode, and we use the command no access-list 10, and that removes the entire list. If I use the command do show access-list, you can see that it no longer exists. Now, if I take a look at the interface, you can see that the access group is still on the interface. Let's do that: let's do do show run, then I'm going to use a pipe filter and do section interface, so we just look at the interface section, and right there under interface Gigabit Ethernet 0/1 you can see that the access group is still applied to the interface. It's just not having any effect right now, because we removed the access list, and to show you what I mean, let's go back and try that ping again, and this time it works.

Now, it is possible to modify access control lists without deleting the entire list if you're working with named access lists, which we'll cover in our next video, in part two of this three-part series on access lists. So again, in Cisco Router Access Lists Part Two, we'll be covering named access lists. In addition, we'll also go over extended access lists and object groups. If you'd like more information, we have it available online at our website at www.soundtraining.net/videos, and the companion book is The Accidental Administrator: Cisco Router Step-by-Step Configuration Guide. It's available through the usual online resellers and at www.ciminobenham.com. Crawley, I'll see you next time.
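The rules the video states about standard lists (source-only filtering, first match wins, sequence numbers 10/20/30, the implicit deny any, the wildcard as the inverted mask) can be checked offline. The following is an added example, not code from the video or the book, and not Cisco IOS itself: it is a small Python simulator whose behaviour is assumed to mirror those rules, and whose class and function names are my own. It builds the general-before-specific list from the video, the corrected list, and the sales-LAN exercise (access-list 10 deny 10.3.0.0 0.0.255.255 / permit any), and evaluates sample source addresses against each; the wildcard helpers reproduce both the bit-inversion derivation and the "subtract from 255.255.255.255" shortcut.

```python
# Added example (not from the video): a simulator for IOS standard access-list
# semantics as described in the transcript. Assumptions: a standard list filters
# on source address only, sequence numbers are assigned 10, 20, 30, ... in entry
# order, and every list ends in an implicit "deny any".
import ipaddress
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")  # "any": every wildcard bit is "don't care"


def wildcard_from_prefix(prefix_len: int) -> str:
    """Invert the mask bits: /24 -> 0.0.0.255, /23 -> 0.0.1.255, /27 -> 0.0.0.31."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask ^ 0xFFFFFFFF))


def wildcard_from_mask(mask: str) -> str:
    """The shortcut from the video: subtract the dotted mask from 255.255.255.255."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF - int(ipaddress.IPv4Address(mask))))


def matches(src: str, network: str, wildcard: str) -> bool:
    """Wildcard bit 0 means 'must match', 1 means 'don't care'."""
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(src)) & care) == (int(ipaddress.IPv4Address(network)) & care)


class StandardACL:
    """Numbered standard list: entries are (seq, action, network, wildcard)."""

    def __init__(self, number: int) -> None:
        if not (1 <= number <= 99 or 1300 <= number <= 1999):
            raise ValueError("standard ACL numbers are 1-99 or 1300-1999")
        self.number = number
        self.entries: List[Tuple[int, str, str, str]] = []

    def add(self, action: str, network: str, wildcard: str = "0.0.0.0") -> int:
        """Append an entry; the default wildcard 0.0.0.0 is the 'host' form."""
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        seq = 10 * (len(self.entries) + 1)
        self.entries.append((seq, action, network, wildcard))
        return seq

    def permit_any(self) -> int:
        return self.add("permit", *ANY)

    def evaluate(self, src: str) -> Tuple[str, Optional[int]]:
        """Top-down, first match wins; no match -> implicit deny (seq None)."""
        for seq, action, net, wc in self.entries:
            if matches(src, net, wc):
                return action, seq
        return "deny", None

    def render(self) -> List[str]:
        """IOS-style configuration lines, using the 'host' and 'any' shorthands."""
        lines = []
        for _, action, net, wc in self.entries:
            if (net, wc) == ANY:
                target = "any"
            elif wc == "0.0.0.0":
                target = f"host {net}"
            else:
                target = f"{net} {wc}"
            lines.append(f"access-list {self.number} {action} {target}")
        return lines


def ordering_demo() -> Tuple[Tuple[str, Optional[int]], Tuple[str, Optional[int]]]:
    """The video's three /8 denies with the host permit last (wrong) and first (right)."""
    bad = StandardACL(10)
    for net in ("10.0.0.0", "20.0.0.0", "30.0.0.0"):
        bad.add("deny", net, wildcard_from_prefix(8))
    bad.add("permit", "30.0.0.1")  # seq 40 is never reached: seq 30 already matched
    good = StandardACL(10)
    good.add("permit", "30.0.0.1")  # most specific first
    for net in ("10.0.0.0", "20.0.0.0", "30.0.0.0"):
        good.add("deny", net, wildcard_from_prefix(8))
    return bad.evaluate("30.0.0.1"), good.evaluate("30.0.0.1")


def sales_exercise() -> StandardACL:
    """Block the 10.3.0.0/16 sales LAN, allow everything else (applied out on G0/0)."""
    acl = StandardACL(10)
    acl.add("deny", "10.3.0.0", wildcard_from_prefix(16))
    acl.permit_any()
    return acl


if __name__ == "__main__":
    print("wrong order / right order:", ordering_demo())
    for line in sales_exercise().render():
        print(line)
    print("internet source 8.8.8.8 ->", sales_exercise().evaluate("8.8.8.8"))
```

The simulator only models what the transcript describes; it does not know about the CIDR shorthand newer IOS accepts or about named lists, and an unapplied list on a real router has no effect at all, which no simulator can show you.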
Info
Channel: soundtraining.net
Views: 98,958
Keywords: it training, router and, access-list, router installation, cisco, access-control list, ccna, routers, Router, ccna cisco, cisco router training, Access Lists
Id: SfrDdkZZCzM
Length: 26min 32sec (1592 seconds)
Published: Wed Jun 05 2013