Standard ACL- Continued - Video By Sikandar Shaik || Dual CCIE (RS/SP) # 35012

Captions
Okay, now in this section we'll continue with the standard ACL we left in the previous session. We have seen some of the basic command lines. If you just get back to the router command line, I wrote an access-list; we are writing these rules in the ACL, and 15 is the number which I am going to say is my standard ACL, then deny, and then the host IP address is 1.1, and if I use a question mark it is asking me the wildcard bits. Now the wildcard bits are something we need to define, but before we define the wildcard bits we need to understand what exactly a wildcard mask is.

Now a wildcard mask is something used to match the portion, and it's going to tell how many portions to match, or how many portions to check, where 0 means "must match" or "must check", and if it has 1 it represents "ignore". So in a wildcard mask 0 is match, whereas 1 is ignore. Now the normal formula which we use for calculation of the wildcard mask is: from the global subnet mask, that is all 255s, subtract the subnet mask.

So let's take an example. I'm going to use the 192.168.1.0 network. So I want to deny the complete network of 192.168.1.0, or I want to match the complete network; whether I say permit or deny, that is secondary. Then I need to write the wildcard mask. I'm going to assume the default subnet mask of this network is 255.255.255.0, and if I subtract my subnet mask from the global subnet mask I am going to get a wildcard mask of 0.0.0.255. So I'm going to write 0.0.0.255. Now what exactly is it going to do? It's going to tell how many portions of the bits you want to match. Now if I say deny (anyway, deny or permit is secondary), it's going to say: match all the networks whichever start with 192.168.1. Which means wherever there is a 0 you must match; it should be exactly the same. So if a packet is coming to the router which is from a source of 192.168.10.1, it's going to match the first portion: yes, it is the same; second portion: yes, it is the same; and it's going to match the third portion also. Now the third portion is not the same; it is 1 here and 10 there, so it's not matching. Okay, so that's what exactly the wildcard mask does. Wherever there is a 0 it must match, and wherever there is 255, if I write it in binary it is all 1s, and 1 means ignore; ignore means it can be anything. So match all the addresses whichever start with 192.168.1; that is what it is going to do. This last portion can be anything, it can be anything from 0 to 255; whatever it is, it doesn't matter. So it's going to deny, if I say deny, or if I say permit it's going to permit, all the addresses whichever start with 192.168.1.X, where X means it can be anything.

So let's take another example. If I write the same example, 192.168.1.0, and the wildcard mask this time I am going to write 0.0.255.255, this time it is going to match all the addresses whichever start with 192.168, which means it's going to deny or permit, whatever we say, all the addresses 192.168 where the third portion can be anything and the fourth portion can be anything because of 255, and it's going to match all those whichever start with 192.168. Now similarly if I take an example of the same thing, the 192.168.1.0 network, and where I want to match I am going to write the wildcard mask of 0.255.255.255, something like this, now the meaning of this is it's going to match all the addresses whichever start with 192, which means it's going to match all the addresses whichever start with 192 and the remaining three portions can be anything in between 0 to 255.

So the wildcard mask here is going to tell how many portions to match. So whenever we are writing the subnet mask, the subnet mask tells wherever there is 1 that is network, wherever it is 0 that is host, and when you are matching the network we generally want to match only the network portion. So in case of the wildcard mask 0 is matching, whereas the host portions we don't want to match, because host portions can be anything; we want to ignore them. So we are going to say it can be anything, ignore it, but match only the network portion. Okay, so it's very easy: it's going to tell what portion of the bits to check or not to check. 0 means it must be the same, 1 means ignore, it can be anything. Now it's very simple if you're using the default subnet mask: just reverse 0 and 255. But don't go with the reverse kind of things. Probably if you're preparing for certification exams or some scenario-based questions you may not be using the default subnet mask; if you're using something like /28 or /27, in that case we need to subtract from all 255s to get the wildcard mask, which is going to match only the network portion bits. So just remember the formula; at minimum you have to remember the formula and how to calculate.

Now the final thing: whenever you are writing or defining any network we need to write the inverse mask, and this inverse mask is nothing but this formula we need to use for the calculation. Whenever you want to write in the ACL, you want to match any networks, but what if I want to deny a single host? So I will deny 192.168.1.1, where I want to deny a single host. Can I write a wildcard mask of 0.0.0.255? If I do that, what happens? It's going to deny all the addresses whichever start with 192.168.1, and the host portion can be anything, which means it's going to deny 1.1, 1.2, 1.3, 1.4, 1.5, all the way up to 255. Now this is going to deny the complete network but not the single host, which means this is something wrong in my scenario. So to deny a single host we need to write something like this: write the host address of 192.168.1.1, and the wildcard mask will be all zeros. So all zeros means exactly match all the host portions; it has to be 192.168.1.1; only if it is 1.1 then deny or permit, whatever you say. So when we are writing a single host the wildcard mask should be all zeros, something like this. Now either we can write like this or there is one more way to write: you can write "host" space IP. So I'll just come back to the command line: you can write 192.168.1.1 with the all-zeros wildcard mask, or we can write "host" followed by the address, something like this. Okay, so we are done with our wildcard mask.

Now let us get back to our example here, because we had stopped in between on Router 2. We stopped here at the wildcard mask. I am going to write 0.0.0.0 here because I'm not defining a complete network, I am just defining one single host, and for a single host the wildcard mask should be all zeros. Similar way, what is the second rule? The second rule is access-list number 15; I should not change the number. If I change the number it's going to make it a different ACL. It can be any number, but if you change it to 16 it becomes a different ACL, so use the same number: access-list 15 deny. Now one method: either I can write 192.168.1.2 with all zeros, that is one method, or I can just write "host" space IP address without the wildcard mask. Both are correct, but I should know both options; that's the reason I have given both options here. And again writing the next rule: access-list 15 deny; I want to deny the 192.168.3.0 network, so this is my complete network, so write the source address and then the wildcard mask 0.0.0.255. And then after that I need to add permit any. Now permit any is mandatory, because if you are saying deny, deny, deny and you're not saying whom to permit, in that case what happens? By default it will stop everyone. So we deny the users we want to deny and permit all the remaining, and permit is something we have many common statements for, so saying each and every permit is not an easy job; that's the reason I am saying deny the ones in the deny list and permit all the remaining in the last.

So now to verify this access-list we can use a command called show access-list. I can see what are the rules I have written; these are the rules. And if you want to see the exact command-line configurations we can use show running-config. If I go to show running-config I can see the exact command lines which I have created. Now we are done with our second step, where we have created an access-list based on the syntax.

Now the last part is implementation. Implementation is one of the important things here, and we need to implement it. Right now we are implementing on Router 2; that is where we have the ACL. Now implementation is done on the interface, which means in this scenario either I can implement on this interface, which is the S0/0 interface, or I can implement on the S0/1 interface, or I can implement on the F0/0 interface. Now deciding the right interface is the first important thing. Which interface is the first question you have to ask yourself: on which interface should I implement? So what if I go with this interface? Let's try on this interface. If I implement on this particular interface, what happens is, let's say the 1.1 user is trying to communicate to 2.1; the packet comes from here, it will go on this interface, and this ACL says stop, there are some rules to check. It's going to take the source address and it says 1.1 is in the deny list; it's going to simply drop the packet. But the problem here is, if the 1.1 user is also trying to communicate with the 3.0 network, the same thing happens: it will drop the traffic. The packet goes from Router 1 to Router 2; Router 2 sees it on this interface, and the ACL says, what is the source address? 1.1. 1.1 is denied, because the standard ACL will not check the destination; it's not checking whether it is going to 2.0 or 3.0. Which means implementing on this interface is going to impact the communication between 1 and 3 also, and that is something I don't want. Which means these two interfaces are not the proper interfaces in this scenario. Again, it may vary based on your scenarios if you are using different kinds of routers, but in this kind of scenario if I implement on this interface it will also stop the communication between 1 and 3, which is something I don't want. So the most common implementation is done nearest to the destination. Nearest to the destination is this F0/0 interface, because this is my destination, and the nearest interface to the destination is something recommended when you are implementing a standard ACL.

So deciding the right interface is important. So I need to go to my interface: I need to go to interface F0/0 on Router 2. Again the command starts with ip access-group and then the ACL number; we need to tell which, I'm using the number 15, and then there are two options you will find: in or out. Now this is a very important thing: deciding the right direction. Now here this is the F0/0 interface. Let me just get back to my slide here. Deciding the right direction is more important, but before you decide the right direction first you should have a clear idea on what is the right direction. Now if you just ask yourself, this is my interface F0/0 where I am implementing the ACL. Now I have a question like this: this is one direction and this is the other direction; I got two directions here. Now if I ask you whether this direction is in or out, normally what do you think? Normally we think this is in and this is out. That is what we think in general, but it is the opposite. Actually this is out and this is in. Now when you are deciding you should not check based on assumptions. So normally what we think, and I used to think initially the same way when I was learning ACLs, is when a packet is coming from here we think this is the source and it is going from here to the destination, and we think this is in, and that's something wrong, because the problem here is the ACL is not on the LAN; it is on the interface. Now depending on this interface, anything coming towards the interface is in, towards the interface where you are implementing the ACL, and anything going far from the interface is out. Now in my scenario, if I take this as my interface, this is in, this is out. Always remember: into the router's interface. If you're implementing on this interface, this is in, this is out, because it is going far from the router; and similarly if you are implementing on this interface this is in, this is out. So this is a very important point we need to keep in mind, because when we implement ACLs we should have a proper understanding of which is in and which is out. Suppose if I'm implementing on S0/0, this is in, this is out; suppose if I am implementing on this one, this is in, this is out. But anyway we are not implementing on the S0/0 interface; we are implementing on F0/0 right now. This is my in direction, this is my out direction: into the interface, out of the interface, or into the router, out of the router.

Now we need to decide. So the first step is we need to know the exact in and out, which is correct, and the next thing is you need to decide whether we need to implement the ACL inbound or outbound. That can be decided by sending some packets. Let's say I'm sending some packets from a source of 192.168.1.1 and I am trying to send to the destination of 192.168.2.1. According to my ACL this packet should get dropped. Now we need to see: a packet is coming from 1.1, it goes to Router 1; Router 1 checks the routing table and forwards it to Router 2, and Router 2 is going to check the routing table again; it forwards it on the F0/0 interface and it goes here. Now if you see the direction, when it comes to this interface, is it going far from the router or coming towards the router? If it's going far from this interface then we call it out; if it is coming towards, we call it in. Right now it is going far from the router, which means I want my router to drop the traffic before it goes out of this interface; it means the out direction. So the statement is: if any packet is going out of F0/0, before you send it out check with this ACL, and if it matches the specific source address and it is in the deny list, deny it; if it is in the permit list, permit it. So that's how it's going to work. So deciding the right direction is very important, and normally we think that it's very simple, just try in, and if it doesn't work try out, but that's something not correct; you need to have a clear understanding on how it's going to forward and how we are going to select the right direction.

So the implementation part: let's close out of Router 1 and then configure on Router 2. I just go to interface F0/0 and I just need to say ip access-group, that's how we implement, the ACL number is 15, that's what I have created. Now there are only two options, in or out. If you try in it is not going to work. So any traffic going out of this interface, before it goes outside, has to be checked with the ACL rules 15. Now let's get back to our diagram. According to my rules 1.1 to 2.1 communication should be stopped, right? So let me go back to PC1; this is my 192.168.1.1 and I should not be able to communicate with 2.1. Now you can see the replies are not coming. I can see when I'm sitting on 1.1 and I am trying to communicate with 2.1, according to our rules, your packet is going to Router 1 and Router 2 but the router is not sending it back because the source address is in the deny list. So the reply coming from here says that I am not able to send because there is something denying over there. Now whenever you see this kind of message there are two possible cases: either the interface on the LAN is down, or there must be something blocking on that interface. In my scenario there is an ACL which is dropping on that interface. Similar way, if I try from 3.1 also: like in the previous case I was able to ping, so let me try the ping from 3.1; this must be on one PC. I'm trying to ping 192.168.2.1 and you can see the same thing, almost the same result. You can see the packet is coming from PC3, goes to Router 2, and Router 2 says before I'm sending I'm going to check the ACL, and in that ACL the 3.0 network is denied. Even if you try from 3.2, 3.3, 3.4, any computer from here, it's going to have the same result because the complete network is in the deny list, and we are getting the reply from the router. But if I try to ping 192.168.1.1 you can see it is not impacting the communication between them, because the packet goes to Router 2 and Router 2 forwards to 1.1, and it's not going out on this interface. It's only going out on this interface; if it goes out on this interface then it will drop. It's going from here, so it will communicate without any problems.

So that's how the standard ACLs are going to work, and the major important thing we need to decide is the direction. That's something a little bit more complicated; we need to have an actual understanding of the right direction. Anything coming towards the router interface is in, anything going far from the interface is out, and based on that you have to decide the flow of the traffic: if it is going far from the interface you have to select out, if it is coming towards the interface you have to select in.
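The wildcard-mask formula, the bitwise match rule (0 = must match, 1 = ignore), the top-down evaluation of access-list 15 with its implicit deny, and the "apply outbound on the interface nearest the destination" placement from the video, as an added Python model that is not the instructor's own code. The routing table, the /24 assumption for every network and the interface names (S0/0, S0/1, F0/0) are constructed assumptions for the scenario.

```python
# Added model of Cisco standard-ACL behaviour described in the video (not the instructor's code).

def ip_to_int(dotted: str) -> int:
    """Dotted-decimal IPv4 -> 32-bit integer (validated)."""
    octets = [int(o) for o in dotted.split(".")]
    assert len(octets) == 4 and all(0 <= o <= 255 for o in octets), dotted
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def wildcard_from_subnet_mask(mask: str) -> str:
    """The formula from the video: 255.255.255.255 minus the subnet mask."""
    return int_to_ip(0xFFFFFFFF - ip_to_int(mask))

def wildcard_from_prefix(prefix_len: int) -> str:
    """Same formula for a /N prefix, e.g. /28 -> 0.0.0.15 (no 'just reverse' shortcut)."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return wildcard_from_subnet_mask(int_to_ip(mask))

def matches(address: str, pattern: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must be identical; a 1 bit is ignored."""
    ignore = ip_to_int(wildcard)
    return ((ip_to_int(address) ^ ip_to_int(pattern)) & ~ignore & 0xFFFFFFFF) == 0

def evaluate_standard_acl(rules, source: str) -> str:
    """Top-down, first match wins, on the SOURCE address only; implicit deny at the end."""
    for action, pattern, wildcard in rules:
        if pattern == "any" or matches(source, pattern, wildcard):
            return action
    return "deny"  # the implicit deny the video warns about: no 'permit any' -> everyone stops

# access-list 15 as built in the video; "host X" is the same as "X 0.0.0.0"
ACL_15 = [
    ("deny", "192.168.1.1", "0.0.0.0"),
    ("deny", "192.168.1.2", "0.0.0.0"),
    ("deny", "192.168.3.0", "0.0.0.255"),
    ("permit", "any", None),
]

# Constructed Router 2 routing table (every network assumed /24); ACL 15 is applied OUT on F0/0 only.
ROUTER2_ROUTES = {"192.168.1.0": "S0/0", "192.168.2.0": "F0/0", "192.168.3.0": "S0/1"}

def forward(routes, acl, acl_out_iface: str, src: str, dst: str) -> str:
    """Pick the egress interface from the destination; run the outbound ACL only on that interface."""
    dst_net = int_to_ip(ip_to_int(dst) & ip_to_int("255.255.255.0"))
    egress = routes[dst_net]
    if egress == acl_out_iface and evaluate_standard_acl(acl, src) == "deny":
        return f"dropped by ACL out {egress}"
    return f"forwarded out {egress}"
```

Placing the ACL outbound on F0/0 drops 1.1 to 2.1 and 3.x to 2.1 while leaving 1.1 to 3.1 untouched, which is exactly why the video rejects the serial interfaces.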
Info
Channel: Sikandar Shaik
Views: 41,493
Keywords: ccna, ccna vdieos, standard acl, noa, acl vdieos
Id: oYXsrNQBsUw
Length: 21min 55sec (1315 seconds)
Published: Thu Jan 19 2017