1
00:00:00,480 --> 00:00:04,460
In this section we're going to talk about access control lists.

2
00:00:04,470 --> 00:00:15,660
Let's go with the ACL. ACLs, or access lists, are a set of commands which are grouped together to

3
00:00:15,660 --> 00:00:21,420
filter the packets that enter or leave an interface.

4
00:00:21,630 --> 00:00:31,230
They control the flow of traffic in the network and provide security for network access. Access lists

5
00:00:31,260 --> 00:00:41,220
are implemented sequentially as permit or deny statements on the inbound or outbound side of an interface, and are used

6
00:00:41,220 --> 00:00:47,680
also for different purposes, such as, for example, maybe a route map or something like that.

7
00:00:47,730 --> 00:00:53,990
There are two types of access lists and they are standard or extended.

8
00:00:54,000 --> 00:00:59,150
And they can be used in numbered or named format.

9
00:00:59,160 --> 00:01:07,880
Please pay attention that each ACL must have a permit statement because there is an implicit deny

10
00:01:07,880 --> 00:01:10,620
rule at the bottom of each ACL.

11
00:01:10,620 --> 00:01:12,030
That's the key point.

12
00:01:13,410 --> 00:01:20,630
In here you see an example of a numbered access list which is permitting some networks.

13
00:01:20,780 --> 00:01:27,240
And here's our configuration: access-list and the number.

14
00:01:27,500 --> 00:01:38,510
Then the permit or deny statement, and we're using a network, and we are using a field named wildcard,

15
00:01:39,110 --> 00:01:43,150
which we're going to examine later.

16
00:01:44,060 --> 00:01:49,130
All access lists must be identified by a name or a number.

17
00:01:49,130 --> 00:01:56,990
As I told you in the first slide, named access lists are more common than numbered access

18
00:01:56,990 --> 00:02:06,180
lists because you can specify a meaningful name that is easier to remember and associate with that task.

19
00:02:06,350 --> 00:02:15,080
You can reorder statements in or add statements to named access lists, and named access lists support

20
00:02:15,170 --> 00:02:24,340
the following features that are not supported by numbered access lists, such as IP options filtering, noncontiguous

21
00:02:24,430 --> 00:02:27,400
ports, or TCP flag filtering.

22
00:02:27,440 --> 00:02:28,180
All right.

23
00:02:28,190 --> 00:02:34,400
Here is how we can configure a named access list. To configure a named access list,

24
00:02:34,400 --> 00:02:40,550
we are typing the ip access-list command and we're choosing

25
00:02:40,580 --> 00:02:49,340
if we're going to use an extended or if we're going to use a standard access list. Most of the time in

26
00:02:49,340 --> 00:02:56,780
this example we're using standard: ip access-list standard in the configuration.

27
00:02:56,780 --> 00:03:06,080
And we are writing the name of our access list in here, and as you can see in here, under the access

28
00:03:06,080 --> 00:03:12,690
list mode we are writing the deny or permit statements.

29
00:03:12,930 --> 00:03:17,190
OK, let's go ahead with the wildcard mask.

30
00:03:17,700 --> 00:03:27,900
A wildcard mask is a mask of bits that indicates which parts of an IP address are available for examination

31
00:03:27,930 --> 00:03:35,770
and determines what IP addresses should be permitted or denied in access control lists.

32
00:03:35,890 --> 00:03:44,590
A wildcard mask has the reverse logic of a subnet mask: a 0 in the wildcard mask means to focus

33
00:03:44,670 --> 00:03:57,540
on that bit, while a 1 means to ignore it. So when you see a zero on the subnet mask, sorry,

34
00:03:57,540 --> 00:04:07,230
on the wildcard mask, that means we need to take care, we need to focus a little bit, but if we're seeing

35
00:04:07,410 --> 00:04:12,150
a one, that means we need to ignore that bit.

36
00:04:12,230 --> 00:04:16,770
OK, I'm going to show you an example as well.

37
00:04:17,100 --> 00:04:25,020
In this access list we're seeing an access list statement, and this access list is saying access-list

38
00:04:25,410 --> 00:04:40,450
with number 1, access-list 1 permit 172.16.0.0 with the wildcard mask

39
00:04:40,480 --> 00:04:46,120
of 0.0.255.255.

40
00:04:46,300 --> 00:05:00,360
So what that means: here is the network, and here is the wildcard mask. What

41
00:05:00,360 --> 00:05:12,400
that says is, if we're using zero, that means we need to focus on the related bits.

42
00:05:12,410 --> 00:05:13,190
All right.

43
00:05:13,430 --> 00:05:24,670
As you can see in here I have a zero and I need to focus on 172 in here.

44
00:05:24,860 --> 00:05:36,720
Here's another zero and we need to focus on 16. On the last two bits we have just ones for the 255, as

45
00:05:36,780 --> 00:05:40,680
you can see in the binary version.

46
00:05:41,160 --> 00:05:44,500
And that means we need to ignore that bit.

47
00:05:44,510 --> 00:05:55,270
So this wildcard mask means focus on everything starting with 172 dot

48
00:05:55,280 --> 00:05:56,220
16

49
00:06:00,650 --> 00:06:10,280
and so that means we are permitting everything starting with 172.16, for example

50
00:06:10,300 --> 00:06:11,230
172.16.1.5,

51
00:06:11,350 --> 00:06:24,220
maybe, whatever you want. Let's go with the wildcard mask example two.

52
00:06:24,380 --> 00:06:39,140
And we have another configuration: access-list 50 permit, this time 192.168.8.0, wildcard mask

53
00:06:39,140 --> 00:06:48,340
of 0.0.0.255, which means a zero.

54
00:06:48,860 --> 00:06:51,190
And here is the wildcard mask

55
00:06:53,970 --> 00:07:04,200
which means we need to focus on the first three portions and we don't care about the last portion because we

56
00:07:04,200 --> 00:07:07,160
have continuous ones in here.

57
00:07:07,290 --> 00:07:16,830
That means this access list permits everything starting with 192.168

58
00:07:16,910 --> 00:07:18,500
dot 8.

59
00:07:18,510 --> 00:07:22,600
For example oh that's strong strong.

60
00:07:22,770 --> 00:07:27,040
That would be something like that.

61
00:07:27,070 --> 00:07:29,560
And we can give an example like

62
00:07:32,170 --> 00:07:36,570

63
5:06 to other Durnford for AM.

64
00:07:36,740 --> 00:07:48,220
That's arbitrary. OK, let's go with the standard IPv4 access lists. Standard access lists perform

65
00:07:48,350 --> 00:07:56,900
packet filtering based on source address and must be implemented on the router which is the closest

66
00:07:56,900 --> 00:08:08,080
to the destination address. For ACL numbers we have 1 to 99 and 1300 to

67
00:08:08,800 --> 00:08:10,780
1999.

68
00:08:10,880 --> 00:08:20,120
These ranges are used for standard access list configuration, and these access lists are applied to interfaces

69
00:08:20,170 --> 00:08:22,710
by the ip access-group command.

70
00:08:22,730 --> 00:08:30,380
As you can see in here there is a standard access list configuration: we're getting into the config

71
00:08:30,380 --> 00:08:39,950
mode first, then we are typing access-list and the number of the access list and the permit or deny and

72
00:08:39,950 --> 00:08:42,090
the related network.

73
00:08:42,740 --> 00:08:53,430
Then we are getting into the interface mode and we are implementing this access list

74
00:08:53,600 --> 00:09:03,980
to the related interface, which means, for example, in here we have FastEthernet 0/0 and FastEthernet

75
00:09:03,980 --> 00:09:13,430
0/1, and we are implementing this ip access-group to inbound.

76
00:09:13,450 --> 00:09:17,450
This would be fifth the to inbound.

77
00:09:17,470 --> 00:09:26,470
Which means really we are implementing this access list to this direction.

78
00:09:29,780 --> 00:09:41,300
Let's go ahead. In this example we have another standard access list, access-list 4. In the first statement

79
00:09:41,330 --> 00:09:48,110
we are denying the Sen. 41 zeros Zeeuw.

80
00:09:48,250 --> 00:09:50,250
I'm sorry 20 0.

81
00:09:52,080 --> 00:09:58,930
That means everything beginning with this 10:41 20 and something like that.

82
00:09:59,090 --> 00:10:11,540
In the second statement we're permitting the host then 12:56 to any that 5 in here. OK, access list

83
00:10:11,540 --> 00:10:13,100
rules are implemented.

84
00:10:13,230 --> 00:10:21,920
in sequential order, so as I told you, in the first statement we're also denying this subnet,

85
00:10:21,920 --> 00:10:23,300
as you can see.

86
00:10:23,510 --> 00:10:32,590
So the traffic will be blocked even if we type this host with a permit statement in here, as is

87
00:10:32,690 --> 00:10:37,770
considered in here. There's a conflict between two rules in this example.

88
00:10:38,240 --> 00:10:44,690
Let's take a look at another configuration example on a topology. Now on Router 1,

89
00:10:44,690 --> 00:10:53,730
we are defining an access list, a standard access list, and we are denying the host to that 5.

90
00:10:54,210 --> 00:10:54,850
OK.

91
00:10:54,890 --> 00:10:57,280
This guy will be denied.

92
00:10:57,980 --> 00:11:01,980
And we're permitting any other traffic.

93
00:11:02,020 --> 00:11:15,670
OK, then we are getting into the interface mode, interface gig 0/0, which is here, and we are implementing

94
00:11:15,700 --> 00:11:19,570
the access list to inbound.

95
00:11:19,760 --> 00:11:23,030
That means in this direction.

96
00:11:23,030 --> 00:11:28,080
So PC2 will be denied.

97
00:11:28,080 --> 00:11:37,190
For example, what if it wants to communicate with PC1? To verify the standard access list configuration,

98
00:11:37,190 --> 00:11:45,910
for example, as you know, access-list 1 is denying the host 2.6 for this example, which is the right thing,

99
00:11:46,550 --> 00:11:50,210
then access-list 1 is permitting

100
00:11:50,350 --> 00:11:54,640
any, we are permitting any other things.

101
00:11:54,810 --> 00:12:04,040
So if you want to edit this configuration, we are typing the show access-lists command and we are seeing

102
00:12:04,040 --> 00:12:13,000
the sequence numbers in here. As you can see, sequence number 10 is denying this host and sequence number

103
00:12:13,030 --> 00:12:15,990
20 is permitting anything else.

104
00:12:16,340 --> 00:12:18,880
So if you want to edit it, we are typing

105
00:12:18,890 --> 00:12:30,410
ip access-list standard 1, then no 10, which means we are deleting this one.

106
00:12:30,840 --> 00:12:39,110
And we are typing in deny host down 41 to that five, maybe.

107
00:12:39,110 --> 00:12:40,000
All right.

108
00:12:40,170 --> 00:12:47,620
This is how it is. To verify the access list, to verify the standard access list configuration,

109
00:12:47,670 --> 00:12:56,190
we can use the show access-lists command and we can also use the show ip interface and the related interface

110
00:12:56,190 --> 00:12:56,800
command.

111
00:12:56,940 --> 00:13:05,500
And we can see if there is an inbound or outbound access list applied to that interface.

112
00:13:06,540 --> 00:13:14,610
Let's go ahead with the extended IPv4 access lists. Extended access lists perform packet filtering

113
00:13:14,610 --> 00:13:22,650
based on source address, destination address, protocols and the port numbers, etc.

114
00:13:22,710 --> 00:13:29,970
It's good that the extended ACLs are implemented on the router which is closest to the source address. For

115
00:13:30,020 --> 00:13:39,360
ACL numbers, here's the range that we can use for the extended access lists. Extended access lists are

116
00:13:39,530 --> 00:13:41,120
applied to interfaces

117
00:13:41,130 --> 00:13:50,510
by ip access-group name or number in and out statements, as well as in the standard access list, and

118
00:13:50,500 --> 00:14:00,810
there is the configuration example: access-list, this time 100, which is in this range as you can see,

119
00:14:01,490 --> 00:14:19,940
is denying the TCP traffic which is coming from this source and going to this destination for the port

120
00:14:20,180 --> 00:14:26,890
equal to 23, which is the telnet port.

121
00:14:26,930 --> 00:14:38,450
I can also write this statement in here: access-list 100 deny TCP, same thing, same thing, eq, too; I

122
00:14:38,450 --> 00:14:43,470
can write the port names or the protocol names as well directly.

123
00:14:43,610 --> 00:14:46,400
For example, telnet.

124
00:14:46,670 --> 00:14:55,040
Then the same thing as the standard access list: I'm getting into the interface mode and I'm typing

125
00:14:55,040 --> 00:15:05,980
the ip access-group, the number of the ACL, and inbound or outbound as the direction. And here is the syntax,

126
00:15:06,010 --> 00:15:17,130
as we can see: access-list and the access list number, permit or deny, the protocol name, source address

127
00:15:17,170 --> 00:15:24,080
and the wildcard of the source, then the port operator and source port,

128
00:15:24,160 --> 00:15:32,030
and then the destination and destination wildcard, port operator and the destination port.

129
00:15:32,030 --> 00:15:43,180
Again, you get it better by this example in here. As you can see, here we have an access list configuration

130
00:15:43,180 --> 00:15:54,850
which is an extended one. In the first statement, access-list 100 is permitting the TCP traffic coming

131
00:15:54,850 --> 00:15:56,060
from

132
00:15:59,300 --> 00:16:10,640
this network by this wildcard, which means everything beginning with these three portions.

133
00:16:10,640 --> 00:16:14,370
And then we are permitting this through, eq www.

134
00:16:14,410 --> 00:16:21,440
It's going to this host directly.

135
00:16:21,590 --> 00:16:32,270
I can also use in your sound San Juan one of four with a wildcard mask of 0 0 instead of here.

136
00:16:32,450 --> 00:16:35,620
But I can also use, for simplicity,

137
00:16:35,610 --> 00:16:46,580
the host keyword and the host IP address with eq www port.

138
00:16:46,810 --> 00:16:47,720
OK.

139
00:16:47,870 --> 00:16:57,890
That means actually permit TCP traffic from this guy, from this network, to port 80, which is the HTTP

140
00:16:57,890 --> 00:17:06,530
port on the host 10 1 1 and 2 or 4 OK.

141
00:17:06,730 --> 00:17:08,770
Let's go ahead with the second.

142
00:17:10,470 --> 00:17:13,420
Access-list 100 permit

143
00:17:13,470 --> 00:17:26,010
ip: this guy is permitting the traffic from this network while it's going to this network.

144
00:17:26,290 --> 00:17:27,520
OK.

145
00:17:27,580 --> 00:17:36,950
Permit the traffic from this network /24 to that network /24.

146
00:17:37,030 --> 00:17:48,370
OK, let's go ahead with the third: deny TCP, OK, from the

147
00:17:51,260 --> 00:18:02,610
host this time. Again, as you can see, in here I'm using the 192.168.1.1 with

148
00:18:02,610 --> 00:18:16,000
the 0.0.0.0 wildcard mask, which means actually this IP address, I'm focusing on all of these bits, and the

149
00:18:16,010 --> 00:18:29,670
destination will be what 10 on one to another of to four, eq 23, which is the telnet port.

150
00:18:29,770 --> 00:18:30,380
OK.

151
00:18:30,550 --> 00:18:37,980
And denying the telnet traffic sourced by this; destination is here.

152
00:18:39,210 --> 00:18:43,090
OK, let's go with the fourth one. In the fourth step,

153
00:18:43,090 --> 00:18:48,430
we're using another deny statement from this

154
00:18:48,570 --> 00:18:59,800
host to this host. There is a missing statement, and there may be in here a 0.0.0.0 as well,

155
00:19:01,060 --> 00:19:05,570
with an eq of 80, which means the HTTP port.

156
00:19:05,590 --> 00:19:12,670
And in the last statement we are seeing access-list 100 permit

157
00:19:12,750 --> 00:19:24,140
ip any any, and this any keyword means, if you want to match all sources or all destinations, substitute

158
00:19:24,230 --> 00:19:33,130
the entire source or destination elements of the command with the keyword any. Let's go with another configuration

159
00:19:33,130 --> 00:19:34,570
example.

160
00:19:34,570 --> 00:19:45,280
Create an access list that will permit this subnet for TCP sessions, OK.

161
00:19:45,590 --> 00:19:55,920
Create an access list that will deny telnet sessions to, actually, this host.

162
00:19:56,030 --> 00:20:08,970
Create an access list that will permit any IP traffic. OK, access-list 101 will permit

163
00:20:11,530 --> 00:20:13,620
TCP sessions

164
00:20:17,030 --> 00:20:22,610
from this network.

165
00:20:22,610 --> 00:20:23,920
From this subnetwork

166
00:20:27,000 --> 00:20:28,830
to any destination.

167
00:20:29,350 --> 00:20:36,380
OK, as you can see here, the wildcard mask is 0.0.0.15.

168
00:20:36,550 --> 00:20:45,120
This time for /28, OK, /28.

169
00:20:45,160 --> 00:21:07,980
It means 255.255.255.240. To convert this guy to a wildcard mask we can use 0.0.0.15.

170
00:21:08,120 --> 00:21:09,140
OK.

171
00:21:09,660 --> 00:21:20,310
So if we add all these guys to each other, the end result will be 255.255.255.255.

172
00:21:20,400 --> 00:21:21,320
OK.

173
00:21:21,540 --> 00:21:32,550
In the second we are writing a deny: access-list 101 deny TCP from any source

174
00:21:33,910 --> 00:21:47,040
to the destination, which is this guy, with eq and port 23, which means telnet. And in the third statement

175
00:21:47,110 --> 00:21:55,690
we are creating an access list that will permit any IP traffic, which is access-list 101 permit

176
00:21:56,020 --> 00:22:00,980
ip any any.

177
00:22:01,000 --> 00:22:05,350
Here is another configuration example for you.

178
00:22:05,490 --> 00:22:15,330
OK, it's saying: block just the telnet traffic coming from PC1 and going to PC2. OK, this guy

179
00:22:16,970 --> 00:22:19,270
will be our source.

180
00:22:20,560 --> 00:22:30,420
And here will be our destination. On Router 1 I'm writing an extended access list:

181
00:22:30,710 --> 00:22:44,570
access-list 101 deny TCP host from PC1 to PC2 with eq telnet.

182
00:22:45,030 --> 00:22:53,670
And as I told you in our first slide, we should have at least one permit statement for each access

183
00:22:53,670 --> 00:23:02,460
list, and I'm writing access-list 101 permit ip any any, which is permitting any other traffic from

184
00:23:03,670 --> 00:23:05,430
different from this guy.

185
00:23:05,500 --> 00:23:09,460
And we're also implementing this ip access,

186
00:23:09,520 --> 00:23:15,850
I'm sorry, this access list, to the in direction of FastEthernet 0/1.

187
00:23:18,590 --> 00:23:21,110
To verify extended access list configuration,

188
00:23:21,110 --> 00:23:29,320
we can use the show access-lists command, as you can see, and we can display them, and we can also use the show

189
00:23:29,320 --> 00:23:34,350
ip interface and the related interface name as well.

190
00:23:35,930 --> 00:23:39,640
Let's go with the IP version 6 ACLs.

191
00:23:39,710 --> 00:23:41,730
We can just use named

192
00:23:41,750 --> 00:23:51,050
ACLs for the IP version 6 networks, and we have a similar logic to IP version 4 extended ACLs,

193
00:23:51,650 --> 00:24:00,680
but in here we don't have any wildcard mask, and we are using the ipv6 traffic-filter command

194
00:24:01,040 --> 00:24:04,200
to apply the access list to the related

195
00:24:04,200 --> 00:24:12,770
interface. Here is the configuration example, and we are typing first ipv6 access-list, for this

196
00:24:12,770 --> 00:24:23,360
time, and the name of the access list; we have just named ACLs for IP version 6. And we are denying a

197
00:24:23,360 --> 00:24:29,270
host with an IP address of this and with an IP address of this.

198
00:24:29,270 --> 00:24:34,930
And this guy will be our source with the destination of this IP address.

199
00:24:34,940 --> 00:24:44,840
And we are permitting any other traffic. And to implement this ACL to our interface,

200
00:24:44,840 --> 00:24:49,320
we are using the ipv6 traffic-filter command

201
00:24:49,370 --> 00:24:55,340
instead of using the ip access-group command in IPv4 ACLs.
