ACL Foundations

Video Transcription
Hello and welcome back to ICND1, Interconnecting Cisco Networking Devices Part 1. This is episode 6.1, ACL Foundations. I'm Trenton, your instructor for this course. The last video was the chapter 6 overview, which went over some pre-assessment questions.
Keep your mind thinking. In this episode I'm covering what an ACL is, what a standard numbered list is,
and how the matching logic works for IP packets.
The learning objectives: we're going to look at the standard numbered list in this lesson, and then we're going to get into the matching logic an ACL uses.
So, quick pre-assessment here. Which of these do you think would fall into the standard numbered list range?
Give it a few seconds.
All right, it is 12 and 42. You'll see in a second what the actual number ranges are for standard lists versus extended lists.
ACL stands for access control list, and it does exactly that: it controls who has access. They are placed in the flow of traffic, meaning
you place them
based on which way the packets are going. Depending on what kind of list you have (a standard list matches on source IP; an extended list matches on a few other things),
you can place them on the ingress or egress interface of a router. Let's say the flow of traffic is this way
and this is router one. If you want to place it here,
this side is ingress and this side is egress.
"In" or "out" is how you set it up on a Cisco router.
Ingress works very well because there is less waste of resources: the router doesn't process the packet and make a routing decision on it only to drop it. On the egress side
it would already have made a routing decision. Now, there are reasons to do that, and you'll see on the extended ACL why you would.
In a standard list
you're not going to want to. So the action is going to be either drop (deny) or permit.
You're going to say, everyone from this LAN is okay, except for this one guy. We want to drop that one packet, that one IP from him.
So the way top-down processing works
is you have rule one, rule two, rule three, rule four,
and let's say this is a deny any down here.
This is permit
10.1.x.x,
et cetera, et cetera.
So what's going to happen when a packet comes in is: do I match this? No. Do I match this? No. Match this? Okay, check, we match here, and we stop right there. It does not go on to the next one. That's why we have that deny any rule at the end: it will match the last rule no matter what, because it's a deny any.
All right. So
the standard numbered list is 1 through 99 and 1300 through 1999, and standard numbered ACLs (standard ACLs) match on source IP,
and I mean exactly that. The extended numbers are 100 through 199 and 2000 through
2699.
These match on source IP, destination IP, and source and destination port.
There are a few other options, but we're not going to cover those in ICND1.
So the thing about this is, since you're matching on source IP in a standard numbered list, you want to place it as close to the destination as possible, so you don't have inadvertent
loss of packets. Because if you placed it on the router that is the host's default gateway, that host would never get anywhere; it would never get off the network.
But if you place it all the way at the server you don't want that IP reaching, then it blocks only that; the host can go everywhere except that one server. The problem with this is, if you know the packet is going to be blocked at the server, all the routers along the way had to make a routing decision for it, which wastes their resources
making routing decisions for a packet that's going to be dropped.
The nice thing about the extended numbered list is that it matches on the destination IP, so you can place it on that default gateway router. And you can say, okay, anyone from this source IP trying to go to this destination IP, let's drop it, drop the packet. We don't want it.
It's really good for organizations to achieve that with less computing power and fewer resources on the routers.
Named ACLs are the same thing as standard and extended, except they don't use those numbers. You can actually name them something meaningful, which is
key. You can name it something like "access to server one", or something like that, that only allows certain groups. And the thing is, you'll see here in a minute when we set up the standard numbered list, all the standard numbered list entries are entered as global configuration commands,
meaning we enter "access-list 10 permit any",
something like that. When you do a named ACL, which we'll get to in the next lesson,
you create the named list, and then it puts you into a named-list sub-command mode. It's like going into configuration terminal, the global config,
and doing "interface fa0/0", which puts you into the interface sub-command mode. It does the same thing with the named ACL.
So your standard numbered list matches on your source IP and is configured with those unique numbered commands, meaning global commands, but the number is unique to that ACL.
And like top-down processing, it's going to stop once a match is found in a list. So if you have a permit any at the top and then you have a bunch of really specific rules below that,
those don't matter, because everything will match the permit any. So you've got to be thinking about that when you go through your exam: figure out
what would match each line when you're troubleshooting ACLs in the exam.
Like I said, every ACL has an implicit, or implied, deny all statement at the end. And I'm going to show you why it's good to place one yourself,
because if you just have the implied deny, you can't actually see a count of how many matches it's made.
If you put a deny statement at the end yourself, then you can actually see how many times that's matched, and you see how many packets you're dropping.
So you're going to want to place the standard numbered list near the destination, and I explained a little bit why: because it matches on that source IP. Like I said, if you place it on the first router that PC meets, the default gateway router, it's just going to drop every packet.
The PC would never even get off the network. If you place it near the destination, then the PC can route to the rest of the Internet except for that one server or that one network you're trying to block.
So the standard way of doing
this on Cisco IOS: the syntax is "access-list", then a unique number for your access list (1 through 99 or 1300 through 1999), then a permit or deny statement, which will permit the packet or deny the packet, and then your matching parameters, which I'll show you here in a minute
on the next slide.
You can match on a host, and you can match on a subnet,
and we'll get to that right now. So, like I said, matching an exact address: you put in a full IP address, and that permits or denies that one IP address.
The host keyword: you might not have to use it. The newer versions of IOS allow the command to have the host keyword, or the host parameter, in there, but IOS actually removes it when the entry is placed into the running or startup config. It was used with the older IOS versions; it's no longer used because it's redundant,
like using a /32.
Or what you can do is match a group of addresses with a wildcard mask.
So let's say you have a /24 network, meaning the first three octets are the network portion and the fourth octet is the host portion.
You can do 0.0.0.255. What that means is the zeros mean "match on this octet",
and the 255 means "don't worry about this, ignore this octet".
So we don't have to necessarily get into too much of the binary math right now. Thankfully, most networks you're going to be dealing with are already subnetted, and it's going to be a whole subnet you deny, and then you can explicitly allow certain devices.
So, like I said, the 255 means ignore this octet, and zero means compare this octet. The quick way to find your wildcard mask, if you have a regular subnetted network, is to do 255 minus that subnet mask.
That will give you your wildcard mask.
If you want to match any IP, just use the any statement at the end. So there are kind of three ways of matching an address: you can match an exact address, a group or subnet,
and then you can match any IP.
And quick post-assessment here. Which of these would match and deny 10.2.3.5? Think about it for a second and try to do the math.
All right.
It would be the deny any
and the deny 10.2.3.0 0.0.0.255.
Remember, the bottom one would match, but it's a permit, so it does not deny it. And the top one would match, but it would not
deny it; it would permit it.
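To make the matching logic concrete, here is an added example (my own Python, not code from the course or from Cisco) that simulates a standard numbered ACL: it parses entries in the access-list syntax from this lesson, checks a source IP top-down with wildcard masks, counts hits per explicit entry, and falls through to the implicit deny. The SAMPLE_ACL entries are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
# Constructed sample ACL in the lesson's syntax; the explicit deny any at the end makes drops countable.
SAMPLE_ACL = ["access-list 10 deny 10.2.3.0 0.0.0.255",
              "access-list 10 permit 10.0.0.0 0.255.255.255",
              "access-list 10 deny any"]

def wildcard_from_mask(mask: str) -> str:
    """Wildcard mask is 255 minus the subnet mask, octet by octet (e.g. /24 -> 0.0.0.255)."""
    return ".".join(str(255 - int(o)) for o in mask.split("."))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard means 'compare this bit'; a 1 bit means 'ignore it'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

def is_standard_number(num: int) -> bool:
    return 1 <= num <= 99 or 1300 <= num <= 1999   # extended ACLs use 100-199 and 2000-2699

@dataclass
class Entry:
    action: str        # "permit" or "deny"
    base: str          # address to compare against
    wildcard: str      # wildcard mask
    hits: int = 0      # match counter, like IOS keeps for explicit entries

def parse_entry(line: str) -> Entry:
    """Parse 'access-list <num> permit|deny (any | host A.B.C.D | A.B.C.D W.W.W.W | A.B.C.D)'."""
    p = line.split()
    if (len(p) < 4 or p[0] != "access-list" or p[2] not in ("permit", "deny")
            or not is_standard_number(int(p[1]))):
        raise ValueError(f"not a standard numbered ACL entry: {line!r}")
    if p[3] == "any":
        return Entry(p[2], "0.0.0.0", "255.255.255.255")
    if p[3] == "host" or len(p) == 4:              # bare address = host match (/32)
        return Entry(p[2], p[-1], "0.0.0.0")
    return Entry(p[2], p[3], p[4])

def load_acl(lines: list[str]) -> list[Entry]:
    return [parse_entry(l) for l in lines]         # keeps the top-down order

def check(entries: list[Entry], src_ip: str) -> str:
    """Top-down, first match wins; anything left over hits the implicit deny."""
    for e in entries:
        if wildcard_match(src_ip, e.base, e.wildcard):
            e.hits += 1
            return e.action
    return "deny"   # implicit deny all: no entry, so no counter you can inspect
```

Swap the order of the sample entries and re-run check() to see how a permit any placed first shadows every entry below it.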
Next up, we're actually going to configure a standard ACL. It's going to be real simple. I'm going to have a live lab diagram, and we'll get to do a quick refresher on RIP routing.
I hope this has been a good lesson for you,
and, as always, if you guys have questions or need help, feel free to shoot me a message. Otherwise, thanks for watching this lesson, and I'll see you in the next one.