Okay, now we're going to configure some standard access lists and see how they work.
So I have made up a question that we're going to solve.
I have said that PC3 should be able to ping everyone,
and PC4 should not be able to ping any address.
I'm going to create this access list on Router 2,
because that is the router closest to the source of the traffic. It is usually, not always, but usually a good idea to create your access list as close to the source of the traffic you're trying to permit or deny as possible, especially if you're trying to deny traffic.
If you put the access list close to the destination you're trying to deny traffic to, it doesn't make sense for that traffic to traverse your whole network, get close to the destination and then get dropped.
If you drop the traffic at the very end, close to the destination, you're wasting bandwidth by allowing that traffic to flow through part of your network.
So the general rule of thumb is to deny traffic as close to the source as possible. One caveat: a standard list matches only on the source address, so placed near the source it blocks that source from every destination beyond that interface. That is exactly what we want here, since PC4 should reach nothing, but a standard list meant to protect one particular destination belongs close to that destination instead. In this case,
PC1, PC2, PC3 and PC4 are closest to Router 2, so we're going to create this access list on Router 2. I go into global config mode
and execute the command access-list, and then I hit the help feature, which is the question mark. It tells me that if I pick a number between 1 and 99 it's going to automatically create a standard access list.
So I pick the number 10,
and then I'm going to permit PC3's address,
20.20.20.3.
Remember, standard access lists are source based, so Router 2 will be checking the source IP address in the inbound packet
coming into Router 2.
So I'm going to say permit
20.20.20.3, and since this is just one address, the wildcard it asks for next is all zeros: access-list 10 permit 20.20.20.3 0.0.0.0.
Next, my question says that PC1 and PC2 should be able to ping everybody.
The IPs on PC1 and PC2 are
10.10.10.1/24 on PC1
and 10.10.10.2/24 on PC2.
So I go to Router 2 and allow that whole /24 network:
access-list 10 permit, this is going to be my second entry
in access list 10,
then 10.10.10.0
and then the wildcard. I care that the first octet must match, so all of its bits are turned off, because bits in a wildcard are the inverse of what they mean
in a subnet mask: in a wildcard an off bit (0) is a "care" bit, a bit that must match, and an on bit (1) is a "don't care" bit.
So I care to match the first octet completely, and the second and third octets completely, and I don't care what the fourth octet is: access-list 10 permit 10.10.10.0 0.0.0.255.
I can also put a remark on this access list:
access-list 10, and if I hit the question mark
it shows me that the three options are deny, permit and remark. A remark is just a comment if you want to say something about that access list, so we'll go ahead and say remark.
Let's see if this access list exists in our running config: do show
running-config.
Now, after creating the access list, I must apply it
on Router 2. I'm going to choose to apply it inbound on this interface, which is F0/1.
However, if we look at
show ip interface brief (show ip int brief), you'll remember that we had actually not assigned F0/1 an IP address; we had created two subinterfaces, FastEthernet0/1.10 and FastEthernet0/1.20, under the main interface.
So I need to apply this access list on F0/1.10 and F0/1.20. I go into the interface first,
interface F0/1.10, and I use the command ip access-group
and then the access list number.
Any number between 1 and 99 (or 1300 to 1999) means we are creating a standard access list; our number was between 1 and 99 and we picked 10. Then it asks me for either inbound or outbound. If you look at the flow of traffic in the network diagram,
traffic from the PCs will be coming inbound into this subinterface, so we'll apply this
access list with the command ip access-group 10 in.
Let's do the same for the F0/1.20 subinterface,
and let's go see if this worked.
Right up here is PC3.
I'm going to try to ping from PC3: can it ping the 150.101.45.1, .2, .3 and .4 addresses on the 150.101.45.0/29 LAN between Routers 1, 2, 3 and 4?
Well, it can ping Router 1. Let's ping Router 4,
and I'm pretty sure it can ping Router 2 and Router 3 also.
Let's try to ping Router 1,
and it can ping pretty much anywhere.
PC1 and PC2 should also be able to ping anywhere, since we
permitted them access to be able to ping anywhere.
So from PC1 I can ping Router 1, and I can ping the 150.101.45.0 network, 150.101.45.3
and .2, and I see it's replying, so I'm pinging just fine. Let's do these pings from PC2 and test that out.
So I can ping the 150.101.45.0 network, .4 on that network.
Let's test and see if I can ping Router 1's address in the 200 range
as well,
and I can ping that also.
There is an implicit deny statement
at the end of every access list,
which means that since I have not permitted PC4's address (I'm looking at my running configuration), it should automatically be denied.
So let's go to PC4. Since I have not permitted PC4, it should automatically be denied.
So let's try that out.
I'm getting a message from my default gateway saying "Destination host unreachable". I should not be able to ping any of the 200 addresses either,
and again it says "Destination host unreachable", telling me that there really is an implicit deny statement at the end of my access list.
So now if I look at my access list with show
access-lists, I see that the two permit statements have matches against them,
and I do not have matches against the deny statement, because it does not show;
it is implicitly there, but IOS neither displays it nor counts hits against it.
However, if I go ahead and type
access-list 10 deny any, I add a third entry to my access list (the remark line is just a remark and doesn't count as an entry). So my last entry, my third entry in the access list, is the deny any,
and if I say do show access-lists
I see the deny entry exists over here.
If I start pinging from PC4 again,
150.101.45.1,
for example, again it says "Destination host unreachable".
Now if I look at my access list on Router 2,
I will see matches against that deny any entry,
and I have four matches.
I usually like typing this entry in; it's not too much work, because I want to see matches against my deny any statement. If this match counter increments rapidly, I have an indication that somebody is trying to
do a denial of service attack on my network, and this counter, if I repeat the show command over and over again, will start incrementing rapidly.
Let's look at our running config again
and scroll down to my access list. What happens if I take away this last entry in the access list?
Let's take it away: no access-list 10 deny any,
and I check my running config again
and the whole access list is gone.
As soon as the router read "no access-list 10", it didn't bother reading the rest of the command and just got rid of the whole access list. Because of this issue, let's create a named access list instead.
If I type ip access-list and hit the question mark, I see two options, either extended or standard, and I'm going to pick the standard option.
Then I need to give it a name; let's name it CCNA and hit Enter, since it says access list name.
Now you see I'm in a separate configuration mode, a sub-configuration mode. Here I can add and delete permit and deny entries without taking away the whole access list, so this is much better.
I can do my commands over again. I have them in Notepad and I can simply copy and paste.
So I permitted PC3.
I said permit 20.20.20.3 0.0.0.0. The statement permit
20.20.20.3 0.0.0.0 can also be replaced, since it's one address we're permitting, with the keyword host: permit host 20.20.20.3. Personally, I don't like doing it that way.
It's a matter of personal preference. I'd rather type permit 20.20.20.3
and then 0.0.0.0.
So let's go look at our access list
by saying do show run.
I should have the same
access list that I had with the previous one, because the entries are identical.
The only difference is that now I get to go into a sub-configuration mode and do my permit and deny statements there,
and name my access list from config mode.
Now I need to change the access-group command under FastEthernet0/1.10 and 0/1.20. Do show
running-config: see, it still has the old command we put in previously, ip access-group 10 in. I need to remove that:
int f0/1.10
no ip access-group 10 in
and then I need to do the command ip access-group again, this time using the named access list, which was CCNA,
and then again inbound: ip access-group CCNA in.
I do the same for interface F0/1.20:
remove access-group number 10
and add access-group name CCNA.
This should work exactly the same way. Let me send a bunch of pings from each one of these PCs.
So this one, PC4, should not work, and it's saying "Destination host unreachable".
Going to PC3,
PC3 should work.
I'm going to send a ping,
and PC1 should also work.
So I send pings from PC2 and now from PC1,
and I go check my access list on
Router 2 by saying show access-lists, and I see matches against each one of my entries, telling me that this access list is working.
If I go under the access list configuration mode, ip access-list
standard CCNA, and take away the last statement, which is the deny any statement, by saying no deny any,
and then check my running config,
you will see that I only got rid of the last statement, the deny any statement. The rest of my access list is still here.
To get rid of my whole access list, I actually need to say
no ip access-list standard CCNA, and that gets rid of the whole access list.
Now, standard access lists can also be used to deny Telnet traffic, or
remote login traffic. So I'm going to try to remotely log into Router 4 from PC3.
Let's see if that works.
So I go to PC3 and say telnet,
and Router 4's IP is 150.101.45.4,
and it worked. So standard access lists can also be used to block Telnet access.
First, I'm going to test whether I can telnet into Router 3 from PC3. So I'm going to try to remotely log into Router 3,
so I type telnet 150.101.45.3,
and it says "Connection to 150.101.45.3 was closed by foreign host".
This is a security feature in Cisco routers: by default they do not allow anybody to telnet into them or remotely log into them, because the vty lines have no password configured.
To enable Telnet access I have to go into my vty lines, the virtual ports that are there for Telnet.
So line vty 0 15; I have 16 lines, 0 through 15,
and I have to assign them a password, which I'm going to set to cisco (a lab password; a plain password line is stored in clear text in the running config), and say
login, so that this password is required at login.
Now let's try to telnet from PC3:
telnet from PC3, going to say
telnet 150.101.45.3,
and it's asking for a password. I type cisco and I'm inside Router 3; you see my prompt is Router 3's.
And let me make sure I can telnet from PC4 also.
So I say telnet 150.101.45.3
and I get into Router 3.
Now what I'm going to do is create an access list on Router 3, and this one I have to create on Router 3 because that's where I'm trying to control Telnet access to. I'm going to allow PC3
Telnet access and deny PC4 Telnet access,
and I'm going to use a standard access list.
I was going to say ip access-list,
but no, I'm going to create a numbered access list to do this because it's quicker.
So I'm simply going to say access-list 10 permit
PC3's IP address, 20.20.20.3,
and then 0.0.0.0 for that one address.
I'm not going to permit PC4.
After the permit
for 20.20.20.3 0.0.0.0, I'm going to deny everybody else:
access-list 10 deny any, which should deny PC4.
Now, I do not apply this access list inbound on Router 3's F0/0 interface; that would filter all traffic entering the router, not just sessions to the router itself.
I actually have to go into my vty lines,
line vty 0 15,
and use access-class. The command is different: it's not ip access-group, it's access-class,
10, which is my access list number,
and then inbound or outbound. Well, the connection is going to come inbound, so I say in: access-class 10 in. Because it is applied on every vty line, it checks the source address of any incoming Telnet session no matter which of Router 3's addresses the session is aimed at.
Then I exit out again.
Now I'm going to try to telnet from PC3, which should work.
So telnet 150.101.45.3,
and I'm inside Router 3.
A Telnet connection from PC4 should not work,
and it says "Connection refused by remote host".
So let's go check our access list on Router 3,
and I see two matches
for my permit statement and 16 matches for my deny statement, so this access list is working.
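Here is an added example, not part of the lab, that models in Python what Router 2 and Router 3 are doing with these two lists: wildcard-mask matching (a 0 bit must match, a 1 bit is ignored), top-down first-match evaluation, the implicit deny at the end that IOS never shows, the host keyword as shorthand for an all-zero wildcard, and per-entry hit counters like show access-lists. It builds access list 10 from Router 2 (permit 20.20.20.3, permit 10.10.10.0 0.0.0.255) and access list 10 from Router 3's vty lines (permit 20.20.20.3, deny any). PC4's IP address is never stated in the lab, so 20.20.20.4 is assumed for it, and the class and function names are my own, not IOS commands.

```python
"""Added example (not from the lab): a small model of Cisco standard-ACL
matching, wildcard masks, first-match evaluation and the implicit deny."""
from __future__ import annotations

import ipaddress


def _to_int(dotted: str) -> int:
    """Dotted-quad IPv4 address to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


class Entry:
    """One access-list line: permit|deny <address> <wildcard>."""

    def __init__(self, action: str, address: str, wildcard: str = "0.0.0.0"):
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action: {action}")
        self.action = action
        self.address = _to_int(address)
        self.wildcard = _to_int(wildcard)
        self.hits = 0  # incremented on every match, like the IOS counter
        self.text = f"{action} {address} {wildcard}"

    def matches(self, src: str) -> bool:
        # A wildcard is the inverse of a subnet mask: a 0 bit means "this
        # bit must match", a 1 bit means "don't care".  So compare only the
        # bits that are 0 in the wildcard.
        care = ~self.wildcard & 0xFFFFFFFF
        return (_to_int(src) ^ self.address) & care == 0


class StandardACL:
    """A standard ACL: matches on the packet's source address only."""

    ANY = ("0.0.0.0", "255.255.255.255")  # what the 'any' keyword expands to

    def __init__(self, name: str):
        self.name = name
        self.entries: list[Entry] = []
        self.implicit_deny_hits = 0  # IOS neither shows nor counts these

    def permit(self, address: str, wildcard: str = "0.0.0.0") -> StandardACL:
        self.entries.append(Entry("permit", address, wildcard))
        return self

    def deny(self, address: str, wildcard: str = "0.0.0.0") -> StandardACL:
        self.entries.append(Entry("deny", address, wildcard))
        return self

    def permit_host(self, address: str) -> StandardACL:
        """'permit host A.B.C.D' is exactly 'permit A.B.C.D 0.0.0.0'."""
        return self.permit(address, "0.0.0.0")

    def deny_any(self) -> StandardACL:
        """The explicit 'deny any' the lab adds to get a visible hit counter."""
        return self.deny(*self.ANY)

    def check(self, src: str) -> bool:
        """Top-down, first match wins; no match falls to the implicit deny."""
        for entry in self.entries:
            if entry.matches(src):
                entry.hits += 1
                return entry.action == "permit"
        self.implicit_deny_hits += 1
        return False

    def show(self) -> dict[str, int]:
        """Hit count per configured entry, like 'show access-lists'."""
        return {entry.text: entry.hits for entry in self.entries}


def router2_acl() -> StandardACL:
    """Access list 10 from the lab, applied 'in' on R2's F0/1.10 and F0/1.20."""
    return (StandardACL("10")
            .permit("20.20.20.3", "0.0.0.0")      # PC3
            .permit("10.10.10.0", "0.0.0.255"))   # PC1 and PC2's /24


def router3_vty_acl() -> StandardACL:
    """Access list 10 on R3, applied with 'access-class 10 in' on vty 0 15."""
    return StandardACL("10").permit_host("20.20.20.3").deny_any()


if __name__ == "__main__":
    # PC4's address is not given in the lab; 20.20.20.4 is assumed here.
    pcs = [("PC1", "10.10.10.1"), ("PC2", "10.10.10.2"),
           ("PC3", "20.20.20.3"), ("PC4", "20.20.20.4")]
    acl = router2_acl()
    for name, src in pcs:
        verdict = "permit" if acl.check(src) else "deny"
        print(f"R2 access-list 10: {name} {src} -> {verdict}")
    print(acl.show(), "implicit deny hits:", acl.implicit_deny_hits)
```

Two things worth trying with it: swap the order so deny any comes first and every source is denied, which is why the lab always puts the deny last, and compare the two vty-list entries with and without the explicit deny any to see that only the explicit entry gives you a counter to watch.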
That concludes our standard access list lab.