Time
15 hours 34 minutes
Difficulty
Intermediate
CEU/CPE
16

Video Description

Access List Lab

In this lesson, you are learning how to configure several different standard access lists and observe how each works. This is an excellent lab simulation in which the expected results are one PC not able to ping any address, two PCs able to ping everyone, and one of them not able to telnet to a router. You'll see what happens to the access list data, how to remove an access list and its data, how to deny telnet traffic and a host of other critical functions.

Video Transcription

00:04
Okay. Now we're going to configure some standard access lists and see how they work.
00:10
So I have made up a question that we're going to solve.
00:14
I have said that PC 3 should be able to ping everyone,
00:18
and PC 4 should not be able to ping any address.
00:22
So
00:24
I go to my router. This access list I'm gonna create on Router 2,
00:29
because that is the router that is closest to the source of the traffic. It is usually, not always, but usually a good idea to create your access list as close as possible to the source of the traffic that you're trying to permit or deny, especially if you're trying to deny traffic. Because
00:46
if you put the access list close to the destination that you're trying to deny traffic to, it doesn't make sense for that traffic to traverse your whole network, get close to the destination and then get dropped anyways,
00:59
this
01:00
if you drop the traffic at the very end, close to the destination, you're wasting bandwidth by allowing that traffic to flow through part of your network.
01:10
So the general rule of thumb is to deny traffic as close to the source as possible. So which, in this case,
01:18
PC 1, PC 2, PC 3 and PC 4 are closest to Router 2. So we're gonna create this access list on Router 2. I go to global config mode
01:32
and execute the command access-list. And then I hit the help feature, which is the question mark. And it is telling me that if I pick a number between 1 and 99, it's gonna automatically create a standard access list.
01:47
So I picked the number 10
01:49
and then I'm gonna permit PC
01:52
3's address. PC 3's address,
01:55
it is
01:57
20.20.20.3.
02:00
Remember, standard access lists are source based. So Router 2 will be checking for the source IP address in the inbound packet
02:10
coming into Router 2.
02:14
So I'm gonna say permit
02:15
20.20.20.3. And since this is just one address, I'm going to use a wildcard. Next, it's gonna ask me for a wildcard. I'm going to use a wildcard of all zeros.
02:30
Next, my question states that PC 1 and 2 should be able to ping everybody,
02:37
so we must permit
02:39
PC 1 and PC 2, the IPs on PC 1
02:44
being 10.10.10.1/24
02:49
and PC 2
02:51
being
02:52
10.10.10.2/24.
02:55
So I go to Router 2 and now allow this whole network, that /24 network, too,
03:01
by saying access
03:06
access,
03:08
access-list 10 permit. This is going to be my second entry
03:15
in access list 10. On access list 10,
03:20
then I say 10.10.10.0
03:23
and then the wildcard. I care that the first octet must match, so all the bits are turned off, because off bits in the wildcard are the inverse of what they mean
03:35
in an IP address. In the wildcard, an off bit is a care bit. I care.
03:40
So I care to match the first octet completely. I care to match the second and the third octet completely. And I don't care what value is in the fourth octet.
03:53
I can also put a remark down for this access list
03:59
access-list 10. And if I hit the question mark key,
04:02
it shows me that the three options are deny, permit or remark. Remark is just if you want to say something about that access list. We'll go ahead and say remark,
04:14
test ACL,
04:16
and hit Enter.
04:17
Let's see if this access list exists in our running config. do show
04:23
running-config.
04:30
And there it is.
04:35
Now, after creating the access list, I must apply this access list
04:41
on Router 2.
04:43
On Router 2, I'm gonna choose to apply it inbound on this interface, which is F0/1.
04:49
However, if we go look at our
04:53
show ip int brief, do show ip int brief, you'll remember that we had actually not assigned Fa0/1 an IP address and we had created two sub-interfaces, Fa0/1.10 and Fa0/1.20, under the main interface.
05:12
So we must go apply
05:14
this access list on F0/1.10 and .20. So I go into the interface first,
05:21
fast ethernet
05:23
0/1.10, and I use the command ip access-group
05:30
and then access list number.
05:34
Any number between 1 and 99, 1 and 99, and we are creating a standard access list. So our number was between 1 and 99; we picked 10. And then it asks me either inbound or outbound. Now, if you look at the flow of traffic in the network diagram,
05:53
traffic will be coming inbound into this sub-interface. So we'll apply this
05:59
access list
06:00
inbound
06:01
with the ip access-group 10 in command.
06:05
Let's go do the same for the .20 sub-interface.
06:11
And now let's
06:14
save our config
06:16
and let's go see if this worked.
06:23
So from PC three
06:26
right up here, this is PC 3.
06:28
I'm going to try and ping out. PC 3, can it ping the 150.101.45.1, 2, 3 and 4 addresses on that 150.101.45.0/29 LAN between Router 1, 2, 3 and 4?
06:44
Well, it can ping Router 1. Let's ping Router 4,
06:47
and I'm pretty sure it can ping Router 2 and Router 3 also.
06:56
Let's try and ping Router 1,
07:00
202.102.100.2,
07:03
and it can ping out pretty much anywhere.
07:08
PC 1 and PC 2 should also be able to ping out anywhere, since we had
07:14
permitted them access to be able to ping anywhere
07:16
so I can ping Router 1, and I can ping the 150 network, 150.101.45.3.
07:29
And that, too. And I see it's replying, so I'm pinging just fine. Let's go do these pings from PC 2 and test it out,
07:40
so I can ping the 150.101.45.0 network, or .4 on that .0 network.
07:47
I can also ping .3.
07:50
Let's test and see if I can ping the 202.102.100.
07:56
11 address on Router 1,
08:00
and I can ping that. Also.
08:01
Now,
08:03
remember, I said,
08:05
there is an implicit deny statement
08:09
at the end of every access list.
08:11
So which means, since I have not permitted, I'm looking at my running configuration, since I have not permitted Router 4's address for going out, it should automatically be denied.
08:28
So let's go out of, I mean, let's go to PC 4. Since I have not permitted PC 4 out, it should automatically be denied.
08:35
So let's try that out.
08:37
Ping 150.101.45.4
08:43
and see.
08:45
I'm getting a message from my default gateway saying the destination host is unreachable. I should not be able to ping any of the 200 addresses either.
08:56
And again it says destination host unreachable, telling me that there really is an implicit deny statement at the end of my access list.
09:05
So now if I look at my access list, show
09:09
access-list, I see that the two permit statements had matches against them,
09:15
and I do not have matches against the deny statement because it does not, it does not show,
09:22
but it is implicitly there.
09:24
However, if I go ahead and type it in
09:28
access-list 10 deny any, I add a third entry to my access list. Show,
09:37
do show run,
09:43
and see. I have my
09:46
last entry.
09:48
This is just a remark that doesn't count. So my last entry or my third entry in my access list is the deny any
09:56
statement
09:58
and if I say do show
10:01
access-list,
10:03
I see the deny entry exists over here.
10:05
If I start pinging from PC 4 again,
10:16
ping
10:18
150.101.45.
10:22
1, for example. Again, it says destination host unreachable.
10:28
Now, if I look at my access list on Router 2,
10:31
I will see matches against that deny any entry,
10:35
and I have four matches.
10:37
I usually like typing this in. It's not too much work, because I want to see matches against my deny any statement, because if this counter, this match counter, increments rapidly, for me that is an indication that somebody's trying to
10:54
do a denial of service attack on my network, and hence this counter, if I redo this command over and over again, will start incrementing rapidly.
11:03
Now.
11:05
What happens?
11:07
Let's go get our running config again
11:15
and scroll down to my access list. What happens if I take away this last entry in the access list?
11:22
So
11:24
let's take it away. no access-list 10 deny any,
11:35
and I check my running config again
11:39
and you see
11:41
that the whole access list is gone.
11:45
So as soon as the router read no access-list 10, it didn't bother reading the rest of the command and just got rid of the whole access list. Because of this issue, Cisco created named access lists. So now if I type in ip
12:00
access-list
12:01
standard,
12:05
So if I type in ip access-list and hit question mark, I see two options, either extended or standard, and I'm going to pick the standard option.
12:16
Then I need to give it a name. Let's name it CCNA and hit Enter, since it says access list name.
12:24
And now you see, I'm in a separate configuration mode, a sub-configuration mode. Here I can permit and deny, add and delete entries without taking away the whole access list. So this is much better.
12:39
Then, from here,
12:43
I can do my commands over again. I have them in Notepad and I can simply copy and paste.
12:50
So I permit host 3.
12:54
So
12:56
I said permit host 3. The statement permit
13:01
20.20.20.3 0.0.0.0 can also be replaced, since it's one address that we're permitting, with the keyword host, host 20.20.20.3. Personally, I don't like doing it that way.
13:18
It's a matter of personal preference. I'd rather type in permit 20.20.20.3
13:24
and then 0.0.0.0.
13:28
So let's go look at our access list
13:30
by saying do show run.
13:35
And here it is.
13:37
So I should have the same effect
13:39
with this access list that I had with the previous one, because
13:43
it looks the same.
13:46
The only difference is that now I get to go into a sub configuration mode and do my permit and deny statements
13:52
and name my access list from config mode.
13:58
Now I need to change that access-group command under FastEthernet 0/1.10 and .20. do show
14:11
running
14:11
config. See, it still has that old command we put in previously, ip access-group 10 in. I need to remove that:
14:22
int f0/1.10
14:26
no ip access-group
14:30
10 in.
14:31
And then I need to do the command ip access-group, and this time use the named access list, which was CCNA,
14:41
and then again inbound.
14:43
I do the same for interface F0/1.20.
14:48
Take away
14:50
my access-group number 10
14:54
and add my access-group name CCNA.
15:03
This should work exactly the same way. Let me send a bunch of pings from each one of these
15:07
devices
15:11
so this one should not work. And it's saying destination host unreachable.
15:16
Gonna go to PC 3
15:18
and send a ping.
15:22
PC 1 should also work.
15:24
I'm gonna send a ping
15:28
on PC
15:30
2, and PC 1 should also work.
15:33
So I send pings from PC 2 and now from PC 1,
15:37
and I go check my access list on
15:41
Router 2 by saying show access-list, and I see matches against each one of my entries, telling me that this access list is working.
15:52
Now, if I take away
15:54
if I go under the access list configuration mode, ip access-list
16:02
standard CCNA, and I take away the last statement, which is the deny any statement, and I say no deny any,
16:11
and then I check my running config.
16:17
Okay,
16:18
you will see that I only got rid of the last statement, the deny any statement. The rest of my access list is still here.
16:26
To get rid of my whole access list, I actually need to say no,
16:36
Copy it.
16:37
no ip access-list standard CCNA. And that gets rid of my whole access list.
16:45
Now standard access lists can also be used to deny telnet traffic or
16:51
remote login traffic. So I'm gonna try and remotely log into Router 4 from PC 3.
16:59
Let's see if that works.
17:02
So I'm gonna go to PC 3 and say telnet,
17:06
T-E-L-N-E-T,
17:08
and Router 4's IP is 150.101.45.4,
17:15
and it worked. So standard access lists can also be used to block telnet access.
17:21
First, I'm gonna test to see if I can telnet into Router 3 from PC 3. So I'm going to try and remotely log into Router 3,
17:30
so I'm gonna type in telnet 150.101.45.3.
17:36
And it says connection to, connection to 150.101.45.3 was closed by foreign host.
17:45
This is a security feature in Cisco routers. Cisco routers, by default, do not allow anybody to telnet into them or remotely log into them.
17:56
To enable telnet access, I have to go into my VTY lines, those virtual ports that are there for telnet.
18:03
So line vty, and I have 16 lines, 0 through 15,
18:08
0 space 15,
18:11
and I have to assign it a password, which I'm gonna say cisco, and set this,
18:18
this password is a login
18:21
password.
18:23
Now let's try and telnet from PC 3,
18:26
and it should work.
18:30
So
18:30
telnet from PC 3. Going to say
18:34
telnet
18:37
150.101.45.3, it should be there,
18:41
and it's asking for a password. I type in cisco and I'm inside Router 3. You see, my prompt is R3.
18:48
I'll exit out
18:49
and make sure I can telnet from Router 4 also, I mean from PC 4 also, excuse that.
18:59
So I'm gonna say telnet 150.101.45.3
19:04
and it works
19:07
and I get into Router three.
19:10
Now, what I'm going to do is create an access list on Router 3, and this one I have to create on Router 3 because that's where I'm trying to prevent telnet access to.
19:19
I'm gonna prevent a
19:22
I'm gonna
19:23
deny
19:25
PC 3 telnet access, and I'm gonna allow PC 4 telnet access,
19:30
and I'm going to use a standard access list
19:33
to do this.
19:37
So I'm going to say ip,
19:40
no, I'm going to create a numbered access list to do this because it's quicker.
19:44
So I'm just going to simply say, access
19:47
list
19:48
10 deny
19:52
and PC 3's IP address is 20.20.20.3
19:56
and then 0.0.0.0 for that one address.
20:02
No, PC 3 I mean, I'm gonna permit.
20:04
I'm going to say permit
20:07
20.20.20.3
20:11
and 0.0.0.0. Then I'm going to say deny everybody else, deny,
20:18
access-list 10 deny any, which should deny PC 4.
20:26
Now I do not apply this access list inbound on Router 3's F0/0 interface.
20:34
I actually have to go into my VTY lines,
20:40
line vty 0 space 15,
20:45
and say access-class. The command is different. It's not ip access-group, it's access-class,
20:52
Then the number
20:55
10, which is my access list number,
20:57
and then inbound or outbound? Well, the connection is gonna come inbound, so I'm going to say in
21:04
and hit Enter.
21:07
Gonna exit out.
21:10
Exit out again.
21:14
And now I'm going to try and telnet from PC 3, which should work.
21:21
So telnet to 150.101.45.3.
21:25
And it worked.
21:29
I'm inside Router 3.
21:32
Let's exit out
21:34
and
21:37
a telnet connection from PC 4 should not work,
21:41
and it says connection refused by remote host
21:45
right here.
21:48
So let's go check our access list on Router 3,
21:53
show access-list.
21:56
And I see two matches
22:00
for my permit statement and 16 matches for my deny statement. So this access list is working.
22:06
That concludes our standard access list lab.
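As an added illustration (not part of the instructor's lab or any Cisco code), the following Python models how Router 2 evaluates access list 10 from this lesson: the first matching entry wins, wildcard off bits are "care" bits, and the implicit deny at the end catches whatever falls through and keeps its own counter that IOS never displays. The PC names and addresses are the lab's; the class and function names are my own.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Entry:
    action: str        # "permit" or "deny"
    address: str       # e.g. "10.10.10.0"
    wildcard: str      # e.g. "0.0.0.255"; all zeros == the "host" keyword
    matches: int = 0   # the match counter shown by "show access-list"

    def matches_source(self, src: str) -> bool:
        # A 0 bit in the wildcard is a "care" bit: that bit of the source
        # must equal the entry's address. A 1 bit is "don't care".
        care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(self.wildcard))
        addr = int(ipaddress.IPv4Address(self.address))
        s = int(ipaddress.IPv4Address(src))
        return (addr & care) == (s & care)

class StandardAcl:
    """First-match standard ACL with the implicit deny at the end."""
    def __init__(self, entries):
        self.entries = list(entries)
        self.implicit_deny_matches = 0   # counted here, but IOS never shows it

    def check(self, src: str) -> bool:
        for e in self.entries:
            if e.matches_source(src):
                e.matches += 1
                return e.action == "permit"
        self.implicit_deny_matches += 1
        return False

def lab_acl_10(explicit_deny_any: bool = False) -> StandardAcl:
    """Access list 10 as configured on Router 2 in the lesson."""
    entries = [Entry("permit", "20.20.20.3", "0.0.0.0"),    # PC 3, single host
               Entry("permit", "10.10.10.0", "0.0.0.255")]  # PC 1 and PC 2's /24
    if explicit_deny_any:
        # "deny any" is the same as deny 0.0.0.0 255.255.255.255
        entries.append(Entry("deny", "0.0.0.0", "255.255.255.255"))
    return StandardAcl(entries)

def run_lab(explicit_deny_any: bool = False):
    """Send one packet from each lab PC; return results and match counters."""
    acl = lab_acl_10(explicit_deny_any)
    pcs = {"PC1": "10.10.10.1", "PC2": "10.10.10.2",
           "PC3": "20.20.20.3", "PC4": "20.20.20.4"}   # PC 4 is not permitted
    results = {name: acl.check(ip) for name, ip in pcs.items()}
    counters = [e.matches for e in acl.entries]
    return results, counters, acl.implicit_deny_matches
```

With the explicit deny any entry added, the third counter becomes visible, which is what the lesson uses to spot a source hitting the deny rule repeatedly.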

Up Next

Cisco CCNA

Our free, online, self-paced CCNA training teaches students to install, configure, troubleshoot and operate LAN, WAN and dial access services for medium-sized networks. You'll also learn how to describe the operation of data networks.

Instructed By

Junaid Memon
Instructor