Access Control Lists | Cisco CCNA 200-301

00:00

hey what's up guys welcome to cert bros

00:03

in this video we're going to be talking

00:05

about access control

00:11

[Music]

00:14

lists

00:19

so what is an access control list

00:22

access control lists also known as acls

00:26

or simply access lists are rule-based

00:28

lists that are used

00:30

by switches and routers to identify

00:32

traffic

00:33

they can identify traffic based on the

00:35

source address destination address

00:37

and port numbers the most common use for

00:40

an access list is to deny or permit

00:43

traffic but there are other uses for

00:45

access lists such as configuring network

00:47

address translation

00:48

and quality of service let's take a look

00:51

at a quick example

00:55

this router has an acl configured the

00:58

acl

00:58

is configured with rules that tell it

01:00

which traffic is allowed to pass

01:02

and which traffic is not for example

01:05

we may want to allow all traffic

01:07

destined for this server

01:09

but at the same time we may want to

01:11

block all other traffic to any other

01:13

host

01:14

this is all possible with a very simple

01:17

access list

01:20

okay so now we have an idea about what

01:22

an access list does

01:23

let's see what one looks like

01:27

here is a simple access list it consists

01:31

of one or more lines

01:32

called rules which specify if traffic

01:34

should be permitted

01:36

or denied don't worry we'll look at what

01:38

each bit means

01:39

in just a moment the first thing you'll

01:42

probably notice is the number on the

01:44

left

01:45

this represents the order of each rule

01:48

the reason it goes up in tens

01:49

is to give you the flexibility to come

01:52

back at a later date

01:53

and add rules in between the existing

01:55

ones

01:56

why does that matter well the order of

01:58

the list is very

02:00

important when a router or switch

02:03

receives some traffic

02:04

it checks the access control list it

02:07

starts at the top of the list and it

02:09

works its way

02:09

down it keeps going until it finds a

02:12

matching rule

02:14

as soon as a matching rule is found it

02:16

stops looking and applies that rule

02:19

this means you have to be very careful

02:21

to put the rules

02:22

in the right place otherwise you could

02:25

deny traffic that you're trying to

02:27

permit

02:27

or permit traffic that you're trying to

02:29

deny we'll see this more as we go

02:33

another very important note here is that

02:35

if no matching rule is found

02:37

the traffic will automatically be denied

02:41

there is an invisible deny everything

02:44

rule at the bottom of every access list

02:47

this is known as the implicit deny

02:52

okay so now we know what an access list

02:54

does and what it looks like

02:56

now let's take a closer look

02:59

there are three types of access list the

03:02

first

03:02

is a standard access list now

03:05

when you configure an access list you

03:07

use a number to identify the type of

03:09

access list you want to configure

03:12

a standard access list uses any number

03:14

between 1

03:15

and 99 then cisco decided to expand this

03:19

to also include 1300 to 1999

03:24

this expansion meant we can configure a

03:27

lot more access lists

03:28

per device standard access lists

03:32

only use the source address to identify

03:34

traffic so this can be quite limiting

03:37

the second type of access list is called

03:40

an extended

03:40

access list extended access lists uses

03:44

any number between 100 and 199

03:47

and expanded numbers between 2000 to

03:51

2699

03:53

extended access lists allow us to

03:55

identify traffic not only on the source

03:57

address

03:58

but the destination address protocol and

04:00

port number as well

04:02

so we can have a lot more granular

04:04

control with extended access lists

04:08

the last type i want to mention is

04:10

called a named access list

04:13

a named access list allows standard or

04:15

extended lists to be given

04:16

names rather than numbers if you have

04:19

multiple access lists on a device

04:21

named lists make it easier to identify

04:23

what each list does

04:25

making them easier to manage we're going

04:27

to look at all three of these in a bit

04:29

more detail

04:32

first let's look at standard access

04:34

lists

04:38

this is a command to configure a single

04:40

standard access list entry

04:42

it can look a bit intimidating at first

04:44

so we're going to break it down

04:46

the first part specifies the access list

04:48

number remember

04:50

any number between 1 and 99 or 1

04:53

300 to 1 999 means this will be a

04:57

standard

04:57

access list the next part is the action

05:01

do we want to permit this traffic or do

05:04

we want to deny it

05:06

we then have our source ip address and

05:09

finally

05:09

something called a wildcard mask now the

05:12

wildcard mask will need some further

05:14

explaining

05:16

a wildcard mask works with an ip address

05:19

it's like an inverted subnet mask the

05:22

job of a wildcard mask is to identify

05:24

the bits of an ip address that needs to

05:26

match

05:27

and the bits that don't to do this you

05:30

need to compare the wildcard mask

05:31

with the ip address wherever you see a

05:34

zero

05:35

this means that corresponding bit must

05:37

match

05:39

wherever you see a 1 this means the bit

05:41

does not need to match

05:43

so in our example here we have the

05:45

address 192.168.10.0

05:48

and the wildcard mask of 0.00

05:54

this means it will match any traffic

05:55

with the source address between

05:59

192.168.10.0

06:00

to 192.168.10.255.

06:04

because the wildcard mask states that

06:06

the last eight bits don't need to match

06:11

so to summarize this rule it will permit

06:13

any traffic coming from the source

06:15

address

06:18

192.168.10.something

06:20

okay so that was nice and simple let's

06:23

now look at an extended access list

06:27

this is a command to configure a single

06:29

extended access list entry

06:32

as you can see there is a bit more to it

06:34

than the standard access list

06:36

don't worry though we're going to break

06:37

it down the first part specifies the

06:40

access list number

06:42

because we're now configuring an

06:43

extended access list we will use

06:45

something between

06:47

100 and 199 or 2000 to 2699

06:53

the next part is the action so this time

06:56

we will be denying this traffic

06:58

next we have a new section this matches

07:01

the traffic protocol

07:03

in this example we have tcp but this

07:05

could be

07:06

udp eigrp ospf etc

07:11

then we have the source ip address

07:13

followed by the source wildcard mask

07:17

then we have the destination ip address

07:20

and the destination wildcard mask

07:23

after that we have something called an

07:25

operator

07:27

an operator is used to match port

07:29

numbers

07:30

we have a few different operator options

07:33

gt

07:34

means greater than lt

07:37

means less than neq

07:41

means not equal to

07:44

and eq means equal to

07:47

range means included in the range you

07:49

specify

07:52

in this example we're going to use eq

07:55

which means

07:56

equals two and then we'll specify the

07:58

port number

07:59

we can do this using the port number

08:01

itself or we can use a keyword

08:03

for common ports here i typed ftp

08:06

meaning port 21. an important note here

08:10

when configuring an extended access list

08:13

the source ip

08:14

and port number always comes first

08:18

okay so to summarize this rule deny all

08:22

tcp traffic coming from

08:25

[Music]

08:26

192.168.10.something with a destination

08:29

ip address

08:29

of 192.168.20.50

08:33

and a destination port number of 21. the

08:40

last one we need to look at is a named

08:42

access list now luckily named access

08:45

lists are pretty similar

08:46

they're just configured slightly

08:48

differently

08:50

the first thing you need to do is type

08:52

ip access list

08:54

then you specify if you want to

08:55

configure a standard or an extended

08:57

access list then you just need to choose

09:00

a name

09:01

here i've chosen serpros for the name

09:04

then you enter the access list

09:06

configuration mode where you can add the

09:08

rules in the same way as before

09:11

so this access list will deny any tcp

09:13

traffic with a source ip address of

09:17

192.168.10.something

09:19

with a destination ip address of

09:23

192.168.20.50

09:24

and a destination port number of 21

09:27

which is

09:27

ftp after that it will permit any ip

09:32

traffic

09:32

with a source ip address of 192.168

09:37

and a destination ip address of

09:41

192.168.20.50.

09:44

can you see the importance of having the

09:46

correct order

09:48

if these two entries were the other way

09:50

around then ftp traffic would be

09:52

permitted

09:52

because the bottom rule would never be

09:54

checked

09:59

so that is how you configure the three

10:01

types of access list

10:02

but you also need to be able to read the

10:04

lists

10:05

let's take a look at a few examples and

10:07

try and figure out what they do

10:11

here's our first list we know it's an

10:14

extended list

10:15

because well because it says extended at

10:18

the top

10:19

but not only that it also has a number

10:21

of 101

10:23

which hopefully by now we know is an

10:25

extended access list number

10:29

below this we have our list rules the

10:32

first one states

10:33

deny all tcp traffic destined for

10:38

192.168.10.something

10:40

with a destination host address of

10:44

192.168.20.50

10:46

and the destination port number of 21.

10:51

now access lists that have a 32-bit

10:54

wildcard mask

10:55

or 0.0.0.0 meaning one ip

10:58

exactly will show a host address

11:02

you can even use the keyword host when

11:04

configuring it

11:06

the next rule is the same but this time

11:09

we are blocking telnet traffic

11:12

and the bottom one permits any ip

11:14

traffic from 192.168.10.something

11:18

with a destination host address of

11:22

192.168.20.50

11:24

nice and easy right well the next one is

11:27

even easier

11:32

this is a standard list of course it

11:36

says standard at the top

11:37

but it's also using a standard number

11:42

remember standard access lists only

11:44

filter based on the source ip address

11:47

so this list is permitting traffic from

11:49

host 192.168.10.10

11:54

15 and dot 20.

11:57

remember all access lists have an

12:00

implicit deny

12:01

at the bottom so everything else will be

12:03

denied

12:07

okay let's look at the last example

12:10

this is an extended access list but this

12:13

time it doesn't have a number

12:14

instead it has a name

12:20

the first rule permits tcp traffic

12:23

and there is a keyword here that we

12:24

haven't seen yet

12:26

we can use the any keyword to specify

12:29

any ip address so in this case any

12:32

source ip

12:34

and then we have the destination host

12:36

address of 192.168.20.50

12:41

and which port do you think www means

12:44

http port 80.

12:48

the second rule is the same but it's

12:49

permitting ftp traffic on port

12:52

21 hopefully this has given you a good

12:55

understanding of access lists

12:56

what they're used for and the different

12:58

types this video is part of the full

13:01

ccna course which can be found

13:02

in the description so please feel free

13:04

to go and check that out

13:07

if you like this video don't forget to

13:08

give it a thumbs up leave a comment

13:10

and subscribe the support from you guys

13:12

really helps this channel grow

13:14

other than that thank you for watching

13:27

you