Access Control Lists | Cisco CCNA 200-301

CertBros
8 Jun 2021 | 13:28

Summary

TL;DR: This video from 'Cert Bros' offers a comprehensive guide to Access Control Lists (ACLs), explaining their role in network security. ACLs, used by switches and routers, are rule-based lists that permit or deny traffic based on criteria like source and destination addresses. The video delves into standard, extended, and named ACLs, highlighting their unique features and configurations. It also emphasizes the importance of rule order due to the 'implicit deny' rule at the end of every list, ensuring viewers understand the impact of list structure on network traffic control.

Takeaways

  • 🔒 Access Control Lists (ACLs) are rule-based lists used by network devices like switches and routers to identify and control traffic based on various criteria.
  • 📋 ACLs can be used for purposes beyond just permitting or denying traffic, including network address translation and quality of service configuration.
  • 👉 ACLs consist of ordered rules that determine whether traffic should be allowed or blocked; the order is crucial as the first matching rule will be applied.
  • ⚠️ There is an implicit 'deny all' rule at the bottom of every ACL, which applies if no other rule matches the traffic.
  • 🔢 Standard ACLs use numbers from 1 to 99 or 1300 to 1999 and only consider the source IP address for traffic filtering.
  • 🔎 Extended ACLs, with numbers from 100 to 199 or 2000 to 2699, allow for more granular control by considering source and destination IP addresses, protocol, and port numbers.
  • 📝 Named ACLs provide a more human-readable alternative to numbered ACLs by assigning names to standard or extended ACLs for easier management.
  • 🌐 A wildcard mask is used in standard ACLs to determine which bits of the IP address must match for the rule to apply.
  • 🚫 Extended ACLs include an operator to match port numbers, offering options like 'greater than', 'less than', 'not equal to', 'equal to', and 'range'.
  • 👀 The configuration of ACLs requires careful planning to ensure that the rules are ordered correctly to avoid unintended traffic blocking or allowing.
  • 📚 Understanding how to read and interpret ACLs is essential for network management, as demonstrated by the examples provided in the script.

Q & A

  • What is an Access Control List (ACL)?

    -An Access Control List, also known as an ACL or access list, is a rule-based list used by switches and routers to identify traffic based on source and destination addresses and port numbers. ACLs are commonly used to permit or deny traffic and can also be used for network address translation and quality of service.

  • What is the purpose of an ACL in a network?

    -The primary purpose of an ACL is to control traffic flow by allowing or denying traffic based on specific criteria such as source and destination IP addresses, port numbers, and protocols. This helps in enhancing security and managing network traffic effectively.

  • How does the order of rules in an ACL affect traffic processing?

    -The order of rules in an ACL is crucial because the router or switch processes traffic starting from the top of the list and stops at the first matching rule. Therefore, the placement of rules can determine whether intended traffic is permitted or denied.

  • What is the 'implicit deny' in an ACL?

    -The 'implicit deny' is an invisible rule at the bottom of every ACL that automatically denies traffic if no matching rule is found as the traffic is processed down the list.

  • What are the three types of access lists mentioned in the script?

    -The three types of access lists mentioned are standard access lists, extended access lists, and named access lists. Each type serves different purposes and has different levels of specificity in identifying traffic.

  • How do standard access lists differ from extended access lists?

    -Standard access lists use the source IP address only to identify traffic and are identified with numbers between 1 and 99 or 1300 to 1999. In contrast, extended access lists, identified with numbers between 100 and 199 or 2000 to 2699, allow identification based on source and destination addresses, protocol, and port numbers, providing more granular control.

  • What is the purpose of a wildcard mask in a standard access list?

    -A wildcard mask in a standard access list works with an IP address to identify which bits of the address need to match the specified IP address. It is like an inverted subnet mask, with zeros indicating bits that must match and ones indicating bits that do not need to match.

  • What is a named access list and how does it differ from numbered access lists?

    -A named access list assigns names instead of numbers to standard or extended access lists, making it easier to identify and manage multiple lists on a device. It provides the same functionality as numbered lists but with a more descriptive naming convention.

  • Can you provide an example of a rule in an extended access list?

    -An example of a rule in an extended access list could be to deny all TCP traffic from a specific source network to a specific destination host and port number. For instance, 'deny tcp 192.168.10.0 0.0.0.255 host 192.168.20.50 eq 21' denies FTP traffic (TCP port 21) from any host in 192.168.10.0/24 to the destination host 192.168.20.50.

  • How can the order of rules in an ACL impact the network traffic?

    -The order of rules in an ACL impacts network traffic because the router or switch stops processing the list at the first matching rule. If a 'permit' rule is placed before a more specific 'deny' rule, the 'deny' rule may never be reached, thus allowing traffic that was intended to be denied.

Outlines

00:00

🔒 Introduction to Access Control Lists

This paragraph introduces the concept of Access Control Lists (ACLs), explaining their role in network security. ACLs are rule-based lists used by switches and routers to identify and manage traffic. They can be based on source and destination addresses, as well as port numbers, and are primarily used to permit or deny traffic. The paragraph also discusses the importance of order in ACLs, as the first matching rule determines the action taken on the traffic. An implicit 'deny all' rule is present at the bottom of every list, emphasizing the need for careful rule placement to avoid unintended traffic blocking.

05:02

📝 Understanding Access List Configuration

This section delves into the specifics of configuring access lists, including standard and extended ACLs, as well as named access lists. It explains the use of access list numbers to differentiate between standard (1-99, 1300-1999) and extended (100-199, 2000-2699) lists. The paragraph clarifies that standard ACLs are limited to source address filtering, while extended ACLs offer more granular control by considering destination addresses, protocols, and port numbers. Named ACLs are introduced as a way to assign names to lists for easier identification and management. The paragraph also breaks down the components of ACL entries, including action, source and destination IP addresses, wildcard masks, and operators for port number matching.

10:02

🚫 Denying and Permitting Traffic with ACLs

This paragraph focuses on the practical application of ACLs to deny or permit specific types of traffic. It provides examples of standard and extended ACL entries, illustrating how to configure rules using IP addresses, wildcard masks, and port numbers. The explanation includes the use of keywords for common ports and the importance of the order of rules in an ACL. The paragraph emphasizes that the correct sequence of rules is crucial to avoid unintended traffic allowances or denials, because the first rule that matches is the one applied and every rule below it is ignored.

📚 Reading and Interpreting Access Lists

The final paragraph provides examples of ACLs to help viewers understand how to read and interpret them. It includes examples of extended and standard ACLs, both numbered and named, and explains the significance of each rule within the list. The paragraph clarifies the use of 32-bit wildcard masks and the 'any' keyword to match any IP address. It also highlights the implicit deny rule at the bottom of all ACLs and the importance of rule order for determining which traffic is permitted or denied.

Keywords

💡Access Control List (ACL)

An Access Control List, also known as an ACL, is a rule-based list used by network devices such as switches and routers to control the flow of traffic. ACLs are central to the video's theme of network security and management. In the script, ACLs are described as being able to identify traffic based on source and destination addresses, and port numbers, and are used to permit or deny traffic, as well as for configuring network address translation and quality of service.

💡Permit

In the context of the video, 'permit' refers to the action of allowing certain network traffic to pass through a device based on the rules defined in an ACL. The concept is integral to understanding how ACLs control traffic, as it directly impacts the flow of data within a network. For example, the script mentions allowing all traffic destined for a specific server while blocking all other traffic to any other host.

💡Deny

'Deny' is the opposite of 'permit' and is used in ACLs to block traffic that does not meet the specified criteria. The script explains that ACLs can be configured to deny traffic, which is crucial for network security by preventing unauthorized access. The concept is illustrated through examples where certain types of traffic are denied based on their source and destination addresses.

💡Source Address

The source address is the IP address from which the network traffic originates. It is a fundamental part of the ACL rules that determine whether to permit or deny traffic. The video script uses the source address in examples to show how ACLs can be configured to allow or block traffic from specific sources.

💡Destination Address

The destination address is the IP address where the network traffic is intended to reach. It is another key element in ACL rules, used alongside the source address to control traffic flow. In the script, the destination address is used in conjunction with the source address to demonstrate how ACLs can be used to selectively allow or deny traffic to specific destinations.

💡Port Numbers

Port numbers are used in network communications to identify specific services or applications running on a device. The video script explains that ACLs can identify traffic based on port numbers, allowing for more granular control over what types of traffic are permitted or denied at the application level.

💡Standard Access List

A standard access list is a type of ACL that uses the source IP address only to identify traffic. The script explains that standard access lists are limited in their functionality compared to extended access lists, as they do not consider the destination address, protocol, or port numbers. They are identified by numbers between 1 and 99 or 1300 to 1999.

💡Extended Access List

An extended access list provides more granular control than a standard access list by also considering the destination address, protocol, and port numbers in its rules. The script describes how extended access lists use numbers between 100 and 199 or 2000 to 2699 and are more flexible for complex network security requirements.

💡Named Access List

A named access list is an ACL that is identified by a name rather than a number, making it easier to manage and identify the purpose of each list. The script mentions that named access lists can be either standard or extended and are beneficial when there are multiple access lists on a device.

💡Wildcard Mask

The wildcard mask is used in conjunction with an IP address in standard access lists to specify which bits of the address must match the source address for the rule to apply. The script explains that a wildcard mask is like an inverted subnet mask, with zeros indicating bits that must match and ones indicating bits that do not need to match.

💡Implicit Deny

The implicit deny is a concept in ACLs where, if no matching rule is found for incoming traffic, the traffic is automatically denied. The script refers to this as an 'invisible deny everything rule' at the bottom of every access list, emphasizing the importance of rule order and the default behavior of ACLs.

Highlights

Access control lists (ACLs) are rule-based lists used by switches and routers to identify traffic.

ACLs can be used to deny or permit traffic based on source and destination addresses, and port numbers.

Other uses for ACLs include network address translation and quality of service configuration.

ACLs are composed of rules that determine if traffic should be permitted or denied.

The order of rules in an ACL is crucial as it affects the application of rules to traffic.

An implicit deny rule exists at the bottom of every ACL if no match is found.

There are three types of ACLs: standard, extended, and named.

Standard ACLs use source addresses for traffic identification and range from 1 to 99 or 1300 to 1999.

Extended ACLs offer more granular control with source, destination, protocol, and port number identification.

Extended ACLs use numbers between 100 and 199 or 2000 to 2699.

Named ACLs assign names instead of numbers for easier identification and management.

Wildcard masks in standard ACLs act like inverted subnet masks to determine matching bits in an IP address.

Extended ACLs require specifying protocol, source and destination IP addresses, masks, and port operators.

Port numbers can be matched using operators like 'gt', 'lt', 'neq', 'eq', and 'range'.

The importance of rule order is emphasized to avoid unintended traffic denial or permission.

Examples provided demonstrate the configuration and interpretation of standard, extended, and named ACLs.

An implicit deny at the bottom of ACLs ensures all unmatched traffic is denied by default.

The video is part of a full CCNA course, available for further learning.

Transcripts

00:00

Hey, what's up guys, welcome to CertBros. In this video we're going to be talking about access control lists.

00:19

So what is an access control list? Access control lists, also known as ACLs or simply access lists, are rule-based lists that are used by switches and routers to identify traffic. They can identify traffic based on the source address, destination address and port numbers. The most common use for an access list is to deny or permit traffic, but there are other uses for access lists, such as configuring network address translation and quality of service. Let's take a look at a quick example.

00:55

This router has an ACL configured. The ACL is configured with rules that tell it which traffic is allowed to pass and which traffic is not. For example, we may want to allow all traffic destined for this server, but at the same time we may want to block all other traffic to any other host. This is all possible with a very simple access list.

01:20

Okay, so now we have an idea about what an access list does. Let's see what one looks like.

01:27

Here is a simple access list. It consists of one or more lines called rules, which specify if traffic should be permitted or denied. Don't worry, we'll look at what each bit means in just a moment. The first thing you'll probably notice is the number on the left. This represents the order of each rule. The reason it goes up in tens is to give you the flexibility to come back at a later date and add rules in between the existing ones.

01:56

Why does that matter? Well, the order of the list is very important. When a router or switch receives some traffic, it checks the access control list. It starts at the top of the list and it works its way down. It keeps going until it finds a matching rule. As soon as a matching rule is found, it stops looking and applies that rule. This means you have to be very careful to put the rules in the right place, otherwise you could deny traffic that you're trying to permit or permit traffic that you're trying to deny. We'll see this more as we go.

02:33

Another very important note here is that if no matching rule is found, the traffic will automatically be denied. There is an invisible deny everything rule at the bottom of every access list. This is known as the implicit deny.

02:52

Okay, so now we know what an access list does and what it looks like. Now let's take a closer look.

02:59

There are three types of access list. The first is a standard access list. Now, when you configure an access list you use a number to identify the type of access list you want to configure. A standard access list uses any number between 1 and 99. Then Cisco decided to expand this to also include 1300 to 1999. This expansion meant we can configure a lot more access lists per device. Standard access lists only use the source address to identify traffic, so this can be quite limiting.

03:37

The second type of access list is called an extended access list. Extended access lists use any number between 100 and 199, and expanded numbers between 2000 to 2699. Extended access lists allow us to identify traffic not only on the source address but the destination address, protocol and port number as well. So we can have a lot more granular control with extended access lists.

04:08

The last type I want to mention is called a named access list. A named access list allows standard or extended lists to be given names rather than numbers. If you have multiple access lists on a device, named lists make it easier to identify what each list does, making them easier to manage. We're going to look at all three of these in a bit more detail.

04:32

First, let's look at standard access lists.

04:38

This is a command to configure a single standard access list entry. It can look a bit intimidating at first, so we're going to break it down. The first part specifies the access list number. Remember, any number between 1 and 99 or 1300 to 1999 means this will be a standard access list. The next part is the action: do we want to permit this traffic or do we want to deny it? We then have our source IP address and finally something called a wildcard mask. Now, the wildcard mask will need some further explaining.

05:16

A wildcard mask works with an IP address. It's like an inverted subnet mask. The job of a wildcard mask is to identify the bits of an IP address that need to match and the bits that don't. To do this you need to compare the wildcard mask with the IP address. Wherever you see a zero, this means that corresponding bit must match. Wherever you see a 1, this means the bit does not need to match.

05:43

So in our example here we have the address 192.168.10.0 and the wildcard mask of 0.0.0.255. This means it will match any traffic with the source address between 192.168.10.0 to 192.168.10.255, because the wildcard mask states that the last eight bits don't need to match. So to summarize this rule: it will permit any traffic coming from the source address 192.168.10.something.

06:20

Okay, so that was nice and simple. Let's now look at an extended access list.

06:27

This is a command to configure a single extended access list entry. As you can see, there is a bit more to it than the standard access list. Don't worry though, we're going to break it down. The first part specifies the access list number. Because we're now configuring an extended access list, we will use something between 100 and 199 or 2000 to 2699. The next part is the action, so this time we will be denying this traffic. Next we have a new section: this matches the traffic protocol. In this example we have TCP, but this could be UDP, EIGRP, OSPF etc. Then we have the source IP address followed by the source wildcard mask. Then we have the destination IP address and the destination wildcard mask.

07:23

After that we have something called an operator. An operator is used to match port numbers. We have a few different operator options: gt means greater than, lt means less than, neq means not equal to, and eq means equal to. range means included in the range you specify. In this example we're going to use eq, which means equal to, and then we'll specify the port number. We can do this using the port number itself or we can use a keyword for common ports. Here I typed ftp, meaning port 21. An important note here: when configuring an extended access list, the source IP and port number always comes first.

08:18

Okay, so to summarize this rule: deny all TCP traffic coming from 192.168.10.something with a destination IP address of 192.168.20.50 and a destination port number of 21.

08:40

The last one we need to look at is a named access list. Now, luckily, named access lists are pretty similar; they're just configured slightly differently. The first thing you need to do is type ip access-list, then you specify if you want to configure a standard or an extended access list, then you just need to choose a name. Here I've chosen certbros for the name. Then you enter the access list configuration mode, where you can add the rules in the same way as before.

09:11

So this access list will deny any TCP traffic with a source IP address of 192.168.10.something, with a destination IP address of 192.168.20.50 and a destination port number of 21, which is FTP. After that it will permit any IP traffic with a source IP address of 192.168 and a destination IP address of 192.168.20.50.

09:44

Can you see the importance of having the correct order? If these two entries were the other way around, then FTP traffic would be permitted, because the bottom rule would never be checked.

09:59

So that is how you configure the three types of access list, but you also need to be able to read the lists. Let's take a look at a few examples and try and figure out what they do.

10:11

Here's our first list. We know it's an extended list because, well, because it says extended at the top. But not only that, it also has a number of 101, which hopefully by now we know is an extended access list number. Below this we have our list rules. The first one states: deny all TCP traffic destined for 192.168.10.something with a destination host address of 192.168.20.50 and the destination port number of 21.

10:51

Now, access lists that have a 32-bit wildcard mask, or 0.0.0.0, meaning one IP exactly, will show a host address. You can even use the keyword host when configuring it. The next rule is the same, but this time we are blocking Telnet traffic, and the bottom one permits any IP traffic from 192.168.10.something with a destination host address of 192.168.20.50. Nice and easy, right? Well, the next one is even easier.

11:32

This is a standard list. Of course, it says standard at the top, but it's also using a standard number. Remember, standard access lists only filter based on the source IP address. So this list is permitting traffic from host 192.168.10.10, .15 and .20. Remember, all access lists have an implicit deny at the bottom, so everything else will be denied.

12:07

Okay, let's look at the last example. This is an extended access list, but this time it doesn't have a number; instead it has a name. The first rule permits TCP traffic, and there is a keyword here that we haven't seen yet. We can use the any keyword to specify any IP address, so in this case any source IP. And then we have the destination host address of 192.168.20.50, and which port do you think www means? HTTP, port 80. The second rule is the same, but it's permitting FTP traffic on port 21.

12:52

Hopefully this has given you a good understanding of access lists, what they're used for and the different types. This video is part of the full CCNA course, which can be found in the description, so please feel free to go and check that out. If you like this video, don't forget to give it a thumbs up, leave a comment and subscribe. The support from you guys really helps this channel grow. Other than that, thank you for watching.
