Now I'm going to demonstrate how an extended access list is created, and I'm going to do it on Router 1. I'm going to permit Router 21 certain access to Router 3 and deny Router 21 certain other access to Router 3.

Let's first see if Router 21 can telnet to Router 3. I'm going to say telnet 150.101.45.3, which is Router 3's address. And right now it's refusing connections to Router 21, because of the access list that's already on here for PC 3 to get to Router 3. So I'm going to get rid of my access list here, and Router 21 should be able to gain a connection to Router 3. There we go. And I'm inside of Router 3; see, the prompt changed.
I'm going to exit out now. We created a question that we're going to solve using an extended access list. I'm saying Router 21 should be denied Telnet access to Router 3. So let's work these one at a time.

When Router 21 tries to telnet to Router 3, by default Router 21 is going to use, as the source IP address in the Telnet session, the IP address of the exit interface towards Router 3. That is the IP address of its serial 0/1/0 interface which, if we look at our show ip interface brief one more time, is the 202.102.100.2 address.
So I am creating this access list on Router 1. And I'm going to create a named access list this time because, as we saw, numbered access lists can be dangerous: if you take away one entry, all entries are automatically deleted. So the new way of doing access lists is to create named access lists.

So I'm going to say ip access-list, and then it's asking me for a name. If I wanted to create an extended access list as a numbered access list, I simply would have to pick a number between 100 and 199. But we're going to go ahead and create a named access list. So I say ip access-list extended, and then a name, CCNA. And see, now my prompt says config-ext-nacl.
At this point, I'm supposed to deny Telnet access from Router 21 to Router 3. I'm going to say deny, space, question mark. Now, I'm denying Telnet access, and Telnet uses TCP port 23. So I'm going to deny tcp.

Now my source address: I'm denying Router 21's s0/1/0 interface address. So that's going to be deny tcp 202.102.100.3 and then the wildcard. The source in the packet is 202.102.100.3, and the wildcard for one address is 0.0.0.0. Then it's asking me for a destination address. So the destination is Router 3's f0/0 address, which is 150.101.45.3, and then again the wildcard 0.0.0.0. I could also say, for one address, the word host: host 150.101.45.3. At this point, I hit Enter.
Now the next step in my question: Router 21 should not be able to ping Router 3 using its s0/1/0 address. So I should not be able to ping Router 3 using 202.102.100.3 as my source. So once again I'm going to deny. Now, ping, if you remember, works under the protocol ICMP. So icmp, if I execute the help feature, is an option I can use. So I'm going to say deny icmp, and then I'm going to say host 202.102.100.3 for the one source address, and then I'm denying it to the 150.101.45.3 address, so I can say 150.101.45.3 and use the wildcard of all zeros.

I'm mixing and matching the host option and the 0.0.0.0 wildcard option. Both do the same thing; I'm just showing you the different ways it can be done. You can do it either way, whichever you prefer.
My question says that Router 21 should be able to ping Router 3 using its loopback 0 interface address. So on Router 21, the loopback 0 interface address is 21.21.21.1. No, excuse me, I'm saying it should be able to ping Router 3 using its loopback 8 address. So loopback 8's address is actually 30.10.8.8. So I'm going to go to Router 21 so I can show you a different way. What loopbacks do I have here? I have 8, 9 and 10. I'm going to change it to: Router 21 should be able to ping Router 3 using its loopback 8, 9 and 10 addresses. So all three.

So back to Router 1. I'm going to permit icmp, which is the protocol ping works with. The source address is going to be 30.10.0.0 0.0.255.255. Loopbacks 8, 9 and 10 on Router 21 have their third and fourth octets changing. So loopback 8 is 30.10.8.8, loopback 9 is 30.10.9.9, loopback 10 is 30.10.10.10. So I'm going to have to permit, on Router 1: permit icmp 30.10.0.0 0.0.255.255. I care about the first two octets, and I want to permit through anything in the last two octets. So I'm going to say: match the first octet with a 0, match the second octet, and permit anything in the third and the fourth octet, to Router 3's address of 150.101.45.3. So I'm simply going to say host 150.101.45.3. I also could have used 150.101.45.3 and then the 0.0.0.0 option instead of the keyword host. Both do the same thing.
Next, since I am going to apply this inbound on Router 1's serial 0/0/0 interface, and Router 21 is sending OSPF hellos to Router 1, I want to make sure that the implicit deny any statement at the end of every access list does not take down my routing, does not take down my OSPF. So I'm also going to have to permit OSPF. And if I execute the help, you see ospf is an option. I'm going to say permit ospf, and at this point I can just simply say any any. Then deny ip any any: deny everything else, which is a good thing to do as far as security goes.

Then I'm going to apply this access list inbound on serial 0/0/0 on Router 1. So I went into the interface by saying interface serial 0/0/0, and I'm going to say ip access-group, and then the group name was CCNA, and this is inbound.
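The CCNA list built above, reproduced as an added example that is not code from the lecture: a small Python evaluator that parses IOS-style extended ACL entries, applies wildcard-mask matching with first-match semantics and the implicit deny, and runs the lecture's test traffic through it. It assumes Router 21's serial address is 202.102.100.2 (the corrected value) and that Telnet is matched as TCP port 23; the packets are constructed.

```python
import ipaddress

def _ip(text):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(text))

def _addr(tokens):
    """Consume one IOS address spec: 'any' | 'host A' | 'A WILDCARD'."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return _ip(tokens[1]), 0, tokens[2:]
    return _ip(tokens[0]), _ip(tokens[1]), tokens[2:]

def parse_ace(line):
    """Parse one extended ACE such as 'deny tcp host A host B eq 23'."""
    action, proto, *rest = line.split()
    src, src_wc, rest = _addr(rest)
    dst, dst_wc, rest = _addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return (action, proto, src, src_wc, dst, dst_wc, dport)

def _addr_match(addr, base, wildcard):
    # A wildcard bit of 1 means "don't care": compare only the bits that are 0.
    care = ~wildcard & 0xFFFFFFFF
    return (_ip(addr) & care) == (base & care)

def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, index) of the first matching ACE, or ('deny', -1)
    for the implicit deny at the end of every access list."""
    for i, (action, p, s, s_wc, d, d_wc, port) in enumerate(acl):
        if p != "ip" and p != proto:
            continue
        if not _addr_match(src, s, s_wc) or not _addr_match(dst, d, d_wc):
            continue
        if port is not None and port != dport:
            continue
        return action, i
    return "deny", -1

# The CCNA list from the lecture (assumed: source 202.102.100.2, Telnet as TCP 23).
ACL_TEXT = """
deny tcp host 202.102.100.2 host 150.101.45.3 eq 23
deny icmp host 202.102.100.2 host 150.101.45.3
permit icmp 30.10.0.0 0.0.255.255 host 150.101.45.3
permit ospf any any
deny ip any any
"""
CCNA = [parse_ace(l) for l in ACL_TEXT.splitlines() if l.strip()]
# The same list with the typo made at first in the lecture (source .3 instead of .2).
CCNA_TYPO = [parse_ace(l) for l in ACL_TEXT.replace("100.2 ", "100.3 ").splitlines() if l.strip()]
```

The returned index is the entry whose hit counter would increment in show access-lists; with the typo, the Telnet attempt falls through to deny ip any any instead of the Telnet entry, which is why the hit counts, not just the failed telnet, are what tells you the list is right.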
Now let's see if my access list works. Let's make sure it's in our running config, and let's see if this worked. So first I'm going to try and telnet to Router 3 from Router 21, and it should not work. We look for the access list in our running config, and I just noticed that Router 21's IP address on serial 0/1/0 is actually 202.102.100.2, and what I have configured on Router 1 is 202.102.100.3. So this access list won't work.

Instead of having to type this thing out over again, I'll reduce the font a little bit so you guys can see the whole thing, and I'm going to delete this access list that I created and then re-create it through the magic of copy and paste. So if you do make a mistake, guys, like I just did, it is a simple matter of going to Notepad, putting a no in front of the ip access-list extended CCNA command, which will delete this whole access list, and then I can just re-create it with the correct IP and copy and paste this whole thing back. So I don't even need to copy all of this; I just copied this portion, go into config mode and simply hit paste. So the no ip access-list extended CCNA command took away the mistake, and then it immediately re-created the list and pasted in the correct address, which is .2.

Let me make sure this exists in my running config. Do show run. You have to be careful with these access lists, guys. I made a simple typo and, uh, it could have... If this was a live network, I could have been in big trouble for this. So I scroll down in my running config and make sure it's there. Yes, it is, and this is the correct address. And if I scroll up, I have applied the ip access-group CCNA in command on my serial interface. So I can get rid of this and enlarge this again for you guys to see.
So: Router 21 should be denied Telnet access to Router 3. Let's try and telnet from Router 21 to Router 3. And it's not going to be able to telnet, because the access list on Router 1 is not allowing me to telnet.

Second: Router 21 should not be able to ping Router 3 using its serial 0/1/0 address. So if I just simply send a ping from Router 21, by default it's going to use the IP address on the outbound interface, which is 202.102.100.2. So this ping should also fail. Ping 150.101.45.3: a bunch of U's returned from Router 1, which means destination unreachable. However, if I pick any one of these loopback interfaces as my source address to ping, it should work. How do I pick an interface other than my outbound interface as my source address in a ping? That brings me to an extended ping.
So you execute an extended ping by just typing in ping and hitting Enter. It asks me, are you going to use the protocol IP? I am, so I just hit Enter. My target IP address is 150.101.45.3; Enter. At this point my repeat count is five. Let's make this fun, let's make this 50. I hit Enter. My datagram size is 100; I'm going to keep it at 100. My timeout is two seconds; I'm going to keep it at two seconds by hitting Enter. Now, when it asks me for extended commands, I'm going to say y for yes, and you see now it's asking me for a source address. Now I can pick loopback 8, 9 or 10 as my source address. So I'm going to pick 30.10.8.8 as my source address. And I'm just going to hit Enter all the way through to the end, because the other options do not matter to us. And of course, you see it is working.
So if I go check my access list on Router 1, I should have hits against all these entries. And you see I have hits against all my entries. The deny ip any any does not have any hits, because we did not test anything that would match it. So I could possibly go to Router 21, show ip interface brief, and put my loopback 0 address, which is 21.21.21.1, into OSPF by saying router ospf, and then network 21.21.21.1 0.0.0.0 area 1. The area between Router 21 and Router 1 is area 1. Go check to see that the 21 network propagated out to Router 1 and Router 3. And I see the 21 network is an OSPF route in my routing table. It should have also propagated out to Router 3. And there it is. It's an inter-area route coming from area 1 to area 0, where Router 3 is located.

And if I now do an extended ping by picking the 21 address as my source address, I should see hits against that deny statement. So I say ping, Enter, protocol ip, the target is 150.101.45.3, and then I go down to extended commands, say yes, and as my source address I'm going to pick the 21.21.21.1 address. Hit Enter all the way to the end, and I get a destination unreachable message. So if I go down to Router 1 now and check my access list by saying show access-lists, the deny ip any any shows five matches against it.

That concludes the extended access list lecture.