Time
15 hours 34 minutes
Difficulty
Intermediate
CEU/CPE
16

Video Description

Extended Access Lists Lab

In this lesson, we demonstrate through a number of simulation scenarios how extended access lists work and how they differ from standard access lists. You'll learn how to deny and permit specific hosts and protocols (Telnet over TCP, ping over ICMP, OSPF) with named extended access lists, why the implicit deny at the end of every list matters for routing traffic, and how to verify the list with hit counters and extended pings sourced from loopback interfaces.

Video Transcription

00:04
Now I'm going to demonstrate how an extended access list is created,
00:08
and I'm going to do it
00:10
on Router 1, and I'm gonna permit certain access, certain...
00:16
I'm gonna permit Router 2A1 certain access to Router 3 and deny Router 2A1 certain access to Router 3.
00:24
So
00:25
let's first see if Router 2A1 can telnet to Router 3.
00:30
I'm gonna say telnet
00:31
150.101.45.3, which is Router 3's address.
00:37
And right now it's refusing connections to
00:41
Router 2A1, because
00:45
I have
00:46
only permitted
00:48
PC 3 to get to Router 3. So
00:53
I'm gonna get rid of my access list here:
00:57
no access-list 10,
01:03
and then try again.
01:08
And Router 2A1 should be able to gain a connection
01:11
to Router 3. There we go. And I'm inside of Router 3; see, the prompt changed.
01:18
I'm gonna exit out now. We created a question that we're going to solve using an extended access list.
01:23
I'm saying Router 2A1 should be denied from Telnet access to Router 3.
01:29
So let's work these one at a time.
01:33
So when Router 2A1 tries to telnet to Router 3, by default Router 2A1 is going to use the...
01:41
As a source IP address in the Telnet
01:44
session, Router 2A1 is going to use the IP address of the exit interface towards Router 3, which is the IP address of the Serial 0/1/0 interface which, if we look at our show ip int brief one more time,
02:02
is the 202.102.100.2 address.
02:07
So I am creating this access list on Router 1.
02:13
And I'm gonna create a named access list this time because, as we saw, numbered access lists
02:22
can be dangerous, because if you take away one entry, all entries are automatically deleted. So the new way of doing access lists is to create named access lists.
02:32
So I'm going to say ip
02:35
access-list
02:37
extended
02:38
and then it's asking me for a name.
02:42
If I wanted to create an extended access list that's a numbered access list, I simply would have to pick a number between 1 and 199. But we're gonna go ahead and create a named access list.
02:53
So I say ip access-list extended, and then a name, CCNA.
02:59
And see, now my prompt is config-ext-nacl,
03:04
named access list.
03:07
At this point, I'm going to say
03:09
I'm supposed to deny Telnet access from R2A1 to R3.
03:15
So
03:17
I'm going to say deny,
03:22
space, question mark.
03:23
Now I'm denying Telnet access. Telnet uses TCP port 23,
03:31
Telnet uses TCP port 23. So I'm going to deny
03:38
TCP.
03:40
Now my source address. I'm denying Router 2A1's Serial 0/1/0 interface address.
03:50
So that's going to be deny tcp
03:54
202.102.100.3 and then the wildcard.
04:00
The source is 202.102.100.3 in the packet,
04:05
and then the wildcard for one address is 0.0.0.0.
04:12
Then it's asking me for a destination address.
04:16
So the destination is Router 3's F0/0
04:21
address, which is 150.
04:28
101.45.3,
04:31
and then again the wildcard 0.0.0.0. I could also say, for one address, the word host 150.101.45.3.
04:45
At this point, I hit Enter.
04:47
Now the next step in my question
04:50
was:
04:54
Router 2A1 should not be able to ping Router 3 using its Serial 0/1/0 address.
05:01
So I should not be able to ping
05:04
Router 3 using 202.102.100.3 as my source. So once again, I'm gonna deny.
05:15
Now, ping, if you remember, works under the protocol ICMP. So ICMP, if I execute the help feature, is an option I can use.
05:25
So I'm going to say deny
05:28
icmp,
05:31
and then I'm going to say
05:33
host, for one address,
05:36
202.102.100.3,
05:42
and then I'm denying it to the 150.101.45.3 address,
05:47
so I can say 150.101.45.3 and use the wildcard of all zeros.
05:55
I'm mixing and matching the host option and the 0.0.0.0 wildcard option. Both do the same thing. I'm just showing you the different ways it can be done. You can do it either way, whatever you prefer.
06:09
Then
06:13
my question says that Router 2A1 should be able to ping Router 3 using its Loopback 0 interface address.
06:23
So on Router 2A1, the Loopback 0 interface address
06:29
is
06:31
21.21.21.21.
06:38
No, it's... I'm saying it should be able to ping Router 3 using its Loopback 8 address. Excuse me.
06:45
So Loopback 8's address is actually 30.10.8.8.
06:51
So I'm gonna go to Router 1,
06:55
maximize,
06:57
permit
07:00
icmp.
07:06
Let's change this
07:09
so I can show you a different...
07:12
Loopback 8.
07:17
What loopbacks? So I have here 8, 9 and 10.
07:20
I'm going to change it to:
07:24
Router 3 should be able to ping...
07:28
Router 2A1 should be able to ping
07:30
Router 3 using its Loopback 8,
07:34
9 and
07:38
10 addresses. So all three.
07:43
So back to Router 1. I'm gonna permit ICMP,
07:48
which is the protocol ping works with.
07:51
I'm gonna permit
07:54
icmp 30.
07:57
The source address is going to be 30.10.0.0,
08:01
because Loopback
08:03
8, 9 and 10 on Router 2A1 have their third and fourth octet changing.
08:13
So Loopback 8 is 30.10.8.8, Loopback 9 is 30.10.9.9, Loopback 10 is 30.10.10.10.
08:22
So I'm gonna have to permit on Router 1: permit icmp 30.10.0.0. So I care about the first two octets, and I want to permit through anything in the last two octets. So I'm going to say
08:37
match the first octet with zero, match the second octet, and permit anything in the third and the fourth octet.
08:46
So 0.0.255.255
08:50
to Router 3's address
08:54
of 150.101.45.3. So I'm simply going to say host 150.101.45.3. I also could have used the 150.101.45.3 and then 0.0.0.0 option instead of the keyword host.
09:11
Both do the same thing.
09:13
Go ahead, Enter.
09:16
Next, since I am going to apply this
09:20
inbound on Router 1's
09:24
S0/0/0 interface, and Router 2A1 is sending OSPF hellos to Router 1, I want to make sure that the implicit deny any statement at the end of every access list does not take down my routing, does not take down my OSPF.
09:43
So I'm also going to have to permit...
09:48
And if I execute, uh,
09:50
the help feature,
09:52
you see OSPF is an option. I'm going to say permit
09:58
ospf, and at this point I can just simply say any any,
10:05
and then deny ip
10:07
any any: deny everything else, which is a good thing to do as far as security goes.
10:13
Then I'm going to apply this access list inbound on Serial 0/0/0 on Router 1.
10:22
So I went into the interface by saying interface serial 0/0/0, and I'm going to say ip access-group
10:30
and then the group name was CCNA,
10:33
and this is inbound.
10:39
Now let's see if my access list works. Let's make sure it's in our running config,
10:46
and there it is.
10:48
And let's see if this worked. So first I'm going to try and telnet to Router 3 from Router 2A1, and it should not work. We look for the access list in our running config. And I just noticed that Router 2A1's IP address on Serial 0/1/0 is actually
11:09
202.102.100.2.
11:11
And what I have permitted on Router 1
11:16
is 202.102.100.3. So this access list won't work.
11:22
What I can do
11:24
is simply,
11:24
instead of having to type this thing out over again,
11:30
I can simply
11:35
say copy, paste.
11:39
I'll reduce the font a little bit so you guys can see the whole
11:43
access list,
11:50
and I'm going to delete this access list that I created
11:54
and then re-create it through the magic of copy and paste.
12:00
So if you do make a mistake, guys, like I just did, it is a simple matter of going to Notepad,
12:07
putting a no in front of the ip access-list extended CCNA command, which will delete this whole access list,
12:13
and then I can just re-create it
12:16
with the correct IP and copy and paste this whole thing back. So I don't even need to
12:22
copy this. I just copied this portion.
12:26
Copy,
12:26
going to Router 1,
12:33
going to config mode, and simply hit paste.
12:37
So the no ip access-list extended CCNA command took away the mistake, and then it immediately re-created and pasted the correct address, which is .2.
12:48
Let me make sure this exists in my running config.
12:52
Do show run. You have to be careful with access lists, guys. I made a simple typo and, uh, it could have...
13:01
If this was a live network, I could have been in big trouble for this.
13:07
So I scroll down in my running config
13:11
and make sure it's there.
13:13
Yes, it is. And this is the correct address. And if I scroll up,
13:20
I have applied the ip access-group CCNA in command on my serial interface,
13:26
so I can get rid of this
13:30
and enlarge this again for you guys to see.
13:41
That's too big.
13:48
Okay,
13:54
so Router 2A1 should be denied from Telnet access to Router 3.
13:58
Let's try and telnet from Router 2A1 to Router 3.
14:03
Telnet
14:05
150.101.45.3,
14:11
and it's not going to be able to telnet
14:13
because the access list on Router 1
14:18
is not allowing me to telnet
14:22
now.
14:22
Secondly,
14:24
it says Router 2A1 should not be able to ping Router 3 using its Serial 0/1/0 address. So if I just simply send a ping from Router 2A1, by default it's gonna use the IP address on the outbound interface, which is 202.102.100.2. So this ping should also fail.
14:45
Ping 150.101.
14:50
45.3. I get
14:54
a bunch of U's returned from Router 1, which means destination unreachable.
15:00
However, if I pick any one of these loopback interfaces as my source address to ping, it should work.
15:09
So how do I pick
15:11
an interface other than my outbound interface as my source address in a ping?
15:16
That brings me to an extended ping.
15:18
So you execute an extended ping by just typing in ping, typing in ping and hitting Enter.
15:26
It asks me, are you going to use the protocol IP? I am, so I just hit Enter.
15:31
My target IP address is 150.
15:35
101.45.
15:37
3.
15:39
And if I hit
15:41
Enter at this point, my repeat count is 5. Let's make this fun. Let's make this 50.
15:46
I hit Enter. My datagram size is 100. I'm going to keep it at 100.
15:52
My timeout is two seconds. I'm going to keep it at two seconds by hitting Enter.
15:56
Now, when it asks me for extended commands,
16:02
I'm going to say y for yes,
16:06
and you see, now it's asking me for a source address. Now I can pick Loopback... I can pick Loopback 8, 9 or 10 as my source address.
16:17
So I'm gonna pick 30.10.8.8 as my source address.
16:22
And I'm just gonna hit Enter all the way through to the end, because the other options do not matter to us.
16:30
And of course, you see it is working.
16:33
So if I go check my access list on Router 1,
16:40
I should have hits against all these entries.
16:44
So
16:45
show
16:45
access-lists,
16:48
and you see I have hits against all my entries.
16:55
Now
16:56
the deny ip any any
16:59
does not have any hits because we did not test any commands
17:03
that would deny
17:04
me access. So I could possibly
17:08
go to Router 2A1
17:11
and show ip...
17:17
show ip interface brief
17:21
and include
17:22
my Loopback 0 address, which is 21.21.21.21, into OSPF by saying router
17:32
ospf 100, network
17:34
21.21.21.21
17:38
0.0.0.0 area 1. The area between Router 2A1 and Router 1 is
17:45
area 1.
17:47
Go check to see that the 21 network propagated out
17:52
to Router 1 and Router 3.
17:55
So show ip route,
17:59
and I see the 21 network is an OSPF route in my routing table. It should have also propagated out to Router 3.
18:08
Show ip route.
18:12
And there it is. It's an inter-area route coming from area
18:17
1 to area 0, where Router 3 is located.
18:22
And if I now do an extended ping by picking the 21 address as my source address, I should see hits against that deny statement. So I say ping, Enter, protocol IP,
18:36
the target is 150.101.45.3. And then I go down to extended commands, say yes, my source address I'm gonna pick as the 21.21.21.21 address,
18:48
hit Enter all the way to the end, and I get a destination unreachable message.
18:55
So if I go down to Router 1 now and check my access list by saying show access-lists,
19:03
the deny ip any any shows five matches against it.
19:07
This concludes my
19:08
extended access list lecture.
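The access list built in the lecture, modelled as an added example (this is not code from the lecture, from Cyber ary or from Cisco). The Python below re-creates the CCNA list configured on Router 1 with the addresses as read from the transcript (202.102.100.2 for Router 2A1's S0/1/0, 150.101.45.3 for Router 3, the 30.10.x.x loopbacks, 21.21.21.21 for Loopback 0) and evaluates constructed packets the way IOS does: top-down, first match wins, implicit deny at the end, and a per-entry hit counter like `show access-lists`. One assumption: the lecture's Telnet entry as spoken has no port qualifier and so denies all TCP from that host; the example adds `eq telnet` to match the stated goal. The second run reproduces the typo from the lecture (.3 instead of .2) to show why the hit counters matter: the specific deny entries never fire and the catch-all `deny ip any any` silently absorbs the traffic instead.

```python
"""Model of how a Cisco IOS extended named ACL evaluates traffic (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# IP protocol numbers for the keywords used in the lecture; 'ip' matches any protocol.
PROTO_NUMS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "ospf": 89}
PORT_NAMES = {"telnet": 23}


@dataclass
class Packet:
    proto: int                   # IP protocol number
    src: str
    dst: str
    dport: Optional[int] = None  # TCP/UDP destination port, if any


@dataclass
class Entry:
    action: str
    proto: str
    src: Tuple[int, int]         # (address, wildcard mask) as integers
    dst: Tuple[int, int]
    dport: Optional[int]
    text: str
    hits: int = 0


def _addr(a: str) -> int:
    return int(ipaddress.IPv4Address(a))


def _parse_addr_spec(tokens: list) -> Tuple[int, int]:
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return _addr(tokens.pop(0)), 0
    return _addr(tok), _addr(tokens.pop(0))  # e.g. 30.10.0.0 0.0.255.255


def _matches(addr: int, spec: Tuple[int, int]) -> bool:
    """Wildcard semantics: a 1 bit in the mask means 'don't care'."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return addr & care == base & care


def parse_acl(config: str) -> list:
    """Parse the permit/deny lines of an 'ip access-list extended' block."""
    entries = []
    for line in config.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # the 'ip access-list extended NAME' header or a blank line
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, dst = _parse_addr_spec(rest), _parse_addr_spec(rest)
        dport = None
        if rest and rest[0] == "eq":
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        entries.append(Entry(action, proto, src, dst, dport, line.strip()))
    return entries


def evaluate(entries: list, pkt: Packet) -> str:
    """Return 'permit' or 'deny' for pkt; the first matching entry gets the hit."""
    for e in entries:
        want = PROTO_NUMS[e.proto]
        if want is not None and want != pkt.proto:
            continue
        if not _matches(_addr(pkt.src), e.src) or not _matches(_addr(pkt.dst), e.dst):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        e.hits += 1
        return e.action
    return "deny"  # the implicit 'deny ip any any' every ACL ends with


# The lecture's list on Router 1, with the corrected .2 source and 'eq telnet' added.
LECTURE_ACL = """
ip access-list extended CCNA
 deny tcp host 202.102.100.2 host 150.101.45.3 eq telnet
 deny icmp host 202.102.100.2 150.101.45.3 0.0.0.0
 permit icmp 30.10.0.0 0.0.255.255 host 150.101.45.3
 permit ospf any any
 deny ip any any
"""

# Constructed traffic arriving inbound on Router 1 S0/0/0 from Router 2A1.
R3 = "150.101.45.3"
TRAFFIC = [
    ("telnet from S0/1/0", Packet(6, "202.102.100.2", R3, 23)),
    ("ping from S0/1/0", Packet(1, "202.102.100.2", R3)),
    ("ping from Loopback8", Packet(1, "30.10.8.8", R3)),
    ("ping from Loopback9", Packet(1, "30.10.9.9", R3)),
    ("ping from Loopback10", Packet(1, "30.10.10.10", R3)),
    ("OSPF hello", Packet(89, "202.102.100.2", "224.0.0.5")),
    ("ping from Loopback0", Packet(1, "21.21.21.21", R3)),
]


def run(config: str):
    """Evaluate TRAFFIC against config; return (verdict per flow, hits per entry)."""
    entries = parse_acl(config)
    verdicts = {name: evaluate(entries, pkt) for name, pkt in TRAFFIC}
    return verdicts, {e.text: e.hits for e in entries}


if __name__ == "__main__":
    typo = LECTURE_ACL.replace("202.102.100.2", "202.102.100.3")  # the lecture's mistake
    for label, cfg in (("correct", LECTURE_ACL), ("typo .3", typo)):
        verdicts, hits = run(cfg)
        print(label, verdicts)
        for text, n in hits.items():
            print(f"  {n:3d} matches  {text}")
```

With the correct list, the Telnet and serial-sourced ping each hit their own deny entry, the three loopback pings hit the 30.10.0.0 0.0.255.255 permit, the OSPF hello is permitted, and only the Loopback 0 ping reaches `deny ip any any`. With the .3 typo, the two specific deny entries show zero matches and `deny ip any any` shows three; that is what you look for in `show access-lists` before trusting a list on a live interface.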

Instructed By

Junaid Memon
Instructor