Welcome back. My name is David Bombal, CCIE 1123. In this section, we're going to look at access lists. I'd like to show you how to implement security using access control lists, which are one of the most basic building blocks for implementing security in a Cisco network. These days, there are multiple ways to implement security, but access lists are one of the most fundamental, and a lot of the newer technologies are based on them. So it's important that you have a good understanding of how access lists work and how to implement them.

So we're going to look at the purpose of access control lists. I'd like to show you how they are bound to interfaces; they are bound either inbound or outbound. I'd like to show you various types of access lists, including numbered lists, named access lists, as well as standard and extended access control lists, or ACLs. I'd like to explain what a wildcard mask does and how you can match individual hosts, subnets or all hosts by changing the wildcard mask. I'd also like to explain time-based, reflexive and dynamic ACLs.
Now, before getting into a discussion of access control lists, or ACLs, let's review some of the information covered in the ICND1 course. You will not be able to implement ACLs without a good understanding of protocols, port numbers and other options available in the TCP/IP protocol stack, and of other protocols if you have them running on your network.

So here's an example. If we have a PC connecting to a server and the PC connects using HTTP, and that traffic is sent across the network, router 1 will see a packet with a source address of 10.1.1.1 and a source port number greater than 1023. So in this example, let's say 1024. In this case, because you are using HTTP, it's going to the well-known port number 80. So the destination IP address is 10.1.2.1 and the destination port number is 80.

Now, with access lists, direction is of great importance. On this interface, the router is receiving the packet inbound, but on this interface, the packet is being transmitted outbound. It's important that you look at this from the router's point of view. The packet arrives inbound and is sent outbound. So in other words, if you configure an access list outbound on this interface, it would have no effect on traffic from the PC to the server, because an outbound access list only checks traffic that is outbound from the router's point of view.
So if you configured an inbound access control list on the left-hand side, packets would have to pass that access control list before being permitted. And once again, if you configured an outbound access control list on this interface, traffic sent out would have to pass the access list, or be permitted by the access list. Otherwise the traffic will be dropped.

When the server sends traffic in reply, the source address will now be 10.1.2.1 with a source port of 80, and the destination IP address will be 10.1.1.1 and the destination port number will be 1024. In this case, an outbound access list on this interface would come into effect for traffic from the server to the PC, because the traffic is going out from the router's point of view. So an access list configured outbound on this interface would affect this traffic, and this traffic would have to pass the criteria set in the access list before being permitted. By the same token, an inbound access list on this interface would affect the traffic, and the traffic would have to pass the criteria set in that access control list.

Here's another example. This MacBook is telnetting to switch 1 via the router, so for argument's sake, let's assume the MacBook chooses port 50000. The source address of frames from the MacBook to the switch would be 10.1.1.1 with a source port of 50000.
The destination would be 10.1.2.1 with a destination port number of 23. So once again, from the router's point of view, it's receiving frames on this interface with a source of 10.1.1.1 and source port 50000, and it's transmitting those packets out of this interface with the same details. Packets sent in reply from the switch have a source address of 10.1.2.1, a source port of 23, a destination IP address of 10.1.1.1 and a destination port of 50000. Once again, it's important that you understand your protocols and port numbers, because without that understanding you'll not be able to configure ACLs. Always look at the direction of the traffic to determine whether an access list should be bound inbound or outbound on specific interfaces.

Here are some examples of well-known TCP protocols with the relevant port numbers: FTP uses port 21 for control and 20 for data, Telnet uses port 23, Secure Shell uses port 22, SMTP uses port 25, HTTP uses port 80, POP3 uses port 110 and SSL uses port 443. So those are examples of some well-known TCP port numbers that you should remember. For the real world, just Google "IANA port numbers" to see the list of Internet Assigned Numbers Authority port numbers. The IANA is in charge of port numbers and determines their allocation.
So as an example, just type "IANA port numbers" and your very first hit will be a list of port numbers, and they explain quite nicely the well-known port numbers, the registered port numbers, and the dynamic and private port numbers. So as an example, if you just do a search for Telnet, you'll see which port number Telnet uses. So here's a nice list if you're not sure which port numbers are used by specific protocols.

Here's an example of protocols that use UDP and their relevant port numbers. So as an example, DHCP uses port numbers 67 and 68, TFTP uses port 69 and SNMP uses port 161. Once again, on that same IANA list, you could do a search for specific protocols, and there's an example of TFTP. DNS is a special case: it uses port number 53, and it uses both TCP and UDP. So both for study purposes and for the real world, remember that protocols like Telnet use port 23 and Telnet uses TCP, whereas, for example, TFTP uses port 69 using UDP.

Now, why would you use ACLs? Up to this point, of course, we've been enabling access between different parts of the network: no shutting interfaces, creating inter-VLAN routing, and setting up routing protocols like EIGRP and OSPF all enable access throughout the network. However, you might not want everyone to be able to access every part of the network. This is especially true when you connect to the Internet.
You don't necessarily want everyone on the Internet to be able to access your corporate servers or corporate network. So access lists are one of the first lines of defense to stop or deny traffic from one part of the network to another; they can be used to permit or deny traffic moving through a router. So as an example, we might allow this MacBook to gain access to the Internet, but we might deny traffic from the Internet into our corporate environment. So we would permit or deny traffic on a per-interface basis and thus deny traffic moving through the router.

You could put a password on a VTY line on a router to force a level of security. However, you might say that only an administrative subnet, for instance this machine on an administrative subnet, is allowed to access the VTY lines, while this machine is not allowed to access the VTY lines. In this case, the access list will not even permit Telnet or SSH traffic to the VTY lines on this router. So rather than just having one line of defense, a password, you implement two lines of defense: only permitting certain subnets to the VTY lines, as well as putting a password on the VTY lines. When it comes to security, you've got to think of the risk; dependent on the risk, you will implement more security. In this case, you might deem the risk of users accessing network equipment to be high.
So you only allow certain subnets to connect to the VTY lines of a router or a switch.

So once again, without ACLs all packets could be transmitted to all parts of the network, and that might not be desirable. So you might want to deny certain parts of the network from gaining access to other parts of the network. The whole idea here is that you are starting to implement security, locking down parts of the network so that they cannot be accessed by all individuals inside and outside of the organization.

ACLs, however, are not just used for permitting or denying traffic; they can also be used for classification. When setting up an IPsec VPN, or virtual private network, between two sites, you need to tell the router which traffic needs to be encrypted. You might not want all traffic from your local LAN encrypted, because you might want traffic from your local LAN to an Internet server to be sent unencrypted, but traffic from your local LAN to the LAN on the other side of the VPN tunnel needs to be encrypted. So you create an access list determining what traffic is interesting, in other words needs to be encrypted, and what traffic is not interesting, in other words does not need to be encrypted.

ACLs can also be used in redistribution, where you are taking routes from one routing protocol and redistributing them, or pumping them, into another routing protocol.
So you might not want OSPF to learn about all EIGRP routes, and therefore you can use an access control list to limit, or only permit, certain routes to be redistributed.

Access lists are also used with NAT, or network address translation: the access list will determine which packets need to be translated and which packets do not need to be translated. So you would create an access list permitting only certain subnets, which would allow those packets to be translated. Packets denied by the access list are not denied access or dropped, but they are not translated using network address translation, or NAT.

When using ACLs to permit or deny packets moving through a router, there are two main steps. So firstly, in global configuration mode, you create the access list using the access-list command and then filling in various options. So the access-list command is used to create the access list, and then secondly, you apply the access list either inbound or outbound on an interface by using the access-group command. So the access-list command creates the access list, the access-group command binds the access list, and when you bind it, you either specify inbound or outbound, in other words determining the direction in which the access list is bound. It's important to note that an ACL does not take effect until it's applied somewhere.
So if you have access lists in the running configuration of a router and they haven't been applied, they have no effect. There are two steps: you create the access list and then you apply it somewhere, for instance inbound on FastEthernet 0/0.

So once again, with inbound ACLs, applied inbound on an interface, the ACL will be processed before the traffic is routed. In other words, if the ACL denies the traffic and the traffic is discarded, the router will not have to process the packets by looking at its routing table and determining the outbound interface. The packets will be discarded or dropped before the routing engine needs to process them. If they are permitted, they will be processed for routing and the router will determine the outgoing interface. If discarded, there is no additional overhead on the router, because the router does not need to do a routing table lookup to determine the egress, or outgoing, interface. If the traffic is permitted, the routing process will then do the routing table lookup to determine the outgoing interface.

With outbound ACLs, routing is performed first and then the packet is directed to an outbound interface, and then, based on the ACL, the packets will be permitted, in other words transmitted, or denied.
It is therefore more efficient to bind an access list inbound on an interface, because packets that are dropped or denied will not need to be processed by the routing process on the router. If an ACL is applied outbound, the router still has to process all the packets, which may then be denied or dropped on the outbound interface. So where possible, bind ACLs inbound on interfaces rather than outbound for more efficient processing.

An access list is a sequential list of statements where packets are evaluated from the first statement to the last. In other words, there is top-down processing. If a packet is matched by an individual statement in the access list, that packet will either be permitted or denied, depending on whether the permit or deny keyword is used in that specific statement, and the remaining lines of the access list are ignored for that specific packet. So in other words, as soon as there's a match on a line, all remaining lines are ignored. If the traffic does not match that specific line or statement, then the next line in the ACL is checked. So an access list is a sequential list of statements, and the router will check from the first line to the last until it gets a match. As soon as there's a match, all subsequent lines are ignored. If there is no match for any statement in the ACL, the packet is dropped because of what's called the implicit deny at the end.
At the end of every access list there's an implicit deny, which means that if you're not explicitly permitted by an access list, you are implicitly denied. All traffic not permitted somewhere in that access list with the use of a permit statement will be dropped. That means, therefore, that you must have at least one permit statement somewhere in your access list; otherwise you might as well unplug the cable.

Now there are two main types of access lists that we concentrate on in this course. The first is a standard ACL and the second is an extended ACL. Standard ACLs only check on source IP addresses; they do not check on individual port numbers or individual protocols. They either permit or deny the entire protocol suite based on the source IP address or source network. Nothing other than the source IP address or source network can be specified. Extended ACLs check on both the source and destination address and allow you to permit or deny specific protocols and applications. In other words, you could permit or deny based on IP, TCP, UDP, ICMP and many other protocols, and you can also permit or deny based on source port numbers and destination port numbers. Extended access lists are therefore a lot more granular and tend to be used in the real world. But for completeness, we need to cover both standard and extended access lists in this course.