1
00:00:00,510 --> 00:00:07,230
There are also two methods to identify whether an ACL is a standard ACL or an extended ACL. Access lists are

2
00:00:07,230 --> 00:00:14,760
either configured as numbered access lists or named access lists. With numbered ACLs, the number of the

3
00:00:14,760 --> 00:00:17,670
ACL determines what type of ACL it is.

4
00:00:18,030 --> 00:00:23,940
So, for example, ACLs in the range 1 to 99, or what's called the expanded range

5
00:00:24,270 --> 00:00:29,310
1300 to 1999, would be used for standard IP ACLs.

6
00:00:30,570 --> 00:00:33,180
So as an example on our router,

7
00:00:34,420 --> 00:00:37,630
in global configuration mode, I can type the command access-list,

8
00:00:38,870 --> 00:00:45,130
question mark, and as you can see here, 1-99 is used for IP standard access lists.

9
00:00:46,280 --> 00:00:47,660
The expanded range

10
00:00:49,620 --> 00:00:53,010
is also listed: 1300-1999.

11
00:00:53,610 --> 00:01:00,150
Now, the reason for the expanded range is that initially about 100 ACLs seemed more than enough,

12
00:01:00,760 --> 00:01:06,600
but as we all know, as time goes by, what was deemed to be enough is not necessarily enough,

13
00:01:06,840 --> 00:01:10,740
and these days we can use both 1-99 or the expanded range

14
00:01:10,980 --> 00:01:17,210
if the requirement for more than 100 access lists is there. IP extended access lists use the range

15
00:01:17,340 --> 00:01:23,730
100-199, as well as the expanded range, which is 2000-2699.

16
00:01:24,420 --> 00:01:25,890
Depending on your IOS,

17
00:01:26,250 --> 00:01:32,730
you'll see other types of ACLs listed. For instance, to support AppleTalk, ACLs in the range 600

18
00:01:32,730 --> 00:01:36,210
to 699 can be used. To support IPX,
19
00:01:36,540 --> 00:01:43,860
you could, for instance, use ACLs in the range 800 to 899 or extended IP access lists in the range

20
00:01:43,860 --> 00:01:47,730
900-999. Notice here, for example,

21
00:01:49,090 --> 00:01:55,570
ACLs in the range 700-799 are used for MAC address access lists. In this course we

22
00:01:55,570 --> 00:02:01,530
fortunately only concentrate on IP access lists, so we will concentrate on both IP standard access

23
00:02:01,570 --> 00:02:04,480
lists and IP extended access lists.

24
00:02:04,960 --> 00:02:10,560
But be aware, please, that there are other number ranges used for other protocols like IPX, AppleTalk

25
00:02:10,660 --> 00:02:11,650
and so forth.

26
00:02:12,250 --> 00:02:17,980
The second type is named access lists, which are more descriptive because they use alphanumeric characters

27
00:02:17,980 --> 00:02:18,790
as names.

28
00:02:19,330 --> 00:02:25,720
So rather than access list 100, for instance, permitting telnet traffic to a switch, you could call the ACL

29
00:02:25,930 --> 00:02:28,780
permit telnet and give it a name with more meaning.

30
00:02:29,350 --> 00:02:35,230
That also allows you to create many, many more ACLs on a router than the list specified by the numbered

31
00:02:35,230 --> 00:02:35,890
ACLs.

32
00:02:36,430 --> 00:02:43,210
Originally, named ACLs also gave you more flexibility when it came to editing individual lines or deleting

33
00:02:43,210 --> 00:02:45,330
individual lines in an ACL,

34
00:02:45,550 --> 00:02:51,430
but these days that flexibility is available for both named as well as numbered ACLs.

35
00:02:52,770 --> 00:03:00,000
Just to demonstrate a little bit more, if I specify 1 as my ACL number, notice it gives me three options:

36
00:03:00,150 --> 00:03:02,260
deny, permit or remark.

37
00:03:02,670 --> 00:03:04,020
Now, let's start with the last one.

38
00:03:04,450 --> 00:03:07,910
The remark option allows you to add a description to your ACLs.
39
00:03:08,490 --> 00:03:13,980
This is very useful because when you return to an ACL that you configured months ago, rather than

40
00:03:13,980 --> 00:03:20,550
having to decipher the lines of the ACL, the remark, or in other words the description, can let you

41
00:03:20,550 --> 00:03:23,500
know what that ACL is attempting to accomplish.

42
00:03:23,910 --> 00:03:29,280
So it's recommended that you use the remark statement to add descriptions to ACLs to make them more

43
00:03:29,280 --> 00:03:34,110
user friendly and understandable, both for yourself and for others.

44
00:03:34,770 --> 00:03:35,670
If I choose the option permit,

45
00:03:37,370 --> 00:03:43,970
notice, because this is a standard IP access list, the only options here are permitting either a hostname

46
00:03:43,970 --> 00:03:50,050
or IP address, permitting any, which permits everyone or anything, and the host option.

47
00:03:50,750 --> 00:03:57,230
So I could, for example, put an address here like 10.1.1.1, and then notice the next option

48
00:03:57,560 --> 00:04:05,390
is to put in wildcard bits, or to hit enter, or I can log this information to, say, a syslog server

49
00:04:05,660 --> 00:04:08,380
or another logging device on my network.

50
00:04:08,930 --> 00:04:10,550
So if I put in the option 0.

51
00:04:11,590 --> 00:04:19,230
0.0.0, that is specifying that I will permit traffic from a specific host, 10.1.1

52
00:04:19,240 --> 00:04:19,720
.1.

53
00:04:20,610 --> 00:04:26,820
Now, ACLs don't use standard network masks; they use inverse masks, where a 0 in binary means

54
00:04:26,970 --> 00:04:31,110
there must be a match and a 1 in binary means it doesn't have to be a match.
55
00:04:31,980 --> 00:04:35,100
So just to reiterate, you need to look at this in binary

56
00:04:35,100 --> 00:04:41,400
if you're not sure. A 0 in binary in the mask means that there must be a match on the host or network;

57
00:04:41,790 --> 00:04:45,980
a 1 in the mask means that we ignore the host or network value.

58
00:04:46,710 --> 00:04:52,050
So as an example, if I want to match a specific IP address, I can type the command access-list 1,

59
00:04:52,470 --> 00:04:53,490
1 denoting that

60
00:04:53,490 --> 00:04:55,320
this is a standard IP access list.

61
00:04:55,770 --> 00:05:00,870
I'm permitting traffic that matches 10.1.1.1

62
00:05:01,230 --> 00:05:02,010
exactly.

63
00:05:02,490 --> 00:05:07,260
The 0 in the mask means that the first octet must be a 10.

64
00:05:07,680 --> 00:05:15,150
The second octet must be a 1, the third octet must be a 1 and the fourth octet must be a 1.

65
00:05:15,750 --> 00:05:18,870
A 0 in the mask means an exact match.

66
00:05:19,200 --> 00:05:22,170
A 1 in the mask means it doesn't have to match.

67
00:05:22,680 --> 00:05:27,450
So this statement will only match for a specific host with the IP address

68
00:05:27,450 --> 00:05:28,740
10.1.1

69
00:05:28,740 --> 00:05:29,190
.1.

70
00:05:29,550 --> 00:05:33,420
Now, rather than doing it that way, you can configure the access list as follows.

71
00:05:33,570 --> 00:05:36,690
You can type the command access-list 1 permit

72
00:05:37,050 --> 00:05:41,130
and in this case, we're looking for a specific host, so you can use the keyword host

73
00:05:41,490 --> 00:05:45,200
and then specify the host IP address. Either will do.

74
00:05:45,570 --> 00:05:51,510
It's like saying tomato versus tomato; which you prefer will determine which one you

75
00:05:51,510 --> 00:05:52,080
configure.
76
00:05:53,160 --> 00:05:58,950
The opposite of specifying an individual host would be matching anything or everything, so you could

77
00:05:58,950 --> 00:06:05,910
create an access list: access-list 1 permit, and notice in the address portion we have put 0.0.

78
00:06:05,910 --> 00:06:06,890
0.0,

79
00:06:07,320 --> 00:06:10,600
and this could essentially be made anything. In the mask,

80
00:06:10,620 --> 00:06:14,430
however, we've put 255.255.255.255.

81
00:06:14,790 --> 00:06:19,610
If you remember, a 1 in binary in the mask means ignore this value.

82
00:06:19,680 --> 00:06:24,000
In other words, it can be anything; a 0 in the mask means an exact match.

83
00:06:24,660 --> 00:06:31,950
So if we look at the IP address, it's 0.0.0.0 in decimal, which is equal to all 0s

84
00:06:31,950 --> 00:06:32,610
in binary.

85
00:06:32,970 --> 00:06:36,120
This gap in the binary address obviously doesn't exist.

86
00:06:36,520 --> 00:06:38,240
I've just put it here for readability.

87
00:06:38,880 --> 00:06:42,150
So looking at the address in binary, it's eight 0s.

88
00:06:42,750 --> 00:06:48,930
The mask, in other words, in the first octet, the mask is set to 255, which is equal to eight

89
00:06:48,930 --> 00:06:49,940
binary 1s.

90
00:06:50,430 --> 00:06:57,030
So what we're saying by putting 255 in the first octet in the mask is that the first octet in the address

91
00:06:57,330 --> 00:06:58,160
is irrelevant.

92
00:06:58,680 --> 00:07:00,420
We are just ignoring all the bits.

93
00:07:00,750 --> 00:07:04,530
We've done the same with octets 2, 3 and 4.

94
00:07:04,830 --> 00:07:11,490
So this is essentially matching anything or everything, and we are not matching any specific hosts or

95
00:07:11,490 --> 00:07:12,120
network.

96
00:07:12,840 --> 00:07:17,190
Alternatively, you could also use the syntax access-list 1 permit any.

97
00:07:17,520 --> 00:07:22,220
So once again, tomato versus tomato, you decide which you prefer.
98
00:07:22,620 --> 00:07:25,290
Both will work and both have the same result.

99
00:07:26,510 --> 00:07:32,270
If you wanted to match an individual subnet rather than an individual host or any traffic, you could

100
00:07:32,270 --> 00:07:34,900
use a combination of 0s and 1s in the mask.

101
00:07:35,270 --> 00:07:41,330
So as an example, access-list 1 permit 10, and notice in the mask we have 0 in the first

102
00:07:41,330 --> 00:07:46,360
octet, which means that we are matching on the 10: 10.1.1.0,

103
00:07:46,370 --> 00:07:50,300
and in the mask we have 0.0.0.255.

104
00:07:50,630 --> 00:07:53,010
Now, in the first octet in the mask,

105
00:07:53,060 --> 00:07:58,280
we have got binary 0s, which means that there must be an exact match on this address.

106
00:07:58,850 --> 00:08:01,960
In other words, we are specifically matching the first octet.

107
00:08:02,390 --> 00:08:04,040
It must be equal to a 10.

108
00:08:04,610 --> 00:08:08,690
The second octet must be 1 because we have got a 0 in the mask.

109
00:08:09,140 --> 00:08:12,620
The third octet must be 1 because we have a 0 in the mask.

110
00:08:13,070 --> 00:08:18,920
But notice in the fourth octet, this could be set to anything because we've got binary 1s in the

111
00:08:18,920 --> 00:08:23,210
fourth octet; 255, if you remember, is eight binary 1s.

112
00:08:23,420 --> 00:08:26,840
In other words, we are saying we don't care what the last octet is set to.

113
00:08:27,320 --> 00:08:34,820
This statement will match any host or any address where the first three octets are set to 10.1

114
00:08:34,820 --> 00:08:35,419
.1.

115
00:08:35,900 --> 00:08:37,730
The fourth octet can be anything.

116
00:08:39,020 --> 00:08:45,710
So just to sum up, if we were using the dotted decimal notation to match a specific IP address like 10

117
00:08:45,740 --> 00:08:49,590
.1.1.1, we would fill the mask with 0s.

118
00:08:50,060 --> 00:08:52,280
Once again, this is an inverse mask.
119
00:08:52,280 --> 00:08:58,250
A 0 in the mask means that we are looking for a specific value in the host portion of the address.

120
00:08:58,460 --> 00:09:02,400
A 1 in the mask means we ignore what the host portion is set to.

121
00:09:02,780 --> 00:09:08,790
So this matches a specific IP address. To match a specific subnet, let's say 10.1.1.0,

122
00:09:09,260 --> 00:09:15,980
we could configure the access list as 10.1.1.0 with the first three octets equal to 0 and

123
00:09:15,980 --> 00:09:18,320
the last octet equal to 255.

124
00:09:18,740 --> 00:09:25,220
Or if we wanted to match anything, we could set the host portion to actually any number and the mask

125
00:09:25,220 --> 00:09:28,430
255.255.255.255.

126
00:09:30,110 --> 00:09:34,310
So as an example on a router, I could type the command access-list 2

127
00:09:35,500 --> 00:09:38,550
permit and then specify anything I wanted to.

128
00:09:41,970 --> 00:09:47,550
But if the mask is set to all 1s, if I type the command show ip access-list,

129
00:09:50,940 --> 00:09:58,260
notice the router has changed it to say permit any. We typed this on the router, but the router has changed

130
00:09:58,260 --> 00:10:05,790
it to permit any. I could do the command show run | include access-list to see all my access list statements

131
00:10:05,790 --> 00:10:06,810
configured on the router,

132
00:10:07,110 --> 00:10:12,120
and you can see once again, the router has changed the format of the access lists.

133
00:10:13,630 --> 00:10:20,290
Here's a more complicated example. If we had an access list, let's say access-list 1 permit 10.1.1.0

134
00:10:20,650 --> 00:10:24,000
and the mask is 0.0.0.15,

135
00:10:24,340 --> 00:10:28,710
what we are saying is ignore the last four bits of the last octet.

136
00:10:29,410 --> 00:10:36,370
So notice the address is 10.1.1.0 and the mask is 0.0.0.15.

137
00:10:36,760 --> 00:10:39,330
Now, the first three octets are fairly easy to work out.
138
00:10:40,000 --> 00:10:47,290
What we're saying is that the first octet must be 10, the second octet must be 1, the third octet

139
00:10:47,290 --> 00:10:48,070
must be 1.

140
00:10:48,610 --> 00:10:50,260
But it gets a little bit more complicated.

141
00:10:50,500 --> 00:10:55,870
Looking at the last octet in decimal, it's a lot easier if you convert it to binary.

142
00:10:57,080 --> 00:11:04,010
Four binary zeros, followed by four binary ones; zero in binary equals eight binary zeros.

143
00:11:04,490 --> 00:11:11,210
Once again, the gap in the middle in these octets is just there for readability so that it's easier

144
00:11:11,210 --> 00:11:12,380
to see what's going on.

145
00:11:13,750 --> 00:11:18,310
So what we're saying is that the last four bits in an address can be set to anything.

146
00:11:18,790 --> 00:11:25,060
So in other words, these last four binary bits could be set to either a 0 or a 1, but the first

147
00:11:25,060 --> 00:11:33,970
four binary bits must be equal to 0 because the address portion has a 0 in it and the first four

148
00:11:33,970 --> 00:11:35,850
bits of the mask are set to zero.

149
00:11:36,070 --> 00:11:40,510
It means that the first four bits of an address must be equal to this value.

150
00:11:40,540 --> 00:11:41,950
In other words, 0.

151
00:11:43,110 --> 00:11:48,690
So let me show you some examples. If I had an address of 10.1.1.1, would it

152
00:11:48,690 --> 00:11:54,760
be matched by this statement, permit 10.1.1.0 0.0.0.15?

153
00:11:55,080 --> 00:11:56,700
And the answer would be yes.

154
00:11:57,000 --> 00:12:01,020
I've only converted the last octet into binary, as the first three octets

155
00:12:01,020 --> 00:12:02,070
are easy to work out.

156
00:12:02,460 --> 00:12:08,220
What we're saying is that the first three octets must be equal to 10.1.1.1, which it is for

157
00:12:08,220 --> 00:12:08,940
this address,

158
00:12:09,360 --> 00:12:12,530
but the last octet converted to binary will look as follows.
159
00:12:12,540 --> 00:12:18,400
We would have seven binary 0s followed by a binary 1. 15 in binary,

160
00:12:18,420 --> 00:12:22,380
once again, is four binary 0s followed by four binary 1s.

161
00:12:22,620 --> 00:12:29,670
So what we are saying is, notice the first four bits in the address must, because of the zeros in the

162
00:12:29,670 --> 00:12:34,980
mask, be equal to 0000, which for 1 is true.

163
00:12:35,200 --> 00:12:38,140
The first four bits are set to 0s.

164
00:12:38,610 --> 00:12:43,270
It doesn't matter what the last four bits are set to because we have binary 1s in the mask.

165
00:12:43,770 --> 00:12:46,470
So there is a match on 10.1.1.1.

166
00:12:46,890 --> 00:12:54,420
But does this access list statement match 10.1.1.129? And the answer is no, because the first

167
00:12:54,420 --> 00:12:59,910
four bits of the address must be equal to four binary 0s.

168
00:13:00,210 --> 00:13:07,530
And if you convert 129 into binary, it consists of one binary 1 followed by six binary

169
00:13:07,530 --> 00:13:09,270
0s followed by a binary 1.

170
00:13:09,660 --> 00:13:14,950
In other words, the first four binary bits do not equal four 0s.

171
00:13:14,970 --> 00:13:16,440
So this is not a match.

172
00:13:17,820 --> 00:13:21,160
In this example, we have some hosts on subnet 10.1.1.0,

173
00:13:21,720 --> 00:13:27,300
so as an example, this PC and this MacBook. We also have servers: server 1 with IP address 10.

174
00:13:27,300 --> 00:13:30,840
1.2.1 and server 2 with IP address 10.1.3.1.

175
00:13:31,350 --> 00:13:37,920
In this example, we want to permit host 10.1.1.1 access to the servers but deny everyone else.

176
00:13:38,430 --> 00:13:43,500
Please note these examples are just to help teach you the syntax of access lists and how they can be

177
00:13:43,500 --> 00:13:45,070
used in various scenarios.

178
00:13:45,420 --> 00:13:50,910
These examples are not best practice, so please don't try and understand the why of these examples.
179
00:13:50,940 --> 00:13:55,440
They're just here to try and help you understand how access lists can be applied.

180
00:13:56,010 --> 00:14:01,740
Obviously, in the real world and in exam situations, you might be presented with various scenarios,

181
00:14:02,010 --> 00:14:07,620
and in those cases you will need to know how access lists work to be able to meet the requirements of

182
00:14:07,620 --> 00:14:08,390
the scenario.

183
00:14:08,730 --> 00:14:12,180
The first decision you need to make is on which interface

184
00:14:12,210 --> 00:14:15,660
you are going to apply the access list. In this example,

185
00:14:15,660 --> 00:14:18,380
we are going to use a standard IP access list.

186
00:14:18,510 --> 00:14:20,480
We are not going to use extended access lists.

187
00:14:20,910 --> 00:14:26,760
So it makes sense to apply the access list inbound on this interface because that will accomplish what

188
00:14:26,760 --> 00:14:27,670
we set out to do.

189
00:14:28,380 --> 00:14:34,740
You could also apply the access list on both f0/1 and f0/2, but it would be more efficient

190
00:14:35,040 --> 00:14:40,470
to apply inbound rather than outbound, and it also means that you only have to apply the access list on

191
00:14:40,470 --> 00:14:43,170
one interface rather than on two interfaces.

192
00:14:44,070 --> 00:14:49,560
So on my router, I could configure the access list, but before doing that, I'm going to type the command show

193
00:14:49,980 --> 00:14:56,160
access-lists just to see which access lists have already been configured so that I don't inadvertently

194
00:14:56,430 --> 00:14:58,530
edit an access list that already exists.
195
00:14:58,950 --> 00:15:03,270
In this example, you can see that there are no access lists, so I can go into global config mode

196
00:15:03,720 --> 00:15:07,320
and type the command access-list and then specify a number,

197
00:15:07,560 --> 00:15:10,740
and let's say in this example we have to use a standard IP access list.

198
00:15:10,740 --> 00:15:14,520
So I'm going to just choose a number, let's say 1, and then I'm going to say permit

199
00:15:17,380 --> 00:15:25,540
host 10.1.1.1 and hit enter. Our scenario states that we need to permit this host access

200
00:15:25,540 --> 00:15:26,370
to the servers.

201
00:15:26,800 --> 00:15:30,970
Now, a standard IP access list does not allow you to specify destinations.

202
00:15:30,970 --> 00:15:32,630
You can only specify the source.

203
00:15:33,100 --> 00:15:39,250
Now it's worth remembering the implicit deny any at the end of every IP access list. Our criteria

204
00:15:39,250 --> 00:15:45,470
in this example is just to permit that specific host 10.1.1.1 and deny everyone else.

205
00:15:46,180 --> 00:15:50,340
So this single-line access list will accomplish what we set out to do.

206
00:15:51,010 --> 00:15:53,650
The next step is to bind the access list to an interface.

207
00:15:54,100 --> 00:15:58,330
So on interface f0/0 I'll type the command ip

208
00:16:00,560 --> 00:16:08,280
access-group, and notice it prompted me to put in the number or word of the access list, so 1, and

209
00:16:08,280 --> 00:16:13,680
then it prompted me to specify the direction, and I'm going to say inbound. Just by doing that, I've

210
00:16:13,680 --> 00:16:15,920
accomplished what I set out to do.
211
00:16:17,370 --> 00:16:23,520
We are permitting this host 10.1.1.1 and denying everyone else. You obviously need to be careful

212
00:16:23,520 --> 00:16:29,880
with access lists because if another interface were configured on this router, no traffic except for

213
00:16:29,880 --> 00:16:34,910
this host would be allowed to send traffic through interface f0/0,

214
00:16:35,430 --> 00:16:37,800
but in this scenario, we have met the requirements.

215
00:16:38,970 --> 00:16:40,250
One last thing to show you

216
00:16:41,660 --> 00:16:46,130
is if I type the command show ip interface and the relevant interface.

217
00:16:47,510 --> 00:16:54,170
The router will show me which access list is bound outbound and which access list is bound inbound on this

218
00:16:54,170 --> 00:16:55,300
specific interface.

219
00:16:55,700 --> 00:17:02,300
And as you can see here, access list 1 is bound inbound and no access list is bound outbound.

220
00:17:03,610 --> 00:17:09,579
So as an example, I could create another access list, let's say access-list 2 permit any,

221
00:17:10,930 --> 00:17:15,130
and then go on to that interface and type ip access-group

222
00:17:16,599 --> 00:17:17,470
2 out.

223
00:17:20,190 --> 00:17:27,990
Do the same show command again, show ip interface f0/0, and you'll be able to see that access list

224
00:17:28,020 --> 00:17:31,260
2 is bound outbound and access list 1 is bound inbound.

225
00:17:34,280 --> 00:17:35,810
If I made the following mistake

226
00:17:36,850 --> 00:17:40,600
and bound access list 2 inbound rather than outbound,

227
00:17:43,440 --> 00:17:44,880
the following would take place.

228
00:17:47,350 --> 00:17:52,720
The router does not warn me about anything, but notice the inbound access list has been replaced

229
00:17:52,720 --> 00:17:58,780
with access list 2, so the previous access list 1 was removed off the interface and replaced with access

230
00:17:58,800 --> 00:17:59,290
list 2.
231
00:17:59,890 --> 00:18:04,900
There's no need to firstly remove the old access list before applying the new access list.

232
00:18:05,320 --> 00:18:08,380
The old one is implicitly removed and the new one is applied.

233
00:18:09,010 --> 00:18:14,110
Also, notice that you can apply the same access list in and out at the same time.