Hi, and welcome to this CertificationKits CCNA training video, access list configuration expanded.  The expanded part is, is we’re expanding on the original CCNA material for the new CCNA test.  There have been some additions to the new CCNA test.  One of them being sequenced access lists.  Sequence access lists are available as of IOS release 12.2, and it gives us some more flexibility with the filter decision, as far as, how we order the access list and actually the ability to able to delete individual entries. Additional access list, we’re going to be going over are dynamic, reflective and time based access lists.  But we’re going to first go in and talk about sequence access list as that is a bigger part of the new CCNA test.  So, let’s go in and take a look at how these access lists function. 

Sequence access list, again, available with IOS version 12.2-15T.  Sequence numbers can be added to the individual access lists statements allowing us to reorder our access list statements, as well as, delete individual access list statements.  Prior to this we had to remove the entire access list.  Here is a sample configuration on this.  IP access list and notice when we’re going to create this the IP access list, that’s what we’re doing going to create a named access list.  So, actually kind of creating any type of named access list with a number instead of the name.   So, we’re just using the number 110 as the name of this particular access list.  Extended, means as an extended access list, which again, filters is based on source, destination and protocol, port number, as opposed to just source IP address on a normal access list.  And what we do, the only different now is we add a number to the beginning of the statement.  Now typically in an environment where we’re doing sequencing and things like that, the initial timeout when we create the access list, originally, we are going to go with numbers, like 10, 20, 30, 40, 50 and so on.  And the reason we can do that is because if we decide later on that we like these two statements, but we want to add another line in between, we’ve got nine numbers in between 11 through 19, that we can use to add additional entries, between these two entries. 

So, what I want to do now, is I want to go in and take a look at configuring these access lists on a router.  So, here I am, I have a hyper-terminal session open to a router.  What I am going to do is, I am going to do the show version command just to make sure I have an operating system that supports these access lists.  And again, it’s got to be at least 12.2-15 in here.  I’ve got 12.3.  So, I  know I can go  in and create access lists with sequence numbers.  So, I go to global mode just like every other time.  And now if I want to do this, I have multiple options when I go to create my access list.  But again, if I go IP access list, this is creating a named type of access list.  What it’s going to want is, okay, what type of access list are you creating.  And typically, we are going with the standard or extended access list, especially for the CCNA program.  So, I am going extended.  And that wants the name or a number to go along with the access list.  So, I can just go a number between 100 and 199.  I could actually give it a name.  And again, the nice thing about this now, as I’m going to be able to add sequence numbers.  So, I am going to call access list 110.  Enter.  Now, if I use a question mark prior to this version — newer version of code, I would not, I’d have permit, deny in there, and I know, I wouldn’t have all these different types of access lists.  Like dynamic, evaluate an access list.  Things like that.  Remarks also weren’t available in older operating systems as well.  Obviously permitting deny, or definitely there. 

So, what I can do now.  Is if you noticed the first thing in line is a sequence number.  Access list can get pretty long, but here is the length of the numbers, I can put in here.  So, that’s 2,147,483,647, I can go up to that.   So, if your access list is getting that long, you are doing something wrong.  So, what I am going to do, is I’m just going to start with the number 10.  So, I can go 10, 20, 30, 40, 50, 60, as I add entries to the access list, I am creating.  So, here’s my access list I’ve created, and its access list 110, I’ve got some permit statements here.  I am permitting FTP traffic to this particular host, and then I am blocking all other FTP traffic.  So, if it’s not a part of one of these subnets or network addresses actually.  If it’s not part of one of these networks, then it’s not going to have access, and then I am permitting all other traffic.  So, here’s my access list I created.  Now when I created this, I did use sequence numbers.  I went into extended name access list mode, and I put 10, 20, 30, 40, 50, 60.  So, this would be 10, 20, 30, 40, 50, 60.  I just can’t see it here.  This is what I am looking at when I do a show run.  You show access list, I can see my sequence numbers here. 

So, I want to use this to show access list command.  So, here I see 10, 20, 30, 40, 50, 60, and what’s going on with this access lists.  Again, is I am letting subnets and it’s actually networks.   It’s not a subnet.  Since its class C here network.  All the way through network  So, 1, 2, 3 and 4 networks can get to this particular host of FTP.  So, we can set up an FTP session to this particular host from any one of these four networks.  Then I denied all other traffic going to this particular host, at this particular port.  So, I am denying any other host from being able to set up an FTP session, with this particular server.  And then I am permitting all of the traffic on the networks.  So, maybe this is my only FTP server, whatever.  I am permitting everything else.  The nice thing about this is, let’s say, I decided I wanted to deny one particular host on the subnet 192 or network from accessing the FTP server.  Maybe it’s just uploading a bunch of movies there or I don’t like the guy or for what.  Whatever the reason, I can block one particular user without having to go in and reconfigure the entire access lists.  I am just going to use the sequence number that’s in between the 10 and the 20.  So, to block a user from this subnet right here. I’m going to go into global mode.  And what I want to do is I want to get back into that access list configuration.  

So, IP access list extended 110.  And now I have to determine where I want to place this entry.  So, if I’m going to be blocking a host on this subnet, I would have to put it prior to permitting all FTP traffic from that subnet.  Or if I’m going to block it from this subnet, right here, 19216830, I say subnet but again it’s a network.  I am going to have to put it prior to that entry in the access list statements.  So, let’s go ahead and just block someone from 2.0 network here.  So, what I need to do is, I need to put it prior to the 20.  So, all I have to do is use a number like 15, deny TCP, host and I’ll pick a host with this IP address and I don’t want use 50, I want to use 57 going to host at port and then the FTP port to establish the session.  Control Z, I’ll save it, write memory, show access list as a command we want, and I can go in and see that I’ve successfully added an entry. The reason this is so awesome with the sequence to access list.  Is prior to the sequence to access list, what would happen is this new entry, would be at the very bottom after the permit IP any — any command. 

So, what would happen is this entry would never even get looked at.  Now what it does, it looks at the packet.  So, if this guy tries to connect to the FTP server and look at the packing are you, network 192.168.10, no.  Are you host, yes.  Are you going to this destination IP, yes.   Is it at FTP, yes.  Sorry, I have to deny you.  If this were at the bottom what would happen is it go, if it’s line was not there, and I actually let me show how I can easily remove this particular line.  I can just go back into, actually, I’m just  hereAllI have to do is go, no, 15 enter, control Z.  Show access lists.  So, I don’t have to type, no 15, deny blah, blah, blah.  I just go no 15 and the whole line is gone.  Now, what will happen when he tries to connect.  He’s going to go, okay, are you from subnet, first I’ll see this and go,  you’re not part of network  Are you part of network, yes.  I go to this host.  Yes.  You’re setting an FTP session.  Yes.  I am going to permit you.  So, it’ll allow that traffic to go through.  So, if that statement were at the bottom here, or anywhere after this permitted statement for that network, it wouldn’t work if I were trying to deny him.  Because he’d be through already, and as soon as, an access list entry has matched, it does the appropriate action based on that entry.  It does not look at the rest of the access list. 

So, sequenced access list are awesome, because we can go in and reorder things easily without having to get rid of the entire access list.  So, let’s go in and take a look at some additional access list that we can create now for later version of the Cisco IOS.  Apparently additional types of access list, you should be familiar with.   dynamic, reflective and time based access list are covered as well with the new CCNA test.  Dynamic access list allow prevention of traversal meaning, you can pass through the router or you can’t past through the router, until you’ve telnet and authenticated from the router.  What that means is, when you go into access.  Let’s say you’re the client over here and you’re going to access resources on this particular server.  What’s going to happen is you’re going to establish a telnet sessions to this router.  Once you’ve established a telnet session on this router, it will go ahead and authenticate you and allow traffic from your client machine to pass through the router to access the server.  So, unless you telnet to this router and establish the session, allowing you to go through the router and basically authenticate yourself.  The router will stop your traffic from accessing the server.  So, it’s kind of they call a lock and key.  Here’s the lock, here’s the key.  So, what has to happen, is you have to go in and authenticate yourself, basically unlock the door, that allows you to get through and get to this server.  So, that’s a dynamic access list.  In additional one, is a reflective access list and with this one filtering rules can be applied to the session or to the user based on the session layer information. 

Let me go back to that diagram, clean it up and explain what I mean by session layer information.  Now, with the reflective access list, also referred to as reflexive, I’ve seen both accounts on Ciso’s website and researching online, they were seen or referred to both ways.  If you’re learning to how to configure these, it’s better to use actually reflexive, but in the study guide that I have for this new CCNA from Cisco, they call it the reflective access list.  So, either way you’re good.  But if you’re doing some searching on the website, you want it reflexive access list when you’re doing your searching.  What this does, is we would have a reflective access list applied on the outbound direction of this interface, right here.  We could play it here, or we could play it here. Depending on our environment.  So, it’s a serial, I am playing it on a WAN interface.  So, here’s the WAN, between us and some resource.  So, we have reflexive access list that we apply going out.  And our main access list that’s filtering all of our traffic is an inbound access list.  Going in.  So, traffic, coming from the outside world, we have this inbound access list protecting us.  So, what we can do is instead of leaving doors open all the time for all the traffic we’re going to, from all those servers, all these ports and holes in our inbound access list.  What we can do is we can have entries dynamically created when we need them. 

So, as a client, what would happen is, I would try to go in and then access this particular server or resource on the server, whatever.  My source IP might be and I might be accessing a resource on IP, let’s say there’s, where the resource is located.  I am just going to use a random port number and say, I’m accessing, I don’t know, Port 8130.  A service on this server that I am accessing a port, my source port, might be coming from Port 3096, something like that.  So, what can happen at this point is when I to go out to the network, right now, any traffic coming from this server IP, is going to be blocked on my inbound access lists.  I have a reflexive access list created, going out and I’ve also — what’s called a nested the reflexive access list on the way in.  So, what happens is the router, when I am going out, it looks at the source and destination traffic to get the session information and so what will happen is it’ll dynamically create an inbound access list, so it’ll dynamically add an entry on the inbound access list and a temp directory allowing traffic coming from their server, going to my client, just when I need it.  What you would do is you would go ahead and set a session timeout.  So, I would say after two minutes, this session would end.  So, what’s cool about this is traffic coming from the server is not going to be allowed through my inbound access list.  However, when I initiate the connection going out, the reflexive access list, adds a dynamic entry to the inbound access list itself, allowing the traffic from the server to go in and hit my client machine.  Once I’m done.  That entry on the inbound access list times out.  

So, somebody who were spoofing the source IP or something here or trying to get back in with the source IP, that session would be ended, and the opportunity to get into our network would be done.  So, Reflevtive access could add some security toward network, instead of just leaving certain ports and open on an inbound access list.  Let’s talk about a timed access list.  That one is fairly self-explanatory.  Back at my CCNA slide a little bit more cleaned up.  I just want to touch base on the time base to access list.  It’s very similar to extend it except it is based on time.  This is clock I’m drawing, big hand, little hand, right here.  So, the key thing about this is you might want to allow particular type of access to your network, between the hours of 8:00 a.m. and 10:00 p.m.  But after hours, you might want to shut that down, because people shouldn’t be accessing that data other than their normal work hours.  Or something like that you can use a time base to access list for.  I just want to do real quick is, just go through the steps required to create a dynamic, a reflective or reflexive access list, as well as, a time based accessed list and a couple of a commands you would use.  Nothing you need to be an expert on, but you should be definitely be familiar with the availability and the functionality of these types of access lists. 

Let’s start with dynamic.  So, the steps to create a dynamic access list, just a few of them.  You create the dynamic access list, you’re going to apply the access list to interface, specify on authentication method.  You have three different types of authentication method.  You can use an external server, like TACAS.  You can use a local user name and password, local authentication where you actually create a user account for the user and then a simple local authentication where you just create uses that one user name and password that everybody uses.  Least secure, most secure.  I just did a basic set up for this.  And then the forestep obviously will not obviously maybe not.  You name will be ability for the temporary access list creation by using the auto command.  Because again what happens after you log in to the sever via telnet.  You are going to get a session that allows you to pass through the router to get to the resource on the other side.  So, here were creating an access list for permitting TCP, any host that were applying to the external interface here, or allowing telnet in to that IP address.  We’ve got to allow the telnet session to take place.  Second, part as add to dynamic entry to the access list.  And that’s creating the dynamic access list.  Access list 110 dynamic Palaestra test list.  This is name of this access list.  Timeout 120.  This 120 is the absolute timeout. 

So, max timeout here of 120 and that is the absolute meaning.  Even if the session is still active, after a 120, it’s going to kill it.  Now there are something you can do to get around that but we’re just going to set this time at 120 which is two hours for that session to be active, and we’re permitting all traffic.  So, once they are verified through telnet all types of traffic are going to be able go through the router to get to those resources on the other side.  Again, remember, here’s our router, we’re setting it on a WAN interface right here.  So, as an outside client comes in, the telnet to a router, a router, they validate their session and then the router will allow them to pass through at that point to access the resources on the other side, from max of 120 minutes.  We have the IP address set on the interface and then we apply this access list to the interface itself.  The last steps is specifying the type of log on.  So, we’re just using line VTY0 for this, one of our telnet lines.  Log on local or send everything up to locally log and auto command.  This is where it allows to create the temporary access lists, access enable.  So, it’s automatically going to create a temporary pass through access list entry, enabling access with a time out of five.  This is five minutes and this an idle time out.  So, if they are active on the session.  The max they’re going to get is a 120 minutes.  If they don’t use this sessions or whatever they idle on it, it’s going to stay open for five minutes.  It’s not to going to stay open forever, waiting for somebody else to go through and use that session and try to break our security. 

So, again, four steps create the dynamic access list, apply to an interface, specify authentication, and enable the ability for temporary access through the router by using that auto command.  And again this is going to create a temporary entry.  Let’s go in and take a look at the next type of access list.  Here is the reflective or again you can call it reflexive access list requirements and the same configuration.  Define the reflexive access list and apply inbound or outbound.  Nest through reflexive access list and the opposing access list and set a global timeout value. So, what you’re doing and again this situation allows traffic from a remote server back through temporarily because you initiated the session from a client inside of the network.  So, here’s our router, and here is out Serial0 interface.  So, what we’re doing is, we are creating an outbound filter to create dynamic entries that will allow inbound traffic from this server when I request it.  So, the first thing we do is we create the extended access list called outbound filters, and we go in and permit TCP.  So, any TCP traffic, this is what we’re going to generate the reflective entries for TCP only, not UDP.  So, for TCP traffic for any source or destination we are going to reflect the session.  So, the outgoing session will be reflected on the way back in, and it will be called TCP traffic.  That’s the name of — it’s basically like a small database of entries or an additional access list of entries that are going to be allowed on the way in temporarily.  IP access list extended inbound filters.

So, that’s going to be the inbound access list.  We’re going to block pings.  Just because we’re always block pings, and what we’re doing here it says evaluate TCP traffic.  So, remember TCP traffic is an additional temporary access list that will have entries based on client initiated sessions from inside of your network.  So, each client that goes out and accesses a resource, an entry into TCP traffic will be put to temporarily allow access through Serial 0.  Then what we do as we go in and apply both to the Serial 00 interface.  Inbound filters on the way in.   Outbound filters on the way out.  IP reflective list, time out, so, for a couple of hours those entries will be inside of the TCP traffic database.  So, what happens when client here goes in and goes out and accesses a resource from the server, let’s use an IP of  This guy would use and IP of  So, he goes out, accesses resources on the sever.  When he initiates the connection to IP or whatever port number.  What’s going to happen is because we’ve told it to reflect traffic on the way out to any destination from any source, and put that entry in TCP traffic.  We’re going to allow inbound traffic with this source IP to this destination IP and we’re going to put that entry right here in the TCP traffic. 

What’s going to happen when the server responds, because of this access list, right here evaluate TCP traffic on the way in, the packets hit this interface right here, it says evaluate TCP traffic.  TCP traffic has an entry in it.  Saying , okay traffic from this source IP and port number, can go to this destination IP and port number.  I am going to allow it, and allows the traffic to come back through.  After a couple of hours that entry will time out.  So, somebody else can go in and spoof this IP or whatever or we get on this machine and try to into our network.  So, that’s how reflective or reflective access list work.  Let’s go in and take a look at the time that access list.   For timed access list, it’s just a couple of things that you’re going to do.  You’re going to go in and set a time range and then you’re going to incorporate the time rang and you’ll permit statement within an access list.  Here’s an example.  Time range and I am going to call it no webs.  So, I’m getting rid of web access with this, but I can’t do anything.  This is a time range I’m calling it.  And I can do something like an absolute start.  So, I pick a start time, and a start date.  So, 4:30 a.m. on June 15th, 2007.  This will apply. Absolute and after 4:30 a.m, September 15th, it will no longer be valid.  And so what I do on the access list, is I am denying any source, any destination traffic at Port 80, time range, no web.  So, what it does, it applies these time restrictions to this statement in the access list. 

The additional one that you can use a different variable here.  Time range, no FTP, it takes me under the time range configuration.  I go periodic, like a specified days of the week, like any days stuff like that.  Fridays, I choose weekdays here.  I could also do weekends.  So, on weekdays, 8:00 a.m. to 7:00 p.m., and I apply that time range to my access list here.  Deny TCP any — any, EQ FTP.  Time range no FTP, so all FTP traffic will be locked.  Blocked on weekdays 8:00 a.m. to 7:00 p.m., and again go to reiterate all web traffic because that’s here, with a deny, will be blocked between 4:40 a.m. 15th, June till 4:40 am. 15th September.  And then again, I just apply it to individual statements within the access list.  Never, permit statements.  All access lists need at least one permit statement.  So, let’s go do and do a recap of what we’ve talked about in this video.  So, within this access list configuration and expanded version for the new CCNA.  We have talked about sequence access list which is got to be a bigger part of the test, than any additional types down here.  Or we can actually go in and sequence or access list entries.  And again, it’s a good idea if you are using sequences in your access list entries to spread them out.  That way you can go in and fit things in between if you need to.  The additional types you talked about dynamic.  Again, that creates a dynamic entry.  So, when I go out or someone is trying to come in to get resources on a server here.  They first need to go in telnet to this router and get validated and then the router will allow them to pass through.  Also called lock and key.  Reflective would be, when I access a sever remotely, would be one in situation.   My client goes out to the sever, the outbound access list, looks at it, and creates a reflective entry inbound.  So, the server traffic can get back through temporarily.  And then also we’ve talked about time based to access list where we can set time restrictions on one particular access list entries are going to be in affect.   I hope you’ve enjoyed this CertificationKits CCNA training video on Access List configurations expanded.