Hi, and welcome to this CertificationKits CCNA training video on extended access list configuration. We're going to be talking about when we use extended access lists, the number ranges that define an extended access list, and the commands to configure one, and then we'll go in and configure some extended access lists. We'll also look at named access lists, which we can configure in standard or extended format, and finish with troubleshooting our access lists.

Let's take a look at a CCNA slide here and talk about when to use an extended access list. An extended access list uses a number from 100 to 199 or from 2000 to 2699. Again, that number tells the router two things: one, that it's an IP access list, and two, whether it's standard or extended. In this case a number in the ranges 100 to 199 and 2000 to 2699 means extended. We use an extended access list when we want to block a particular type of traffic, like web traffic, or specific traffic from a specific source address going to a specific destination address. So we use an extended access list when we need more granularity in the type of traffic we're blocking or filtering. I can also block or filter ranges of port numbers. When we look at the access list outline, it's access-list, then the number, which has to be within these ranges to be extended, then permit or deny, and then the protocol. I can specify the Layer 3 protocol IP, which permits or blocks everything carried by IP, or I can specify a Layer 4 protocol like TCP or UDP, or another member of the IP protocol suite like ICMP, the Internet Control Message Protocol, which ping and traceroute are great examples of. I can block pings using an extended access list. Then we filter on the source address and the source port; with the port operators I can say, for example, ports greater than 1023.

So gt 1023 means the ephemeral ports above the well-known range, and lt 1024 means the well-known ports. Or with eq I can specify one particular port, like port 80. What's great about this is that I can do it for both the source and the destination address and port number. These are options, though: I don't have to specify a port number. I can give just a source and destination address and block all traffic from that source to that destination. But specifying the port number gives me finer control over what type of traffic I'm filtering. Now I want to take a look at a diagram and run through some sample extended access lists. In this scenario the server in the diagram is an FTP server, so in OSI terms an application-layer FTP service is running on that system. I want to allow only one particular machine to reach the FTP service, so that host is the only one with FTP access to the server, to download and upload files or whatever. All the other machines, including the ones in the same subnet, and all the other subnets should still be able to ping this server and use it normally. Maybe there's a web server on it as well. I want them all to be able to access the server for any other service, but only this one machine is going to be able to access the FTP service.

So what I'm going to do is open up Notepad and take a look at the access list we'll create to make that happen. I've labeled the interfaces; you can see Ethernet0 and Serial0 on each of the routers. I've brought up Notepad so we can see the access list as we type it out. Again, only the host ending in .13 is going to have access to the FTP service over here. All the other machines will still have access to the server for any other service, just not FTP. So we're going to set up an extended access list so we can specify particular traffic. We start with access-list 101, and we're permitting the traffic. Now we need to know something: the Layer 4 protocol that FTP works with. You might know it off the top of your head, you might not. We need to know whether it uses TCP or UDP at Layer 4, because we're going to be telling the router to check either TCP or UDP packets. If you don't know it off the top of your head it's easy to look up; you can Google it, and there's also a file on your computer called the services file that lists the protocols and port numbers your computer uses.

Let me pull up that file. I've brought it up here and you can see the path to it: it's available on all your Windows boxes under C:\Windows (or whatever your system root is)\system32\drivers\etc, and the file is called services. I can just open it with Notepad and take a look, and it shows me all the main services and the standard ports my system uses. We're looking for FTP. Now, FTP uses two ports, one for data and one for control. The control connection on port 21 sets up the session and carries the commands, and in active mode the data itself is transferred on port 20. Typically blocking port 21, or allowing port 21 and letting everything else go, will suffice. So we're going to allow only the computer at .13 to reach that server on port 21, and we're going to tell the router to look at TCP packets, not UDP packets, because the services file shows that FTP works with TCP at Layer 4. If we get the protocol wrong it won't filter the traffic appropriately.

Let's go back and finish typing out that access list. I'm back in Notepad, and now we know the protocol to type is TCP. So: access-list 101 permit tcp, and now the source. The machine down here is 172.16.0.13. We have to specify a wildcard mask for this one IP, but instead of typing the 0.0.0.0 wildcard mask I'm just going to use the host keyword. So that's my source, host 172.16.0.13. Now, a common misconception is that when this machine sends a packet to the FTP server, the source port is also the FTP port. The destination port is 21, to set up the control connection, but the source port is not 21. The source port will be an ephemeral port above 1023. Port 21 is for the server: when you're running the FTP service, you're listening on port 21, and the client uses a different port. So we don't specify a source port for the client; we're only worried about the destination port being 21. So, back in Notepad, we leave the source port alone, meaning any port from 172.16.0.13, going to the server. Look at its subnet in the diagram: it's in the 10 subnet, 10.0.0.44, and I'll use host for that too (or, to mix it up, the wildcard mask 0.0.0.0), then eq 21, because we're only worried about port 21. The finished line reads access-list 101 permit tcp host 172.16.0.13 host 10.0.0.44 eq 21.

So what that's done is allow traffic from this machine to that server on port 21. Now all other FTP traffic going to that server we want to block, because we aren't allowing any FTP traffic aside from that one host. So the next line is a deny: deny tcp from any source, going to, and we use host again, host 10.0.0.44, eq 21. So we're denying TCP from any source to that destination: the router will check all TCP traffic from any source going to host 10.0.0.44 at port 21. The reason we have to put the port in there is that we don't want to block web traffic or whatever else this server might be running aside from FTP. The only thing we're filtering, so that this one machine is the only one that can get to it, is FTP traffic on port 21. Now the order is very important. If I put the deny statement first, then even when our permitted machine comes through and gets checked against that statement, the router says, you're part of any, so I'm going to deny you. But since the permit statement is first, when that machine comes through the router checks it and says, that's you, it says to permit you, okay, you can go through. Another machine, say this one right here with an IP of 192.168.1.95, won't match the first statement, because it doesn't have the same source address. So it goes to the next statement, and the router says, you're part of any, you're denied.

So remember, as soon as a packet hits an entry in the access list that it matches, the router carries that action out and doesn't go on to the next line. When our permitted machine matches the first statement it's permitted, and the router doesn't bother checking the next line. That's very helpful in a situation like this, where we want to block FTP from all other systems. Now the last line: we do want to allow all other traffic, like web traffic, TFTP, DNS, whatever else the server might be running. So we're permitting, and here is something very important about this permit statement. There are many different protocols carried by IP: pings, all the TCP traffic, all the UDP traffic, all kinds of things. If this is an IP access list and we permit all IP traffic, nothing else gets blocked. But if our permit statement just said permit tcp any any, any traffic using UDP, or pings, or anything like that, would get blocked. The statement that permits all the remaining traffic has to say ip, because permitting only TCP means all the other types of IP traffic can't get through.

So it's very important that you put ip, not anything else: permit ip any any, any source, any destination, and since there's no port specification, any port. Now we can go and set this access list up on the router. All I have to do is highlight it, copy it, and go into the router and paste it. So I'm on my router, I go into global configuration mode and paste the access list in. I left off the second any on that last statement; for some reason I didn't highlight it, so I have to type that word again. So now the access list has been pasted in, and if I do show run I can view it. Here it is: access-list 101 permit that one host to the FTP server at 10.0.0.44, deny all other FTP traffic to 10.0.0.44, and permit all other traffic. So anything else going to 10.0.0.44 will be allowed from any other system. But I haven't applied it to an interface yet.
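To check the three behaviours just described (first match wins, the implicit deny, and permit ip versus permit tcp on the last line) without a router, here is a small Python evaluator for Cisco-style extended access list lines. This is an added example and not code from the video; it uses the video's addresses, constructed sample packets, and 49152 as a stand-in for the client's ephemeral source port.

```python
# Added example (not from the CertificationKits video): a Python model of how a
# router walks an extended access list. Addresses come from the video; packets
# below are constructed, and 49152 stands in for a client's ephemeral port.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Packet:
    proto: str                        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0                    # client side: an ephemeral port, not 21
    dport: int = 0
    icmp_type: Optional[str] = None   # "echo" (request) or "echo-reply"

def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

def _parse_addr(t: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z'; return (addr, wildcard), next index."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":                # shorthand for wildcard 0.0.0.0
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2

def _parse_port(t: List[str], i: int):
    """Consume an optional 'eq|gt|lt N'; return (op, n) or None, and next index."""
    if i < len(t) and t[i] in ("eq", "gt", "lt"):
        return (t[i], int(t[i + 1])), i + 2
    return None, i

def parse_ace(line: str) -> dict:
    """Parse one entry, with or without the 'access-list <number>' prefix."""
    t = line.split()
    if t[0] == "access-list":
        t = t[2:]                     # named-list entries have no prefix
    ace = {"action": t[0], "proto": t[1]}
    ace["src"], i = _parse_addr(t, 2)
    ace["sport"], i = _parse_port(t, i)
    ace["dst"], i = _parse_addr(t, i)
    ace["dport"], i = _parse_port(t, i)
    ace["icmp_type"] = t[i] if ace["proto"] == "icmp" and i < len(t) else None
    return ace

def _addr_ok(addr: int, spec: Tuple[int, int]) -> bool:
    """Wildcard-mask match: a 1 bit in the wildcard means 'do not care'."""
    ip, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (ip & care)

def _port_ok(port: int, spec) -> bool:
    if spec is None:                  # no operator given: any port matches
        return True
    op, n = spec
    return {"eq": port == n, "gt": port > n, "lt": port < n}[op]

def matches(ace: dict, pkt: Packet) -> bool:
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False                  # 'ip' covers tcp, udp and icmp alike
    if not (_addr_ok(_ip(pkt.src), ace["src"]) and _addr_ok(_ip(pkt.dst), ace["dst"])):
        return False
    if pkt.proto in ("tcp", "udp") and not (
            _port_ok(pkt.sport, ace["sport"]) and _port_ok(pkt.dport, ace["dport"])):
        return False
    return ace["icmp_type"] is None or ace["icmp_type"] == pkt.icmp_type

def evaluate(acl: List[str], pkt: Packet) -> str:
    """Top-down walk: the first matching entry decides; no match is the implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if matches(ace, pkt):
            return ace["action"]
    return "deny"

# The three lines built in the transcript
ACL_101 = [
    "access-list 101 permit tcp host 172.16.0.13 host 10.0.0.44 eq 21",
    "access-list 101 deny tcp any host 10.0.0.44 eq 21",
    "access-list 101 permit ip any any",
]

# Constructed sample packets
FTP_FROM_13 = Packet("tcp", "172.16.0.13", "10.0.0.44", sport=49152, dport=21)
FTP_FROM_95 = Packet("tcp", "192.168.1.95", "10.0.0.44", sport=49152, dport=21)
WEB_FROM_95 = Packet("tcp", "192.168.1.95", "10.0.0.44", sport=49152, dport=80)
PING_FROM_95 = Packet("icmp", "192.168.1.95", "10.0.0.44", icmp_type="echo")
SAMPLES = (FTP_FROM_13, FTP_FROM_95, WEB_FROM_95, PING_FROM_95)

# Three mistakes the transcript warns about, as variants of the same list
DENY_FIRST = [ACL_101[1], ACL_101[0], ACL_101[2]]            # order matters
TCP_ONLY_AT_END = ACL_101[:2] + ["access-list 101 permit tcp any any"]
CLIENT_PORT_21 = ["access-list 101 permit tcp host 172.16.0.13 eq 21 host 10.0.0.44 eq 21"] + ACL_101[1:]

if __name__ == "__main__":
    for name, acl in [("as written", ACL_101), ("deny first", DENY_FIRST),
                      ("permit tcp any any last", TCP_ONLY_AT_END),
                      ("client source port eq 21", CLIENT_PORT_21)]:
        print(f"{name:26} {[evaluate(acl, p) for p in SAMPLES]}")
```

Run as written, the list permits the .13 host's FTP, denies FTP from 192.168.1.95, and permits both web and ping from it. With the deny moved first, the .13 host loses FTP; with permit tcp any any as the last line, the ping is dropped by the implicit deny; and with eq 21 placed on the client's source address, the .13 host's real packets (source port 49152) never match the permit and fall through to the deny.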

So let's check where we'd apply it. Now you might think I'd apply it here on the way in to the server's router, but that wouldn't affect these hosts over here. We're worried about protecting this server, and this is an extended access list, so we want it as close to the source of the traffic as possible. To filter everybody going to this server, obviously aside from our one host, which we're not filtering, the closest we can get to the 192.168.1.0 network and the 172.16 network is Serial 0. Let's call these Router A, Router B and Router C. So on Router B, to filter that out, we go to the Serial 0 interface and apply it in which direction? Remember, this is before the routing decision on this router: the traffic is entering the router. If you look at the interface as a door, it's on the way in. So we go to Serial 0 and apply the list inbound. Now the command does start with ip: ip access-group 101 in. Remember that when we created the access list we didn't say ip, because the number 101 already says IP and extended. ip access-group 101 refers to the access list, and in applies it on the way in. Now a show run lets me see that it's applied to Serial 0 on the way in and lets me view the access list; it's very important to check that. I can also do show access-lists and see my access list that way. There's one other show command, show ip interface serial 0, which is the only show command aside from show run that tells me whether an access list is set on an interface. I like show run better, but I can check it right here: Inbound access list is 101. So on Serial 0 I can see there's an inbound access list 101 applied to the interface. If I'm happy with it, I save the configuration.
Let's go back to our diagram, clean it up, and take a look at an additional scenario.

All right, I've brought up the diagram, and let's go over another scenario. I've added another Ethernet interface to Router A, Ethernet 1. So we've got Router A, Router B and Router C, and I'm going to say the subnet coming off Ethernet 0 is the 1.0 subnet and the one coming off Ethernet 1 is the 2.0 subnet. I want traffic to go between the subnets normally, so these computers over here can talk to these computers over here in the 2.0 subnet. Let's say their IPs are also 12 and 13, so we've got 172.16.1.12 and 172.16.1.13, and 172.16.2.12 and 172.16.2.13. However, I want these machines in the 2.0 subnet to be able to go to the outside world, but only to this one public IP address. They're using private IPs internally, so let's say this router is handling the translation to public addresses; let's say they all are, and I don't want to get too involved in the addressing right now. But I want to allow access to this public IP from these machines, while these other machines cannot go out at all.

So these machines can talk to each other here, but the 1.0 machines can't get out, and the 2.0 machines can get out, but only to this one public IP. Let's take a look at the access list that accomplishes that. It's extended, so I use a number from 100 to 199. I'm permitting traffic. And I'm going to apply the access list on Serial 0 of this router on the way out, after the routing decision. That way it won't affect the machines right here being able to communicate with each other; they can still talk back and forth between the subnets. However, the 1.0 machines are going to be sad, because they don't get to go out of Serial 0; only the machines down here in the 2.0 subnet get to go out Serial 0. So let's go back and finish that access list. I'm permitting, and I'm just going to permit all traffic.

So, ip traffic from the source, which is 172.16.2.0, the subnet down here, and I used a wildcard mask of 0.0.0.255. What that says is that the first three octets have to be 172.16.2 and the last octet doesn't matter. The 1.0 machines won't match, because their third octet is 1: 172.16.1.x doesn't fit the mask, so they're not permitted. The destination is host 20.9.77.3, the one public host IP that represents whatever services are running back there. And I'm allowing any port, so I don't have to specify a port. At this point, if I don't want any other traffic going out of this interface, if all I want is this subnet going out to those machines over there, I'm done. I have my one permit statement, and everything else is blocked because of the implicit deny any at the end of every access list. It's there whether I write it or not, so I'm allowing the 2.0 subnet to go out to this one public IP and that's it; I don't have to write any deny statements. One permit statement works just fine. Now I have to go to the router and apply it. All right, I'm back on the router, and this one goes on the Serial 0 interface on the way out. So I go into privileged mode, then global configuration mode, and paste the access list. Now I go to the Serial 0 interface and apply it outbound with the ip access-group command: ip access-group 111 out. A show run verifies that the access list has been applied to the interface. The old one is still there too.

So I'll get rid of that, and again, to get rid of something all I have to do is type what I see in the prompt: interface Serial 0, Enter, then no and the old ip access-group line. I can remove the old one just by copying and pasting it right into the prompt after no, which makes it real easy. Do a show run, and that's much better. I see my access list 111 permitting traffic from the subnet 172.16.2.0 to host 20.9.77.3 on the way out of Serial 0. Back on our diagram, Serial 0 is right here; traffic goes out Serial 0 and is allowed to go to this destination IP. Now what I want to do is take a look at how we'd create similar access lists using named access lists. Instead of relying on a number like access-list 101 or 111, we're going to use names. The nice things about names are that they're a little more intuitive and that you can remove individual statements without deleting the entire access list. Let's go back to the prompt and take a look at what I mean. I've brought up the router prompt, and now we're going to configure a named access list.
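The wildcard mask in the 172.16.2.0 0.0.0.255 line is worth seeing bit by bit, since it is the inverse of a subnet mask and does not have to be contiguous. The following Python is an added example, not code from the video; the host list is built from the video's addresses plus one made-up host, 172.16.3.7, included to show a wildcard that spans two subnets.

```python
# Added example (not from the CertificationKits video): how a wildcard mask
# selects addresses. Hosts are the video's, plus a constructed 172.16.3.7.
import ipaddress
from typing import List

def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def to_str(n: int) -> str:
    return str(ipaddress.IPv4Address(n))

def wildcard_for_prefix(prefix_len: int) -> str:
    """The wildcard is the bitwise inverse of the subnet mask: /24 -> 0.0.0.255."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return to_str(~mask & 0xFFFFFFFF)

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard means 'ignore this bit'; a 0 bit must equal base."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)

def matching_count(wildcard: str) -> int:
    """Every 'do not care' bit doubles the number of addresses an entry covers."""
    return 1 << bin(to_int(wildcard)).count("1")

def select(hosts: List[str], base: str, wildcard: str) -> List[str]:
    """Hosts that an entry 'permit ip <base> <wildcard> ...' would match."""
    return [h for h in hosts if wildcard_match(h, base, wildcard)]

HOSTS = ["172.16.1.12", "172.16.1.13", "172.16.2.12", "172.16.2.13", "172.16.3.7"]

if __name__ == "__main__":
    print(wildcard_for_prefix(24))                      # 0.0.0.255
    print(select(HOSTS, "172.16.2.0", "0.0.0.255"))     # the 2.0 subnet only
    print(select(HOSTS, "172.16.2.0", "0.0.1.255"))     # 2.0 and 3.0 together (a /23)
    print(select(HOSTS, "172.16.2.0", "0.0.0.254"))     # even last octets in 2.0 only
    print(select(HOSTS, "172.16.2.13", "0.0.0.0"))      # what 'host 172.16.2.13' expands to
    print(matching_count("0.0.0.255"))                  # 256
```

The 0.0.0.254 case is the one to remember when reading unfamiliar lists: a wildcard is not a subnet mask, and a non-contiguous one matches a pattern of addresses rather than a block.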

So we go into global configuration mode, and the big difference with a named access list is that we start by telling the router the protocol. Remember, with a numbered list the number told the router the protocol and whether it was standard or extended. Here we tell it explicitly: ip access-list says this is an IP access list. Now it wants the type, and standard or extended is what we're after. Let's say this is going to be an extended access list, and now it wants a name. We could give it a number if we wanted, but the big plus here is that we can give it a name, so we'll call it block-ping. So we've said ip access-list extended block-ping, and the name is intuitive: we're going to be blocking pings with this access list. Notice it takes us into a new mode, the extended named access list configuration mode. All we do now is start each line with permit or deny; we don't have to repeat ip access-list extended block-ping, we just enter the entries. So we say deny icmp any any echo, where echo is the echo request of a ping, just as I would finish any other ping-blocking access list. Then a permit statement, permit ip any any. So we go in and create it and we're done. If we do a show run, we can take a look at it: ip access-list extended block-ping.

That's our named access list, with its entries under it. Now maybe I didn't want to block the echo request but the echo reply, which is the response to a ping's echo request. Here's the nice thing about named access lists, though it doesn't turn out to be that big of a benefit. I'm going to copy the ip access-list extended block-ping line so I can get back into that access list mode. Copy, paste, and there it is. I want to remove just this one line. So instead of typing it all out again, I copy the line, type no, paste it, Enter, Ctrl-Z, show run, and verify that the one line is gone. So I can remove an individual statement from a named access list. I can't do that with a numbered standard or extended list, because the no command removes the whole thing. Again, this is an extended access list, but it's a named one; if I did the same thing with a numbered list, I'd remove the entire access list. I can't remove one statement there.

So what I'm going to do is put that statement back, but specifying echo reply instead of echo request. I paste the ip access-list line to get into access list configuration mode, and then deny icmp any any echo-reply. I think it's echo-reply with a dash; let me check. Yes, with a dash. Enter, Ctrl-Z, show run. So I can remove an individual statement and put another statement back in. But the big problem is that I can't reorder the statements. My permit statement is now first, and with permit ip any any first, all traffic hits that first statement and goes through; traffic will never reach the next statement in the access list, so I will never be blocking echo replies. (Newer IOS releases give each entry in a named access list a sequence number and let you insert a line at a chosen position, which removes this limitation.) So the main benefit here really, I think, is the ability to give the list a name. But you can build the list in Notepad, save it under a meaningful name, and have all the information there. This is just another way to create the access list on the router that's a little bit more flexible. All right, let's talk about what to do when we want to troubleshoot our access lists. We'll go to a CCNA slide first, because I want to make some points before we go in and use our show commands on the router.

I brought up this CCNA slide because there are some points I want to make about CCNA-level troubleshooting, especially with extended access lists. The fact that an extended list filters on port numbers, not just all traffic from certain sources or destinations, is very important, and it makes things much more complicated. It's important to know your traffic. If you're filtering traffic going to or coming from a particular subnet, and there are a bunch of different services on it that you want outside devices to be able to reach on different machines, it's very important to understand which port numbers those machines are listening on, what services they're offering, who's going to be accessing each service, all that information. Get that information and know it well. If you don't know it, or you get the wrong protocol or port number, you're going to be blocking traffic you need or allowing traffic you don't want, which may be worse. Make sure your permit statements are correct. If you don't have at least one permit statement in your access list, the implicit deny at the end blocks everything. So make sure you're permitting what you want to permit. Verify all the IPs in the access list; look very closely, read them aloud to yourself. Remove the access list and see if the traffic can pass. If you're having trouble getting particular traffic in, remove the access list and see if that traffic gets in once the list is gone. If that fixes it, then you need to look more closely at the access list.

If you're still having trouble figuring it out, try entering the access list one line at a time. Add one line, test the traffic, then add the next line. That way you'll be able to isolate the line in the access list that's really causing the problem. Now let's go back to the router prompt, use a couple of show commands, move around in there to verify our access list creation, and make sure we can see where it's applied, all with a couple of basic show commands. I'm on my router prompt and I'm just going to take a look at the router with the access lists on it. First is show running-config, probably my favorite command of all of them. On Ethernet 0 I can see there's an access list applied: access list 101 on the way in. On Serial 0 I can see access list 102 applied on the way in. There's also an access list that isn't applied anywhere, so I should just get rid of it. To get rid of it and clean up my router, all I have to do is copy its line, go to global configuration mode, type no, and paste. Now I do a show run to view the access lists that are applied to the interfaces, and that access list is gone. I always get rid of any excess stuff, because I don't want it confusing me when I'm looking at my router config. So in access list 101 I've got some ports here; I'm permitting a bunch of ports and blocking all other ports. I'm stopping the host 172.16.5.3 from getting out to any destination with FTP, for whatever reason, and I'm permitting all other FTP traffic, control and data. It's important, when I'm writing permit statements like this rather than just denying traffic, that I permit the data port as well, because whatever isn't specified in the permit statements will be blocked by the implicit deny all at the end of every access list. So I'm permitting FTP control and data, TFTP, web, and port 443. That's on the Ethernet interface.

So that's coming from any source, going to those different services; that's what I'm allowing out to the web. Then this is my serial interface on the way in, access list 102: deny icmp any any echo, blocking pings. That's a very common access list to put on your serial interface: I don't want people to be able to ping me and find out that I'm there. And I'm permitting all other traffic on the way in; if I didn't have that permit statement, I'd block everything. show ip interface again lets me see that an access list is applied to an interface: inbound access list 102 on the serial interface, no outbound access list. So it's very important to know the directions; make sure you have the direction correct, and here's where you can check it, as well as in show run. If there's a problem with the access list and I figure something out, and I don't have it in Notepad, I'll copy the access list, bring up Notepad, paste the access list in and make my changes. So maybe I want to make a change; maybe instead of TFTP I'm going to allow a different service, something like that. All I have to do is make my changes here, highlight it, copy it, and put it back into the router, but first I remove the existing access list with no access-list 101. Notice, as I pointed out earlier, that I can't remove an individual statement from a numbered access list, extended or standard; if it's named I can. Here all I did was no access-list 101, and if you watch when I do a show run, the whole access list is gone. Taking a look at it, the whole thing is gone. That's why it's nice to work in Notepad: if I want to remove a particular line, I just delete that line in Notepad, Ctrl-A, Ctrl-C, remove the list from the router, and paste it back in.
Now the whole thing is back and I didn't have to retype all of it, and if I do a show run I can see my access list is back. So that makes it pretty easy to go in and do that.

Again, the key thing is that there aren't a lot of tools here for access lists other than show run and really verifying what the access list is doing, making sure it matches what you want to accomplish on your network. So we've talked about when to use extended access lists, the number ranges, and the commands we use to create them, and we went in and created a few different access lists. With named access lists, again, I don't see a huge benefit other than the name; it's a little nicer to have the name, and you can remove an entry, but you can't reorder them, so typically you'll still be configuring in Notepad. And in troubleshooting it's very important to pay attention to the little details, and to know your traffic: know what traffic you want to allow and what traffic you want to deny. I hope you have enjoyed this CertificationKits CCNA training video on extended access list configuration.