Hi, welcome to this CertificationKits CCNA training video covering Access List Concepts. We are going to be talking about what Access Lists do: packet filtering, Standard Access Lists versus Extended, some general guidelines to follow when creating and applying Access Lists, as well as the Wildcard Mask. Let's go in and talk a little bit further about what packet filtering will do for you. Packet filtering, the sort of Access List we're going to do, filters traffic based on certain criteria.

We can filter traffic before the routing decision. So if we create an Access List, where we place it will determine whether it filters the traffic before the routing decision or after the routing decision. Let's take a look at what I mean. I have a machine over here on the other side of router B, and if I want to stop particular traffic from getting out of this subnet right here, what I could do is place an Access List on this interface, and I would place the Access List on that interface on the way in. It's very important to understand the concept of in or out when we're placing our Access List, because we apply them to an interface (this is a router I'm drawing); we apply them to an interface and then we have to specify the direction of the traffic flow, out or in. It's very important to look at the router as a room. Everybody is hanging out in the room, and these interfaces are doors. To get into the room you've got to go in the door. If you're going out of the room, you're going out of the door. So, in this situation a lot of times people look at their subnet as the inside. It's not inside of anything; it's inside of the router that the in or out refers to. So if I want to stop traffic from this machine, maybe this guy made me mad so I'm blocking all of his traffic from getting out, I would put that Access List on this interface on the way into the router, because it's entering the router. Into or out of the router; what will we do? Just stop him right here, before the routing decision.

Maybe I want to allow this computer to go out of this interface but not out of this interface. I don't want all of them to go out serial0. So the way I could deal with that situation is to put the Access List on serial0 on the way out. Then what would happen is that would be after the routing decision. The packet entered the router, it does all these things — routing table lookup, all that says all right, need to go out of serial0. Oh wait, he can't. That's after the routing decision, so again before or after depending on in or out. Now we can permit or deny traffic, so it's very important to understand something with an Access List. Let me clean up the CCNA slide and talk about that further. Much better. It's always important to understand that Access Lists are always going to be blocking some traffic, or at least that's the way they're designed, because at the end of every Access List is an implicit deny any.

So if I go in and I use a permit statement in an Access List allowing this computer right here to go into this interface, and I just leave one permit statement permitting this IP, any other computers would be blocked. Because what happens is the Access List makes sure that every IP address matches a statement. If it doesn't, it will match with this statement right here, the implicit deny all. Unless it's explicitly told what to do, it's going to block the traffic just in case. Even though this guy might be trying to get out and the Access List doesn't say to stop him from getting out, it also doesn't say to let this computer get through this interface. So to be safe, the router is going to block the traffic. So again, when permitting traffic realize that you are blocking everything else. Permit statements are for when you just want to allow a few types of traffic in and then everything else would be blocked.

Now, Standard versus Extended Access Lists. Cisco recommends that you place Extended Access Lists as close to the source as possible. Extended Access Lists block very specific traffic. So I can block traffic from this guy right here only on port 80. I could shut down all web traffic if I wanted to. Something like that is possible; you put it on this interface right here, maybe E0, as close to the source as possible. A Standard Access List, since it blocks all traffic from that particular host, you want as close to the destination as possible.

So if I'm trying to stop, I don't know, this machine from getting to this subnet right here; maybe there are some servers and stuff like that he's been messing around with and I don't want him going over here for whatever reason. As close to the destination as possible, which would be on this interface, E0 on router C, on the way out. It's very important: standard is as close to the destination, extended as close to the source, as recommended by Cisco. So again, with the Access List we can filter before or after the routing decision. Before would be on the way in; after, on the way out of an interface. We can permit or block traffic. Just remember at the end of every Access List is an implicit deny any, and if it's not specified to allow the traffic, it's going to block it. And then standard is as close to the destination as possible and extended is as close to the source as possible.

Let's go in and take a look at another CCNA slide. I want to go over Standard Access Lists versus Extended Access Lists a little bit further. Now when we are creating an Access List, there are certain number ranges that specify the type of Access List; the number tells the router two things. One, it tells the router standard or extended. If the number is between 1 and 99 or 1300 to 1999, it's a Standard Access List. If it's between 100 and 199 or 2000 to 2699, it is considered an Extended Access List. One additional thing it tells the router is the protocol. Any of these numbers here will tell the router that it's going to be looking at IP traffic.

So right here between the data link and the network layer, where actually the LLC portion of that data link sub layer specifies the type field. The Access List will look in the type field, and the type field of a packet tells the device what type of layer three packaging was used, like IP. So in the type field it's looking for IP traffic, and that's how it knows, because in the type field it says this is IP traffic. So it says look for IP traffic. A Standard Access List is going to block or permit traffic based on a source IP address. So it will look for IP traffic and then go in and take a look at the actual IP address that it originates from. That's all a Standard Access List is going to block on. So a Standard Access List would look something like this: access-list and then we specify our Access List number right here. If it's between 1 and 99 it's going to be standard. So I could use the number 1 and then I have to specify am I permitting or denying. I am permitting. I type permit, then there are a couple of different things I could do here. I could just put an IP address for the host, and basically whatever I put here is going to be the source address. We're going to get into that in more detail under configuring Standard Access Lists.

Now, very important. All traffic from that source, when it's a Standard Access List, is going to get blocked or permitted based on what you're trying to do. So it's very important you understand that you're not just blocking web traffic or Telnet traffic or whatever; you're blocking all traffic from that source. An Extended Access List is a little bit different. My CCNA slide gets so dirty so fast. I've got to clean house. An Extended Access List, as I said, is a little bit different: 100 to 199 or 2000 to 2699. An Extended Access List is going to look at a lot more than just IP and the source address. It does look at the type field that's specified with the logical link control sub layer, so that type field right here is specifying IP traffic. It's also going to look at the IP information, source and destination address. It's going to look inside the packet. It's called a packet at layer three of the OSI model. It'll look inside of that packet for the source and destination addresses. Then it's going to look at what's called the protocol field, the protocol number here; it will look at that and then determine TCP. We can block TCP traffic, UDP traffic, all different types of IP traffic we can block, because it goes in and looks at this protocol field. It tells the router whether TCP or UDP was used at layer four. And the last thing it's going to look at is the port numbers, right here in the OSI model between the transport and the session layers; it's going to look at the port numbers. The port numbers tell us the applications. Like port number 80, HTTP; most people know that port number. TFTP, port 69. So, it's going to go in and look at the port number, and based on that port number we'll tell the device what application we're blocking. So an Extended Access List is going to look at a lot more.

Now, when we create this Access List, it's possible for us to block — let's say I'm going to do access-list 1 permit, and then I want to block a particular address. So, 172.16.0.1, based on what's called a Wildcard Mask. I can block just this particular IP. I can block the entire 172.16 network. I can block the 172.16.10.0 subnet, or I can block a range of subnets, all depending on this Wildcard Mask. This Wildcard Mask is very important when creating Access Lists, as well as with OSPF and stuff like that where we use the Wildcard Mask.

So let's go in and take a look at the Wildcard Mask and figure out how this thing actually functions. The Wildcard Mask tells the router whether or not an IP address is going to match the permit or the deny statement. So let's say I have an IP address of 172.16, I don't know, this machine down here; it will be in the one subnet so it will be 1.10. So if I want to block that particular machine or permit that particular machine, I would specify that machine's address, 172.16.1.10, and then I would put a Wildcard Mask of 0.0.0.0. Zero means the entire IP address must match the statement. So when it's comparing information, let's say this machine's IP address is .20. When this machine sends information, and let's say the Access List is applied here on the way in, so it's before the routing decision, and the machine with an IP address of .20 sends the information, the Access List is going to check that packet and look at the source address and it's gonna go, "okay, this has a source address of 172.16.1.20. Let me check it against the statement." Zero must mean there is a 172 in the first octet; there is. Zero must mean there is a 16 in the second octet; there is. Zero must mean there is a one in the third octet; there is. Zero must mean there is a 10 in the fourth octet; there's a 20, so this IP address does not match the statement.

You can have a bunch of different statements in an Access List, and it's going to check them all until it finds one that matches. But the Wildcard Mask really determines whether or not it's going to match the statement. This zero here means it must be a 10 or it does not match the statement. If I wanted to stop all or permit all of the computers on the subnet, I would use this Wildcard Mask right here, 0.0.0.255. Let me clean this up and then we will take a look at what the 0.0.0 with the .255 in the last octet is going to do. All right, I cleaned up the CCNA slide, and while I was at it I just cleaned the rest of it out because my handwriting is not the best. So we've got the IPs 10 and 20 here. What I want to do is permit all of the computers in this subnet. Maybe I applied the Access List here on serial 1 on the way out, so I'm allowing all these computers on the subnet on the way out. And what this does is the same. I'm going to take a look at this machine again, 172.16.1.20.

So we've got the 172.16.1.20 sending information out of that interface, and the router is going to look at the statement and see whether or not this information, or the source address, applies. So it's going to check it. Zero means it must be 172; yes. Zero means it must be 16; yes. Zero means it must be a one in the third octet; it is. 255 means it does not matter what is in the fourth octet, so since it doesn't matter what this is, it could be any number; it applies, and it will permit that traffic to go out of that interface. If I want to allow the whole network, what I would do is use 172.16.0.0 with a Wildcard Mask of 0.0.255.255, and then I would permit the entire network.

So maybe this might be, I don't know, instead of 172 that might be 192.168 up here. It might be this network up here and we're allowing all 172.16 traffic to go out of that interface. So again, this is our statement: 172.16, entire network. 0.0 means it must be a 172, must be a 16; 255.255 means the third octet doesn't matter what it is, and the fourth octet doesn't matter what it is. So any machine with a 172 and a 16 in the first two octets would be permitted to go out of this interface. If, I don't know, instead of being 172.16 down here this was a 10.0.0 network, and this was the only statement, permitting 172.16.0.0 out, these machines would not be able to go out of that interface, and only the ones with 172.16 in the first two octets would be able to go out the 192.168.1.0 interface. So remember, there's an implicit deny any at the end of every Access List.

Let me clear this up one more time and take a look at how we can block a range of IPs or a range of subnets. All right, here is the situation. We're going to allow a range of subnets with one statement. So with this one statement, access-list 10 permit 172.16.4.0 0.0.3.255, we will actually be permitting subnets 4.0 through 7.0. So we don't have to mention the 7 in the statement, as it's covered by this number right here. And what happens is it's basically just like a subnet mask: a Wildcard Mask comes down to a bit comparison. The zero means okay, any IP with 172 in the first octet; zero means any IP with 16 in the second octet, so that's got it. And what I have here is the .4 subnet, the .5 subnet, the .6 subnet and the .7 subnet. I broke them into binary so we could look at what's actually happening with this Wildcard Mask. So any machine with 172.16.4.0, 5.0, 6.0 or 7.0 is going to match the one statement, 172.16.4.0 0.0.3.255. I broke it into binary. They're all going to have 172 and 16 in the first two octets, and then let's take a look at what happens next. If we're looking at this three here, this is the three broken into binary. A zero in this binary here must mean it must match, so the first six bits in the Wildcard Mask have to match. And if you notice, in binary in the third octet here the 4, 5, 6 and 7 all have the same first six bits: 000001 in the first six binary spaces of that octet. Then they differ: 4 is 00, 5 is 01, 6 is 10, 7 is 11. So since they all differ, we tell a range by using a Wildcard Mask with a turned-on value there. It means it doesn't matter what is in that binary space. So it doesn't matter whether there's a zero or a one there; any value matches. And by having another one there, any value matches there. So we cover an entire range of 4, 5, 6 and 7 by using this custom Wildcard Mask of 3.255.
255 again means it doesn't matter what is in this last octet. So anything with 172.16.4, .5, .6 or .7 and anything between 1 and 255 in the last octet is going to be valid and allowed to go through.

So again, it comes down to where they become different, and they become different right here between the 6th and 7th binary space in the octet. So to cover that, we just turn those bits on and any combination is permitted now. We can't just add any combination to get there. They've got to be sequential, and it's going to start with an even number, because we need to be able to cover any of these numbers in the back. So, all we have to do is create a custom Wildcard Mask there. If we had the right subnets and I wanted to do it the easy way, I want to figure out what would allow me to block 172.16.4.0 through 172.16.7.0. All I would have to do is subtract. I know it's got to be 172 and it's got to be 16. I subtract the 4 from the 7 and that gives me 3. Anything goes in the last octet. That will tell me my Wildcard Mask.

But you have to be careful, and again this is what's happening in that binary. We're actually just turning on a portion of the bit values in that third octet, so anything goes in the last two binary spaces but the first six have to match 000001 in the first six. So that's our Wildcard Mask, and again we can manipulate that in many different ways to permit or deny specific IPs, specific subnets, specific networks or a range of IPs. So, in this CCNA video we've talked about packet filtering with Access Lists and the basic concepts: standard versus extended, 1 to 99 means an IP Standard Access List, 100 to 199 IP Extended, and again the big difference is standard only looks at the source address. Extended looks at the source, the destination, protocol, port number, a lot more information, so we can get very specific as to what type of traffic we're blocking. Some general guidelines: don't forget that implicit deny any at the end of every Access List. Every Access List has to have at least one permit statement; if it doesn't, it's going to block all traffic, period. And then the manipulation of that Wildcard Mask to get specific as to whether we're going to be blocking a host, a subnet or a network. So I hope you have enjoyed this CertificationKits CCNA training video on Access List Concepts.
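The wildcard bit comparison, the first-match-then-implicit-deny walk through the statements, and the "subtract the 4 from the 7" shortcut described above, as an added Python model that is not part of the video or of Cisco IOS. The statement list and the sample source addresses are constructed; the alignment check in range_wildcard is the caveat the video raises about the range having to line up.

```python
# Added example (not from the CertificationKits video or Cisco IOS): a small
# model of how a standard IP access list compares a source address against
# each statement with a wildcard mask, then falls through to implicit deny any.
import ipaddress


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(source: str, statement_addr: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard mask means 'this bit must match';
    a 1 bit means 'don't care'. Compare only the bits we care about."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(source) & care) == (to_int(statement_addr) & care)


def evaluate_acl(acl, source: str) -> str:
    """Walk the statements in order; the first match decides. If nothing
    matches, the implicit deny any at the end of every access list applies."""
    for action, statement_addr, wildcard in acl:
        if wildcard_match(source, statement_addr, wildcard):
            return action
    return "deny"  # implicit deny any


def range_wildcard(first: str, last: str) -> str:
    """The subtraction shortcut from the video (last minus first), applied to
    the whole address. It is only valid when the block size is a power of two
    and the first address is aligned to that size; otherwise the mask would
    also match addresses outside the intended range, so refuse."""
    diff = to_int(last) - to_int(first)
    if diff < 0 or diff & (diff + 1) or to_int(first) & diff:
        raise ValueError("range is not an aligned power-of-two block")
    return str(ipaddress.IPv4Address(diff))


# Constructed sample: the single statement from the video,
#   access-list 10 permit 172.16.4.0 0.0.3.255
ACL_10 = [("permit", "172.16.4.0", "0.0.3.255")]

if __name__ == "__main__":
    for src in ("172.16.4.1", "172.16.7.254", "172.16.8.1", "10.0.0.5"):
        print(src, "->", evaluate_acl(ACL_10, src))
    print(range_wildcard("172.16.4.0", "172.16.7.255"))  # 0.0.3.255
```

Sources in 172.16.4.0 through 172.16.7.255 return "permit"; anything else hits the implicit deny, and a misaligned range such as 172.16.5.0 to 172.16.6.255 is rejected rather than silently widened.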