Join Chris Bryant for an in-depth discussion in this video, "A refresher," part of CCNP Troubleshooting (300-135) Cert Prep.
- [Instructor] Before we dive into this section on access lists, just a quick word here about this first video in the ACL section. I'm going to do something I rarely do, and that is go only from the screen. And the reason I'm going to do that is that this is more of a refresher video; and do not go to the next video just 'cos I said that, I saw that one person doing that. Sincerely, this is an important refresher on the fundamentals of ACLs, and we know by this point in our studies that ACLs are not just for permitting and denying traffic; they are everywhere in your Cisco configs.
You're going to use them in NAT, you're going to use them in security, you're using them to identify traffic more often, really, than you are just blocking and permitting packets to go through a router. And the voice of experience speaks here, believe me: whether it's in a lab, whether it's in a production network or a certification exam, you can save yourself a lot of troubleshooting time when you have the fundamentals of ACLs down cold. And speaking of those, the first fundamental is that they run from top to bottom; this is not a best-match situation.
When a packet exits or enters an interface that has an ACL applied, the packet is compared to the first line of the ACL. And if the value of the packet matches the first line, then the action defined is taken and that's it; so that's a long-winded, fancy-schmancy way of saying if the first line matches, that's it, that's the end of it. And the ACL I have for you on the board here, ACL 6, permits 126.96.36.199 and denies everything else, and we're going to review any and host in a moment, but we know that deny any denies everything, so if a packet with a source IP of 188.8.131.52 is matched against the ACL, the permit is going to be applied; anything else, and it's going to be the deny. And that leads us to a discussion of the number one ACL troubleshooting issue, especially when you're getting started, man.
I went through the exact same thing when I was getting my CCNA, and it's like, you know, don't forget the invisible denies, as I would call it from time to time; officially, it's called the implicit deny, so don't call it the invisible deny like I did. When no match is found in a given ACL, the ACL still has to be able to take some kind of action, and that's what the implicit deny is. Because if a packet is not expressly permitted, it is implicitly denied, and explicit denies do not override the implicit deny.
And this could be a classic CCNA question, I think you'll agree with me; it's like, I'll show you this ACL and then ask you what the net effect of the ACL is. And it's really easy to look at it and say, okay, well, the first line denies 184.108.40.206, the second denies 220.127.116.11, and then the third line, you know, 18.104.22.168/16. And the truth is, those are true statements, but these explicit denies do not override the implicit deny, so actually what this ACL does is deny everything.
If we wanted to permit everything that was not denied by the first three lines, of course, we'd put a permit any in. Now, as far as standard ACLs go, how can I know, how do I know what value is actually shown here? I know it's an IP address. We all know that. But is it a source address? Is it a destination address? You know, what is it? Well, we know it's a standard ACL because of the number; we know that's in one of our two standard ACL ranges. And the reason we know that's a standard ACL is the limitation we run into with standard ACLs: they can only match on one value, and that's a source IP address.
No destination IP option, no port numbers, no nothin'. So if you only need to match on the source IP address, and that does happen from time to time of course, you know, that's perfectly fine; and here's the full numeric range of ACLs. And still there are one or two in here I've never used; I mean, I know they exist, but you could go a long time in your career, depending on what you're doing of course, without using some of these ACL types. But I would certainly be familiar with the two standard ACL ranges, 1 through 99 and 1300 through 1999, and of course your extended ACL ranges, the first one 100 through 199, and the expanded range 2000 through 2699.
Now, all you have to do for a standard ACL is this, you know, that's really it; you put the number in, you put the source IP address range in, even if it's just one address, add the log option if you want to log the matches, and you are all set. You know, that's really all there is to it. Now, there are two different ways you can really verify an ACL: show ip access-list or show access-list. And I like to use show ip access-list, just to have it in mine, and if you just want to look at one ACL, this is an important filter people forget about.
Show ip access-list and follow it with a number, because you can go on a router that's got hundreds of ACLs, and you don't want to just do, you know, show access-list or show ip access-list, 'cos you're going to be hitting the enter key a lot, you're going to be hitting the space bar a lot trying to get to your ACL; so just put the number in, and it's going to give you all the lines for it. And if you're wondering what that 10 is in front of that permit, this is a feature you haven't seen before: it's a sequence number, and we're going to be working with those live, because they really come in handy.
But note on the previous line I showed you, the numbers 10, 20, and 30: I did not put those in manually, those are defaults. They start at 10 and increment by 10 for every line that you enter; that's your preview. Like I said, we're going to go over those shortly and see them in action. Now, back to host and any. You know, every once in a while, and we've seen a couple here already in just six minutes, you'll sometimes have an ACL that should-- an ACL line that should only match one particular address. Now there's nothing wrong with using a wildcard mask of all zeroes; you know, you've gotten over that thing in the CCNA where you say, that just looks funny, 'cos I went through the same thing.
It might look funny, but it's perfectly legal. You can also use the host option. And each of the two ACLs I'm showing you here, 11 and 14, they do the exact same thing. You know, you've got permit host 22.214.171.124, and then in 14 you've got the subnet, excuse me, the wildcard mask of all zeroes. Note that host comes in front of the address and the wildcard mask comes after it. I don't think that's going to pop up on your CCNP-level exam, but it's a good thing to note, and if you're writing one live and you get the little caret, that could be why.
Now the any option is especially helpful for those of us who hate to type numbers, and it's used to represent a wildcard mask of all ones, 255.255.255.255, and each of the two ACLs I have here for you, 19 and 20, they do the same thing. So for those of us who hate to type, period, or just want to get the line done a little quicker, it is actually much quicker just to type 19 permit any and you're done; and in 20, permit, put an address there, and 255 for each quadrant in the wildcard mask simply indicates any.
Now, neither one of these methods is right or wrong, 'cos I do hear that in CCNA: which one should I use? Use the one you're most comfortable with, and of course, for a CCNP-level exam, you should be comfortable with all the options shown here. Extended ACLs. Now, if we need to match on something more than just that plain old source IP, this is the way we're going to go. And not only do extended ACLs allow for a source and destination IP address to be entered for each line, extended ACLs actually require it.
So even if you want to only match one of the two in a given line, and you don't care about the other, you still have to put any for the one you don't want to use. And the ACL I'm showing you here, along with the long list in IOS help, shows you the huge list of options that are available with extended ACLs, and just taking a few, looking at a few here, IP protocol numbers: you've got EIGRP at the top, GRE tunneling, going down you've got IP, and then of course TCP and UDP down here at the bottom. We would simply follow that with IP and then the source and then the destination; since we don't care about the source for this particular line, I just put any there.
And here's where we end up. With any, host, and then you've got to put in your destination, 126.96.36.199, and go from there. So, our final ACL line, we've got any and host in there. So ACL 101 permits IP from any source IP address, and then the destination address has to be 188.8.131.52. Now the options you see along the way, and you see some different ones here on the screen now as far as logging, precedence, time range (you may have written time-based ACLs before), the options also include source port and destination port, and note that while the source and destination IP addresses are required in each line, the source and destination ports are totally optional.
So, for an extended ACL line to be considered a match, this is an AND situation, not an OR situation. If you enter something for the source and something for the destination, which you have to do on every line, both of those must match in order for the event to take place that you've defined, whether that be permit or deny. And of course, if you put in port numbers or anything like that, it has to match as well. But the ACL I'm showing you a quick illustration of here will match only if the source IP address is 184.108.40.206 /24 and the destination is 220.127.116.11 /24.
And I've just written that here quickly for you on the board, and one quick reminder about the end of this, because you see the ACL that we've written there, you know the syntax, you know the sequence number, and we'll definitely see those in the next video. But something to watch out for, when you're taking any Cisco exam, is the double any any at the end, 'cos that looks a little odd. But to negate the implicit deny in an extended ACL, you have to enter any twice: once for the source, once for the destination. That wraps up our review of standard and extended ACLs.
Take a breather, I'll see you in the next video, and we'll move into some labs.
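The matching rules reviewed above (top-to-bottom first match, the implicit deny, wildcard masks, the host and any shorthands, and the source AND destination requirement on extended lines) as an added Python simulator. This is example code written for this page, not from the course or from Cisco IOS; it assumes a simplified line syntax without the access-list number, and it does not model port numbers, protocol matching, or the other extended options.

```python
import ipaddress

PROTOCOLS = {"ip", "tcp", "udp", "icmp", "eigrp", "gre"}  # extended-ACL protocol keywords

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match exactly, a 1 bit is don't-care."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)

def parse_spec(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acl(lines):
    """Parse ACL lines as typed after 'access-list N'. A line without an explicit
    sequence number gets 10, 20, 30... as IOS does. Ports are not modelled."""
    entries, next_seq = [], 10
    for line in lines:
        tok = line.split()
        seq = int(tok.pop(0)) if tok[0].isdigit() else next_seq
        next_seq = seq + 10
        action = tok.pop(0)
        proto = tok.pop(0) if tok[0] in PROTOCOLS else None  # present only on extended lines
        src, tok = parse_spec(tok)
        dst = parse_spec(tok)[0] if proto else None  # extended lines require a destination
        entries.append((seq, action, proto, src, dst))
    return entries

def evaluate(entries, src, dst=None):
    """Top to bottom, first match wins. Extended lines need source AND destination
    to match. No match at all -> the implicit deny, reported with sequence None."""
    for seq, action, proto, (sb, sw), d in entries:
        if not wildcard_match(src, sb, sw):
            continue
        if d is not None and not wildcard_match(dst, *d):
            continue
        return action, seq
    return "deny", None

if __name__ == "__main__":  # constructed sample: the all-deny ACL from the video
    acl = parse_acl(["deny host 184.108.40.206", "deny 18.104.22.168 0.0.255.255"])
    print(evaluate(acl, "10.1.1.1"))  # ('deny', None): a source never named still hits the implicit deny
```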