What is an ACL and its rules

Lazaro Diaz
A free video tutorial from Lazaro Diaz
Network Engineer, Cisco & Microsoft Instructor
4.3 instructor rating • 25 courses • 97,965 students

Lecture description

In this lesson you will learn the rules of ACL's when creating and applying them to an interface.

Learn more from the full course

Cisco CCNA R/S (200-120 & 200-125): The Complete Course

This complete Cisco CCNA course will cover everything you need to prepare for the 200-120 & the NEW CCNA 200-125

48:26:32 of on-demand video • Updated February 2019

  • This is a complete & comprehensive CCNA R/S, the CCENT & ICND2. It is designed to prepare the student to be able to take any of these certification exams.
  • Once they finish this course, the student will not only have the confidence to take and be able to pass the test, but they should be able to transfer the knowledge acquired to a networking environment.
  • Understanding the concepts as provided in this course is an essential part of any network in order to communicate and transmit information. Mastering this knowledge will make the student or IT professional a much more valuable asset in any network or IT environment.
  • This course will change over to the new CCNA 200-125.
  • The student will have both the lectures from the old CCNA 200-120 (which covers about 70% of the new test), but it also covers all the new topics and lectures for Cisco's new exam, the CCNA 200-125.
Welcome back, ladies and gentlemen. We have traveled far. We've gone through routing protocols. We've gone through static routes. We've learned how to configure our switches, spanning-tree and VLANs. It now comes time to secure our network. Now obviously, there are many ways to secure a network. The way that we need to secure a network, the way that we need to learn, is really through the use of ACLs. I'm gonna use the lab that we used in the previous session, or section, that has all these configurations; we've got connectivity going back and forth between our VLANs and all that. So we will be doing access lists in order to control the traffic. Right? It's like a filter. An access list is like a filter that will permit or deny certain types of traffic. Now you'll see this in internal or trusted networks; that is where you usually will see these ACLs. Obviously, if you're talking about security, the first thing is physical security. You will have firewalls, you will have group policies, you will have DMZs, you have all sorts of types of security. Security is not just one layer; it is a multitude of layers. So you can try and prevent somebody from trying to get in. Think of this, and I mean, it goes beyond what we're gonna talk about with the ACL, but just to give you an idea. If you're gonna secure your home, you have a gate. Let's say you customize that gate and now you have barbed wire around the gate. Inside your yard, the one this gate is around, around your house, you have dogs, right? Attack dogs, and on top of that you have an alarm system. So it's different layers of security that somebody needs to circumvent in order to get inside your house. So how bad does this individual or individuals want to get inside your home? So, security is about layering. For the CCNA certification, all we need to understand is basically standard and extended access lists. And that's what we're gonna talk about.
An access list, again, is a set of conditions, it's a filter. Let's open up Notepad. All right? So, as a set, ACLs, small s, is a set of conditions. That's it. You either permit or deny. And we're gonna do several types of access list. There's basically only two types, standard and extended. But yeah, okay, there's a third. Because when you talk about standard, we're talking about numbered access lists. But there's one called named, which is either an extended or a standard, but instead of giving it an actual number, we're giving it a name. Just to make it easier to identify. So we'll be doing all of these. Now, there are certain things you need to understand about access lists. There are rules to access lists. Now, when we talk about the rules, and let me bring this up a little higher. You can see this, right? I want to make sure you can see that. Let's maximize this. Okay? Rules of access lists: basically, an ACL is read in order. Meaning, first line, second line, third line and so forth. All right, so if you have an access list that's made up of, you know, 100 lines, it's going to keep reading each line in order: one, two, three, four, five, six, seven, eight, nine, ten. We're talking about numbered access lists, any access list, actually. It's gonna go in sequential order until it makes a match. Once it makes a match, then it stops at that point and applies whatever condition is set at that point. So that's one of the rules. Also, and this is extremely important, an ACL has an implicit deny at the end. So if you write an access list statement, let's say, standard access list one, deny host 1.1.1.1, and you leave it like that. Right underneath that, it's invisible. You don't see it, but there's an actual deny everything. So, if you start an access list with a deny statement, you must end it with a permit any, or any any.
Depending on the type of actions you are doing, but you must end it with a permit statement. Because if not, everything will be denied. And this is something that they'll ask questions about. They'll give you, let's say, an example of an access list. And all you'll see are a bunch of denies. You will never see a permit statement. So if it's going in sequential order and everything is denied, and at the end it ends with a deny, well, there's an implicit deny also. So there is no traffic that's gonna be allowed through that particular interface, period. Because it's denied. So that's an important rule right there: an ACL has an implicit deny at the end, whether it's a standard, extended, whatever it is. If you start an access list with a deny statement, you must finish it with a permit. Always remember that. And the last one is, you can only have one ACL per interface, comma, per protocol, per direction. Meaning, when you first create an access list, you can create as many access lists as you want. Nothing's gonna happen unless you apply it. It is a two-step process. You must first create the access list and then you apply it to the interface of the router. Whether it's going into the router, or it's coming out of the router. So you've got to make that decision, so basically you only have two, one going in, one coming out. Those are your ACLs. You will have to create an ACL from scratch. So we must pay very close attention to this particular session, all right? So one ACL per interface, per protocol, per direction, that's another rule. Also, I guess a rule, you can call it that: you cannot, I'll put can't, but cannot remove a numbered ACL that lies within the group. What does that mean? So if I have ten lines, okay? If I have ten lines all in an ACL, and I want to take off the eighth line, can't do it. It'll remove the whole thing. You can't do that with a numbered ACL. If you try to add something, it's just going to add it to the bottom.
It's not going to add it to the very top or to the middle. You have more flexibility with named access lists to do that than you do with numbered. It is recommended anyway that you use a text editor or Notepad to create your ACLs and then just paste them onto your routers, or switches, whatever the case may be, or Layer 3 switches, whatever the case may be. But again, for the CCNA certification, we're doing this on routers. Also, from top to bottom is most specific to most general. I guess you can consider that another rule. On top, most specific. And I'll move out of the way so you can see it. On the bottom, most general. So that's why, and let me bring this up so you can see the rules right there. Okay. So on the very top, you're gonna be, I want you to deny this particular individual, from this particular individual. And the bottom, hey, permit everything, so from very specific to most general. So you have got to organize. The hardest thing about access lists is not really the configuration, the syntax of it, but the logic of it, as to what it is you're doing. What am I denying? How am I going to deny this? Where am I going to apply it? That is the most important part. Now remember, and we'll get into more details. We're going to separate standard from extended and we'll explain each one and do several labs for each one, or several configurations for each one, so you can understand. But that is the most difficult part. Because your book says one thing, which is correct, but now they're trying to make the test a little bit more real world. And when it comes to the access lists, they wanna make you think, because it's really going against what the book says. And once we get to extended access lists, I will explain that in further detail. All right. But again, what you need to know at this point is that access lists have rules. Especially that implicit deny at the end, you can't forget that.
Most specific to most general. And you can only have one access list per protocol, per interface, per direction. These are the types of rules. And again, we'll be doing standard and extended access lists. And we're gonna go into each one, and talk about each one independently, so you can understand how to configure it, and why it works the way it works. And now of course, with access lists, ha ha, it's just like OSPF, we use wildcard masking. So, I hope you remember how to do our wildcard masking, right? You gotta use your constant number, or if you know how, the little diagram that I showed you, you use that instead. ACLs are not really that difficult. They really are not. Especially for what we're gonna be using them for, the CCNA, all right? They're very simple. They're very straightforward; they're not as difficult as you'd think. But we'll go through it slowly but surely. But just remember, when we talk about security, I know in your mind, especially if you are IT professionals already, you're like, hey, you know, we use policies and we use these firewalls and we use this, and that's what you do, that's what you use. But again, for the certification, we need to learn these ACLs and know where to actually apply them. And that's how they're going to test you: where are you going to apply this particular access list based on this scenario? All right? That's basically it. All right, so I hope you are ready. This is what access lists are. In our next session, we're gonna start talking about standard access lists. I will see you there.
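The rules the lecture walks through (read top to bottom, first match wins, invisible deny at the end, most specific before most general, wildcard masking with host and any shorthand) as a small Python model of standard numbered ACL evaluation. This is an added example, not the lecture's own material, and the three sample ACLs are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample ACLs, not taken from the lecture. Standard numbered ACL
# syntax: access-list <num> permit|deny  host A.B.C.D | A.B.C.D WILDCARD | any
ACL_DENY_ONLY = """
access-list 1 deny host 1.1.1.1
access-list 1 deny 10.0.0.0 0.255.255.255
"""
ACL_SPECIFIC_FIRST = """
access-list 2 deny host 192.168.10.7
access-list 2 permit 192.168.10.0 0.0.0.255
access-list 2 permit any
"""
ACL_GENERAL_FIRST = """
access-list 3 permit 192.168.10.0 0.0.0.255
access-list 3 deny host 192.168.10.7
access-list 3 permit any
"""
_LINE = re.compile(r"access-list\s+(\d+)\s+(permit|deny)\s+(.+)$")

def parse_acl(text):
    """Return the ACL as an ordered list of (action, network, wildcard) tuples."""
    entries = []
    for raw in text.strip().splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            raise ValueError(f"not a standard ACL line: {raw!r}")
        action, target = m.group(2), m.group(3).split()
        if target[0] == "any":                       # any == 0.0.0.0 255.255.255.255
            net, wild = 0, 0xFFFFFFFF
        elif target[0] == "host":                    # host X == X 0.0.0.0
            net, wild = int(ipaddress.IPv4Address(target[1])), 0
        else:
            net = int(ipaddress.IPv4Address(target[0]))
            wild = int(ipaddress.IPv4Address(target[1]))
        entries.append((action, net, wild))
    return entries

def evaluate(entries, src_ip):
    """Walk the ACL top to bottom: first match wins, implicit deny at the end."""
    ip = int(ipaddress.IPv4Address(src_ip))
    for line_no, (action, net, wild) in enumerate(entries, 1):
        care = ~wild & 0xFFFFFFFF                    # wildcard bit 0 = must match
        if ip & care == net & care:
            return action, line_no
    return "deny", None                              # the invisible "deny any"
```

ACL 1 never permits anything because only the implicit deny remains after its two lines; ACL 3 shows the ordering mistake the lecture warns about, where the general permit on line 1 matches 192.168.10.7 before the specific deny is ever read.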