Seeing a demonstration often helps reinforce a concept. And that also applies to this Nugget. Let's go ahead and do a demonstration of setting up an access control list to filter specific types of traffic through our network. So we'll use this topology. And here is our objective. We want to filter all UDP traffic. So at the transport layer, we want to filter all UDP traffic between computer one, which is this guy right here at the IP address of 10.1.0.11, and the server out here at 67.83.0.2.

And before we apply any filtering, let's just verify basic connectivity with a few protocols between this PC, which is at 10.1.0.11, and the server. And this little virtual machine that I'm running as a virtual PC has a command called Trace, which, among other things, is going to help us verify connectivity all the way to the destination along with the path that we're taking to get there. So we're going to Trace the IP address of our server, which is 67.83.0.2. And then we're doing a dash, capital P, space 1.

Now protocol number 1 is ICMP, which means it's going to do this Trace leveraging ICMP. If we change that number for the protocol to a 6, 6 is TCP. And that'll come in handy in our testing as well. And then if we change it to a 17, 17 is the protocol number for UDP. And see, the cool thing is, if we set up an access control list that just blocks one of these, we can still verify connectivity with the other two. So let's get a baseline by testing all three of these first. So the first is a Trace with ICMP. And then we'll put 6. We'll do our trace with TCP. And then last, but not least, we'll put in a 17 there for the protocol number. And then it'll use UDP.

All right, so with our baseline set, let's go over to router 1. So here on router 1, let's take a quick look and see if we have any access control lists already in place. And we do have one access list in place. It basically is identifying any source PCs that have the IP address of 10.1 or 10.2. So this access control list, access list 1, is being used with translation statements for the benefit of network address or port address translation, depending on how the rest of the router is configured.

So let's go ahead and create a new access control list that we can then apply to the router interface to block the UDP traffic. So we'll do that by going into configuration mode on the router. And we'll create the new access list with this entry. Let's break it down. This is creating an access list numbered 100. The action is deny, regarding this access list entry. And what we're looking for is anything at the transport layer which is UDP, and if it's coming from the host 10.1.0.11, that's the source, going to the destination host of 67.82.0.2, which is our server. And if we knew specific UDP port numbers, we could also tack them on with a little eq, space, and then put the actual port number there. But in our case, what we're going to do is, we're just going to block any UDP traffic between computer 1's address and the server with an access control list that we're going to use for filtering of traffic.

If we apply this access control list to the interface gig 1/0 on the router, it's basically going to follow this to the letter. It's going to compare all traffic coming into the interface. And traffic that does match is going to be dropped. But traffic that does not match, by default, is also going to be dropped. So we need one more entry to permit everything else that's not exactly matching the first line. So the second entry in our access control list numbered 100 says it wants to go ahead and permit traffic if it happens to be IP, which is referring to layer 3. That means anything that is IP, from any source to any destination. So we'll go ahead and press Enter.

And let's take a look at this access control list. So the access list, list 100, has two entries. It has line number 10, line number 20. And after this is applied to an interface, these entries will be processed top to bottom. So every packet coming into the interface is going to be checked against line number 10. If it doesn't match, it will be checked against line 20. And then our last step is to apply this to an interface. So we'll go to interface configuration on router 1 for gig 1/0. And we'll use the Cisco command of IP access group 100. And then we want to apply this to all inbound traffic on that interface. And we'll press Enter.

So our next step is to test it. So let's go over to PC 1 and do a test. And we'll do a Trace with ICMP. That should work, great. We'll do a Trace with TCP. That should also work. However, if we do a Trace with protocol 17, which is UDP, that should fail. And right here we have some telltale signs that that's happening. Communication administratively prohibited, which is the router communicating back to PC 1 saying, sorry buddy. Couldn't do it.

In this Nugget, we've verified one application of an access control list. And that is to permit or deny certain types of traffic at an interface on a router. I hope this has been informative for you. And I'd like to thank you for viewing.