Keep in mind if you’re matching the response traffic. Which means if you’re trying to match this packet right here then you might end up seeing the port number specified on the source side to match this right here and then the destination part admitted to account for whatever random port number might been selected by hosting. But for our purposes we’ll continue looking at just the outbound traffic. So let’s take a look at everything we’ve configured so far I’m going to go ahead and do my shown from before take a look at our access list. Notice our access list has 6 lines one remark a couple permit IP lines a permit ICMP line and then some permit TCP lines such moment I’ve got all permits. The still question have an answer and that is what happens if a packet shows up on a router that doesn’t match any of these entries.
Well from the router’s perspective these entries are explicitly telling the router which package to allow through. If the package shows up that doesn’t match one of these explicit permit statements the rat is going to take a restrictive stance and say if you didn’t explicitly tell me to allow the traffic I’m going to tonight. This is called the implicit deny and exist at the end of every single axis list even though you don’t see it at the end there is a simple deny IP any which will prevent any other traffic from coming through the router interfaces. So again these are all explicit permit statements and at the end of every access list is an implicit deny statement denying all traffic not specifically permitted in the access itself. So technically at the end of the cyclist everything else is being dropped not just for the sake of showing you a nice statement we’re going to go ahead and configure it denies statement to deny a particular type of traffic. Specifically we want to deny any NTP traffic from host a to that bottom web server down there.
NTP stands for network time protocol uses UDP port 123 for its communication so we’re going to create a new tonight statement in this axe list that’s going to deny this packet right here. Just like before we’ll start with themed access list. What a tight if you want to want to continue adding to the same Max list this time the action is going to be denied. The protocols can be UDP again it’s not in the illustration politico in assume that this is a UDP packet. And that we specify the source. We’re going to specify the source the way we did over here we’re we don’t use a source port number because again every time host a creates a new U. N. T. P. connection it’s going to re randomize the source port number. Will specify the source IP address however has host a. The destination. Is going to be V. I. P. address of the server at the bottom. In the destination ports can equal 123 the idea is this tonight statement is going to match this packet.
Okay let’s go and take a look at our show come in again to see the entire tax list. Here is everything we’ve configured and we did indeed configure this tonight statement to accurately match this packet. But there’s a problem this package is still being allowed through let me tell you why. The way packets are match annex list is based upon what’s called first match meaning when this package shows up on this router interface threat takes a look at the first entry in the access list and try to see if there’s a match on this particular case the first entry is a remark so we’re not having a look at that line so then look at the next line. Threat Connect itself is this the IP protocol yes. Is the source 100011 yes is the destination 54 to 4 to 4 to 7 no so we don’t have a match here so now the router is going to look at the next line in the A. C. L.. Is the protocol I. P. yep because the UDP protocol is carried within I. P. so this is still an I. P. packet. Is the source in the subnet 1000.0 slash 24 yep is the destination 4555.8 yep this packet matches this line and therefore this action is can be taken. So even though we can figure this correctly we have a problem because this line will match this packet first.
To fix this I would have to have this line appear above this line or alternatively this line appear below this line. This is an important fact about access list is that they are processed based upon first match. So we just went through a few configuration examples of a numbered extended access list to match traffic in our topology over here. We covered the basic configuration of access list then we also covered to specific important points the first is that at the end of every single actually is an implicit deny the idea is any traffic not explicitly permitted is assumed to be undesired and therefore dropped by the router. And the second is that the order of the entries in the cell matter ACL entries are process based upon first match.
There’s one last thing I want to show you we pull up our configuration again let’s see if we can fix this member he said the problem was this more specific tonight statement needs to happen before this less specific permits statement so we can do is simply remove this entry and reconfigure it at the end. That’s what I can do is take that and. Put a no in front of it to blow away that entry. But we’re going to have a problem if I right now. Do my show run and again you’ll notice everything has been blown away. One of the limitations with number tax list is that when you do a no on a particular entry yeah actually blew away the entire ACL. In order to re order individual lines what I would have to do is reconfigure the entire ACL from scratch in the correct order. That is a limitation with number tax list that doesn’t exist with named axis which we’re going to be looking at in the next video. The key take away for this video is understanding the demonstration of the ACL entries reconfigured as well as understanding the implicit deny and that the ACL entries are processed on first match. I hope you enjoy this video I want to thank you for watching I’ll see you in the next video as we looked at named access list and some of the additional features they provide above number access.