Free CCNA | Extended ACLs | Day 35 | CCNA 200-301 Complete Course

  • Published on 5 Oct 2024

Comments • 356

  • @cloaksorg
    @cloaksorg 3 years ago +123

    Video error: extra black box @ 15:08. Thanks for the video!
    EDIT: Just trying to be helpful but also @ 35:49, Quiz 5 the last command should be "ip access-group 150 out" not 110

    • @airsofttrooper08
      @airsofttrooper08 2 years ago +5

      yes that last question stumped me and I got it wrong. Just a bit confused there :(

    • @jimmyfu9496
      @jimmyfu9496 2 years ago +1

      Thank you!

    • @bazaireabemereki6044
      @bazaireabemereki6044 2 years ago

      true, Noticed this too

    • @Clovistered
      @Clovistered 2 years ago +5

      I caught that as well was about to write something but found this comment. This actually means that Jeremy is doing a great job teaching us and we were able to catch it. Best Online Course out in the market and can't believe it's free.

    • @bstear76
      @bstear76 1 year ago

      I was waiting for that to be a choice to change the 110 to 150. Surprised that hasn't been fixed but suppose don't want to have to re-record the video

  • @jameschua9255
    @jameschua9255 3 years ago +15

    I've recommended Jeremy's free YouTube to my classmates who are looking for clear and organised trg videos. Many paid online learnings can't even match that.

    • @JeremysITLab
      @JeremysITLab  3 years ago +2

      Thanks for recommending! :)

  • @CH-vv2hr
    @CH-vv2hr 1 year ago +26

    Jeremy is definitely a top G for his efforts to educate humanity. Thank you for your immense contribution to the development of skills for everyone. Education should truly be free!

  • @67awesomekid
    @67awesomekid 2 years ago +4

    honestly i just stare blankly at a screen for 40 min and somehow ik enough to answer the questions at the end of every video. you're freakishly good at breaking down information

  • @devnipadmasiri1765
    @devnipadmasiri1765 3 years ago +25

    Sir, your course deserves the name " ccna is easy"

  • @denilsonlanga5547
    @denilsonlanga5547 2 years ago +9

    Simply the best ccna tutorial ever. I'm speechless with this masterpiece. Thank you Mr Jeremy.

  • @laflame5998
    @laflame5998 3 years ago +14

    Answering every quiz question correctly just made my day! Thanks Jeremy Sensei!

  • @XxThePlaylistxX
    @XxThePlaylistxX 4 months ago +2

    I have studied ACLs before and I was definitely a little confused when you suggested using "access-list " commands for every single ACE rather than simply going into ACL config mode. Glad you cleared that up lol. I used "deny icmp any 10.0.1.0 0.0.0.255" and "deny icmp any 10.0.2.0 0.0.0.255" since no hosts are allowed to ping, but obviously in a real environment I would be more specific to allow for future upgrades where we may actually want a host to be able to ping those networks.

  • @MegaFabioRocks
    @MegaFabioRocks 3 years ago +12

    This and spanning tree are the hardest parts of the CCNA

    • @JeremysITLab
      @JeremysITLab  3 years ago +6

      Yeah they are tough topics! Take your time to understand them, no rush

    • @ivagar1982
      @ivagar1982 3 years ago

      @@JeremysITLab Ya agreed. Very tough, specially spanning tree. Plus, so many technical words... to know

    • @erickcervantes6382
      @erickcervantes6382 3 years ago +2

      for me IPv6 has a lot of information.

  • @davidsoh7819
    @davidsoh7819 3 years ago +5

    my proposed ACL for question located at 28:27 timing of your lecture is as follows :-
    R1(config)#ip access-list extended BLOCK_ICMP
    R1(config-ext-nacl)#deny icmp 192.168.0.0 0.0.255.255 10.0.0.0 0.0.255.255
    R1(config-ext-nacl)#permit ip any any
    R1(config-ext-nacl)#interface G0/0
    R1(config-if)#ip access-group BLOCK_ICMP out

    • @JeremysITLab
      @JeremysITLab  3 years ago +1

      Yeah that works, nice! 👍

    • @wafa1203
      @wafa1203 2 years ago +1

      That was my answer too thanks for answering sir.

    • @xaanx
      @xaanx 1 year ago +1

      Hi, you can also use /23 wildcard mask of 0.0.1.255. It works the same.

    • @kamalsameh3338
      @kamalsameh3338 10 months ago

      But what about port 443?

    • @nicholaslilla5327
      @nicholaslilla5327 5 months ago

      @@xaanx I don't think it is enough, /22 actually should be fine

  • @upulijaya6309
    @upulijaya6309 1 year ago +1

    Jeremy, I am from Sri Lanka, far far away from your location, but you know what, your work here is a masterpiece, it's more valuable to us like living in poor country 🙏

  • @TheRomsoft
    @TheRomsoft 3 years ago +7

    In the Boson quiz: Wouldn't the 0.0.0.3 wildcard mask also include a potential/future 10.10.10.3-server? Bit-pattern of last octet would be 0000.0011, and 2 to the power of 2 gives 4 hosts. The first one, 0, would be the network id.

    • @JeremysITLab
      @JeremysITLab  3 years ago +4

      Yeah you're absolutely correct, so it's not the ideal way to fulfill the requirements given in the scenario. However, it is the best choice among the options provided, so it is the correct answer.

    • @robfilms6264
      @robfilms6264 6 months ago

      It does give 4 hosts, but we subtract 2.
      1 for network, 1 for broadcast.
      We are left with 2 usable ip adds.
      10,10,10,0 | 1-2 | 3
      10,10,10,4 | 5-6| 7
      (the additional srv should be in ,4)
      Do I make sense or am I missing something?

    • @tomthadeus9917
      @tomthadeus9917 5 months ago

      @@robfilms6264 You might understand this now if you've been studying up but the Subnet is 10.10.10.0/24, so the network address is 10.10.10.0 and the broadcast is 10.10.10.255. The wildcard includes 10.10.10.3 which is a host address, the best solution to this would be to deny TCP any 10.10.10.1 0.0.0.1 eq FTP. This address range would include 10.10.10.1 - 10.10.10.2. Hope this helps

  • @Ara1rider1
    @Ara1rider1 3 years ago +2

    I am very grateful to you. Your videos help thousands of people. Now i am studying "Cisco CCNA 4".

    • @JeremysITLab
      @JeremysITLab  3 years ago +1

      Thanks for your comment :) Good luck in your studies!

  • @maxwellchessdotcom6952
    @maxwellchessdotcom6952 3 years ago +81

    Netflix tried to buy the rights to Jeremy's life story, but he declined because their network was too slow.

    • @Manu-rd4pc
      @Manu-rd4pc 1 year ago +5

      Then Jeremy bought Netflix and made the network much faster

    • @technologian1
      @technologian1 9 months ago +2

      Why am I always reading maxwell’s comments with Jeremy’s voice lol?

  • @JeremysITLab
    @JeremysITLab  3 years ago +4

    Boson's having a holiday sale!
    Get 25% OFF Boson ExSim, NetSim, etc with code MERRY20 (until the end of this month!)
    📚Boson ExSim: jeremysitlab.com/boson-exsim ← the BEST practice exams for CCNA
    💻Boson NetSim: jeremysitlab.com/boson-netsim ← 100+ detailed guided labs for CCNA
    💯ExSim + NetSim: jeremysitlab.com/boson-ccna-kit ← get BOTH for a discount!
    📗Boson Courseware: www.jeremysitlab.com/boson-courseware ← Boson's COMPLETE CCNA Courseware

  • @dmitrikazantsev3692
    @dmitrikazantsev3692 1 year ago +8

    Thank Jeremy!
    Note, I believe there is typo @ 12:00
    R1(config)# ip access-list extended [ permit | deny ]...
    R1(config-ext-nacl)# [ seq-num ] [ permit | deny ]....
    in both cases there must be curly braces instead of square braces - { permit | deny } instead of [ permit | deny ] because this parameter is required.

  • @hassanrayan3921
    @hassanrayan3921 1 year ago +1

    Jeremy I'm watching your ccna video july 2023 and I'm very happy to find out your video because the way you are explaining is amazing. I'm not english native and I don't speak a good english but your english is understandable than other YouTubers everyone can understand your simple english and your simple explanation

  • @iamjoycheee
    @iamjoycheee 1 year ago

    Thank you Jeremy Sir! I can't stop thanking you. I thought I'm losing it in ACL day 33 but this day 34 cleared the pipes. You are the best sir!

  • @kuldeeps011
    @kuldeeps011 3 years ago +8

    Your videos are so simple, easy to understand. U have great way to teach networking. Thank you so much. God bless u

  • @hotmail4823620
    @hotmail4823620 1 year ago +1

    We must at least like and subscribe to thank Jeremy for the intelligent and hard work he has done

  • @RafiouPhilippe
    @RafiouPhilippe 8 days ago

    Sir, you are the finest.
    Many thanks for all of the information you have provided.
    I enjoy these questions far too much. I feel happy when I grasp things after being explained, even though I made some mistakes while I tried to figure out the answers on my own.

  • @Mustlehard
    @Mustlehard 10 months ago +4

    What’s confusing me is sometimes you put the port number before the destination and sometimes it’s after

  • @wolfferoni
    @wolfferoni 2 years ago +4

    Really appreciate the practice sections, I find them super helpful.

  • @mpampleki
    @mpampleki 7 months ago

    Start trust myself at question 5 by saying "oh there must be a mistake, let's check comments" thank you Jeremy for this kind of sneaky mistakes. Intentional or not, was very good.

  • @mustafamakhlouf2541
    @mustafamakhlouf2541 3 years ago +4

    Thank you very much. We wish lessons on the ccnp certification

    • @JeremysITLab
      @JeremysITLab  3 years ago +5

      Maybe after the CCNA course!

  • @eyobhaile4557
    @eyobhaile4557 1 month ago +1

    Quiz 5 ACL should also be changed to 150. Thank you for the video.

  • @NetworkingwithHamza
    @NetworkingwithHamza 3 months ago

    What a question by BOSON. Mind blowing...

  • @brunobr797
    @brunobr797 3 years ago +19

    Could "deny icmp 192.168.0.0 0.0.3.255 10.0.0.0 0.0.3.255" be used to optimize the third requirement in 28:57? Not sure about the .3 there cause i had done the maths on my head, but it was the only thing i could think to solve the problem in a better way, please correct me if im wrong =)

    • @JeremysITLab
      @JeremysITLab  3 years ago +11

      Yeah that would work!

    • @fernandoc8876
      @fernandoc8876 3 years ago +2

      @@JeremysITLab that's what I thought as well but I had put like this:
      "None of the hosts in 192.168.1.0/24 or 192.168.2.0/24 can ping 10.0.1.0/24 or 10.0.2.0/24."
      R1(config-ext-nacl)#deny icmp 192.168.2.0 0.0.3.255 10.0.2.0 0.0.3.255
      R1(config-ext-nacl)#permit ip any any
      Is it the same result?

    • @ravenstarr30
      @ravenstarr30 3 years ago +4

      Thank you! I was scrolling through the comments just to find this 'cause it was really bugging me.

    • @sakeh3420
      @sakeh3420 9 months ago

      You would also be blocking the 192.168.3.0/24 from pinging 10.0.1.0/22 network if you did this @@fernandoc8876 I'm not sure if that is most efficient

    • @kbkeeto
      @kbkeeto 3 months ago

      @@fernandoc8876 2 years later response, I think it would work but the syntax is confusing as it doesn't look like it mentions the 192.168.1.0 network (BUT it actually does). Denying 192.168.2.0 0.0.3.255 is saying everything that matches 192.168.0-3.anything DON'T ALLOW. The wildcard mask 0.0.3.255 includes addresses 192.168.1.0, 192.168.2.0 PLUS 192.168.0.0 and 192.168.3.0 since the bit values of 1 and 2 are on. 0+0, 0+1, 2+0, 2+1. The two in 192.168.2.0 doesn't really matter as the wildcard mask is allowing very specific range of addresses. But because it doesn't matter, putting a zero in the address 192.168.0.0 looks better and makes one stop and consider what the wildcard mask is actually saying. Is this correct @JeremysITLab ?
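
Added example (not part of any comment or of the video): a Python check of the source-side wildcard proposals made in the replies above for the ICMP requirement, which names 192.168.1.0/24 and 192.168.2.0/24. It reports which required /24s an address/wildcard pair misses and which neighbouring /24s it also matches; the `UNIVERSE` list of neighbouring networks is constructed for illustration and the function names are this example's own.

```python
import ipaddress

MASK32 = 0xFFFFFFFF

# Source networks named in the requirement quoted in the thread.
REQUIRED = ["192.168.1.0/24", "192.168.2.0/24"]
# Constructed for illustration: /24s that might be added to the site later.
UNIVERSE = [f"192.168.{i}.0/24" for i in range(8)]


def _u32(dotted):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def ace_matches(ip, addr, wildcard):
    """True if ip matches 'addr wildcard'.

    A 1 bit in the wildcard means "don't care", so that bit is ignored in
    both the packet address and the configured address.
    """
    care = ~_u32(wildcard) & MASK32
    return (_u32(ip) & care) == (_u32(addr) & care)


def covers_network(net, addr, wildcard):
    """True only if every address in net matches the pair."""
    return all(ace_matches(str(h), addr, wildcard)
               for h in ipaddress.ip_network(net))


def audit(addr, wildcard, required=REQUIRED, universe=UNIVERSE):
    """Which required /24s are missed, and which other /24s are also matched."""
    covered = {n for n in universe if covers_network(n, addr, wildcard)}
    return {"missing": sorted(set(required) - covered),
            "extra": sorted(covered - set(required))}


def tightest_single_ace(networks):
    """Smallest single address/wildcard pair that matches all given networks.

    Every bit in which the networks differ must become a "don't care" bit,
    so the wildcard is the OR of the host bits and the pairwise differences.
    """
    nets = [ipaddress.ip_network(n) for n in networks]
    first = int(nets[0].network_address)
    wildcard = 0
    for n in nets:
        wildcard |= int(n.hostmask) | (int(n.network_address) ^ first)
    base = first & ~wildcard & MASK32
    return str(ipaddress.IPv4Address(base)), str(ipaddress.IPv4Address(wildcard))


if __name__ == "__main__":
    # Address/wildcard pairs taken from the comments on this page.
    candidates = [
        ("192.168.0.0", "0.0.255.255"),
        ("192.168.0.0", "0.0.3.255"),
        ("192.168.2.0", "0.0.3.255"),
        ("192.168.0.0", "0.0.1.255"),
        ("192.168.1.0", "0.0.1.255"),
    ]
    for addr, wc in candidates:
        result = audit(addr, wc)
        print(f"{addr} {wc}: missing={result['missing']} extra={result['extra']}")
    print("tightest single pair:", tightest_single_ace(REQUIRED))
```

Networks 1 and 2 differ in both low bits of the third octet, so any single pair that matches both also matches 192.168.0.0/24 and 192.168.3.0/24; matching exactly the two required networks takes two entries.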

  • @hzakaria5338
    @hzakaria5338 2 years ago

    This is really a massive job! I'm tired just studying the material, how about preparing it. I am really grateful and I wish you were the President of the US with such a big heart❤

  • @franksoko02
    @franksoko02 3 years ago +2

    thanks Jeremy i forgot you said you will be doing a video every tuesday

    • @JeremysITLab
      @JeremysITLab  3 years ago +3

      Yep, that's the current schedule ;)

  • @jamespostlethwaite7799
    @jamespostlethwaite7799 2 years ago

    The first sections on advantages of named ACL config mode explained so much to me lol. When I was doing the standard ACL labs I was using the no command on the traditional ACL statements when I entered them incorrectly or made a mistake. I didn’t realise this was deleting the whole ACL and not just the ACE!

  • @sepehrsamadi9075
    @sepehrsamadi9075 1 year ago +1

    28:55 I believe that using a mask of /23 would be most appropriate to lower the number of ACEs

    • @matthewgraham790
      @matthewgraham790 1 year ago +4

      the problem is that the /23 would be either ranged 192.168.0.0-192.168.1.255 or 192.168.2.0-192.168.3.255, there is no /23 for 192.168.1.0-192.168.2.255. You could do a /22 which would cover 192.168.0.0-192.168.3.255 but that opens up potential security holes if the network expands to include more hosts/subnets later on

  • @felderosa
    @felderosa 2 years ago

    for the extended ACL example, we could just put each ICMP entry in the appropriate ACL on g0/2 or g0/1 and eliminate the need for a third ACL on g0/0.. same amount of entries but fewer ACLs.

  • @keasbeydave
    @keasbeydave 3 years ago +2

    Excellent explanation as always. I thoroughly enjoy detail.

  • @namiknaghiyev4651
    @namiknaghiyev4651 1 month ago

    Thanks for everything Jeremy. Your lessons are very great.👍👍👍

  • @majiddehbi9186
    @majiddehbi9186 3 years ago +1

    hi jeremy everything about this topic is much clearer now thx

  • @joseph6215
    @joseph6215 2 months ago

    On question 5 I paused too soon and was scratching my head for ages as I only had a,b,c,d.... oh my god I thought I was going mad!

  • @Shriramkrishnhari
    @Shriramkrishnhari 7 months ago

    🙏🏻i reached here to watch this upholds the rope ( the q 3rd March link) although I am already on same playlist yet not reached on this lecture now🙏🏻 Thanks for the quiz 🙏🏻

  • @ariadnaarispe1928
    @ariadnaarispe1928 3 years ago +4

    Hi Jeremy, thank you so much for the update!
    Merry Christmas and a happy new year :D
    may the next year be full of success and opportunities for ya

    • @JeremysITLab
      @JeremysITLab  3 years ago +1

      Thanks Ariadna :) Merry Christmas and a happy new year to you, too!

  • @mfarokh27
    @mfarokh27 1 year ago

    For 28:00 i believe the most ideal would be to assign the 3rd ACL's ACEs to the respective 1st and 2nd ACLs and apply to the interfaces as before, inbound.

  • @nicholassattaur9964
    @nicholassattaur9964 3 years ago +3

    Awesome video! Thank you Jeremy

  • @konefine3626
    @konefine3626 3 years ago +2

    Very Superb Videos, big thanks to you master Jeremy

  • @alibangash4131
    @alibangash4131 2 years ago +1

    Hi Jeremy. You are the best. It’s because of you that I have started my journey in networks and I’m progressing day by day. I’m sorry if I may sound stupid but you have given examples of protocols that either run tcp or udp like http and tftp. I would like to know how you would write sections in your acl which includes both tcp and udp like dns.

    • @joshz9976
      @joshz9976 2 years ago

      Hey, not Jeremy but I think I can answer this for him. For DNS it would be wise to put in two ACEs for it, one for TCP and another for UDP, same port number 53. Please look into this video's lab, where you will find an example that covers your very question. Thanks!

  • @DodgeChallenger-k8i
    @DodgeChallenger-k8i 1 month ago

    I don't know how but I'm getting good and good in ACLS. THANKS FOR JEREMY, I've done almost the whole course, will be sitting in the exam soon.

  • @bazaireabemereki6044
    @bazaireabemereki6044 2 years ago +1

    Thanks Jeremy for the great lectures in your videos. @ 36:44, that access-list 101 is to be applied to the inbound not outbound on the Fa0/0 interface. Help verify

    • @backbencher497
      @backbencher497 1 year ago

      if it's inbound the packets that will be filtered are the ones coming from the servers, we want to filter the ones coming from the internet

  • @aminajorloo1680
    @aminajorloo1680 7 months ago

    Thanks Jeremy. There is a small error in 35:00, in the last line of script you wrote access-group 110. I think the correct number is 150.
    thanks a lot.😘

  • @MiguelHernandez-zd7kr
    @MiguelHernandez-zd7kr 3 years ago +2

    Great video, thank you very much!

  • @piotrp9528
    @piotrp9528 3 years ago +3

    In the resequence part (8:40) entry number 3 changed to entry number 20 and entry number 2 changed to number 30 which changes the order of ACL. In this example it doesn't change the effect of ACL but if it would block some part of network it may have changed the final result. Is that normal in resequencing ?

    • @JeremysITLab
      @JeremysITLab  3 years ago +2

      The order didn't actually change, entry 3 was already before entry 2 (I think I explained about IOS re-ordering /32 entries in this video or day 34). There's no need to worry, the re-ordering will never change the effect of the ACL.

  • @FuryRushBe
    @FuryRushBe 3 years ago +1

    you are the best teacher, thank you for the lessons

    • @JeremysITLab
      @JeremysITLab  3 years ago

      Thanks for watching :) (and thanks to Google for the translation! haha)

  • @youssefsalama663
    @youssefsalama663 3 years ago +2

    Thanks so much!

  • @Ara1rider1
    @Ara1rider1 3 years ago +2

    Please make a video about NAT

    • @JeremysITLab
      @JeremysITLab  3 years ago +2

      I will cover all CCNA exam topics 👍

  • @-b777ljq3
    @-b777ljq3 3 years ago

    very good lecture, very good quiz, helps a lot, many thanks.

  • @hero96559
    @hero96559 2 years ago +1

    Perfect as usual !. greetings

    • @JeremysITLab
      @JeremysITLab  2 years ago +1

      Thank you Mahmoud! Greetings :)

  • @nematfrotan604
    @nematfrotan604 3 years ago +2

    As of 29:00.
    deny icmp 192.168.0.0 0.0.255.255 10.0.0.0 0.0.255.255

  • @MutaiKipngeno
    @MutaiKipngeno 1 year ago +1

    @28:56 SIMPLE ANSWER EXTENDED ACL EXAMPLE OPTION c (none of the hosts in 192.168.2.0/24 can ping 10.0.1.0/24 or 10.0.2.0/24)
    R1(config)#ip access-list extended BLOCK_ICMP
    R1(config-ext-nacl)#deny icmp 192.168.0.0 0.0.255.255 10.0.0.0 0.0.255.255
    R1(config-ext-nacl)#permit ip any any
    R1(config-ext-nacl)#INT g0/0
    R1(config-if)# ip access-group BLOCK_ICMP out

  • @marshalls5364
    @marshalls5364 3 years ago +1

    Happy New Year Jeremy!

    • @JeremysITLab
      @JeremysITLab  3 years ago

      Thanks, happy new year to you too!

  • @jasonng9663
    @jasonng9663 3 years ago +1

    Love from Vietnam!!!

  • @Martin_JY
    @Martin_JY 2 months ago

    Thanks Jeremy!

  • @stephenapenkwah
    @stephenapenkwah 3 years ago +1

    Thanks Jeremy.

    • @JeremysITLab
      @JeremysITLab  3 years ago

      Thanks for watching, Stephen :)

  • @victorlausell71
    @victorlausell71 3 months ago

    Question 5 at the end of this online lecture has an error.
    As for the interface, the ACL number should have been 150 (instead of 110)
    The rest is fine.
    Thanks for these videos. Very comprehensive review of the CCNA material.

    • @NetworkingwithHamza
      @NetworkingwithHamza 3 months ago

      what do you mean. there is no error

    • @louisgreenleaf235
      @louisgreenleaf235 3 months ago +1

      @@NetworkingwithHamza the last command specifies ACL 110 outbound but the ACL he created is 150

  • @Moss2323
    @Moss2323 3 years ago +1

    Thanks for the videos

  • @gee40trots
    @gee40trots 3 years ago +1

    Thanks Jeremy!!!

  • @benhadjothmanmohamedaziz1231
    @benhadjothmanmohamedaziz1231 2 years ago

    I watch your videos from Tunisia and you really you are the best. In the exercise at minute 28 can we apply just one extended access-list in R1 g0/0 out

  • @majdkhalil9645
    @majdkhalil9645 3 years ago +2

    Thank you for this course. Happy New Year!

    • @JeremysITLab
      @JeremysITLab  3 years ago

      Thank you, happy new year! Thanks for being a channel member :)

  • @gerryvalenzuela9158
    @gerryvalenzuela9158 3 years ago +1

    Hi Jeremy!
    may sound like too much to ask but could you make a video only tackling wild card mask like the boson question where you have to use a different WC mask to filter only 2 ips I still don’t get how to cover some range of IPs using a WC /30 or /28 etc

    • @JeremysITLab
      @JeremysITLab  3 years ago

      Actually, in the Boson Q the /30 covers more than 2 IPs (it covers 4), but if I remember correctly they wanted it to be done in a single command so I used that /30, even though it covers more than the required 2.

  • @mharoonfrough719
    @mharoonfrough719 3 years ago +1

    Thank you well explained

  • @gerryvalenzuela9158
    @gerryvalenzuela9158 3 years ago +1

    Hi Jeremy!
    What ACL type is most implemented in real life standard or extended ACL's ?
    Great work! the most easy to understand course..

    • @JeremysITLab
      @JeremysITLab  3 years ago +1

      Both are used, I'm not sure which is used more often. They're both useful tools!

  • @Life_in_Motion-By
    @Life_in_Motion-By 8 days ago

    Hi Jeremy. Thx providing this exceptional course. I want to correct a mistake. at time 20:13 when configuring the extended acl, it shows config-std-nacl on config mode which is confusing. I think it is supposed to be R1(config-ext-nacl) .....

  • @AbdulazizAl-Othman
    @AbdulazizAl-Othman 1 year ago +1

    At 28:15
    For requirement #3, can we use 192.168.0.0 0.0.255.255 wildcard mask, this will deny any packet that matches the first two octets the same thing goes with 10.0.0.0 0.0.255.255
    And thank you for your great explanation, you are changing lives!!

    • @ayoubroew
      @ayoubroew 1 year ago +3

      you will prevent the
      192.168.3.0 also

    • @kuczy1
      @kuczy1 8 months ago

      Good idea but too restrictive - source 192.168.0.0 0.0.1.255 and destination 10.0.0.0 0.0.1.255 will be more specific

  • @glenntembo2693
    @glenntembo2693 3 years ago +1

    Thanks J

    • @JeremysITLab
      @JeremysITLab  3 years ago

      Hey Glenn, thanks for watching :)

  • @MHALAPOW
    @MHALAPOW 3 years ago +1

    Thank you very much

  • @maxwellchessdotcom6952
    @maxwellchessdotcom6952 3 years ago +1

    Jeremy, would you agree that tech would be better off with only extended ACL's-- depreciating the "standard ACL" would be a good thing?

    • @JeremysITLab
      @JeremysITLab  3 years ago

      I don't think there's anything wrong with standard ACLs when you only need to filter based on source IP

  • @husseinolivia2548
    @husseinolivia2548 3 years ago +1

    Hi Jeremy and thanks for your great effort which opened new horizons
    How many days will this course end up with?

    • @JeremysITLab
      @JeremysITLab  3 years ago +1

      I think the course will be about 50 to 60 days in total

  • @Ahmed-TOUMI
    @Ahmed-TOUMI 1 year ago

    Awesome course
    Thank you, Jeremy

  • @jkrai9684
    @jkrai9684 2 years ago +2

    I don't think this will ever be answered but:
    Wouldn't it benefit the network at around 23:30 to have all the requirements on one ACL, then apply it on outgoing packets on R1's G0/0 int? At the small cost of having it a little farther away than needed, there are less resources to manage on each other int, and because we're using extended ACLs the problem of editing/removing the ACL is mitigated by the way you mentioned earlier in the lecture. Why is it necessary to create separate ACLs for each requirement?

    • @DaddyDagoth
      @DaddyDagoth 1 year ago

      Yes, that's the more efficient way of doing it that he was talking about to try out ourselves. You figured it out.

    • @thearchivalist8179
      @thearchivalist8179 1 year ago

      I had this same thought. I think you're right friend.

  • @LowerYourExpectationsPleb
    @LowerYourExpectationsPleb 3 years ago +2

    Hi Jeremy,
    Do you know what could cause this? We observed no outage on either lines but for some reason the HSRP keeps switching the traffic between the two routers. This is only a small part of the logs but this kept going on for hours:
    000280: Oct 6 12:27:42.363: %HSRP-5-STATECHANGE: GigabitEthernet0/0/2.101 Grp 101 state Standby -> Active
    000281: Oct 6 12:27:43.215: %HSRP-5-STATECHANGE: GigabitEthernet0/0/2.100 Grp 100 state Standby -> Active
    000282: Oct 6 12:28:26.500: %HSRP-5-STATECHANGE: GigabitEthernet0/0/2.101 Grp 101 state Active -> Speak
    000283: Oct 6 12:28:28.858: %HSRP-5-STATECHANGE: GigabitEthernet0/0/2.100 Grp 100 state Active -> Speak
    000284: Oct 6 12:28:38.355: %HSRP-5-STATECHANGE: GigabitEthernet0/0/2.101 Grp 101 state Speak -> Standby
    000285: Oct 6 12:28:40.411: %HSRP-5-STATECHANGE: GigabitEthernet0/0/2.100 Grp 100 state Speak -> Standby

    • @JeremysITLab
      @JeremysITLab  3 years ago

      Hmm I'd have to see the configs and network diagram to troubleshoot it. If you want you can ask on my Discord server and I or someone else will help you out: jeremysitlab.com/discord

  • @aruizsilva
    @aruizsilva 3 months ago

    Thanks!

  • @carlosenriquelopezperez7269
    @carlosenriquelopezperez7269 3 years ago +1

    Jeremy, thank u, i love u, I really wanna send u a Hamburger by Ubereats for your effort to do these videos, jaja, thanks Jeremy, God Bless u!

    • @JeremysITLab
      @JeremysITLab  3 years ago

      Haha, please send me a hamburger! Does Ubereats do international delivery? 😂

    • @carlosenriquelopezperez7269
      @carlosenriquelopezperez7269 3 years ago

      @@JeremysITLab jajaja i don't know, i will check it, I promise u!

  • @jessicavillanueva118
    @jessicavillanueva118 3 years ago +1

    Jeremy, I am using Packet Tracer and unable to use "ip access-list resequence" command. I even used "?" to see my options and cannot find on there. Is this common for packet tracer not being able to execute all commands? Thanks for all your videos!! Planning to take CCNA end of June and have been watching your videos primarily on repeat - always learning something new, brain turning in mush. Thank you!!!

    • @JeremysITLab
      @JeremysITLab  3 years ago +1

      Yeah that's normal, packet tracer is quite limited compared to what's available on a real Cisco device. But it's still a great resource for the CCNA!

  • @siddharthdas4080
    @siddharthdas4080 2 years ago

    Hi Jeremy, Thanks a lot for this fantastic course. Deep diving into details of networking and that too for free, it's unbelievable.
    - In the Quiz question 3rd there is an ACL entry with equal to port/protocol no - 'domain'. Can you please explain where we use 'domain' as port/protocol no?

    • @JeremysITLab
      @JeremysITLab  2 years ago +1

      'Domain' is 'Domain Name Service', DNS. So, it means port 53.

  • @NetworkingwithHamza
    @NetworkingwithHamza 3 months ago

    I'll create only one ACL and apply to g0/0 outbound interface. here are my commands..
    1. ip acc ext 100
    2. deny ip 192.168.2.0 0.0.0.255 10.0.2.0 0.0.0.255
    3. deny tcp 192.168.1.0 0.0.0.255 10.0.0.100 range 1 443
    4. int g0/0
    5. ip access-group 100 out

  • @redhippieful
    @redhippieful 3 years ago +1

    Hi Jeremy! Your videos are awesome and so helpful. The only thing I'm still struggling with in the extended ACL are the specified ports. I don't really understand when I put the port behind the source IP or destination IP. Can you help please?

    • @JeremysITLab
      @JeremysITLab  3 years ago +3

      It depends on if you want to filter traffic based on the source port or the destination port, and there are use cases for both! More common would be destination I guess, since if a client tries to access a certain service on server they send it to that port, not from a particular port.

  • @loulettesane1327
    @loulettesane1327 1 year ago

    Thank you so much Jeremy :)
    How would you have done the configuration if it was in one direction communication for instance SRV1 can access PC1 but PC1 cannot access the SRV1.
    Thanks in advance!

  • @awaisaslam1608
    @awaisaslam1608 3 years ago +1

    Hi Jeremy. I want to know how many more (like this is Day 35) video’s are coming to complete this CCNA course.

    • @JeremysITLab
      @JeremysITLab  3 years ago +2

      The course is about 65 to 70% complete.

    • @awaisaslam1608
      @awaisaslam1608 3 years ago

      @@JeremysITLab roughly how long it takes more to you to complete this course.

    • @ILovRainy
      @ILovRainy 3 years ago

      @@awaisaslam1608 I remember he said there would be about 50 videos for this course

  • @nithiswarareddy2972
    @nithiswarareddy2972 1 year ago

    Hello Jeremy . There is a mistake in this video. It was told we cant insert any new entries in between existing entries in numbered ACL. But in actual. We can insert it.

    • @JeremysITLab
      @JeremysITLab  1 year ago

      Hi, at what time did I say we can't insert new entries between existing entries in numbered ACLs? At 5:57 I demonstrate how to insert new entries between existing entries in a numbered ACL.

  • @qianyuchi3797
    @qianyuchi3797 1 month ago +1

    why I cannot find resequence command in global config mode??

  • @rajivbaxi
    @rajivbaxi 2 years ago +1

    Jeremy, for simplicity, is it better to just stick with using only 1 direction (in vs. out) for all ACLs?

    • @JeremysITLab
      @JeremysITLab  2 years ago

      I don't think so, you should consider which direction is most appropriate (following the rules: standard ACL = close to destination, extended ACL = close to source).

  • @WilsonWu-r4m
    @WilsonWu-r4m 6 months ago

    27:00 I know the "general rule" that you mentioned, but to me it looks like this 2nd rule is way too broad, and even though we're using extended ACL, it functions like a regular ACL. Shouldn't this 2nd rule be applied to R2 G0/2 out?

  • @shavkatzokirov2785
    @shavkatzokirov2785 1 year ago

    the video is best !!!👍👍👍👍👍

  • @idk1839
    @idk1839 1 year ago

    Hey,
    Can you please create a PDF File including all the commands and upload it to your website for purchase?

  • @bassemhodhod8226
    @bassemhodhod8226 1 year ago

    @ 25:27 i think you meant standard ACLs should be close to the destination not source

    • @pedrohartman5973
      @pedrohartman5973 1 year ago

      i stumbled on that too. Re-read the second paragraph in the green box carefully, then you will understand. (...So IF they are applied...) HTH

  • @حمزهالعتيبي-ي5و
    @حمزهالعتيبي-ي5و 2 months ago

    in 28:00 the last req i think there is a better solution which is : deny icmp 192.168.1.0 0.0.1.255 10.0.1.0 0.0.1.255 ,, with just only one command.

  • @leustad
    @leustad 3 years ago +1

    So, am I correct to say that the ACLs are very similar to firewall inbound/outbound rules in terms of what they are doing ?

    • @JeremysITLab
      @JeremysITLab  3 years ago +1

      Yeah that's right, in fact in Junos (Juniper Networks' OS), ACLs are called 'firewall filters'.

  • @matiastrane7598
    @matiastrane7598 2 years ago

    Hi Jeremy. In quiz question 1, you say that ACL 102 is similar to 103, with the difference being that 102 specifies the source port instead of the destination port and you say that is incorrect, which makes me think.. when PC1 tries to access SRV1, arent those packets labeled with source port 69 in the UDP header?

    • @matiastrane7598
      @matiastrane7598 2 years ago

      Wait no! No it doesn’t! It has a randomly selected source port.. right?

  • @anantkumar6064
    @anantkumar6064 3 years ago +2

    Waiting for your videos. How much time is left for the full course? Your videos are really helpful

    • @MosesRms
      @MosesRms 3 years ago +2

      I think he said that the entire course it will be around 50 days

    • @JeremysITLab
      @JeremysITLab  3 years ago +2

      Yeah it will be 50 to 60 days, we'll see.

  • @utshavb
    @utshavb 1 year ago +1

    really confused at 37:49
    Why is 10.10.10.20 not included on /30 and only includes 10.10.10.1 and 10.10.10.2 ? Any insight is appreciated.

    • @Mittez
      @Mittez 1 year ago

      Not to be mean but you should study subnetting if that's a question for you.
      /30 only allows 4 hosts -2 because one is the network and the other one is broadcast address.
      So it would only include 10.10.10.1 and 10.10.10.2.
      And EVEN if it was included, remember there is already a prior ACL that would take priority.

  • @MunirAhmed-pm1rp
    @MunirAhmed-pm1rp 3 years ago +1

    Answer to the other efficient way asked at 28:46 in the video, Sir can I do the following:
    20 deny icmp 192.168.0.0 0.0.1.255 10.0.0.0 0.0.1.255
    Kindly advise!

    • @MunirAhmed-pm1rp
      @MunirAhmed-pm1rp 3 years ago

      @@JeremysITLab Thanks for abrupt reply. Greatly appreciated!

  • @alancwwong
    @alancwwong 3 years ago

    Why do we still need standard ACL when extended ACL can do more than standard ACL?

  • @cocoabread13
    @cocoabread13 6 months ago

    Wouldn't applying them outbound to the closest interface to the source do the same thing since it would have to exit that interface to reach its destination anyway
    For example 192.168.1.0/24 to 10.0.1.0/24 can be applied outbound at g0/1 because it needs to exit the interface in order to make it to g0/1 on r2
    I feel like the only instant where it is necessary to make it an inbound rule is if there it was in the 203.0.113.0/30 and the subnet was bigger to hold more host and a host was using .1 as the gw

    • @khiry3889
      @khiry3889 3 months ago

      I would assume that because we are using HTTP/HTTPS - PCs from 192.168.0.1/24 "receive" those protocols from the server in 10.0.1.0/24, so the inbound rule at R1's interface g0/0 is okay.

  • @robfilms6264
    @robfilms6264 6 months ago

    28:35
    Would this be a better answer ?
    Deny tcp 192,168,0,0 0,0,255,255 10,0,0,0 0,0,255,255 eq 1

    • @youjol11
      @youjol11 19 days ago +1

      Ping use ICMP not tcp