1

00:00:00,463  -->  00:00:07,293
In the previous video, we already learn the
differences between standard and extended access list.

2

00:00:07,924  -->  00:00:15,000
Now in this video, we are going to configure extended access list based on this example case.

3

00:00:15,608  -->  00:00:21,563
Let’s just start, we are free to configure
on router 1 or router 2,

4

00:00:21,937  -->  00:00:26,159
in this case, let’s try to configure on router 1.

5

00:00:28,059  -->  00:00:31,224
Enable, configure terminal.

6

00:00:32,318  -->  00:00:40,597
Access-list, here for extended access list,
we can use id 100 until 199,

7

00:00:40,971  -->  00:00:43,897
let’s say here I use 100.

8

00:00:45,797  -->  00:00:56,207
And then here we want to block http, so here
deny, and then question mark,

9

00:00:56,610  -->  00:00:58,890
here we can define the protocol.

10

00:00:59,394  -->  00:01:08,730
For http, the protocol is tcp, question mark,
here we need to define the source,

11

00:01:08,730  -->  00:01:18,537
we will use any, because we want to block http from
anywhere to all server, so the source is any.

12

00:01:19,128  -->  00:01:25,546
And then here we can define the destination,
in this case the destination is server,

13

00:01:25,891  -->  00:01:34,416
so here 192.168.1.0 0.0.0.255.

14

00:01:34,992  -->  00:01:43,311
question mark again, here we need to define
eq, eq means the port that we are going to

15

00:01:43,311  -->  00:01:51,994
block, in this case we want to block http,
and the port of http is 80.

16

00:01:52,627  -->  00:01:55,446
So here eq 80.

17

00:01:56,339  -->  00:01:59,518
Okay now we have done for the first case.

18

00:02:00,000  -->  00:02:10,050
For the second case, all vlan is allowed to
access server 1, access-list 100 permit

19

00:02:10,050  -->  00:02:12,833
and then we need to define the protocol.

20

00:02:13,495  -->  00:02:21,447
Here the case is all vlan is allowed to access
server 1, so all protocol should be allowed.

21

00:02:21,979  -->  00:02:27,687
Here we can use ip, ip is means any protocol.

22

00:02:29,817  -->  00:02:37,345
And then the source, we will allow from all
vlan, so the source is any, the destination

23

00:02:37,345  -->  00:02:46,475
is server 1, so here host and then the ip address of server 1, 192.168.1.10.

24

00:02:48,000  -->  00:02:50,525
Okay for the second case is done.

25

00:02:50,899  -->  00:03:00,000
Next for the third case, we will only allow
from vlan 20 to the server, so here

26

00:03:00,000  -->  00:03:09,472
access-list 100 permit here we will also use protocol
ip, and then the source is vlan 20,

27

00:03:09,789  -->  00:03:16,530
so network 192.168.20.0 0.0.0.255.

28

00:03:17,192  -->  00:03:24,078
The destination is server 2, so host 192.168.1.20.

29

00:03:25,719  -->  00:03:34,643
Last, we need to allow from vlan 30 to the
server 3, access-list 100 permit ip,

30

00:03:34,931  -->  00:03:50,459
the source is vlan 30, so 192.168.30.0 0.0.0.255, the
destination is server 3, so host 192.168.1.30.

31

00:03:51,553  -->  00:03:58,052
Okay we have done configuring the access list,
let’s check it, do show access list.

32

00:03:58,282  -->  00:04:06,761
Here we can see access list 100, we have 4
rule in here, the first rule is block http

33

00:04:06,761  -->  00:04:09,191
from all vlan to all server.

34

00:04:09,853  -->  00:04:18,000
Second rule all vlan is allowed to access
server 1, third rule, only vlan 20 is allowed

35

00:04:18,000  -->  00:04:25,306
to access server 2. And last only vlan 30 is allowed to access server 3.

36

00:04:25,796  -->  00:04:32,580
And remember that we have default rule to
deny any, so let’s say from vlan 10 to the

37

00:04:32,580  -->  00:04:36,571
server, this is will be blocked by default
rule.

38

00:04:36,873  -->  00:04:40,321
Vlan 10 to server 3 will also blocked.

39

00:04:41,256  -->  00:04:47,212
Next, let’s assign the access list to the
interface, let’s say we will assign the

40

00:04:47,212  -->  00:04:58,302
access list to fa0/1, so here interface fa0/1, and then ip access-group 100 out.

41

00:04:58,719  -->  00:05:06,496
Pay attention here that we use direction out,
because the flow is from client to the server,

42

00:05:07,763  -->  00:05:14,282
so fa0/0 will in, and fa0/1 will out.

43

00:05:14,772  -->  00:05:22,470
But we can not assign the access list to fa0/0,
we need to assign the access list on the sub

44

00:05:22,470  -->  00:05:32,268
interface, fa0/0.10, fa0/0.20, or fa0/0.30.

45

00:05:33,103  -->  00:05:40,030
Okay I think enough for this video, in the
next video, we are going to test our configuration.

46

00:05:40,404  -->  00:05:43,877
Thankyou for watching and see you on the next video.