1 00:00:09,170 --> 00:00:12,680 This is an ACL, or access control list, lab.
2 00:00:21,330 --> 00:00:29,370 In this lab, you've been asked to configure router 1 to restrict traffic based on these instructions.
3 00:00:29,910 --> 00:00:31,910 We need to use access list 100.
4 00:00:32,369 --> 00:00:41,310 In other words, an extended IP version 4 access list. Inside PC 1, which is this PC here, should
5 00:00:41,310 --> 00:00:51,450 be restricted so that it can only access HTTP server 1 using HTTP on subnet 10.1.1.0/24.
6 00:00:52,080 --> 00:00:58,290 In other words, this PC should only be able to access the server using HTTP.
7 00:00:59,240 --> 00:01:08,660 These two servers are in subnet 10.1.1.0/24, the inside PCs are in subnet 10.1.2.0
8 00:01:08,900 --> 00:01:20,930 /24. Inside PC 2, this PC here, should only be able to access HTTP server 2, this server, using HTTPS
9 00:01:21,770 --> 00:01:23,090 on that subnet.
10 00:01:24,200 --> 00:01:32,030 So in other words, the only device that PC 1 should be able to access on subnet 10.1.1.0
11 00:01:32,480 --> 00:01:41,450 is this server using HTTP, and the only device that PC 2 should be able to access on subnet 10.1.1.
12 00:01:41,450 --> 00:01:45,410 0 is this server using HTTPS.
13 00:01:46,370 --> 00:01:53,660 No other PCs or servers on the subnet 10.1.2.0 should be able to access any other devices on
14 00:01:54,110 --> 00:01:57,460 network 10.1.1.0/24.
15 00:01:58,220 --> 00:02:01,100 At the moment we only have these two PCs.
16 00:02:01,430 --> 00:02:09,169 But if you had another device connected to this switch in this subnet, 10.1.2.0/24,
17 00:02:09,590 --> 00:02:19,520 that device should not be able to access any other devices in subnet 10.1.1.0/24. Now by default
18 00:02:19,670 --> 00:02:24,470 there is an implicit deny any in Cisco IP access lists.
19 00:02:25,040 --> 00:02:33,650 Normally you would add an explicit line to log traffic, so you would use the word log at the end of your
20 00:02:33,650 --> 00:02:34,340 access list
21 00:02:34,340 --> 00:02:38,290 entry to log traffic to a syslog server, for example.
22 00:02:39,110 --> 00:02:42,350 Now Packet Tracer doesn't support that logging option.
23 00:02:43,250 --> 00:02:45,590 So we're going to add the line explicitly.
24 00:02:46,340 --> 00:02:51,440 But in the real world, we would add a log keyword to log that traffic.
25 00:02:52,310 --> 00:02:56,840 It will allow us, however, to see matches on an access list.
26 00:02:57,440 --> 00:03:05,960 So we're going to explicitly specify that line: hosts on subnet 10.1.2.1 should be able to access
27 00:03:05,960 --> 00:03:07,110 any other network.
28 00:03:07,850 --> 00:03:14,210 So in other words, these two PCs should be able to access Cisco.com and Facebook.com.
29 00:03:14,780 --> 00:03:19,250 Now you need to bind the access list in the most efficient place on router 1.
30 00:03:20,150 --> 00:03:22,670 So where are you going to place the access list on router 1?
31 00:03:23,660 --> 00:03:30,320 You need to decide where that access list will be placed: will it be placed here, here or here?
32 00:03:31,330 --> 00:03:37,180 Now, don't forget, just because you've configured something doesn't mean that it's working the
33 00:03:37,180 --> 00:03:39,010 way you think it's working.
34 00:03:39,520 --> 00:03:43,200 Routers do what you tell them, not what you think they should do.
35 00:03:43,570 --> 00:03:47,170 So make sure that you verify that things are working properly.
36 00:03:47,860 --> 00:03:56,020 So verify that inside PC 1 can access internal HTTP server 1 using HTTP but is not able to ping
37 00:03:56,560 --> 00:04:06,460 HTTP server 2, for example. Verify that inside PC 2 can access the internal HTTP server 2 using HTTPS
38 00:04:07,030 --> 00:04:09,540 but can't ping HTTP server 1.
39 00:04:09,970 --> 00:04:19,269 You could also do some additional tests, like PC 2 shouldn't be able to browse using HTTP to server
40 00:04:19,269 --> 00:04:25,980 1, PC 1 shouldn't be able to browse using it to server 2, and so forth and so on.
41 00:04:26,860 --> 00:04:34,510 You should also verify that both inside PC 1 and PC 2 can browse to Cisco.com and Facebook.
42 00:04:34,510 --> 00:04:34,900 com.
43 00:04:35,890 --> 00:04:42,520 Now, we'll do a more complex lab in a separate video, but this is an example to get you started.
44 00:04:43,360 --> 00:04:50,140 Are you able to complete the lab? Download the attached Packet Tracer file and see if you can complete
45 00:04:50,200 --> 00:04:51,150 the lab yourself.
46 00:04:52,260 --> 00:04:57,750 In the next video, I'll give you some tips and tricks, as well as show you how to complete the lab.
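The lab above is about three things the transcript states but does not show: extended ACL entries are evaluated top to bottom with the first match winning, anything that matches no entry hits the implicit deny, and the only way to know the list does what you intended is to test every case in the requirements. The following Python script is an added example, not code from the video or its Packet Tracer file. It parses a constructed `access-list 100` written in IOS syntax (the `log` keyword the transcript mentions is accepted and ignored) and runs the lab's verification cases through a first-match simulator. The host addresses are assumptions, since the lab only gives subnets: inside PC 1 = 10.1.2.1, inside PC 2 = 10.1.2.2, HTTP server 1 = 10.1.1.1, HTTP server 2 = 10.1.1.2, and 203.0.113.10 stands in for an internet host such as Cisco.com. The ACL is assumed to be bound inbound on the router 1 interface facing 10.1.2.0/24, following the usual guideline of placing extended ACLs closest to the source; the video's own answer to its placement question is not given here.

```python
"""First-match simulation of a Cisco IOS extended numbered ACL (access-list 100).

Added example, not code from the video or its Packet Tracer file. Assumed
addresses (the lab gives only subnets): inside PC 1 = 10.1.2.1, inside PC 2 =
10.1.2.2, HTTP server 1 = 10.1.1.1, HTTP server 2 = 10.1.1.2. The ACL is
assumed to be applied inbound on the router 1 interface facing 10.1.2.0/24.
"""
import ipaddress

# Constructed ACL in IOS numbered-ACL syntax. Entry order matters: the two
# specific permits come first, then the deny covering the rest of 10.1.1.0/24,
# then the permit that lets the inside subnet reach everything else.
ACL_100 = """
access-list 100 permit tcp host 10.1.2.1 host 10.1.1.1 eq 80
access-list 100 permit tcp host 10.1.2.2 host 10.1.1.2 eq 443
access-list 100 deny ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255 log
access-list 100 permit ip 10.1.2.0 0.0.0.255 any
"""

# Same four entries with the broad permit moved to the top: first match wins,
# so every inside packet is permitted and the restrictions never take effect.
ACL_100_MISORDERED = "\n".join(ACL_100.strip().splitlines()[3:] + ACL_100.strip().splitlines()[:3])

ALL_ONES = int(ipaddress.ip_address("255.255.255.255"))


def _parse_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD' and return (network, rest).
    A wildcard mask is the bitwise inverse of a netmask; only contiguous
    wildcards are accepted here (ip_network rejects the rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    netmask = ALL_ONES ^ int(ipaddress.ip_address(tokens[1]))
    net = ipaddress.ip_network((tokens[0], str(ipaddress.ip_address(netmask))), strict=False)
    return net, tokens[2:]


def _parse_port(tokens):
    """Consume an optional 'eq PORT' qualifier."""
    if tokens and tokens[0] == "eq":
        return int(tokens[1]), tokens[2:]
    return None, tokens


def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [log]' lines."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            raise ValueError(f"unsupported ACL line: {line}")
        src, rest = _parse_addr(t[4:])
        sport, rest = _parse_port(rest)
        dst, rest = _parse_addr(rest)
        dport, rest = _parse_port(rest)
        entries.append({"action": t[2], "proto": t[3], "src": src, "sport": sport,
                        "dst": dst, "dport": dport, "log": "log" in rest, "line": line})
    return entries


def evaluate(entries, proto, src, dst, dport=None, sport=None):
    """Return (action, matching line). The first matching entry wins; a packet
    that matches nothing hits the implicit 'deny ip any any' at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e["proto"] not in ("ip", proto):
            continue
        if s not in e["src"] or d not in e["dst"]:
            continue
        if e["sport"] is not None and e["sport"] != sport:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"], e["line"]
    return "deny", "(implicit deny ip any any)"


# The lab's verification steps as constructed packets: (proto, src, dst[, dport]).
# 203.0.113.10 stands in for an internet host; 10.1.2.50 is the "another
# device on the switch" case. The last field is what the lab rules require.
LAB_CHECKS = [
    ("PC1 -> server1 HTTP",      ("tcp", "10.1.2.1", "10.1.1.1", 80),       "permit"),
    ("PC1 -> server2 ping",      ("icmp", "10.1.2.1", "10.1.1.2"),          "deny"),
    ("PC1 -> server2 HTTPS",     ("tcp", "10.1.2.1", "10.1.1.2", 443),      "deny"),
    ("PC2 -> server2 HTTPS",     ("tcp", "10.1.2.2", "10.1.1.2", 443),      "permit"),
    ("PC2 -> server1 ping",      ("icmp", "10.1.2.2", "10.1.1.1"),          "deny"),
    ("PC2 -> server1 HTTP",      ("tcp", "10.1.2.2", "10.1.1.1", 80),       "deny"),
    ("PC1 -> internet HTTPS",    ("tcp", "10.1.2.1", "203.0.113.10", 443),  "permit"),
    ("new host -> server1 HTTP", ("tcp", "10.1.2.50", "10.1.1.1", 80),      "deny"),
]


def run_checks(acl_text):
    """Evaluate every lab check; return {name: (got, expected, matched line)}."""
    entries = parse_acl(acl_text)
    results = {}
    for name, pkt, want in LAB_CHECKS:
        got, line = evaluate(entries, *pkt)
        results[name] = (got, want, line)
    return results


def all_pass(acl_text):
    """True only if every lab requirement holds for the given ACL text."""
    return all(got == want for got, want, _ in run_checks(acl_text).values())


if __name__ == "__main__":
    for label, acl in (("correct order", ACL_100), ("misordered", ACL_100_MISORDERED)):
        print(f"== {label}: all checks pass = {all_pass(acl)}")
        for name, (got, want, line) in run_checks(acl).items():
            print(f"{'OK ' if got == want else 'BAD'} {name:26} {got:6} via: {line}")
```

Run it as-is to see the correct ordering pass every check and the misordered list fail, which is the same lesson as the transcript's "routers do what you tell them": the configuration is only right once each requirement has been exercised. The simulator is deliberately one-directional; on a real router the return traffic from the servers flows out of the inside interface and is not examined by an inbound ACL, which is why only the PC-to-server direction needs entries here.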