1
00:00:09,170 --> 00:00:12,680
This is an ACL, or access control list, lab.

2
00:00:21,870 --> 00:00:29,790
We've been told that we need to restrict traffic internally using router 1 as follows. One of the big

3
00:00:29,790 --> 00:00:33,780
decisions to make is: where are you going to bind the access list?

4
00:00:34,500 --> 00:00:40,110
We've been told to bind it in the most efficient place on router 1. In these examples

5
00:00:40,140 --> 00:00:47,430
we are restricting traffic from the user PCs, so the most efficient place to bind the access list

6
00:00:47,430 --> 00:00:50,840
would be here, gigabit 0/0/0.

7
00:00:51,630 --> 00:00:58,350
That's because we don't want the border to have to process the traffic and then simply drop it on the

8
00:00:58,350 --> 00:00:59,520
outbound interface.

9
00:01:00,150 --> 00:01:06,180
Extended access lists allow us to be very granular, and we are able to specify individual traffic types

10
00:01:06,180 --> 00:01:09,490
and port numbers when permitting or denying traffic.

11
00:01:10,260 --> 00:01:13,240
So this is where we're going to bind the access list.

12
00:01:13,950 --> 00:01:21,570
We generally want to bind extended access lists as close to the source as possible, to stop devices having

13
00:01:21,570 --> 00:01:24,870
to process the traffic and then simply drop it.

14
00:01:25,920 --> 00:01:33,600
Now, firstly, we need to permit traffic from PC 1 to HTTP server 1 using HTTP.

15
00:01:34,590 --> 00:01:35,700
So here's our router.

16
00:01:39,950 --> 00:01:47,690
show ip interface brief: we can see the IP addresses on the router. The router has been configured with

17
00:01:47,690 --> 00:01:48,980
IP addresses already.

18
00:01:51,220 --> 00:01:54,880
This PC has an IP address

19
00:01:56,170 --> 00:02:02,150
of 10.1.2.101. For the real world and for the exam,

20
00:02:02,710 --> 00:02:09,870
don't forget about the command ipconfig, which also shows you the IP address of the PC.

21
00:02:10,449 --> 00:02:12,040
So it has an IP address of

22
00:02:12,040 --> 00:02:13,660
10.1.2.101.

23
00:02:15,200 --> 00:02:16,130
This server

24
00:02:17,960 --> 00:02:22,310
has an IP address of 10.1.100.

25
00:02:26,090 --> 00:02:30,230
So we want to permit traffic from this IP address

26
00:02:31,220 --> 00:02:32,510
to this IP address,

27
00:02:33,910 --> 00:02:36,400
but only permit HTTP.

28
00:02:37,330 --> 00:02:42,820
We've been told which access list number to use, so that makes it simple.

29
00:02:44,770 --> 00:02:47,170
Remember, extended access lists

30
00:02:49,520 --> 00:02:54,270
have this range; standard IP access lists have this range.

31
00:02:54,770 --> 00:03:00,670
Now, if you check this on a real device, you'll notice that there are actually additional numbers.

32
00:03:01,400 --> 00:03:06,860
So in this example, I'll telnet to a real physical router that I have,

33
00:03:07,930 --> 00:03:11,170
and if I type access-list question mark,

34
00:03:12,140 --> 00:03:19,640
notice standard access lists are in the range 1 to 99, but there's also this range, which is called the

35
00:03:19,640 --> 00:03:21,740
expanded range.

36
00:03:21,740 --> 00:03:28,130
IP extended access lists are in this range, but there's also this expanded range of extended IP access

37
00:03:28,130 --> 00:03:29,780
lists. For the exam,

38
00:03:29,810 --> 00:03:32,480
those are the two most important ranges to know.

39
00:03:32,870 --> 00:03:41,570
And that's what we have in Packet Tracer. So on the router, access-list 100, and we are going to

40
00:03:41,570 --> 00:03:44,330
permit specific traffic. First,

41
00:03:44,780 --> 00:03:49,340
we're using TCP here because HTTP resides on top of TCP.

42
00:03:50,150 --> 00:03:52,700
Now the source address is going to be host

43
00:03:54,180 --> 00:04:03,060
10.1.2.101, so 10.1.2.101. Now we could use greater than,

44
00:04:03,970 --> 00:04:05,530
but we're not going to do that here.

45
00:04:07,080 --> 00:04:08,160
The destination

46
00:04:09,160 --> 00:04:12,320
is our server, 10.1.1.100.

47
00:04:12,880 --> 00:04:15,520
So 10.1.1.100.

48
00:04:16,120 --> 00:04:23,700
We need to specify the port number, which in our example is going to be 80, HTTP.

49
00:04:24,730 --> 00:04:29,040
So now do show run pipe include access.

50
00:04:30,070 --> 00:04:41,350
Notice this line: access-list 100 permit tcp host 10.1.2.101 host 10.1.1.100 eq www.

51
00:04:42,130 --> 00:04:48,960
So the router has automatically converted the port number to a word, which is fine.

52
00:04:49,900 --> 00:04:52,360
So that's the first access list entry.