1
00:00:09,000 --> 00:00:12,510
This is an ACL or access control list lab.

2
00:00:21,700 --> 00:00:31,960
The second access list entry will be to permit PC 2 and only allow it to access server 2 using HTTPS.

3
00:00:35,010 --> 00:00:40,680
So this PC has an IP address of 10.1.2.102

4
00:00:42,190 --> 00:00:48,230
and the server has an IP address of 10.1.1.101.

5
00:00:49,180 --> 00:00:54,660
So both of those devices simply have the next IP address in the list.

6
00:00:56,800 --> 00:01:07,510
So access-list 100 permit TCP host, host is going to be 10.1.2.102, so 10.1.2.10

7
00:01:07,510 --> 00:01:14,530
2, destination host is going to be 10.1.1.101.

8
00:01:15,990 --> 00:01:22,830
Now, notice the mistake I've made. I'm going to ignore it for the moment and later on I'll correct

9
00:01:22,830 --> 00:01:25,790
it when I show you how to edit access lists.

10
00:01:26,250 --> 00:01:29,630
Be very careful when you edit your access lists.

11
00:01:30,060 --> 00:01:34,110
You could, by mistake, delete your entire access list.

12
00:01:37,550 --> 00:01:44,340
And in this example, we need to permit HTTPS, which is port 443.

13
00:01:45,680 --> 00:01:48,830
It's important that you learn your port numbers.

14
00:01:49,460 --> 00:01:52,150
So do show run pipe include access.

15
00:01:53,060 --> 00:01:56,000
We've now got those two entries in our access list.

16
00:01:57,860 --> 00:02:04,790
Now, we're told that no other PCs or servers on subnet 10.1.2.0 should be able to access devices

17
00:02:04,790 --> 00:02:06,860
on subnet 10.1.1.0.

18
00:02:09,199 --> 00:02:19,040
So access-list 100 deny, in this case, IP 10.1.2.0 with our mask,

19
00:02:20,290 --> 00:02:29,920
going to a destination of 10.1.1.0 with our mask. Now in the real world, you'd use a word

20
00:02:29,920 --> 00:02:36,520
such as log here, but I'm simply going to press enter here because Packet Tracer doesn't support logging.
21
00:02:38,130 --> 00:02:50,880
Notice the difference on a real router: access-list 100, deny, IP 10.1.2.0 going to 10.1

22
00:02:50,880 --> 00:02:51,930
1.0

23
00:02:53,820 --> 00:03:02,460
and notice we have the option to log traffic, so there are more options than are available in Packet Tracer.

24
00:03:03,060 --> 00:03:05,180
But Packet Tracer is great for learning.

25
00:03:06,120 --> 00:03:10,410
Now we're told that hosts on the subnet can access any other network.

26
00:03:11,640 --> 00:03:21,110
So we need to add a line here permitting IP from 10.1.2.0 going anywhere.

27
00:03:23,090 --> 00:03:31,610
So show access-lists. That's the access list that we've configured. Notice access list number entries are

28
00:03:31,610 --> 00:03:32,690
added automatically

29
00:03:35,530 --> 00:03:46,620
and that allows you to do this, so ip access-list extended 100. Notice instead of using access-list

30
00:03:46,740 --> 00:03:55,890
100, I used the command ip access-list. That would allow me, for example, to delete an entry in the

31
00:03:55,890 --> 00:04:02,560
access list, so if I said no study and then type do show access-list.

32
00:04:02,940 --> 00:04:06,420
Notice that individual line has been removed.

33
00:04:07,470 --> 00:04:13,320
If I typed no access-list 100, that would remove the entire access list.

34
00:04:13,620 --> 00:04:17,490
So be careful doing that.

35
00:04:18,060 --> 00:04:20,510
Notice the whole access list has disappeared.

36
00:04:21,240 --> 00:04:26,310
So you want to go into the access list and then edit the access list manually.

37
00:04:27,730 --> 00:04:31,210
So that was the first line, access-list 100.

38
00:04:32,760 --> 00:04:35,660
And here's the problem when you remove entries.

39
00:04:36,440 --> 00:04:40,710
So let me try that again, access-list 100.

40
00:04:46,000 --> 00:04:47,500
Access-list 100.

41
00:04:53,760 --> 00:04:56,690
So be careful deleting access lists.
42
00:04:56,820 --> 00:05:01,050
You'll regret it in the real world if you do it by mistake.

43
00:05:06,620 --> 00:05:07,970
And our last entry

44
00:05:13,590 --> 00:05:20,730
is that. So, again, do show access-list, let's confirm that.

45
00:05:20,850 --> 00:05:21,740
That's correct.

46
00:05:22,290 --> 00:05:28,230
We are permitting the first host to access the first server using HTTP.

47
00:05:29,150 --> 00:05:35,790
We're permitting the second host, and notice there is a typo there, so let's correct that.

48
00:05:36,980 --> 00:05:43,010
So ip access-list extended 100, no

49
00:05:43,160 --> 00:05:55,890
20, and then I can add it back by saying permit TCP host 10.1.2.102 host 10.1.1.1

50
00:05:55,910 --> 00:05:56,570
01

51
00:05:59,640 --> 00:06:06,960
eq 443. So do show access-list, that looks better.

52
00:06:08,310 --> 00:06:15,180
It's important to verify things, so I've checked that line, that line looks good.

53
00:06:16,700 --> 00:06:28,220
That line has also got a mistake, so no 30, 30 deny, 30 needs to be

54
00:06:31,750 --> 00:06:45,080
255. So let's verify again: that looks good, that looks good, that looks better, that looks good.

55
00:06:45,700 --> 00:06:48,910
So once I've verified my access list, I need to bind it.

56
00:06:48,910 --> 00:06:58,660
So interface gigabit 0/0/0. The command to use is ip access-group 100 because that's the access list

57
00:06:58,690 --> 00:06:59,860
number that we're using.

58
00:07:00,580 --> 00:07:05,620
And then we specify either inbound or outbound. In this example, it's going to be inbound.

59
00:07:07,000 --> 00:07:13,420
If you're working remotely, you're going to want to use a command like that.

60
00:07:14,440 --> 00:07:18,990
If you're working remotely, you're going to want to use a command like that.

61
00:07:19,360 --> 00:07:28,390
So before you apply your access list, and only if you are able to do a reload of the device, you would

62
00:07:28,390 --> 00:07:30,900
say reload in 10 or something like that.
63
00:07:31,540 --> 00:07:34,920
That means that the device will reload in 10 minutes.

64
00:07:35,470 --> 00:07:43,990
So the idea is, if you, by mistake, lock yourself out of your router, you can get it back by forcing

65
00:07:43,990 --> 00:07:48,400
it to go back to an older configuration if something goes wrong.

66
00:07:49,390 --> 00:07:55,930
So for the real world, that's a good thing to do, especially if you're working remotely via Telnet

67
00:07:55,930 --> 00:08:01,020
or SSH. Here we're connected to the console, so it doesn't matter.

68
00:08:01,180 --> 00:08:03,000
We're working directly on the console.

69
00:08:03,370 --> 00:08:11,350
So an access list won't block us out of a Telnet session, which it may do if we're working remotely.

70
00:08:12,670 --> 00:08:15,310
So we've bound the access list to this port.

71
00:08:18,630 --> 00:08:26,130
There's our access list, so let's test it. Can PC 1 open up a web browser

72
00:08:28,130 --> 00:08:35,289
to the first server? Yes, it can. Can it open up a web browser to the second server?

73
00:08:35,789 --> 00:08:37,030
Looks like it can't.

74
00:08:37,880 --> 00:08:41,179
And as you can see there, the request timed out.

75
00:08:41,900 --> 00:08:43,429
We could also test it this way.

76
00:08:43,429 --> 00:08:44,270
Can it ping

77
00:08:46,180 --> 00:08:52,060
the servers? Notice it can't ping the servers even though

78
00:08:53,320 --> 00:09:06,100
that server, 10.1.1.100, is available via the web browser, so the access list is working as expected.

79
00:09:07,570 --> 00:09:08,770
What about PC 2?

80
00:09:08,770 --> 00:09:13,030
Can it ping either of the servers?

81
00:09:13,060 --> 00:09:13,930
No, it can't.

82
00:09:15,900 --> 00:09:22,440
Can it connect to the second server using HTTPS?

83
00:09:25,780 --> 00:09:27,620
Need to specify the right IP address.

84
00:09:28,100 --> 00:09:28,910
Yes, it can.
85
00:09:33,270 --> 00:09:42,330
So notice, the first PC can access the first server using HTTP, the second PC can access the second server

86
00:09:42,540 --> 00:09:47,120
using HTTPS, but not using HTTP.

87
00:09:48,240 --> 00:09:56,670
If we look at our access list, show access-list, we see matches on the various lines.

88
00:09:57,600 --> 00:10:01,620
So at the moment, 65 matches on the first line.

89
00:10:05,000 --> 00:10:07,610
Let's generate some traffic.

90
00:10:09,830 --> 00:10:13,160
Notice that's increased, so that's working well.

91
00:10:16,050 --> 00:10:18,880
Look at the image page using HTTPS.

92
00:10:19,710 --> 00:10:21,460
It was 66 matches.

93
00:10:21,810 --> 00:10:23,570
Now it's 88 matches.

94
00:10:24,000 --> 00:10:24,840
So that's working.

95
00:10:24,840 --> 00:10:27,420
Well, this is 52 matches.

96
00:10:30,590 --> 00:10:39,010
Ping the servers, notice that's increasing. We should be able to access devices on the Internet.

97
00:10:39,620 --> 00:10:44,360
So if I go to Cisco.com, that should hopefully work.

98
00:10:45,050 --> 00:10:46,970
It took it a while, but there you go.

99
00:10:47,210 --> 00:10:49,970
There's Cisco.com. Show access-lists.

100
00:10:50,600 --> 00:10:52,340
We see the matches.

101
00:10:52,980 --> 00:10:56,630
What about Facebook.com?

102
00:10:57,950 --> 00:11:09,330
That also works, we see the matches. So as an example, on this PC, can we ping Cisco.com?

103
00:11:09,650 --> 00:11:10,640
Yes, we can.

104
00:11:11,240 --> 00:11:13,400
And we see the matches.

105
00:11:16,470 --> 00:11:19,710
So at this point, we've completed the lab.

106
00:11:21,630 --> 00:11:24,130
We configured the router with an access list.

107
00:11:24,990 --> 00:11:27,390
We bound the access list

108
00:11:29,160 --> 00:11:38,790
on gigabit 0/0/0 inbound, and we verified that things work as expected.

109
00:11:39,540 --> 00:11:44,300
I also fixed some mistakes that were made in the access list configuration.
110
00:11:45,000 --> 00:11:48,870
Don't just configure, always verify.

111
00:11:50,060 --> 00:11:50,740
How did you do?

112
00:11:51,200 --> 00:11:54,530
Were you able to complete the lab, did you get it working?

113
00:11:56,280 --> 00:12:03,990
The last step, before I forget, is to save the router configuration, so WR. For the exam, you may have

114
00:12:03,990 --> 00:12:07,890
to use copy running-config startup-config.

115
00:12:08,580 --> 00:12:11,760
Don't forget to save your configuration when finished.