1
00:00:12,800 --> 00:00:20,260
This is an ACL or access control list lab. Now before we get started, I need to warn you.

2
00:00:20,730 --> 00:00:22,580
Warning, warning.

3
00:00:23,480 --> 00:00:25,450
This is a challenging lab.

4
00:00:25,760 --> 00:00:32,330
You need to be careful of a number of pitfalls and tricky requirements that can cause you problems.

5
00:00:33,440 --> 00:00:38,420
This topology consists of a subnet 10.1.1.0/24.

6
00:00:39,170 --> 00:00:42,780
There are four HTTP servers in that subnet.

7
00:00:43,670 --> 00:00:52,850
There's also an internal user subnet, 10.1.2.0, that has two user PCs connected to it. For the

8
00:00:52,850 --> 00:00:53,210
moment,

9
00:00:53,210 --> 00:01:01,430
assume that you have multiple other devices in the subnet, but for testing and verification, two devices

10
00:01:01,430 --> 00:01:02,060
are enough.

11
00:01:03,200 --> 00:01:10,250
We also have servers on the Internet, including a DNS server and Web servers such as Cisco.com

12
00:01:10,490 --> 00:01:11,930
and Facebook.com.

13
00:01:13,030 --> 00:01:20,500
We also have an outside PC, which we can use to test and verify our access control lists. The first

14
00:01:20,500 --> 00:01:27,610
requirement is that you need to restrict traffic internally by configuring an access list on the router

15
00:01:27,820 --> 00:01:31,410
and binding it to an interface where it will be most efficient.

16
00:01:31,960 --> 00:01:37,370
You need to use access list 100 and then permit inside PC 1.

17
00:01:37,870 --> 00:01:47,500
In other words, this PC, so that it can access the HTTP servers, but only HTTP server 1 and HTTP server

18
00:01:47,500 --> 00:01:48,160
2.

19
00:01:49,440 --> 00:01:56,220
It needs to be able to access those two servers using HTTP and HTTPS.

20
00:01:56,790 --> 00:02:05,700
But, and here's the first tricky requirement, you can only configure two access list entries in your access

21
00:02:05,700 --> 00:02:07,950
list to accomplish this requirement.
22
00:02:08,639 --> 00:02:19,050
So in other words, you are permitting one PC to access two servers using HTTP and HTTPS, but you can only

23
00:02:19,050 --> 00:02:21,850
use two access control list entries to do it.

24
00:02:22,770 --> 00:02:23,970
So here's your first hint.

25
00:02:24,600 --> 00:02:31,140
You need to think about how binary works and how that would apply to your access list and the requirements

26
00:02:31,350 --> 00:02:32,430
in this lab.

27
00:02:33,180 --> 00:02:35,360
I don't want to say too much at this point.

28
00:02:35,700 --> 00:02:37,860
Have a look at the answers video

29
00:02:38,130 --> 00:02:41,490
if you want to get more information about how to accomplish that.

30
00:02:42,240 --> 00:02:48,080
We're also told that no other PCs or servers on subnet 10.1.2.0,

31
00:02:48,660 --> 00:02:55,030
in other words the subnet, should be allowed to access subnet 10.1.1.0/24.

32
00:02:55,680 --> 00:03:00,270
We want to explicitly add this line. In the real world

33
00:03:00,270 --> 00:03:06,630
we may want to do that for logging purposes, but Packet Tracer doesn't support the log option on an

34
00:03:06,630 --> 00:03:07,590
access list entry.

35
00:03:08,400 --> 00:03:11,090
So we'll just pretend that that's what we're going to do.

36
00:03:11,670 --> 00:03:18,900
But you need to add this line so that you can see the matches against the entry. Hosts on subnet 10

37
00:03:18,900 --> 00:03:23,370
.1.2.0/24 should be able to access any other network.

38
00:03:23,700 --> 00:03:29,070
So they should be able to, for instance, connect to Cisco.com and Facebook.com.

39
00:03:29,990 --> 00:03:36,650
And in addition, to make things more complicated, we've got a second access list. We need to configure

40
00:03:36,800 --> 00:03:45,980
access list 101 so that any external device can access the internal servers using HTTP or HTTPS.

41
00:03:46,670 --> 00:03:54,480
We then need to stop any external device from accessing the user subnet 10.1.2.0.
42
00:03:55,100 --> 00:04:02,090
We again want an explicit line for this, and then we need to bind the access list in the most efficient

43
00:04:02,090 --> 00:04:03,380
place on Router 1.

44
00:04:04,310 --> 00:04:11,440
Now, be careful with this second access list. It may look simple, but you've got to think about your

45
00:04:11,440 --> 00:04:16,329
DNS traffic and the return traffic from the Internet servers.

46
00:04:17,200 --> 00:04:21,899
This PC needs to be able to access Cisco.com.

47
00:04:22,750 --> 00:04:26,590
So when you open up a Web browser on this PC,

48
00:04:28,130 --> 00:04:30,800
it should be able to navigate to Cisco.com.

49
00:04:31,890 --> 00:04:39,480
If you've configured your access list correctly, that should still work. The PC should also be able

50
00:04:39,480 --> 00:04:42,250
to access a website such as Facebook.com.

51
00:04:42,930 --> 00:04:44,610
Now, what's happening in the background?

52
00:04:46,800 --> 00:04:55,290
This PC is sending a DNS request to the DNS server, and that DNS request needs to be returned back

53
00:04:55,290 --> 00:04:56,250
to the PC.

54
00:04:56,760 --> 00:05:03,300
The PC then connects to Cisco.com and the traffic needs to be returned from Cisco.com.

55
00:05:04,420 --> 00:05:11,500
So you need to think about the return traffic. You need to ensure that both PCs can access Cisco.com

56
00:05:11,500 --> 00:05:13,510
and Facebook.com.

57
00:05:14,050 --> 00:05:23,560
You also need to verify that outside PC 1 can access the internal servers using HTTP and HTTPS, but

58
00:05:23,560 --> 00:05:26,800
can't ping the internal PCs.

59
00:05:27,760 --> 00:05:34,420
So as an example, this PC should be able to access the Web servers, but shouldn't be able to access

60
00:05:34,420 --> 00:05:42,370
these PCs. But this PC should be able to access Cisco.com, and return traffic from Cisco.com

61
00:05:42,670 --> 00:05:44,830
should be returned to that PC.
62
00:05:45,930 --> 00:05:50,820
So there are quite a few things that you need to think about. This is a tricky lab.

63
00:05:51,510 --> 00:05:58,260
So just to check the verifications, we need to verify that PC 1 can access the internal servers, HTTP

64
00:05:58,260 --> 00:06:01,800
server 1 and 2, but not HTTP server 3 and 4.

65
00:06:02,400 --> 00:06:06,720
The PC should be able to access those two servers, but not these two servers.

66
00:06:07,380 --> 00:06:14,430
This PC should not be able to access any of the servers, but should be able to access Internet servers.

67
00:06:15,680 --> 00:06:23,630
And we need to make sure that the external PC can access the HTTP servers, but not the internal PCs.

68
00:06:24,590 --> 00:06:28,150
Again, let me warn you, this is a tricky lab.

69
00:06:28,460 --> 00:06:32,280
Be careful. If you get stuck or you struggle,

70
00:06:32,570 --> 00:06:34,730
have a look at the next video.

71
00:06:35,060 --> 00:06:37,020
We are showing you how to configure this lab.

72
00:06:37,730 --> 00:06:45,020
This will be a good test of your knowledge of binary, access control lists, protocols, port numbers

73
00:06:45,470 --> 00:06:48,590
and the way traffic flows through networks.

74
00:06:49,810 --> 00:06:51,280
So why not try it yourself?

75
00:06:51,580 --> 00:06:57,150
Download the attached Packet Tracer file and see if you can complete the lab yourself.

76
00:06:57,730 --> 00:06:59,560
Otherwise, watch the next video.

77
00:06:59,560 --> 00:07:02,170
We'll show you how to complete this lab.
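The "think about binary" hint for access list 100, worked through as an added example that is not part of the video or its Packet Tracer lab: a small model of Cisco extended ACL matching with wildcard masks, showing how one wildcard can cover two servers whose addresses differ in a single bit, so that PC 1 reaches both over HTTP and HTTPS with two entries. All host addresses (PC 1 at 10.1.2.10, the servers at 10.1.1.10 to 10.1.1.12, an Internet server at 198.51.100.20) are constructed for illustration; the lab file's real addresses are not known here.

```python
from ipaddress import IPv4Address

# Constructed addresses for the example (not the lab's real hosts)
PC1, PC2 = "10.1.2.10", "10.1.2.11"
S1, S2, S3 = "10.1.1.10", "10.1.1.11", "10.1.1.12"
INTERNET_WEB = "198.51.100.20"
HOST = "0.0.0.0"                          # wildcard for a single host
ANY = ("0.0.0.0", "255.255.255.255")      # base/wildcard for "any"

def ip_int(ip: str) -> int:
    return int(IPv4Address(ip))

def wc_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard bit 0 = must match the base, bit 1 = don't care."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(addr) & care) == (ip_int(base) & care)

def wildcard_for(hosts):
    """Base address and smallest wildcard covering every host in the list:
    a don't-care bit is set wherever any host differs from the first one.
    The block may also cover addresses that are not in the list."""
    ints = [ip_int(h) for h in hosts]
    mask = 0
    for other in ints[1:]:
        mask |= ints[0] ^ other
    base = ints[0] & ~mask & 0xFFFFFFFF
    return str(IPv4Address(base)), str(IPv4Address(mask))

def acl_eval(acl, proto, src, dst, dport=None):
    """First matching entry wins; every numbered ACL ends in an implicit deny."""
    for action, p, s, s_wc, d, d_wc, port in acl:
        if p not in ("ip", proto):
            continue
        if not (wc_match(src, s, s_wc) and wc_match(dst, d, d_wc)):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"

# 10.1.1.10 and 10.1.1.11 differ only in the last bit -> wildcard 0.0.0.1
S_BASE, S_WC = wildcard_for([S1, S2])

# Entry layout: (action, protocol, src, src_wildcard, dst, dst_wildcard, dst_port)
ACL_100 = [
    ("permit", "tcp", PC1, HOST, S_BASE, S_WC, 80),     # PC 1 -> server 1 or 2, HTTP
    ("permit", "tcp", PC1, HOST, S_BASE, S_WC, 443),    # PC 1 -> server 1 or 2, HTTPS
    ("deny", "ip", "10.1.2.0", "0.0.0.255", "10.1.1.0", "0.0.0.255", None),  # explicit deny
    ("permit", "ip", "10.1.2.0", "0.0.0.255", *ANY, None),                    # rest of the world
]
```

The model is stateless: it says nothing about the DNS replies and Internet return traffic that access list 101 must also allow back in, which is the pitfall the video warns about.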