1

00:00:00,171  -->  00:00:04,823
In the previous video, we already
learn about standard access list,

2

00:00:05,162  -->  00:00:10,419
so the case is we block the
packet from vlan 20 to the server.

3

00:00:10,575  -->  00:00:16,373
We assign the access list in
the fa0/0 with direction out.

4

00:00:17,181  -->  00:00:22,084
Next in this video, we are going
to learn more about direction.

5

00:00:22,526  -->  00:00:31,837
We will remove the access-group in the fa0/0
and then try to assign the access list to fa0/1.

6

00:00:32,283  -->  00:00:40,000
And absolutely if we assign the access
list to fa0/1, the direction will be in,

7

00:00:40,421  -->  00:00:48,839
because if we see the flow, from vlan 20 go to server,
the packet will be go like this.

8

00:00:49,114  -->  00:00:59,825
So here in the fa0/1, the packet will be in,
but in fa0/0, the packet will be out.

9

00:01:00,594  -->  00:01:09,234
Okay now let’s go to interface fa0/0,
and then no ip access-group 1 out.

10

00:01:11,261  -->  00:01:18,008
Now the access list is not assign to any
interface, so now, vlan 20 should be able

11

00:01:18,008  -->  00:01:25,840
to ping to the server again, let’s try. Okay
here we can see that the result is success.

12

00:01:26,286  -->  00:01:38,012
Now let’s assign the access-list to fa0/1,
interface fa0/1, ip access-group 1 in.

13

00:01:38,636  -->  00:01:42,141
Let’s test from vlan 20 to the server again,

14

00:01:43,653  -->  00:01:50,149
okay here failed. Test again from
vlan 20 to server 2, also failed.

15

00:01:50,552  -->  00:01:58,933
Let’s see the access-list, do show access-list,
here we can see that now the match is 6.

16

00:01:59,630  -->  00:02:03,650
Okay now let’s talk more about direction.

17

00:02:04,190  -->  00:02:11,897
If we assign the access-list in fa0/1 with
direction in like this, the packet that blocked

18

00:02:11,897  -->  00:02:19,890
is not only from vlan 20 to the server, but
from vlan 20 to the router will also blocked.

19

00:02:20,362  -->  00:02:26,043
Why? Remember that we assign
the access list in the fa0/1,

20

00:02:26,423  -->  00:02:31,486
so packet from vlan 20 to the
router will also blocked here.

21

00:02:32,206  -->  00:02:40,606
Let’s test it, vlan 20 to the router 2, here we
can see that the result Is failed, test again,

22

00:02:43,032  -->  00:02:44,213
still failed.

23

00:02:45,093  -->  00:02:50,823
Let’s see the access list, here we
can see that now the match is 8.

24

00:02:51,356  -->  00:02:59,478
Let’s test from vlan 10 to pc 2, success,
vlan 10 to the server, also success.

25

00:03:00,381  -->  00:03:10,099
Okay so if we assign the access list in fa0/0,
from vlan 20 to the router is still success,

26

00:03:10,312  -->  00:03:13,139
but to the server absolutely failed.

27

00:03:13,550  -->  00:03:21,867
But if we assign the access list in fa0/1,
from vlan 20 to the router is already blocked.

28

00:03:22,312  -->  00:03:36,941
Let’s try, now let’s remove the access list from
fa0/1, interface fa0/1, no ip access-group 1 in,

29

00:03:37,562  -->  00:03:48,488
and then let’s assign the access list to fa0/0
again, interface fa0/0, ip access-group 1 out.

30

00:03:49,535  -->  00:03:55,810
Okay now from vlan 20 to the router
should be success. Let’s test it,

31

00:03:56,480  -->  00:04:04,080
Okay here we can see that the result is success.
Let’s see the access list , do show access-list,

32

00:04:04,609  -->  00:04:16,236
here we can see that the match on second rule is
19, let’s test again, show again, okay here we can

33

00:04:16,236  -->  00:04:25,091
see that the match is still 19, this is because
we assign the access list to fa0/0,

34

00:04:25,091  -->  00:04:35,000
and the packet from vlan 20 to the router is not go through
fa0/0, this is why the packet is not match.

35

00:04:35,665  -->  00:04:41,886
Some of you may be have a question, why
we don’t configure access list on router1.

36

00:04:42,366  -->  00:04:51,269
If we configure access list on router 1, we
can assign the access list to fa0/0 or fa0/1,

37

00:04:51,901  -->  00:04:55,098
if we assign to fa0/0,

38

00:04:55,098  -->  00:05:03,699
the direction is in, and we assign the
access list to fa0/1, the direction is out.

39

00:05:04,480  -->  00:05:12,789
Let’s say we assign the access list
on fa0/0, so from vlan 20 to router 1,

40

00:05:12,789  -->  00:05:15,680
router 2, and server will be blocked.

41

00:05:16,270  -->  00:05:25,891
Let’s try it, unassign the access list on router2
first, here we assign the access list to fa0/0,

42

00:05:26,575  -->  00:05:33,497
go to interface fa0/0, and
then no ip access-group 1 out.

43

00:05:33,855  -->  00:05:37,451
Next we can copy the access list configuration,

44

00:05:37,756  -->  00:05:43,585
and then next we will paste the
configuration to router 1, do show run,

45

00:05:48,427  -->  00:05:52,541
this is the access list configuration, copy.

46

00:05:54,095  -->  00:05:57,573
Now let’s configure the access list on router 1.

47

00:05:58,000  -->  00:06:05,000
Enable, configure terminal, let’s just
paste the access list from router 2.

48

00:06:05,966  -->  00:06:09,791
Next, let’s assign the access list to interface,

49

00:06:10,190  -->  00:06:20,267
let’s say we will assign to fa0/0, so
interface fa0/0, ip access-group 1 in.

50

00:06:20,929  -->  00:06:28,373
Now from vlan 20 to router 1, router 2, and
server should be blocked. Let’s test it.

51

00:06:29,181  -->  00:06:37,276
Okay this is success, test again
from pc 2 to router 1, still success.

52

00:06:37,695  -->  00:06:45,154
Let’s check it, do show access list, okay
here nothing match with the access list.

53

00:06:45,787  -->  00:06:56,206
This is because the interface that connected
to vlan 20 is not fa0/0, but fa0/0.20,

54

00:06:56,876  -->  00:07:01,307
so let unassign the access list from fa0/0,

55

00:07:02,710  -->  00:07:09,920
and then go to interface fa0/0.20. ip access-group 1 in.

56

00:07:10,522  -->  00:07:19,866
Let’s test again, from vlan 20 to
router1, failed, vlan 20 to router 2,

57

00:07:21,101  -->  00:07:26,827
also failed, vlan 20 to server, also failed.

58

00:07:27,448  -->  00:07:29,482
Let’s see the access list again,

59

00:07:29,482  -->  00:07:37,585
do show access-list, here we can see that the
match is 3. This is because we send 3 packet.

60

00:07:38,156  -->  00:07:42,259
Okay, so now from vlan 20 to anywhere is blocked.

61

00:07:42,808  -->  00:07:48,815
This is why we configure the access list
on router 2, because if we configure the

62

00:07:48,815  -->  00:07:56,225
access list on router 1, so from vlan 20
to router 1 and router 2 will also blocked.

63

00:07:57,006  -->  00:08:04,526
Let’s unassign the access
list, no ip access-group 1 in,

64

00:08:07,196  -->  00:08:08,790
Test the ping again,

65

00:08:17,467  -->  00:08:19,036
okay success.

66

00:08:19,329  -->  00:08:23,375
Now let’s assign the access list on router 2 again,

67

00:08:23,867  -->  00:08:29,078
Interface fa0/0, ip access-group 1 out.

68

00:08:29,615  -->  00:08:37,695
Let’s test again, vlan 20 to router,
success, vlan 20 to router 2 also success,

69

00:08:38,114  -->  00:08:42,274
vlan 20 to server, okay this is failed.

70

00:08:42,857  -->  00:08:48,179
Okay I hope you understand the
implementation of direction in access list.

71

00:08:48,644  -->  00:08:50,946
I think enough for this video

72

00:08:51,129  -->  00:08:54,465
Thankyou for watching and see you on the next video.