00:00:11,190 --> 00:02:19,690
So let's work through this tricky lab. Don't be worried if you didn't get it working; it's very tricky. So the first thing we need to do is bind access list 100 in the most efficient place on router 1. With extended IP access lists, you want to bind traffic as close to the source as you can. So we're going to bind the access list to gigabit 0/0/0. We're told that inside PC 1, this PC can only access HTTP server 1 and 2 on subnet 10.1.1.0/24 using HTTP and HTTPS, and we're only allowed to use two lines in an access list to do this. So first thing: this server has an IP address of 10.1.1.100. This server has an IP address of 10.1.1.101. And now this is where it's important to know your binary. That IP address and that IP address, 10.1.1.100. Let's start the Windows calculator and put one hundred into the calculator; notice that's what the binary value of 100 is. So both 10.1.1.100 and 101 have the first three octets the same. So if we want to match both of those IP addresses, we would match that followed by something. So what's the difference between 100 and 101? 100 looks like that. 101 looks like this.

00:02:22,190 --> 00:04:39,830
And what you'll notice is the only difference between these two IP addresses is the last bit: 100 and 101 are exactly the same in binary except for the last bit. So if we want to match both those IP addresses, we would use an inverse mask that looks like that. Remember, if we want to match that portion, we would write 0.0.0 in our access list, and to match both of those IP addresses, we would make a mask like that. This means we're matching 10. This means we're matching 1 in the second octet. This means we're matching 1 in the third octet. And this means we're matching both 100 and 101 in the fourth octet. So if we want to match both those hosts, we would create an access list, so access list 100 permit, and in this example we have to permit HTTP and HTTPS. Both those protocols use TCP. The source that we're matching is PC 1, so 10.1... and if you look at the IP address, 2.101, so this is the IP address of the source. So 2.101. You could tie this down to ephemeral port numbers or random port numbers, but for now I'm not going to do that. I'm going to simply say destination is 10.1.1.100, mask 0.0.0.1, eq, and we need to match HTTP and HTTPS, so I'm going to say port 80 and do another line, port 443. So let's confirm that: show run. There are our two access control list entries that meet the criteria.

00:04:40,920 --> 00:06:48,760
You've got to think in binary. So pretend that you're in The Matrix and look at the binary; don't look at the decimal, look at the binary. This is an inverse mask. Zero means match. One in binary means don't match. This actually looks like we've got eight zeros, followed by eight zeros, followed by eight zeros, followed by seven zeros and a one. That's what we're looking at here. OK, so the next step is no other PCs on the subnet can access the 10.1.1.0/24 subnet. So access list 100 deny, and we want to deny all traffic from this subnet going to 10.1.1.0, that subnet. I'll make this a bit bigger, so it's easier to read. So show run; that's what our access list looks like at the moment. The next step is we should be able to access any other network, so access list 100 permit IP 10.1.2.0 with our mask, and we want to permit traffic going to any destination. So again, show run. That's our access list. Show access-lists will show you something similar. There's the access list in the running configuration, and that's the access list as seen with a show command. OK, so that's the first part. We then need to bind it onto our interface using the ip access-group command, and then we need to specify a direction.

00:06:50,470 --> 00:08:56,780
And I should remember to put the number in, so access-group 100 inbound. So, again, show run on the router; we bound the access list inbound on this interface. It's the most efficient place to bind the access list; we want to drop traffic as quickly as possible if it needs to be dropped. We don't want the router to process and route the traffic and then simply drop it. And again, that's what our access list looks like. So that's the first part. Now, what you could do at this point is verify that things work as expected. So on your first host, as an example, verify things; remember to take small steps. So 10.1.1.100, that's the IP address of the first server, as we can see here. So on the PC, we can access both servers using HTTP. Let's try HTTP to the first server. HTTPS works. There's our image. What about HTTPS to the second server? That works, but notice I can't browse to the third server. In other words, this server here, I can't get to 10.1.1.102 from the client; the request times out. What about the fourth server? ipconfig: 10.1.1.103. I'm not able to get to that server either. But I can get to the second server as well as the first server using my Web browser.

00:08:57,430 --> 00:11:03,580
It's also a good idea to check what's going on by using the show access-lists command; notice we're getting a bunch of matches here. So let's do some more tests. This is server 100, so we should be able to access pages, so that works. We previously had 19 matches. Notice it's gone up to 51 matches because that was actually HTTPS, so 51 matches from 39 matches. So go back here, click to a small page; 51 matches has now increased to 61 matches. So I'll change that to HTTP; notice 24 matches, which is up from 19 matches. Click back, go to the image page. It was 24 matches, now it's 41 matches. So that's definitely working. And what about when we go to PC 2 and try and browse to one of the servers? At the moment, we have 24 matches on this line; let's browse to 10.1.1.100. Notice 28 matches, 32 matches, so that's definitely working. Go to 101: 39 matches, 42 matches and so forth. Go to another server, 103. Notice this is also increasing. And if we go back to PC 1, we've got 60 matches at the moment, but let's try and go to server 4; notice the matches are increasing. So that's definitely working. Last test is, can we get to Cisco.com? Now, the verifications I'm doing here are firstly to check that first access list; we'll have to do more checks once we add an additional access list.

00:11:04,670 --> 00:11:40,650
But we can do some initial testing here, so can we get to Cisco.com? Yes, we can. Now, in your lab, it may take a while for that page to display, but notice we've got 72 matches, whereas previously we had no matches on the last line. Facebook.com: we can get to Facebook.com; notice we have 140 matches. So that definitely works. So I'm happy with the first access list. Now we need to configure the second access list.