1
00:00:11,420 --> 00:00:20,580
So let's verify that the PCs can access Cisco.com, so on PC 1 browse to Cisco.com.

2
00:00:21,110 --> 00:00:27,770
Now in your lab, it may take a while for it to work, wait for it to either time out or work.

3
00:00:28,430 --> 00:00:35,480
So in this example, I can see that PC 1 can access Cisco.com, on the router show access list 1

4
00:00:35,480 --> 00:00:37,040
01 notice

5
00:00:37,040 --> 00:00:44,000
we are getting DNS hits and hits on this line in the access list.

6
00:00:45,370 --> 00:00:48,940
What about if we go to Facebook.com?

7
00:00:50,780 --> 00:00:59,690
That works, notice DNS entries increase and so do matches on this line in the access list.

8
00:01:01,590 --> 00:01:05,970
It's a similar test from PC 2, can PC 2

9
00:01:06,890 --> 00:01:08,900
access Cisco.com?

10
00:01:09,770 --> 00:01:10,670
Yes, it can.

11
00:01:12,840 --> 00:01:16,590
Back on the router, notice the entries changed

12
00:01:18,620 --> 00:01:20,640
Facebook.com.

13
00:01:21,380 --> 00:01:32,350
That also works previously we had 546 matches notice that's increased to 722 8 DNS matches.

14
00:01:32,750 --> 00:01:38,390
We still need to prove that this PC can access the servers in the internal network.

15
00:01:39,800 --> 00:01:48,050
So can it access 10.1.1.100? We're getting request time out, but we don't see any matches on the

16
00:01:48,050 --> 00:01:51,320
access list and that's because I made a mistake.

17
00:01:51,410 --> 00:01:55,280
These entries should be 10.1.1.0.

18
00:01:56,400 --> 00:02:04,660
So show access lists 101 should be able to see the line numbers with that command.

19
00:02:06,200 --> 00:02:14,990
But notice all the line numbers, so what I can do is go IP access list extended 101, No

20
00:02:15,530 --> 00:02:16,640
10, No

21
00:02:16,640 --> 00:02:17,210
20.

22
00:02:19,300 --> 00:02:27,100
So now do show access lists, we only have line 30 and 40, so I should be able to add this line back.

23
00:02:27,520 --> 00:02:37,150
So 10 permit TCP any going to 1.1.1.0 equal

24
00:02:37,570 --> 00:02:39,700
80, equal

25
00:02:40,870 --> 00:02:46,990
443 for line 20, so do show access lists.

26
00:02:47,920 --> 00:02:55,750
Notice I've now corrected those two entries, so show access lists once again.

27
00:02:56,510 --> 00:03:02,980
Let's try and connect to that server that now works, so we see six matches.

28
00:03:03,490 --> 00:03:08,260
If we use https, we see five matches.

29
00:03:08,270 --> 00:03:09,720
So that looks good.

30
00:03:10,480 --> 00:03:15,970
Now that we've done that, we should verify that we can still go to Facebook.com, which we can.

31
00:03:17,330 --> 00:03:23,480
Still go to Cisco.com, which we can, can we still get to our internal servers?

32
00:03:23,810 --> 00:03:24,830
Yes, we can.

33
00:03:26,160 --> 00:03:34,200
It's important to verify that what you think you've done has actually been done, routers do what you

34
00:03:34,200 --> 00:03:36,930
told them to do, not what you think they should do.

35
00:03:37,470 --> 00:03:44,790
So always verify this was a fairly complex lab, but we've been able to prove that our access lists

36
00:03:44,790 --> 00:03:46,770
are working as expected.

37
00:03:47,460 --> 00:03:54,810
Not very easy, but hopefully this has helped you think through how access lists work and hopefully

38
00:03:54,810 --> 00:03:56,670
you've learned one or two tricks along the way.

39
00:03:57,300 --> 00:03:59,220
Don't forget to save your configuration.

40
00:03:59,500 --> 00:04:01,920
I'm hoping that you found this video useful.

41
00:04:02,550 --> 00:04:04,620
I want to wish you all the very best.