Free CCNA 200-301 Course 28-06: Numbered ACLs Lab Demo

00:00

just a quick reminder before we get into

00:02

the lesson

00:03

to download the hands-on lab exercises

00:05

that accompany this complete ccna course

00:08

i'll include the link in the description

00:11

also remember to subscribe

00:13

and hit the notifications bell so you

00:16

don't miss any of the lessons in the

00:17

course

00:18

okay let's get into it

00:26

in this lecture you'll learn how to

00:28

configure access

00:30

control lists with a lab demo

00:33

so here's the lab i've got to open in

00:35

gns3 here

00:37

and i've got a couple of routers r1

00:40

and r2 i've got pc1

00:44

and pc2 are in the 10.0.1 subnet

00:48

and pc3 is in 10.0.2.0

00:52

24. i've already

00:56

configured the routing

00:59

so if i control onto

01:02

pc1 and let's try pinging r2

01:06

at 10.0.0.2 so paying 10.002

01:11

from pc1 works okay

01:15

i know for sure it's going to work from

01:18

pc2

01:19

as well because it's in the same subnet

01:22

but let's just do it anyway

01:24

so paying 10.002 from here

01:27

as well and

01:30

let's check that everything's okay from

01:32

our 10.0.2

01:34

subnet as well so i'll ping

01:38

10.0.0.2 which is r2 from there as well

01:40

okay so connectivity is all working just

01:44

fine actually let's have a look at the

01:46

routing table

01:48

on r1 so

01:51

i'll jump on there i'll do a show ip

01:54

route

01:55

and try to do it without a typo

01:59

and i've just got my connected and

02:02

local routes on there and because r2

02:05

is also on the 10.0.0 network at

02:08

10.00.0.2

02:09

that's why i've got connectivity

02:11

everywhere okay looking back

02:13

at the topology diagram

02:17

and the scenario is that we're the

02:20

network administrator

02:21

and we've been given some security tasks

02:25

to secure the network so the first

02:27

scenario

02:29

is that pcs in the 10.0.2 network

02:33

should not have any connectivity to r2

02:36

at 10.00.0.2 but

02:40

the the pcs and the 10.0.1 subnet they

02:44

should have connectivity to r2

02:46

and also pc3 and 10.2 still should have

02:50

connectivity to 10.0.1 as well

02:53

so usually when we configure an acl

02:56

to do security we'll secure it as close

03:00

to the source as possible so the traffic

03:02

isn't going over any part of a network

03:04

but it doesn't need to

03:05

but if we look at the scenario here

03:07

let's see that we've been given a task

03:09

that we have to configure a standard

03:12

numbered access list to do that and it

03:14

has to be

03:15

on our one so

03:18

we could do it inbound on fast ethernet

03:21

2

03:22

0 at the bottom here with a

03:26

standard acl you can only specify the

03:29

source address

03:30

to be able to specify source and

03:32

destination that it's going to that

03:34

needs to be an extended or a named

03:36

extended

03:36

acl so what we want to do is we want to

03:40

block traffic from 10.0.2

03:43

to r2 but we need to allow

03:46

traffic from 10.2 to 10.0.1

03:50

so we can't put the acl inbound

03:53

on that fast 2 0 interface on r1

03:57

because if we blocked traffic from

03:59

10.0.2

04:00

would be blocking it going to r2 but

04:02

we'd be blocking it to the 10.0.1

04:05

subnet as well so the only way that we

04:07

can do this task

04:09

using a numbered standard acl

04:13

is by putting it on that outside fast

04:16

zero slash

04:16

zero interface on r two

04:20

so if that's not clear yet let's do it

04:22

and then you'll see

04:23

what i mean so we want to block traffic

04:27

from

04:27

10.0.2 allow traffic from 10.0.1

04:32

so let's go on to the command line on r1

04:36

i'll go to global config

04:39

and i'll make this accession list

04:44

one and i'm going to deny

04:48

traffic from the 10.0.2.0 subnet

04:52

the wildcard mask is 0.0.0.0

04:56

because it's a slash 24

05:00

and it's a standard acl i can tell

05:03

because it's number one

05:05

so i can only specify the source address

05:07

so that's all that i need to put in here

05:10

now in all of your accessories there's

05:12

always an

05:14

implicit deny any any at the bottom of

05:17

the list

05:18

but i need to allow traffic from the

05:21

10.0.1 network

05:23

so for that i'm gonna do access

05:27

list this is also on list one and i'm

05:30

gonna permit

05:32

10.00.1.0

05:34

and 0.0.0.255

05:38

again and that's all that i need to do

05:42

and well apart from actually applying

05:45

the access list of course

05:46

so to do that let's look at the topology

05:48

diagram again

05:50

and i'm going gonna do on the outside

05:52

interface fast zero

05:53

slash zero so back on the command line

05:56

i go to interface fast zero slash zero

06:00

and the command now is ip access

06:03

group it was group one and i'm doing it

06:06

in the direction towards r2

06:09

so that is in the outbound direction

06:12

looking at the topology diagram again if

06:14

i wanted to control traffic

06:16

going from the 10.0.2 network to

06:19

r2 i could either do it inbound on fast

06:22

2

06:23

0 as it comes into r1 or i can do it

06:27

outbound on fast 0 0 as it goes out of

06:30

r1

06:30

on its way to r2 but like we said

06:33

earlier

06:35

you can't do that in this particular

06:37

scenario because if i blocked

06:39

traffic coming from 10.0.2.0 coming in

06:42

on fast 2

06:43

0 it wouldn't just stop it getting it to

06:45

r2

06:46

it would stop it getting to the 10.0.1

06:48

network as well

06:50

and i need to allow that so that's my

06:53

whole config

06:54

let's just have a look at again

06:57

so i denied traffic from 10.0.2

07:00

i permitted traffic from 10.0.1 and

07:03

applied that

07:04

outbound on the fast 0 0

07:07

interface so let's check that it is

07:10

working

07:11

so let's go on to pc1 first

07:15

and check that pc1 still has

07:17

connectivity to the router

07:18

so i'll ping 10.0.0.2 and that is all

07:22

good pc1 has so i know that pc2 does

07:26

as well pc3 should not have connectivity

07:30

to 10.002 so let's check that ping

07:33

10.0.0.2

07:35

and there we go the ping fails so my

07:38

access list is working

07:39

but it should have connectivity to the

07:42

pc's in the other subnet so i'll ping

07:44

pc1 10.0.1.10

07:47

and that is successful so that is the

07:50

first task completed

07:51

we used a numbered standard acl

07:55

to block traffic from the 10.0.2 subnet

07:58

to r2810.0.0.2 but allow

08:02

all of our other traffic everywhere else

08:05

okay so that was a numbered standard acl

08:08

next up let's have a look at a numbered

08:11

extended

08:12

acl and if i go back to

08:15

the topology again the scenario

08:19

this time is going to be we're going to

08:21

permit

08:22

telnet from pc1 to r2

08:26

let's say that pc1 is our administrator

08:29

workstation

08:30

and telnet is a way that you can

08:32

remotely get onto the command line on

08:34

our router we'll cover it in more detail

08:36

in a later section so we're going to

08:38

allow it from

08:39

pc1 but pc1 is the only administrator

08:43

workstation

08:44

so no other pc no other subnet is

08:46

allowed to telnet on to

08:49

r2 so let's

08:52

configure that so i'll go on to

08:57

the command line on r1 again and in my

09:00

hcl

09:01

i'm going to do an extended acl

09:04

which allows traffic from 10.0.1.10

09:07

to 10.0.0.2 when it's telnet traffic

09:10

but denies it from everywhere else and

09:13

is going to allow

09:14

all other traffic so let's go into

09:17

our one to configure this

09:21

so let's go down a few lines i'll say

09:25

access list and it's an extended hdl

09:28

this time so that starts with 100 i'll

09:31

use that for my number

09:32

and i'm going to permit traffic from

09:36

host 10.0.1.10 but i'm going to specify

09:39

it's telnet traffic

09:41

so i need to say that this is tcp

09:44

so i permit tcp and i'm going to say

09:47

from host

09:48

10.0.1.10 and it's going to host

09:52

r2 at 10.0.0.2

09:55

and then equals the part is telnet

09:58

i could also have said equals 23 the

10:00

router would take that command as well

10:03

so i'm allowing it from pc1 i don't want

10:06

to allow it from

10:07

any other pc in that subnet so i'll see

10:10

access list 100

10:11

and i'm going to deny tcp from the

10:16

10.0.1.0.0.0.

10:19

subnet going to host 10.000.2

10:23

equals telnet

10:27

and you can see it's important i get

10:28

these in the right way if i put

10:31

that second command in first i'd be

10:33

blocking traffic from all hosts on the

10:35

10.0.1 subnet

10:36

including pc1 so i need to make my more

10:39

specific commands

10:41

up at the top of the acl and then i want

10:44

to allow all

10:46

other traffic i'm just controlling

10:48

telnet here

10:49

so i need to also say access list

10:53

100 permit ip

10:56

nanny to allow all other traffic and

10:59

that overrides

11:01

the implicit deny nana

11:05

at the bottom of the acl the implicit is

11:07

an ine is still down there at the bottom

11:10

but the router reads the permit ipnene

11:12

first

11:13

so this is going to allow all traffic

11:15

apart from what i explicitly denied

11:17

okay so that's my acl configured and

11:21

importantly we need to remember to apply

11:24

it

11:24

at the interface it's really easy to

11:26

forget to do this

11:27

so you're looking at the topology

11:29

diagram

11:30

and it's always best practice to secure

11:32

as close to the source as you can

11:35

so here we could put the hdl either

11:37

inbound

11:39

on this interface on the outside here

11:43

which

11:43

is fast zero slash one

11:46

fast one slash zero sorry on the

11:50

router actually let me make a note just

11:52

to make

11:53

that clear so i'll save this

11:56

is fast one slash zero and

12:01

that is the interface that we're gonna

12:04

put this on let me try to clear that up

12:08

a bit

12:09

okay that's right okay so we're going to

12:10

put it on fast one slash zero

12:13

let me just clear that up a bit making a

12:16

mess my topology diagram here

12:18

okay so it's going to go inbound there i

12:20

could also have put it outbound on fast

12:23

0.0 but i've already got an acl

12:26

configured on there the acl that i did

12:28

earlier my standard numbered

12:30

you can only have one acl per interface

12:34

per direction

12:35

so i'm going to put it on fast one slash

12:37

zero so

12:38

back on r1 i go interface fast one slash

12:42

zero

12:42

and it's ip access group

12:45

100 and it's in this time because it's

12:49

coming in

12:50

fast one slash zero going out fast zero

12:53

slash

12:53

zero okay so that is my scl configured

12:57

let's test it next so if i go on a pc

13:00

one

13:01

i should be able to telnet to 10.00

13:07

telnet's already been configured and

13:09

there you go i can see it's working

13:10

because i'm getting the password prompt

13:12

so i'm able to tell it onto r2

13:14

from pc1 i should not be able to get on

13:18

there from pc2

13:21

so let's check that i'm going to pc2

13:25

and i'll telnet to 10.0.0.2

13:30

and there we go destination unreachable

13:32

that's good it's because my acl

13:34

is blocking the traffic but it should

13:36

just be telnet traffic i should be able

13:38

to ping

13:39

10.002 and that's working so that is

13:42

all good actually looking back at the

13:45

topology diagram again

13:46

i didn't need to specify anything about

13:50

pc3 because i already had my first dcl

13:55

blocking traffic going out to r2 from it

13:57

so it was getting blocked already okay

14:01

so that was a numbered standard

14:05

and a numbered extended

14:08

i'll do a named

14:12

acl in the next lecture because i feel

14:15

like this one's gone on for a little

14:16

while now

14:17

so go get yourself a cup of coffee if

14:19

you want to i'll see you back here

14:21

for named acls thanks for watching

14:25

if you'd like to get the complete course

14:27

ad free

14:28

right now then you can enroll in my ccna

14:31

gold bootcamp

14:32

by clicking the link above my head or in

14:35

the description

14:36

it also includes full study notes

14:38

quizzes

14:39

and 150 pages of additional

14:41

troubleshooting labs

14:42

you can't find anywhere else