5.5.2 Lab - Configure and Verify Extended IPv4 ACLs

Captions
hi friends welcome to work in this video we are going to solve this lab activity configure and verify extended ipv4 sels before coming to this activity friends if you like to get any cns support you can contact our team using our website link you will get from the description below and also if you like to get these type of technical videos in future consider subscribing and don't forget to enable that bell icon so that you will get notification message whenever we upload a new video now back to this activity here we can see the topology we will design this topology in cisco packet tracer also we can see addressing table here we can see vlan table we have a vlan 20 30 and 40 with these names management operations and sales and we have to assign these ports uh to its respective vlan we will go through the objectives part one build the network and configure basic device settings in part two configure and verify extended access control list here is the scenario you have been tasked with the configuring access control list on small companies network acls are one of the simplest and the most direct means of controlling layer 3 traffic r1 will hosting an internet connection simulated by interface loopback 1 and sharing the default route information to r2 after initial configuration is complete the company has some specific traffic security requirements that you are responsible for implementing yes we will do that they given a node the routers used with the ccna hands-on labs are cisco 402.1 with the cisco ios xc release okay the switches used in the labs are cisco catalyst 2960 series then other routers switches and cisco ios versions can be used depending on the model and the cisco ios version the commands available and the output produced might vary from what is shown in the labs refer to the router interface summary table at the end of the lab for the correct interface identifiers yes these instructions they give in all the labs and through that the routers and the 
switches have been erased and have no startup configurations if you are unsure contact your instructor we will go to the required resources we need two routers two switches then two pcs then the cables console cable uh to configure the cisco ios device via the console ports then ethernet cables as shown in the topology coming to the instructions build the network and configure basic device settings cable the network as shown in the topology attach the devices as shown in the topology diagram and cable as necessary okay we will do that first of all we will design this topology in our cisco packet tracer here we don't have this four double to one router what they specified so instead we will use this 4 3 1 router we will add 2 routers 2 switches 2 9 6 0 series then the two computers pc we will rename these devices as per this topology here we can see this is r1 here is r2 here we have s1 and this is s2 coming to pcs pc dash a and pc dash p now we will connect these devices coming to connections choose copper straight through press control from the keyboard and click on this copper straight through so that we can connect multiple devices from r 1 g 0 0 1 to f a 0 5 from r 2 g 0 0 1 2 s 2 f s 0 5 then from s 1 f a 0 6 to this p c dash a from s 2 f a 0 18 to this pc b then we will choose scope crossover to connect this s1 and s2 because they are same devices from fs01 to fs01 we just designed the topology now we will configure basic settings for each router assign a device name to the router we will give no enable configure terminal set the hostname as r1 then coming to r2 now enable we'll give kanti in short hostname r2 disable dns lookup to prevent the router from attempting to translate incorrectly enter the commands as though they were host names coming to r1 here we will give the command no ip domain lookup r2 no ip domain lookup assign class as the privileged exec encrypted password you will enable secret class coming to r2 enable secret class say in cisco as the 
console password and enable login we will go to line console 0 password cisco login coming to r2 line console 0 password cisco login assign cisco as the vty password and enable login now we will go to exit and go to line vty we'll go to 0 to 4 password cisco login then coming to r2 exit from line console and go to line vty 0 to 4 will set the password as cisco then login command encrypt the plain text passwords service password encryption so we have to exit from this uh line mode and here we have to give service password dash encryption coming to r2 exit service password dash encryption create a banner that wants anyone accessing the device that unauthorized access is prohibited so just i will copy this message coming to r1 banner m or td and here is the message coming to r2 one remote td then the message save the running configuration to the startup configuration file end so here we will give this command copy run space start enter two times then coming to r2 exit copy run space start press enter again coming next we will set these passwords as in class as the privileged exit encrypted password then assign cisco as the console password and enable login also assign cisco as the vty password and enable login finally we will encrypt the plain text passwords coming to s1 enable secret class you will go to line console 0 then set the password as cisco login command exit and go to line bty 024 set the password as cisco login exit and set service password dash encryption we will go to s2 enable secret class line console 0 password cisco login exit and go to line bty 024 set the password at cisco login exit and give service password dash encryption next we will create a banner that wants anyone accessing the device that unauthorized access is prohibited okay i will copy this text then we have to save the running configuration to the startup configuration file coming to s1 we will set the banner motd here is the message give exit copy run space start then coming to s2 
banner mo td then the message exit and copy run space start next is configure vlans on the switches s1 rs2 step 1 create vlans on both switches create and name the required vlans on each switch from the table above so here we can see they given this vlan table and we have to create these vlans we land 20 management we land 30 operations we ran 40 sales then we land triple nine that is parking lot then 1080. we will create these vlans in this switch s1 as well as s2 first of all coming to s1 configure terminal vlan 20 its name is management next is vlan 30 name is operations vlan 40 its name is a sales bill and 50 where there is no vlan 50 i think so we have to remove vlan 50 no vlan 50 okay so don't create vlan 50 because we have vlan triple 9 and its name is parking lot then we have vlan 1000 its name is 780 yeah we have only till 40 then triple nine 1000 same next is configure the management interface and a default gateway on each switch using the ip address information in the addressing table so coming to our tracing table here we can see s1 and s2 uh interface is vlan 20 we have to set this ip address to mask and here we can see uh it's a default gateway just i will copy this ip address s1 ip address okay and here we can see it's the to mask and the default gateway 0.21 coming to s1 kanfty we will go to that virtual interface that is vlan 20 press enter again because here we can see this vlan 20 is changed it's a state to up we will set the ip address i already copied it then we have to give it to mask dot zero okay then we will exit and we will set ip default gateway it's uh 10.20.0.1 next we will configure s2 with this ip address uh 10.20.0.3 and here we can see the to mask and the default gateway for the interface vlan 20 configure terminal we will go to interface vlan 20 press enter again then we will set the iep address i already copied it then we have to give the mask then exit and we will set ip default gateway it's 0.120.0.1 yeah as seen all unused 
ports on the switch to the parking lot vlan configure them for a static access mode and administratively deactivate them also they given a node the interface range command is helpful to accomplish this task with as few commands as necessary yeah we can do that first of all we will do in this switch s1 and we will check what are the ports we used so here we can see we connected to fs05 and here we have fs06 and here we have fs01 so except these ports we have to assign them to a vlan triple n and also we have to deactivate them coming to s one and here we will give this command interface as a range f a zero slash one already be used so we will start from 2 till 4 because 5 already be used then f a 0 slash we have to give a let me verify yeah 5 and 6 they used okay that means so we have to give a seven seven till uh 24 also we have a two gigabit ethernet interfaces g 0 slash 1-2 we will give a switchboard to mode access so chipotle access vlan triple nine then shut down these parts okay just give end and we can verify it show vlan brief and we can see these unused ports we are saying to vlan triple line that is a parking lot also we deactivated them so iep interface brief and here we can see those interfaces are administratively down next we coming to s2 so we will give an interface as a range uh fs0 starts to one already be used uh till 17 because 18 we already used a face 0 19 till 24 also we have a two gigabit ethernet interfaces g 0 slash 1 and a 2 so we give a 1-2 switch import to mode access switch report access vlan triple name that is a parking lot then shut down all these unused interfaces now in step 2 assign vlans to the correct switch interfaces a scene used to ports to the appropriate vlan as specified in the vlan table above and configure them for static access mode and then we have to issue this a show variant brief command and verify that the vlans are assigned to the correct interfaces okay we'll go back to our vlan table and here we can see we have 
to ascend these spots to the survey land in s2 we can see fs05 we have to ascend to vlan 20. uh in s1 fs06 we have to ascend to vlan 30 then in s2 fs 0 18 to vlan 40 and the old unused ports we have to ascend to a vlan triple nine and this is native in s1 we have this spot fs0 6 and we have 2 assigned to vlan 30 so coming to s1 okay password is cisco enable password is class confit then we will go to interface fs06 switch import to mode access so two port access vlan 30 now in s2 here we can see uh this port fs05 we have to ascend to 20 then face 0 18 we have to ascend to uh vlan 40 okay we will do that fs 0 slash 5 which is connecting to this router r2 exit then go to interface surface 0 5 switch port to mode access switch port access vlan 5 uh sorry it's a 20 then we will go to fa0 18 this port which is connected to this pc b and we have to ascend to vlan 40. exit interface surface 0 18. so chipotle mod access so to port access vlan 40 okay we can verify it end show vlan brief and here we can see if a 0 5 is assigned to vlan 20 fs 0 18 is assigned to vlan 40. coming to s1 end show vlan brief and we are sent fa 0 6 to vlan 30. 
next is configure tracking step one manually configure trunk interface f a zero slash one change the switch support mode on interface fs01 to force trunking make sure to do this on both switches okay we can see this s1 and s2 connected using fa 0 1 both side we will configure a tanking between this is one and s2 confit we will go to ifa 0 1 so support mod trunk and we have to go to the other side in s2 fs01 interface fs01 support mode trunk as a part of the trunk configuration set the native vlan to 1000 on both switches you may see error messages temporarily while the two interfaces are configured for a different native vlans yeah so once you do on both side that error message will be taken away first of all we will do it in this switch s1 we will set sutureport trung atv land it's a 1000 okay now we will go to the other side coming to s2 and here we can see that message inconsistent pure vlan id okay we will configure this site also such a port trungan atvlan 1000 and now this problem restored port consistency restored as another part of trunk configuration specify that vlans 10 20 30 and 1000 are allowed to cross the trunk okay and then issue the show interfaces trunk command to verify trunking ports the atv land and allowed vlans across the trunk first of all we will do it in this switch s1 so here already we are in this interface surface 0 1 which is a trunking here we will give a support trunk alloy vlan 20 comma 30 comma 40 comma 1000 same way we will give in s2 already we are in fs01 20 comma 30 comma 40 comma 1000 now we will verify it give end show interfaces trunk and here we can see the details port fa0 slash one mode is on stairs trunking native vlan is 1000 and here we can see a vlans allowed and active in the management domain you will verify in s1 also end show interfaces trunk fs01 mode is on stairs trunking native vlan is 1000 also we can see vlans allowed step 2 manually configure s1's trunk interface fa 0 slash 5 so here we can see this fa 0 5 
which is connecting to this router r1 now configure s1's interface fs05 with the same trunk parameters as fa 0 1 this is the trunk to the router correct coming to this switch s1 and here we will give a conf t then we will go to interface that is a face 0 5 such port mode trunk and we will give a switchboard a trunk nativiland 1000 and also here we can give a support trunk allowed a vlan they are at 20 30 40 and 1000 save the running configuration to the startup configuration file uh issue the show interfaces trunk command to verify trunking okay give end copy run space start show interfaces trunk but here we can see only the cfs 0 1 which is a trunking and we cannot see f s 0 5 because we have to activate this link between r1 and s1 configure routing step 1 configure interval and routing on r1 activate interface g 0 0 1 on the router r1 which is connecting to this switch s1 so we will go to that interface password is cisco enable password is class conf t and here we will go to that physical interface g 0 0 1 then we will activate it now shut down so here we can see the link between this router r1 and this switch is up now we can go to this switch and we can verify the interfaces i mean a trunk show interfaces trunk and here we can see that uh faster theron 0 5 is trunking with an atv and 1000 configure sub interfaces for each vlan as specified in the ip addressing table all sub interfaces use eight node two dot one queue encapsulation ensure the sub interface for the native vlan does not have an ip address assigned include a description for each sub interface yes now we will configure these sub interfaces in this router r1 coming to our addressing table here we can see r1 sub interfaces g 0 0 1.20 1.30 1.40 and their ip address to mask also we can see this 1.1000 we have to activate and we have to give encapsulation for the sub interface also but no need to set the ip address here here we can see the ip address for this sub interface g 0 0 slash 1.20 just i will 
copy that and here we can see it's a mask also coming to r1 exit and go to interface g0 0 1.20 sub interface we will set the description also uh this is uh management vlan right so we can give this also we will give encapsulation dot one queue vlan id is a 20 then we will set the ip address already we copied it then to mask next we will configure this sub interface we will copy its ip address and here we can see its mask also we will no need to exit directly we can type interface g 0 0 slash 1 dot 30 we will set a description this is uh operations vlan then we have to give a encapsulation dot one queue vlan id is a 30 then set the iep address with the to mask next we will configure this sub interface 1.40 let me copy its ip address and here we can see it's a mask also you will go to that sub interface g 0 0 1 dot 40 set the description we will give this is for sales sales vlan encapsulation dot one queue varian id is 40 then set the ip address with the to mask then we will configure this sub interface g 0 0 1.1 but no need to set any ip address okay we'll go to interface g 0 0 1 dot 1000 okay because we have to give a description this is an atv land don't sit in ipa trust but we have to give a encapsulation dot one q variant id is one thousand and this is for native so we have to specify native then we have to configure interface loopback one on r1 with addressing from the table above so coming to our addressing table again and here we can see this loopback one we have to set this ip address with this mask okay we will configure that coming to r1 exit then we will go to interface loopback one okay then set the ip address already we copied it with the submit to mask perfect use the show ip interface brief command to verify the sub interfaces are operational ok we will use this show command in this router r1 just give end and give show ip interfaces brief sorry show ip interface brief and here we can see the sub interfaces we configured uh g 0 0 1 dot 20 here we can 
see its ip address 1.30 here we can see it's iphs 1.40 also we activated this native sub interface 1.1000 we can see the status they are up also we can see protocol it's up step two configure the r2 interface g 0 0 1 using the address from the table and a default route with the next hope 10.20.0.1 okay we will do that coming to our addressing table here we can see the ip address of this interface g 0 0 1 in this router r2 just i will copy that ip address then uh also we can see it's a to mask okay coming to r2 password is cisco enable password is class conf t will go to that interface that is g 0 0 1 then set the iep address already we copied it then give a submit to mask activate this interface and wash it down then we will exit and we will set this uh static default route ip root 0.0.0.0 space 0.0.0.0 then we have to give that address the specified the next hope address right so it's here just i will copy that 10.20.0.1 space next to ip address okay so but still here we can see this link is down already we given noise down command for this interface g 0 0 1 let us verify this interface surface 0 5 in this just to cisco enable password is class show ip interface brief sorry show ip interface brief and the faster third zero slash five oh here i given this interface administratively down so let me bring it up conf t interface fs05 we will give no short command so now we can see the link between this router r2 and s2 is up also i have to verify the vlans and trunking let me give a show vlan brief and here we can see fs05 is assigned to vlan 20 yeah that's correct also let me verify show interfaces trunk fs01 is trunking yeah that's fine next is configure remote access step one configure all network devices for basic ssh support create a local user uh with the username ssh admin and the encrypted password uh that is a dollar cisco123 then this exclamation symbol yeah first of all we will create this username and password coming to r1 conf t username is ssh admin then 
encrypted password it's a dollar cisco one two three then this is a symbol exclamation let me copy this command because we can give in all other network devices coming to s1 cisco enable class conf t paste it and press enter coming to s2 so we are just creating username and password coming to r2 paste it and press enter use ccna dash lab.com as the domain name okay just i will copy that and here we will set that ip domain name it's here ccna dashlab.com we will copy this command coming to s1 paste and press enter coming to s2 page 10 press enter coming to r2 it's really easy right just copy and paste next is generate crypto keys using a one zero two four bit modulus okay coming to r1 we'll give that here crypto key generate rsa general keys modulus1024 okay so just i will copy this line coming to s1 paste and press enter coming to s2 paste and press enter coming to r2 page 10 press enter configure the first five vty lines on each device to support ssh connections only and to authenticate to the local user database okay we can do that coming to r1 here we will go to line vty five lines that means from zero to four here we will give a transport input only ssh login local coming to s1 line vty 0 to 4 transport input ssh login local sorry line vty zero to four transport input ssh login local and finally coming to r2 zero two five sorry four transport input ssh login local step 2 enable secure authenticated web service on r1 enable the https server on r1 http secure server okay we will give in this router r1 we will exit in global configuration mode we will give ip http here we will put a question mark and here we can see that command is not accepting here in this packet tracer we will try ip http secure server and invalid input detected okay configure r1 to authenticate users attempting to connect to the web server okay we will try this also ip we put a question mark here and we cannot see that http command here okay fine so anyways we are not going to do that next is 
a verify connectivity step one configure pc host refer to the addressing table for pc host at truss information okay here we can see pc a iep address just i will copy that then coming to pc a desktop ipconfiguration here is the ipv4 address to mask we have to change it to this mask then default gateway 10.30.0.1 okay it's here then coming to pc b desktop change this assignment to mask then default gateway it's a 0.1 step two complete the following test all should be successful you may have to disable the pc firewall for things to be successful anyways we are using a cisco packet tracer so we have to ping from pc-a to this destination coming to a command prompt we get the replies from pc dash a to this address default gateway okay then from pc b we have to ping to this address coming to pc b okay we have to get the replies perfect from pc-b we have to use https protocol and we have to give this ip address but here anyways it's not going to work as this uh this step we did not complete here next we can see ssh yeah it should work just i will copy this address then go to pc b command prompt here we have to give ssh space dash l then username is ssh admin and the target is here password here is the password just i will copy that and paste here and yeah it's working next is configure and verify extended access control list when basic connectivity is verified the company requires the following security policies to be implemented so here we have four policies policy one the sales network is not allowed to ssh to the management network but other ssh is allowed policy two the sales network is not allowed to access ip addresses in the management network using any web protocol that is http or https the sales network is also not allowed to access r1 interfaces using any web protocol all other web traffic is allowed note sales can access the loopback one interface on r1 policy 3 the sales network is not allowed to send icmp a core request to the operations or management 
networks icmp a co request to the other destinations are allowed then the last policy policy for the operations network is not allowed to send icmp a co request to the sales network icmp echo request to other destinations are allowed here step one analyze the network and the security policy requirements to plan acl implementation okay before uh implementing this uh access control list we will plan and we will write it down all the acls then develop and apply extended access list that will meet the security policy statements then finally verify security policies are being enforced by the deployed access list we will go through these policies here we can see the first policy the sales network is not allowed to ssh to the management network but other ssh is allowed okay sales so that means that is a pc dash b even we can verify that show vlan brief and here we can see uh vlan 40 sales port fs 0 18 which is connected to this pc b coming to this vlan table here we can see ran 40 sales and also here we can see a vlan 20's management they clearly specified at this network that is a sales we can see that network vlan 40 this network 10.40.021 network is not allowed to um ssh to the management uh network cover is management network that is vlan 20 this network 10.20.0.1 okay first we will write down these access control entries in this notepad so here in the global configuration mode we have to create access list we will create a numbered extended acl we will give the number 100 and we are going to deny tcp because we are going to deny ssh and we have to give the source network address let me get that sales 40 here we can see that let me copy this uh address and we will change it to 10.40.0.0 then we have to give its wild card mask 0.0.0.255 then we have to specify its destination network address that is management vlan 20 here we can see its address and here is the mask 10.20.0.0 and we have to give it a wildcard mask 0.0.0.2 okay then we have to give a eq and the port 
number of ssh that is a 22. perfect where we will apply this acl we can apply to this sub interface g 0 0 1 dot 40 uh in the interaction okay so we have to go to that interface i mean that sub interface g 0 0 1.40 and we have to give ip access group number is 100 in the direction in next we will go to the second policy here polo c2 the sales network okay again a sales network is not allowed to access ip addresses in the management network using any web protocol http or http yes okay that means port number 80 and port number 443 okay the management network the sales network is also not allowed okay this is all this sales network is not also not allowed to access r1 interfaces using any web protocol okay that means uh you know all the sub interfaces let me complete this all other web traffic is allowed note sales can access the loopback one interface on r1 okay that means we have to deny these sub interfaces g 0 slash 0 slash 1.20 1.30 and 1.40 and we have to apply this acl here to the source again near to the sales we can apply to this sub interface g 0 0 1.40 in the interaction okay that's perfect so we can copy this line access list so we will give the same number 100 and we are going to deny a tcp this is same as source network with this wild card i think we can copy this entire line except this port number here we have to change the port number so access list 100 deny tcp this is a sales network address it's wild regard mask first of all we will deny this network management network okay it's a wild card mask perfect and here we have to give http port number 80. 
so we can give 80 or we can give www also we have to give for uh https so just i will copy this the same line and here we have to give port number of 443 this is for https next we will deny to this destination g 0 0 1 dot 30 so here we have to change only this second octet but i will copy these two lines source is again sales and here we can see deny tcp source wild card mask and here in destination network we have to change it to 30. 30.0.0 this is okay 80 and here also we have to change the destination network to 10.30 perfect and for the 40 again i will copy this really easy and here we can see this network yeah this is for uh sales so this sales should not access http or https even using this uh sub interface address network address that is g 0 0 1 dot 40 so here we can give that 40.0 and 40.0 this is for http and this is for https we will see the next policy policy three the sales network is not allowed to send icmp a co request to the operations or management networks echo request to other destinations are allowed this policy is also again from this network sales and we can see to the operations or management network that means a vlan at 20 and 30 okay here we can see 20 and 30 management and operations so we have to deny the icmp from this sales network uh to this management as well as to these operations and again it's from sales and we can apply that acl to this interface g 0 0 1 dot 40 in the introduction okay here let me copy this line so that we can make some changes for this icmp and paste here uh again we will give access list to 100 deny we are going to deny icmp okay and the same uh source network address then while they got a mask it's correct and here we can see this is for the management 10.20.0.0 while they got mask and here we have to give we'll remove this part and here we will give a echo in the same way we have to give for this operations network uh it's uh vlan 30 10.30.0.0 okay so let me copy this the same line only we have to change the 
destination network address from 20 to 30 so otherwise it's same next we will go to the fourth policy policy for the operations network okay here now the network is changed the source network is changed the operations network is not allowed to send icmp a co request to the sales network icmp a co request to other destinations are allowed here we are going to deny the icmp from this operations network so this is the source network uh to this uh sales network that is vlan 40 and we have to apply this uh access control list uh to the sub interface g zero slash zero slash one dot 30 operations network in the interaction so here let me give i will copy this uh command let me copy this line so that we can edit it access list i will change the number because we have to give in another interface once you open we are going to deny icmp from this 30 network okay this is correct wild regard mask and here is a destination network address we have to change it to sales network that is a 40 dot 0.0 then world record mask echo that's perfect and they specified we must allow this echo i mean this icmp to uh other destinations that means that we have to uh permit uh iep any source to any destination even here also we have to give that that is very important whenever we create a deny statement uh implicitly they deny the entire network i mean the entire services so we must give this command also here at the end we must permit we will give access list 100 okay we must permit ip from any source to any destination okay and here also we have to do that access list 1 0 1 and we must permit ip any any we have to apply this access control list in the sub interface g 0 0 1 dot 30 here interface g 0 slash 0 1.30 ip access group number is one zero one so here it's one zero one so yeah correct in the direction in okay our old policies are ready we have to implement this access control entries in this router r1 now it's easy password is cisco enable class configure terminal and here we will do 
this we will do it one by one just we can copy and paste this entire commands from first of all we will give from here to here let me copy this and we'll check any errors will receive or not yeah it's perfect there is no errors just we will check it give end show access list and we can verify this access list to be created and here we can see we given here 80 and it changes to www yeah it's same okay that's fine and also we can verify the direction uh show ip interface it's a g 0 0 40 the sub interface is 40. 1.40 and here we can see it's a direction inbound access list is 100 perfect now we will copy this acls coming to r1 we have to go to global configuration mode and here we can paste it press enter okay done give end copy run space start and we will verify it show access list and here we can see this extended ip access list 101 perfect and we applied to this sub interface g 0 0 slash 1.30 we can verify the direction also show ip interface g 0 0 1 dot 30. and here we can see inbound access list is one zero one now run the following test the expected results are shown in the table itself okay we have to go to pc a and we will ping to this destination that means to this pc b coming to pc dash a ping to that pc sales and we can see it says the destination host unreachable it should fail yeah that's correct then from pc dash a we should ping to 10.20.0.21 and it should succeed you'll check that and here we can see we get the replies then from pc b we have two ping to 10.30.0.10 and it should fail let me copy this ip address you have to go to pc-b desktop command prompt here we are going to ping to this uh pc destination host unreachable that means we ping from pc b to pc dash a then we will ping to this destination 10.20.0.1 and it should fail destination horse unreachable then from pc b we have to ping to this loopback bring to the loopback and it should succeed yeah we get the replies now we have https and https okay so anyways i know uh here we don't have any 
HTTPS service, otherwise we would have to add a server and we could test it. You know, I will do that later. So we will try SSH now: from PC-B we have to access this destination and it should fail. Go to PC-B; we have to give ssh -l, username is SSHadmin, and here is the target IP address, and we are waiting, and it should fail: connection timed out, remote host not responding. Yes. Now we will try this address, 172.16.1.1, the IP address of our loopback, and it should succeed. I will just press the up arrow on the keyboard and here we will change this address. Yeah, yes, it's prompting for the password. Let me get the password from here, paste it here, and we can see we are able to access this router R1. Now, how can we test this HTTPS? Right, and here we can see we have this 172.16.1.1; actually this is our loopback, here we can see loopback 172.16.1.1. Okay, we will remove this loopback and we can add a server here so that we can have an HTTPS service. So let me add a server here and we will give this IP address, 172.16.1.1. Okay, coming to R1, we will remove loopback 1: configure terminal, and first of all we will go to interface loopback 1 and let me give no ip address, exit, and we will give no interface loopback 1. Fine, so now exit, show ip interface brief, and here we cannot see that loopback interface. Now we will connect this server to this router R1. Let me choose crossover from G0/0/0 to this server. Now we will set the IP address for that interface: conf t, go to interface G0/0/0, then set the IP address. We will set an IP address from this range, okay, let me give 1.2 because 1.1 will be given to that server, then the subnet mask, activate this interface. Coming to the server, go to Desktop, IP Configuration, and here we will give 1.1, change this to the mask, then we have to give its default gateway, that is 1.2. Okay, we will try to access its web page from the server itself using this IP address; we'll go to the browser
and here we get the web page. We'll try HTTPS also; here I will change it to HTTPS, okay, yeah, it's working. Now here they specified from PC-B we have to access this protocol, HTTPS, using this IP address 172.16.1.1, and it should succeed. Okay, we will go to PC-B, coming to the browser, and we will try this: okay, HTTP; even we can try HTTPS. I will just close and reopen: HTTPS, perfect, click Go, yes, we are getting the web page. Next we have one more HTTPS protocol using this address, 10.20.0.21, that means, you know, the management network, so let me add one more server using this network address and we can try it. I will add one more server; we can add it to any one of these switches. I will add it to this switch and we will connect it using copper straight-through from G0/1 to the server. Then we will set an IP address from this subnet, 10.20.0.21; so this is the default gateway. Okay, here I will give 0.10 and we have to change this to the mask, then the default gateway. And we can see this is G0/1 and we have to change it to VLAN 20: cisco, enable, password is class, show vlan brief, and here we can see 20, management; we have only F0/5, so we will add this interface G0/1 also. Okay, interface G0/1, we will activate that interface with the no shutdown command, then we will give switchport mode access, switchport access vlan 20.
Now we will go to this server. Let me copy its IP address and we will browse from this server itself. Yeah, we can see we are able to access this web page, and even let me try from the server; yeah, so we are able to access the web page from this server also. Here we can see we have to access that HTTPS service, or that web page, from this PC-B and it should fail; so that policy is set. Okay, we will try it. So here we can see 10.20.0.10 and we are waiting for the web page; we should not get the web page, it should fail, so that is the policy: request timed out, it's not going to work. Even we can try HTTPS; here I will give HTTPS, then Go, and it should fail. Perfect, our policies are working. This is the policy, right: this sales network is not allowed to access this management network, even this sales network, okay. So let us try from this PC-A; we will try to access this server. We can see it's working; even HTTPS also will work, no doubt. Yeah, perfect. So friends, in this video we configured this lab activity, Configure and Verify Extended IPv4 ACLs. Now dear friends, if you have any doubt or any suggestions regarding this lab activity, please comment below, or even you can contact our team using our website link, which you will get from the description below. And now friends, if you like the video, give a thumbs up and share it with all your friends, and if you don't like it, please give suggestions for improvement. Stay tuned, we will meet again with the next video. Thank you.
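An added example, not part of the video or the Cisco lab: a small Python model of how R1 evaluates ACL 101 (deny ICMP echo from the operations network to the sales network, then permit ip any any) against the lab's test traffic, and what happens when the permit ip any any line is left out and the implicit deny takes over. The /24 subnet size (wildcard 0.0.0.255) and PC-B's address 10.40.0.10 are assumptions; the packets are constructed.

```python
import ipaddress

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit is 'don't care', a 0 bit must match."""
    if network == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (n | w)

def ace_matches(ace: dict, pkt: dict) -> bool:
    """Does one access control entry match one packet?"""
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not wildcard_match(pkt["src"], ace["src"], ace.get("src_wc", "0.0.0.0")):
        return False
    if not wildcard_match(pkt["dst"], ace["dst"], ace.get("dst_wc", "0.0.0.0")):
        return False
    # Optional qualifier: TCP destination port or ICMP message type (e.g. echo).
    return ace.get("qual") is None or ace["qual"] == pkt.get("qual")

def evaluate(acl: list, pkt: dict) -> str:
    """First-match semantics; no match falls through to the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"  # the implicit 'deny ip any any' at the end of every ACL

# ACL 101 as built in the video (wildcard 0.0.0.255 for /24 subnets is assumed):
#   access-list 101 deny icmp 10.30.0.0 0.0.0.255 10.40.0.0 0.0.0.255 echo
#   access-list 101 permit ip any any
ACL_101 = [
    {"action": "deny", "proto": "icmp", "src": "10.30.0.0", "src_wc": "0.0.0.255",
     "dst": "10.40.0.0", "dst_wc": "0.0.0.255", "qual": "echo"},
    {"action": "permit", "proto": "ip", "src": "any", "dst": "any"},
]
ACL_101_WITHOUT_PERMIT = ACL_101[:1]  # the omission the video warns about

# Constructed packets entering G0/0/1.30 from PC-A; PC-B at 10.40.0.10 is assumed.
LAB_TRAFFIC = {
    "pc_a_ping_pc_b": {"proto": "icmp", "src": "10.30.0.10", "dst": "10.40.0.10", "qual": "echo"},
    "pc_a_ping_mgmt": {"proto": "icmp", "src": "10.30.0.10", "dst": "10.20.0.21", "qual": "echo"},
    "pc_a_http_pc_b": {"proto": "tcp", "src": "10.30.0.10", "dst": "10.40.0.10", "qual": 80},
}

def lab_results(acl: list) -> dict:
    """Action the router takes for each constructed flow under the given ACL."""
    return {name: evaluate(acl, pkt) for name, pkt in LAB_TRAFFIC.items()}
```

With ACL_101 only the echo request to the sales network is dropped; with ACL_101_WITHOUT_PERMIT every flow is dropped, which is why the video insists on the final permit ip any any.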
Info
Channel: Tech Acad
Views: 7,349
Keywords: CISCO, CCNA, ACLs, Access Control List, Extended, CISCO Certification, CCNAv7, Packet Tracer, Routing and Switching, CISCO Routers, CISCO Switches
Id: yWFwf2l7nUE
Length: 73min 16sec (4396 seconds)
Published: Thu Nov 19 2020