Free CCNA | Standard ACLs | Day 34 Lab | CCNA 200-301 Complete Course
- Added on 30. 06. 2024
- Free CCNA 200-301 flashcards/Packet Tracer labs for the course: jitl.jp/ccna-files
📖 My CCNA Book: www.manning.com/books/acing-t...
📚Boson ExSim: jitl.jp/ccna-exsim ← the BEST practice exams for CCNA
💻Boson NetSim: jitl.jp/ccna-netsim ← 100+ detailed guided labs for CCNA
💯ExSim + NetSim: jitl.jp/ccna-kit ← get BOTH for a discount!
🥇CCNA Gold Bootcamp: www.flackbox.com/cisco-ccna-c... ← the course I used to get my CCNA (top rated course on the Internet)
Get the course ad-free with bonus quizzes and more on JITL Academy: courses.jeremysitlab.com
Download Packet Tracer: www.netacad.com/courses/packe...
In this lab for day 34 of my free CCNA 200-301 complete course, you will practice configuring standard IPv4 ACLs (Access Control Lists).
In this FREE and COMPLETE CCNA 200-301 course you will find lecture videos covering all topics in Cisco's official exam topics list, end-of-video quizzes to test your knowledge, flashcards to review, and practice labs to get hands-on experience.
SUPPORT MY CHANNEL
The best way to support my channel is to like, comment, subscribe, and share my videos to help spread the word!
If you can spare to leave a tip, here are some options:
PayPal: paypal.me/jeremysitlabYT
BAT (Basic Attention Token) tips in the Brave browser (www.jeremysitlab.com/brave-br...)
======================
Patreon: / jeremysitlab
======================
Cryptocurrency Addresses
Bitcoin: bc1qxjpza7nx46e8a2rtz6vkcrvxx9mfjnufdrk0jv
Ethereum: 0x08B4325b1B99B05d850A3bfCd4A6620D770cfB64
======================
0:00 Introduction
1:26 Step 1
4:02 Step 2
13:03 Boson NetSim
#cisco #CCNA - Science & Technology
Dear Jeremy, because of you, I was able to switch my job. I followed up and studied your videos only and was able to crack the interview for Network Engineer in an MNC during this pandemic. Thank you soooo much for your great help in my career.
Wow, that's awesome! Best of luck in your career. I'm glad to hear my videos were helpful :)
It's the best course ever! I wish to be like him, expert at networking one day.
we all want to be experts we just have to keep learning and practicing 🙏
As Jeremy is saying here, ACLs can be configured in lots of ways, but the best practice is to try and achieve the policies in as few ACL listings as possible.
Perfect execution as always. Makes these topics so easy to understand.
Thank you Jeremy for another great Lab practice! Keep up the good work.
Thanks Alberto, cheers!
Hey Jeremy,
Your explanation for the Boson lab is so awesome.😀
Hi Jeremy, Really worth to go through your classes. Thank you very much for the excellent classes.
Thanks for your comment, I'm glad you like the videos :)
amazing lab in this video. great pace for beginners!
awesome lab from both you and boson. And thanks so much for sharing those with everyone. 😀
love all your videos jeremy , thank you , a great channel very helpful ;)
Thanks Samir :)
best cisco teacher its my 7th day of started watching this playlist and reached to 67 videos very interesting videos thanks
You are a brilliant teacher! Absolutely invaluable.
You are right ACLs are flexible. I completed this lab little differently than yours. But I understood the concept. Thanks to you!
Amazing quality like always!
Thanks Anthony :)
Awesome video! Very informative.. thank you Jeremy
Thanks Nicholas :)
can you explain the logic and how you quickly knew what to use as wildcard mask @ 19:20 to include both 10.10.2 and 10.10.3? thanks for your time
You’ll never be able receive enough gratitude and thanks for what you’re doing man! Thank you sooooooooooooooo much!!!!!
The internet often takes me back to this channel and I can only say: this person is really the best Cisco teacher in town, sorry.
Thank you Abdul :)
These labs are amazing! I got through it without the video.
But I failed to add the permit any to the ACLs on R1, watched the video for correction, and I cannot thank you enough for these lessons and labs
Thanks for the effort
Thanks for the video always nice
Mind-blowing video !!!!
We must at least like and subscribe to thank Jeremy for the intelligent and hard work he has done
Thank you!
Great lab, Jeremy Thanks
Thank you :)
wow jeremy i love you for this
Thanks for the love ;)
Thanks a lot Jeremy!
Thanks Omar! And thanks for being a member :)
cool and easy! thanks so much!!!
Thank you :)
thank you so much
Jeremy, your labs, as well as all course structure is amazing!! Thank you.
Thanks Piotr :)
GOOD LESSON, PLEASE KEEP UP
thanks for the great content Jeremy
Thanks Fethi :)
HI Jeremy thanks in advance,
Thanks for watching :)
Great lab!
Thanks Miguel!
very good video
Hi Jeremy. Thanks. This is great as always.
Footnote. I did:
R2#sh run | section access-list
ip access-list standard to192.168.1.0
permit host 172.16.1.1
permit host 172.16.2.1
applied it to R2 g0/0 "out" and PC4 was still able to ping 192.168.1.100 (which was wrong). Next I added "implicit deny" to that ACL:
"30 deny any" at the bottom, and applied on g0/0 out again.
Only then PC4 stopped being able to ping 192.168.1.100.
Resume. Looks like Packet Tracer 8.2.0.0162 does not apply "implicit deny" at the end, so you have to input it manually. Your lab walkthrough didn't have this problem, you added "deny any" as a good practice. :)
I found this exact problem but a little different. It allowed 172.16.1.2 but denied 172.16.2.1.
The problem was in the new lab files (redownloaded them 2 months ago). I have an older copy from a year and a half, which is working just fine.
thanks
Boson's having a holiday sale!
Get 25% OFF Boson ExSim, NetSim, etc with code MERRY20 (until the end of this month!)
📚Boson ExSim: jeremysitlab.com/boson-exsim ← the BEST practice exams for CCNA
💻Boson NetSim: jeremysitlab.com/boson-netsim ← 100+ detailed guided labs for CCNA
💯ExSim + NetSim: jeremysitlab.com/boson-ccna-kit ← get BOTH for a discount!
📗Boson Courseware: www.jeremysitlab.com/boson-courseware ← Boson's COMPLETE CCNA Courseware
Very fruitful video
Thank you :)
tysm
Thank you for your videos Jeremy
Just a question, I wonder why at 2:04, you apply a wildcard mask of 0.0.255.255, which corresponds to /16 if I'm correct, but the network 172.16.2.0 is specified /24
Was going through the comments to see if it was just me who noticed. Same question!
It is to enable ospf on both the .1.0 and .2.0 networks at the same time
Makes perfect sense, thank you so much :) @@HemanthJabalpuri
@@HemanthJabalpuri would you be able to elaborate please? I'm still a bit confused
@@dylannoronha5414 the first step is to activate OSPF, so he activated OSPF on both the g0/0 and g0/1 interfaces of Router1 with the command
“172.16.0.0 0.0.255.255”
(because 172.16.0.0 with a 0.0.255.255 mask includes both 172.16.1.0/24 and 172.16.2.0/24 networks which are g0/0 n g0/1)…..(technically it actually includes everything between 172.16.0.0 to 172.16.255.255) hope I didn't make things more confusing.
Thanks.
Thanks for watching :)
That's why I pay for the internet. Thank you man, you're the best
Thank you ;)
yay!!!!
Hi Jason! 😀
merry christmas Jeremy, wish you all the best
Jeremy, in this scenario because its a standard ACL will you not just need one access list on the g0/1 interface "access-list 1 deny 172.16.1.0 0.0.0.255" to deny the traffic from both networks as it uses the source IP address? PC4 --> R1 --> PC1(will accept) then PC1-->R1-->PC4(will deny). love your videos thanks for the help !!
I watched every video and did every lab...and made my comments 4 algorithm :P
Cheers, thanks for the comments ;)
Are the boson labs meant for us to recreate in packet tracer? Or just an example to follow along with and complete it in NetSim (if we have it)?
I am confused with the first exercise (blocking telnet from Vlan 2 and 3), why the ip access-group was applied as "IN". I had the idea that every traffic coming from outside the router trying to access inside this router should be applied as "OUT".
Hi Jeremy,
Min 19:20mn, the way you configured wildcard mask to cover both vlans 1&2... should we look at it the same way we look at wildcard masks when it comes to activate interfaces using network command? Thanks
Yeah it's the same concept. 0 in the wildcard mask = the bit must match, 1 in the wildcard mask = the bit doesn't have to match.
As I was watching the lecture, I was like, I kind of understand it. I get the logic. When I was doing the lab, it clicked for me for some reason.
Hi Jeremy
Quick question. When you were configuring the ospf network command on r1 and r1 you used a wildcard mask of 0.0.255.255 for both the 172.16 and 192.168 networks. I don't know if I'm forgetting something but could you explain why its set to that and not a /24 wildcard mask of 0.0.0.255? Thank you. Your videos have been the best source of learning the CCNA for me.
There's no need for the wildcard mask to match the subnet mask configured on the interface. As long as the proper bits in the configured IP address match the configured OSPF network command, OSPF will be activated on the interface.
@@JeremysITLab Perfect thank you for clearing that up. Much Appreciated.
I did a different configuration. I allowed PC1, and PC3 explicitly to access the 192.168.1.0/24 and then denied any entry from 172.16.1.0/24 and 172.16.2.0/24 and then allowed all other any entries. I am halfway this video , let's see full and I then point out if I had any different configurations as well
Hey Jeremy! Between the Lammle and Odom CCNA certification study guide books, which one would you recommend and why, if you don’t mind me asking?
I haven't read Lammle's books, only Odom's (which are very good). The general opinion of most people is that Odom is more in-depth but more dry/less interesting. Lammle has less depth than Odom but his writing style is more interesting and the books are easier to read.
@@JeremysITLab Thank you 👍
11:28 what if we reverse the interfaces? I mean apply access-list 1 for g0/0 inbound?
Dear Jeremy, thank y so much for all. Could I ask u in this lab. Do we need to passive-interface g0/1,g0/0. Thank you so much
If you want, feel free to!
@@JeremysITLab thank u 🙏
Hi Jeremy,
Just a question. Why can I ping R1's G0/0 Interface (172.16.1.254) with PC3 and PC4? Is it because the actual packet from PC3 and PC4 did not actually exit R1's G0/0 interface?
Also, why can I ping PC3 and PC4 using R1's G0/0 Interface (172.16.1.254) as the source via the extended ping command? It should be blocked by ACL right? because the source is 172.16.1.254 and it is going out of R1's G0/1 interface.
Thanks!
@jeremy's I goofed, I purchased ExSim-Max Exams, and I realized does not have Labs that I can self-practice like NetSim is so painful..is there any other way
Is it possible to silently drop the packet instead of sending an ICMP host unreachable?
for those of you that don't know he is using tab button to finish the commands automatically
Thank you once again for this great lab sir! I got memory blocked on OSPF for not labbing enough but I got refreshed back in this video. Sir, I tried this lab successfully but one thing I noticed: when I tried to add remarks and it was incorrect, I tried to issue the "no" command like below in Packet Tracer, and what happened next is that the configured access-list commands for which I issued the command were automatically deleted. Here's the command issued and you can see that I had to redo the ACL 1 config. I am not sure if this is a bug in Packet Tracer or if it is the same in real Cisco IOS:
R1(config)#do sho running-config | include access-list
access-list 1 deny 172.16.1.0 0.0.0.255
access-list 1 permit any
access-list 1 remark ## block 172.16.2.0 ##
access-list 1 remark ## block 172.16.1.0 ##
access-list 2 deny 172.16.2.0 0.0.0.255
access-list 2 permit any
access-list 2 remark ## block 172.16.2.0 ##
R1(config)#no access-list 1 remark ## block 172.16.2.0 ##
R1(config)#do sho running-config | include access-list
access-list 2 deny 172.16.2.0 0.0.0.255
access-list 2 permit any
access-list 2 remark ## block 172.16.2.0 ##
R1(config)#do sho ip access-lists
Standard IP access list 2
10 deny 172.16.2.0 0.0.0.255
20 permit any
R1(config)#access-list 1 deny 172.16.1.0 0.0.0.255
R1(config)#access-list 1 permit any
R1(config)#access-list 1 remark ## block 172.16.2.0 ##
R1(config)#int g0/1
R1(config-if)#ip access-group 1 out
R1(config-if)#do sho running-config | include access-list
access-list 2 deny 172.16.2.0 0.0.0.255
access-list 2 permit any
access-list 2 remark ## block 172.16.2.0 ##
access-list 1 deny 172.16.1.0 0.0.0.255
access-list 1 permit any
access-list 1 remark ## block 172.16.2.0 ##
Hi Jeremy Thank you for this but I'm unable to access the lab its missing
Sorry, just uploaded it!
19:22 can someone explain why he did the ip and wildcard mask like that?
When will you complete the ccna course?can you tell the exact date
I don't know.
Hi Jeremy, after setting up the access-list on R1, I was trying to ping from SRV1 to SRV2, but it seems like they can't communicate each other, do you have this issue?
If you've configured routers as instruction says then this is expected behaviour. It is because access-list applied on g0/0 interface allow traffic from pc 1 and pc3 only so any other traffic(including one from SRV2) to SRV1 is going to be dropped.
@@piotrwikarski9401 ah got it. Missed that part. Thanks
Piotr's explanation is correct! Good explanation ;)
thanks for the great videos again.
I'm a little bit confused, shouldn't the wildcard for the 192.168.0.0/24 network be 0.0.0.255?
Hi, what time in the video are you asking about?
@@JeremysITLab 2:43 I understand it should match all the addresses, but i'm confused.
@@icecoldnoob6719 If I used the command 'network 192.168.0.0 0.0.0.255', which interface addresses does that match? Does it match 192.168.1.254 or 192.168.2.254?
@@JeremysITLab well, none of them, i just don't get it, did i miss something from previous lessons?
@@icecoldnoob6719 So why would we use 192.168.0.0 0.0.0.255 if it doesn’t match either of the networks we want to match? There are many possible answers that would match both 192.168.1.0/24 and 192.168.2.0/24, I just selected 192.168.0.0/16 for simplicity.
Why do you use /16 wildcard? when it's shown it's /24? 1:56
To enable OSPF on both interfaces with one command.
ACL is in the CCNA 200-3001 exam or not
does anyone know if we can use command abbreviation on the exam ?
Hi, can I ask how many days there will be in total? Sorry if others have asked this lots already.
about 50 "days" he always says
@@nightowl6569 thank you Mr Owl.
Yeah about 50 days, max 60 days I think
sir what is the diff b/w access list and access group
No difference!
hi jeremy, on step 4 how did you put 1 on the 3rd octet for the wildcard mask? I mean how did you do the calculation for 2 networks together. they are /24 mask. could you please give little explanation, please
Hi, did you write out the two network addresses and my ACL statement in binary?
@@JeremysITLab hello jeremy, I am sorry, I should have mentioned you. I was trying the boson one and watching your video and explanation so on step 4
the ip address 10.10.2.0 0.0.1.255
there was an explanation in boson but I did not get it how they/you calculate that.
@@susmitamazumder8390 Yeah I understand the question, I'm just asking if you wrote those out in binary? The network addresses and the ACL statement.
@@JeremysITLab i did write
@@susmitamazumder8390 And what did you find? Did the ACL statement with the /23 wildcard mask match both networks?
Hi @jeremy, the lab is not showing up on Google Drive. Can you please look into it.
Sorry, just uploaded it!
Thank you sir.
In that ccna lab, how to block PCs in the same LAN (let's say PC3 and PC4 ) accessing each other?
Put them into separate VLANs
@@JeremysITLab what if they are in the same vlan, can we do this with VACL?
So why is it a .3 in the serial configuration for ospf on R1 and R2 ?
it's a wildcard mask.
you see the 203.0.113.0/30? it's a /30 subnet.
/30 translates to .248 , which is 11111100
but remember the wildmask is the inverted subnet mask -- so
00000011 (2 + 1 = 3) , hence .3
Please sir, I need the lab files to practice in packet tracer
hi Jeremy, last requirement: deny 172.16.1.0 to 172.16.2.0 and 172.16.2.0 to 172.16.1.0. I did one access list in one direction. It stops traffic both ways.
my question is why do we need to do access list in both direction for same subnet
only difference is access list config showing destination unreachable and the other with access list config shows request timeout.
please reply.
You don't need to do an access list in both directions.
Do not forget about the implicit deny. Your ping will reach the destination but you will not get a reply back.
Which ping are you referring to?
21:28 prevent remote networks from pretending to reside on VLAN 1
This is what I can't understand even after explanation.
I have updated Packet Tracer but still some of these labs not working, It says the file is not compatible with this version of packet tracer ?
Download the latest version of packet tracer from Cisco, then you'll be able to open all the files.
Hi, why is the network add 172.16.0.0 0.0.255.255? Shouldn't the wildcard mask be 0.0.0.255 as it's a /24 prefix length?
I have the same question....I assume you don't use the /24. You are allowing the last two octets so you set 255 for those octets.
As per ACL, PC2 can’t ping 192.168.1.100 but why is it able to ping 192.168.1.0 Network?
Did you add another host to 192.168.1.0/24 and try to ping it?
If you tried to ping R2's IP, that will work because the traffic isn't being sent out of the interface.
hi
I did everything correct 3x and PC2 can still reach server 1.....I don't know what I'm doing wrong
I was having the same issue, but realized that the access list name is case-sensitive. Re-applied it while my pings were running and they started to be denied. Not sure if this is your problem.
Anyone know why for the subnet mask he put 0.0.0.3 for router 2? Shouldn't it just be 0? So it matches all numbers? So confused.
I'm a noob, but let's learn together.
From my understanding,
0.0.0.0 wildcard mask = 255.255.255.255 subnet mask, aka only those who match ALL 32 bits.
(Like, tell the dating app to find hot moms in my area with specific age, hair color, eye color, breast size, foot size, who can make perfect risotto, and who's also into a specific faction in the Warhammer 40k universe, you'd simply get 0 matches by being so strict with your preferences. You get way more matches by loosening the conditions.)
R2's s0/0/0 interface (203.0.113.2) belongs to 203.0.113.0/30 network.
/30 = 255.255.255.252,
255-252 = 3 (wildcard mask is just inverted subnet mask, hence the 0.0.0.3), have to match first 30 bits.
He told the router to activate OSPF on interfaces that fall only into the specified range of "203.0.113.0/30".
The 203.0.113.2 (R2's s0/0/0 interface), falls into that range. So OSPF gets activated on it.
Then, the router would advertise the network prefix of the interface (NOT the prefix in the "network" command).
For example, earlier he told the router to activate OSPF on interfaces that fall into the 192.168.0.0 0.0.255.255 range.
0.0.255.255 wildcard mask = 255.255.0.0 subnet mask = /16, meaning those that match the first 16 bits.
Both 192.168.1.0/24 network interfaces and 192.168.2.0/24 network interfaces, all fall into that range. Because we only care that the first two octets, the "192.168" portion match, not caring about the rest 2 octets.
Like, no need specifying that only age 18-20 and age 20-40 may enter the club. You can just specify that anyone who falls to age 18-40 may enter.
He just basically killed 2 birds with 1 stone by doing both in one command for convenience.
But in 203.0.113.0/30 case, that club may be some weird kink club, where only people aged 40+ may enter, so you need to specify it stricter.
Correct me if I'm wrong.
Because a /30 subnet mask is equal to 0.0.0.3 in wild card mask. /30 has block size of 4 and wild card is one less than block size, so 4-1=3. That's why 0.0.0.3
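The wildcard-mask questions in the threads above (172.16.0.0 0.0.255.255, 192.168.0.0 0.0.0.255, 10.10.2.0 0.0.1.255, 203.0.113.0 0.0.0.3) can be checked bit by bit. The following Python sketch is an added example, not part of any comment or of the lab files; the function names are its own, and `tightest_cover` goes one step further than the comments by computing the narrowest single contiguous statement that covers a set of networks.

```python
import ipaddress


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr, base, wildcard):
    """0 bit in the wildcard = the bit must match, 1 bit = the bit is ignored."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


def wildcard_for_prefix(prefix_len):
    """Wildcard mask that is the inverted subnet mask of a /prefix_len."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix_len}").hostmask)


def tightest_cover(networks):
    """Narrowest contiguous base/wildcard pair that matches every network given."""
    nets = [ipaddress.ip_network(n) for n in networks]
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()  # widen by one bit at a time
    return str(cover.network_address), str(cover.hostmask)


def as_bits(dotted):
    """Dotted decimal written out in binary, octet by octet."""
    return ".".join(f"{int(octet):08b}" for octet in dotted.split("."))


if __name__ == "__main__":
    # Writing the statement out in binary, as suggested in the thread.
    for label, value in [("10.10.2.0", "10.10.2.0"), ("10.10.3.0", "10.10.3.0"),
                         ("wildcard", "0.0.1.255")]:
        print(f"{label:>10}  {as_bits(value)}")

    # Interface addresses quoted in the comments, tested against each statement.
    checks = [
        ("192.168.1.254", "192.168.0.0", "0.0.0.255"),
        ("192.168.2.254", "192.168.0.0", "0.0.0.255"),
        ("192.168.1.254", "192.168.0.0", "0.0.255.255"),
        ("192.168.2.254", "192.168.0.0", "0.0.255.255"),
        ("203.0.113.2", "203.0.113.0", wildcard_for_prefix(30)),
    ]
    for addr, base, wc in checks:
        print(f"{addr} vs {base} {wc}: {wildcard_match(addr, base, wc)}")

    # /16 works for both pairs of /24s, but it is not the narrowest choice.
    print(tightest_cover(["172.16.1.0/24", "172.16.2.0/24"]))
    print(tightest_cover(["10.10.2.0/24", "10.10.3.0/24"]))
```

For an ACL the narrowest statement matters more than for an OSPF `network` command, because every extra address the wildcard covers is also permitted or denied by that entry.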
Why am I not able to ping srv2 from pc2 ?
I don't know, you haven't given me any information about the configurations you did.
Why did I get a different result? I tried to replicate Jeremy's solution and copy the exact solution but still end up receiving request timed out. Can anyone help?
Is the Lab not showing on google drive for anyone else ?
Yes.
Sorry, just uploaded it!
@@JeremysITLab Top man, keep up the great work!
care to share the google drive link? I can't find it
@@johnkatende3 Top line of the description: 'Free CCNA 200-301 flashcards/Packet Tracer labs for the course: jeremysitlab.com/youtube-join/ '
This was not easy at all. teaching on this topic was confusing
I'm not sure what I did wrong... I have configured OSPF on R1 & R2 and they both have full adjacencies. I have also configured the following ACL and applied it outbound on g0/0 of R2. When I try to ping SRV1 I get "Reply from 203.0.113.2: Destination host unreachable." R2 does have a route to SRV1 though. Please help me understand what I'm doing wrong here.
ACL applied outbound on g0/0 of R2:
ip access-list standard TO_192.168.1.0/24
permit host 172.168.1.1
permit host 172.168.2.1
remark ## ONLY allow PC1 AND PC3 - configured 6/25/2022 ##
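An added example, not part of the comment above or of the video's lab files: a small Python model of how a standard ACL is evaluated (top-down, first match wins, implicit deny at the end), run over ACL entries quoted in the comments on this page. The source addresses tested (172.16.1.1, 172.16.1.2, 172.16.1.5, 172.16.2.5) are assumptions based on the 172.16.x.x addressing other commenters quote, and the function names are this example's own.

```python
import ipaddress

IMPLICIT_DENY = "(implicit deny any)"


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def parse_entry(line):
    """Parse one standard-ACL entry into (action, base, wildcard); None for remarks."""
    tokens = line.split()
    if tokens and tokens[0].isdigit():  # optional sequence number, e.g. "30 deny any"
        tokens = tokens[1:]
    if not tokens or tokens[0] == "remark":
        return None
    action, rest = tokens[0], tokens[1:]
    if action not in ("permit", "deny") or not rest:
        raise ValueError(f"unsupported entry: {line!r}")
    if rest[0] == "any":
        base, wildcard = "0.0.0.0", "255.255.255.255"
    elif rest[0] == "host":
        base, wildcard = rest[1], "0.0.0.0"
    elif len(rest) == 1:                # a bare address is treated as a host entry
        base, wildcard = rest[0], "0.0.0.0"
    else:
        base, wildcard = rest[0], rest[1]
    return action, _to_int(base), _to_int(wildcard)


def evaluate(entries, source):
    """Return (action, matching entry) for a packet with the given source address."""
    src = _to_int(source)
    for line in entries:
        parsed = parse_entry(line)
        if parsed is None:
            continue
        action, base, wildcard = parsed
        care = ~wildcard & 0xFFFFFFFF   # bits the wildcard says must match
        if (src & care) == (base & care):
            return action, line
    return "deny", IMPLICIT_DENY        # nothing matched


# Entries copied from comments on this page.
POSTED = ["permit host 172.168.1.1", "permit host 172.168.2.1",
          "remark ## ONLY allow PC1 AND PC3 - configured 6/25/2022 ##"]
LAB_HOSTS = ["permit host 172.16.1.1", "permit host 172.16.2.1"]
ACL_1 = ["deny 172.16.1.0 0.0.0.255", "permit any"]

if __name__ == "__main__":
    for name, acl, src in [
        ("POSTED", POSTED, "172.16.1.1"),         # 172.168.x.x entries never match
        ("LAB_HOSTS", LAB_HOSTS, "172.16.1.1"),
        ("LAB_HOSTS", LAB_HOSTS, "172.16.1.2"),   # assumed address of another host
        ("ACL_1", ACL_1, "172.16.2.5"),
        ("ACL_1 without permit any", ACL_1[:1], "172.16.2.5"),
    ]:
        print(f"{name:<26} src {src:<12} -> {evaluate(acl, src)}")
```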