
Need help with Access Lists...

CompUBug Member Posts: 46
I have 4 VLANs running router-on-a-stick on my network...

VLAN 1 network is 10.10.10.0
VLAN 2 network is 10.10.20.0
VLAN 3 network is 10.10.30.0
VLAN 4 network is 10.10.40.0
VLAN 99 network is 10.10.99.0

I want VLANs 1 and 2 to be able to intercommunicate (ping and IP), but NOT be able to access VLANs 3 and 99 in ANY way (including pinging, IP, everything / no access)... and they shouldn't be able to PING VLAN 4...

VLANs 3, 4, and 99 should be able to all intercommunicate with each other AND should be able to communicate with VLANs 1 and 2 as well...

Is this possible?

If so how?

Comments

    Chris_ Member Posts: 326
    It's all possible with access lists. Why don't you have a go first with the help of some docs and then post your config up if you are having problems. It's always best to give it a go.
    Going all out for Voice. Don't worry Data; I'll never forget you
    :study: CVoice [X] CIPT 1 [ ] CIPT 2 [ ] CAPPS [ ] TVOICE [ ]
    CompUBug Member Posts: 46
    Chris_ wrote: »
    It's all possible with access lists. Why don't you have a go first with the help of some docs and then post your config up if you are having problems. It's always best to give it a go.

    I found some of my problem already, I was applying the access-group to the wrong direction of the interface...

    Okay, here's what's going on:
    Router wrote:
    interface FastEthernet0/0
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet0/0.10
    encapsulation dot1Q 10
    ip address 10.10.10.1 255.255.255.0
    ip helper-address 10.10.40.10
    !
    interface FastEthernet0/0.20
    encapsulation dot1Q 20
    ip address 10.10.20.1 255.255.255.0
    ip helper-address 10.10.40.20
    !
    interface FastEthernet0/0.30
    encapsulation dot1Q 30
    ip address 10.10.30.1 255.255.255.0
    ip helper-address 10.10.40.30
    !
    interface FastEthernet0/0.40
    encapsulation dot1Q 40
    ip address 10.10.40.1 255.255.255.0
    !
    interface FastEthernet0/0.99
    encapsulation dot1Q 99 native
    ip address 10.10.99.1 255.255.255.248
    !
    interface FastEthernet0/1
    no ip address
    duplex auto
    speed auto
    shutdown

    And this is the way I configured my Access Lists for VLAN 10
    Router(config)#access-list 110 permit ip 10.10.30.0 0.0.0.255 10.10.10.0 0.0.0.255 <<Allow users from VLAN 30 to access VLAN 10
    Router(config)#access-list 110 deny ip 10.10.10.0 0.0.0.255 10.10.30.0 0.0.0.255 <<Deny users from VLAN 10 to access VLAN 30
    Router(config)#access-list 110 permit ip 10.10.99.0 0.0.0.255 10.10.10.0 0.0.0.255 <<Allow users from VLAN 99 to access VLAN 10
    Router(config)#access-list 110 deny ip 10.10.10.0 0.0.0.255 10.10.99.0 0.0.0.255 <<Deny users from VLAN 10 to access VLAN 99
    Router(config)#access-list 110 permit ip any any <<Allow users from VLAN 10 to access the rest of the VLANs
    Router(config)#int fa0/0.10
    Router(config-subif)#ip access-group 110 in

    The problem with this is... although users from VLAN 10 can't reach VLANs 30 and 99, users from VLANs 30 and 99 ALSO can't reach VLAN 10... is there a way to make a one-way channel, so to speak?
    tomaifauchai Member Posts: 301
    You're mixing things up now: if you apply an access list in the IN direction, you can't block VLAN 30 or VLAN 99 from entering subinterface 10, because that is considered OUT.

    You can just control VLAN 10 users by applying an IN ACL, and this is the way to go with extended ones.


    This is good
    Router(config)#access-list 110 deny ip 10.10.10.0 0.0.0.255 10.10.30.0 0.0.0.255 <<Deny users from VLAN 10 to access VLAN 30
    Router(config)#access-list 110 deny ip 10.10.10.0 0.0.0.255 10.10.99.0 0.0.0.255 <<Deny users from VLAN 10 to access VLAN 99
    Router(config)#access-list 110 permit ip any any <<Allow users from VLAN 10 to access the rest of the VLANs
    Router(config)#int fa0/0.10
    Router(config-subif)#ip access-group 110 in

    You have to create an ACL 130 and apply it under the fa0/0.30 interface IN, and an ACL 199 under fa0/0.99 IN.
    CompUBug Member Posts: 46
    tomaifauchai wrote: »
    You're mixing things up now: if you apply an access list in the IN direction, you can't block VLAN 30 or VLAN 99 from entering subinterface 10, because that is considered OUT.

    You can just control VLAN 10 users by applying an IN ACL, and this is the way to go with extended ones.


    This is good
    Router(config)#access-list 110 deny ip 10.10.10.0 0.0.0.255 10.10.30.0 0.0.0.255 <<Deny users from VLAN 10 to access VLAN 30
    Router(config)#access-list 110 deny ip 10.10.10.0 0.0.0.255 10.10.99.0 0.0.0.255 <<Deny users from VLAN 10 to access VLAN 99
    Router(config)#access-list 110 permit ip any any <<Allow users from VLAN 10 to access the rest of the VLANs
    Router(config)#int fa0/0.10
    Router(config-subif)#ip access-group 110 in

    You have to create an ACL 130 and apply it under the fa0/0.30 interface IN, and an ACL 199 under fa0/0.99 IN.

    So ACL 130...
    access-list 130 permit ip 10.10.30.0 0.0.0.255 10.10.10.0 0.0.0.255

    and likewise for 199???

    I'm very confused here.
    tomaifauchai Member Posts: 301
    Actually, you don't have to create an ACL only to permit a network, because by default it is permitted!
    You just have to create an ACL to deny something, and you add an implicit permit at the end.

    (Depends on the case, but this applies to your case.)
    Chris_ Member Posts: 326
    Unless I'm misunderstanding your requirements, then something like this should achieve it.

    ip access-list extended VLAN10
    10 deny ip 10.10.10.0 0.0.0.255 10.10.30.0 0.0.0.255
    20 deny ip 10.10.10.0 0.0.0.255 10.10.99.0 0.0.0.255
    30 deny icmp 10.10.10.0 0.0.0.255 10.10.40.0 0.0.0.255 echo
    40 permit ip any any
    << applied INbound to the fa0/0.10 interface >>

    ip access-list extended VLAN20
    10 deny ip 10.10.20.0 0.0.0.255 10.10.30.0 0.0.0.255
    20 deny ip 10.10.20.0 0.0.0.255 10.10.99.0 0.0.0.255
    30 deny icmp 10.10.20.0 0.0.0.255 10.10.40.0 0.0.0.255 echo
    40 permit ip any any
    << applied INbound to the fa0/0.20 interface >>
    Going all out for Voice. Don't worry Data; I'll never forget you
    :study: CVoice [X] CIPT 1 [ ] CIPT 2 [ ] CAPPS [ ] TVOICE [ ]
    Chris_ Member Posts: 326
    Scrap that!
    Just noticed you said you wanted VLANs 1 and 2 to be denied from talking to 3, 4, and 99 >> possible with the access lists above.

    VLANs 3, 4 and 99 to be able to talk to each other >> this is the default.

    But at the end you said you wanted 3, 4 and 99 to be able to communicate with 1 and 2. This isn't possible, as VLANs 1 and 2 won't be able to reply to 3, 4 and 99 due to the access list we've applied.

    This is probably where you need to use access lists at a more granular level, to block and permit by traffic type, i.e. port number or defined protocol. This would allow/block the flows of traffic between specific applications across these VLANs, instead of complete IP blocking.

    Also, if traffic was initiated by VLAN 3, 4 or 99 to VLANs 1 & 2, you could maybe play with the 'established' keyword to allow these sessions, but this won't work with UDP or ICMP.

    Can someone tell me if I'm completely off the mark here!
    Going all out for Voice. Don't worry Data; I'll never forget you
    :study: CVoice [X] CIPT 1 [ ] CIPT 2 [ ] CAPPS [ ] TVOICE [ ]
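The "one-way channel" problem and the 'established' workaround discussed above, as an added example that is not part of the thread: a small first-match simulator for IOS-style extended ACLs (wildcard masks, implicit deny) run against ACL 110 inbound on fa0/0.10. The host addresses, the single `ack` flag standing in for the ACK/RST test that 'established' performs, and the assumption that fa0/0.30 carries no inbound ACL are constructed for the example.

```python
import ipaddress

def wildcard_match(addr, net, wildcard):
    """Cisco wildcard mask: a 1 bit in the wildcard means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a | w) == (n | w)

ANY = ("0.0.0.0", "255.255.255.255")
NET10, NET30, NET99 = [(f"10.10.{v}.0", "0.0.0.255") for v in (10, 30, 99)]

def acl_lookup(acl, pkt):
    """First-match evaluation of an extended ACL, ending in the implicit deny.
    Entries are (action, proto, src, dst, established). A packet is a dict with
    src, dst, proto and, for TCP, an 'ack' flag (simplified 'established' check)."""
    for action, proto, src, dst, established in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], *src) and wildcard_match(pkt["dst"], *dst)):
            continue
        if established and not (pkt["proto"] == "tcp" and pkt.get("ack", False)):
            continue
        return action
    return "deny"  # implicit 'deny ip any any'

# ACL 110 as corrected in the thread: deny VLAN 10 -> 30 and 10 -> 99, permit the rest.
ACL_110 = [("deny", "ip", NET10, NET30, False),
           ("deny", "ip", NET10, NET99, False),
           ("permit", "ip", ANY, ANY, False)]

# Same intent, but TCP replies to sessions opened from VLAN 30 are matched first.
ACL_110_ESTABLISHED = [("permit", "tcp", NET10, NET30, True)] + ACL_110

def session_from_vlan30(acl_on_fa0_0_10, proto):
    """Simulate a VLAN 30 host talking to a VLAN 10 host (constructed addresses).
    Assumes only fa0/0.10 has an inbound ACL, so the request entering fa0/0.30 is
    always forwarded; the reply enters fa0/0.10 inbound and is what ACL 110 sees.
    Returns (request_verdict, reply_verdict)."""
    reply = {"src": "10.10.10.5", "dst": "10.10.30.5", "proto": proto,
             "ack": proto == "tcp"}  # a TCP reply carries ACK; ICMP/UDP never do
    return ("permit", acl_lookup(acl_on_fa0_0_10, reply))

if __name__ == "__main__":
    print(session_from_vlan30(ACL_110, "icmp"))             # ('permit', 'deny')
    print(session_from_vlan30(ACL_110_ESTABLISHED, "tcp"))  # ('permit', 'permit')
    print(session_from_vlan30(ACL_110_ESTABLISHED, "icmp")) # ('permit', 'deny')
```

The first result is the poster's symptom: the ping from VLAN 30 gets in, but the echo reply from VLAN 10 is dropped by the inbound ACL; 'established' only rescues TCP, which is why UDP and ICMP still fail.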