Options

ACL sample

olihcolihc Member Posts: 2 ■□□□□□□□□□
in CCNA & CCENT
Hi guys,


Need your help in configuring this ACL.



VLAN 10 can access all VLAN
VLAN 20 can access VLAN 10
VLAN 30 can access VLAN 10

all other VLAN cannot access any VLAN just internet.
· Share on FacebookShare on Twitter

Comments

  • Options
    TheNewITGuyTheNewITGuy Member Posts: 169 ■■■■□□□□□□
    Well given the subnets are say:

    VLAN 10: 192.168.10.0/24
    VLAN 20: 192.168.20.0/24
    VLAN 30: 192.168.30.0/24

    access-list 100 permit ip 192.168.10.0 0.0.0.255 any
    access-list 100 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
    access-list 100 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
    access-list 100 deny ip <other vlan> 192.168.0.0 0.0.7.255
    access-list 100 permit ip <other vlan> any
    access-list 100 deny ip any any
    · Share on FacebookShare on Twitter
  • Options
    ZartanasaurusZartanasaurus Member Posts: 2,008 ■■■■■■■■■□
    olihc wrote: »
    Hi guys,


    Need your help in configuring this ACL.



    VLAN 10 can access all VLAN
    VLAN 20 can access VLAN 10
    VLAN 30 can access VLAN 10

    all other VLAN cannot access any VLAN just internet.
    You should at least show what you've tried up to this point before you ask strangers on the internet to do your homework.
    Currently reading:
    IPSec VPN Design 44%
    Mastering VMWare vSphere 5​ 42.8%
    · Share on FacebookShare on Twitter
  • Options
    theodoxatheodoxa Member Posts: 1,340 ■■■■□□□□□□
    Assuming that all the VLANs are trunked to a single router that performs Inter-VLAN Routing.

    Router(config)#ip access-list extended VLACL
    Router(config-nacl)#permit ip <VLAN 10 Subnet ID> <VLAN 10 Wildcard Mask> any
    Router(config-nacl)#permit ip <VLAN 20 Subnet ID> <VLAN 20 Wildcard Mask> <VLAN 10 Subnet ID> <VLAN 10 Wildcard Mask>
    Router(config-nacl)#permit ip <VLAN 30 Subnet ID> <VLAN 30 Wildcard Mask> <VLAN 10 Subnet ID> <VLAN 10 Wildcard Mask>
    Router(config-nacl)#exit
    Router(config)#int Fa0/0.10
    Router(config-subif)#ip access-group VLACL in
    Router(config-subif)#int Fa0/0.20
    Router(config-subif)#ip access-group VLACL in
    Router(config-subif)#int Fa0/0.30
    Router(config-subif)#ip access-group VLACL in

    Additionaly, if VLAN 20 and VLAN 30 are contiguous, you might be able to summarize them into a single entry by simply adjusting the wildcard mask. Now, if someone here who knows could answer this question, could he put the ACL on the physical interface [to apply to all subinterfaces] or would he have to apply it to each of the three subinterfaces?
    R&S: CCENT CCNA CCNP CCIE [ ]
    Security: CCNA [ ]
    Virtualization: VCA-DCV [ ]
    · Share on FacebookShare on Twitter
  • Options
    TheNewITGuyTheNewITGuy Member Posts: 169 ■■■■□□□□□□
    you forgot the access to the internet.
    · Share on FacebookShare on Twitter
  • Options
    olihcolihc Member Posts: 2 ■□□□□□□□□□
    haven't tried anything because it's now in production, the only time I can try this is on weekends.


    Zartanasaurus wrote: »
    You should at least show what you've tried up to this point before you ask strangers on the internet to do your homework.
    · Share on FacebookShare on Twitter
  • Options
    theodoxatheodoxa Member Posts: 1,340 ■■■■□□□□□□
    TheNewITGuy wrote: »
    you forgot the access to the internet.

    Didn't even notice that.

    Router(config-nacl)#deny ip <OTHER VLANS SUBNET ID> <OTHER VLANS WILDCARD MASK> <ALL VLANS SUBNET ID> <ALL VLANS WILDCARD MASK>
    Router(config-nacl)#permit ip <OTHER VLANS SUBNET ID> <OTHER VLANS WILDCARD MASK> any
    R&S: CCENT CCNA CCNP CCIE [ ]
    Security: CCNA [ ]
    Virtualization: VCA-DCV [ ]
    · Share on FacebookShare on Twitter
Sign In or Register to comment.