10-29-2019 09:07 AM
Hello All,
I have little to no experience with ACLs, and have a task I am trying to complete.
I have two networks that I am looking to segment, VLANs 229 and 230. Here are the interface configurations on my router:
interface GigabitEthernet0/0/0.229
encapsulation dot1Q 229
ip address 10.163.116.1 255.255.254.0
ip helper-address 10.0.80.25
ip helper-address 10.18.80.22
!
interface GigabitEthernet0/0/0.230
encapsulation dot1Q 230
ip address 10.163.118.1 255.255.254.0
ip helper-address 10.0.80.25
ip helper-address 10.18.80.22
The goal with these interfaces is as follows:
- VLAN 229 and 230 subnets need to be able to talk to each other
- Both subnets need to be able to talk to each ip helper
- Both subnets need to be able to talk with 10.163.115.224/23
- Deny traffic from all other local 10.x subnets
- Allow internet access for the VLAN 229 and VLAN 230 subnets
This is the first Cisco ACL I've created. I applied it inbound to both the 229 and 230 interfaces:
ip access-list extended VLAN229_VLAN230_ACL
permit ip 10.163.116.0 0.0.1.255 10.163.116.0 0.0.1.255
permit ip 10.163.118.0 0.0.1.255 10.163.118.0 0.0.1.255
permit ip 10.163.118.0 0.0.1.255 10.163.116.0 0.0.1.255
permit ip 10.163.116.0 0.0.1.255 host 10.0.80.25
permit ip 10.163.116.0 0.0.1.255 host 10.18.80.22
permit ip 10.163.118.0 0.0.1.255 host 10.0.80.25
permit ip 10.163.118.0 0.0.1.255 host 10.18.80.22
permit ip host 10.18.80.22 10.163.116.0 0.0.1.255
permit ip host 10.18.80.22 10.163.118.0 0.0.1.255
permit ip host 10.0.80.25 10.163.116.0 0.0.1.255
permit ip host 10.0.80.25 10.163.118.0 0.0.1.255
permit ip 10.163.116.0 0.0.1.255 10.163.118.0 0.0.1.255
permit ip 10.163.118.0 0.0.1.255 10.163.115.224 0.0.0.15
permit ip 10.163.116.0 0.0.1.255 10.163.115.224 0.0.0.15
permit ip 10.163.115.224 0.0.0.15 10.163.116.0 0.0.1.255
permit ip 10.163.115.224 0.0.0.15 10.163.118.0 0.0.1.255
deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
permit ip 10.163.116.0 0.0.1.255 any
permit ip 10.163.118.0 0.0.1.255 any
After applying these ACLs, I put myself on the wireless network, which is 10.18.30.0/24, and was able to ping everything on the 10.163.118 and the 10.163.116 subnets. Any insight as to why, or how I can change this ACL to complete the task at hand?
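To reason about which line of an ACL like the one above a given packet hits, here is a small first-match evaluator with Cisco wildcard-mask semantics (an added example, not code from the original post or from Cisco). It runs on a constructed subset of the posted lines; `evaluate` returns the matching line or the implicit deny, and `wildcard_size` shows how many addresses a given wildcard covers. Keep in mind that an inbound ACL on a VLAN subinterface only sees packets arriving from that VLAN, so traffic sourced elsewhere is only affected through the replies.

```python
import ipaddress

# Constructed subset of the ACL posted above; IOS evaluates top-down, first match
# wins, then an implicit "deny ip any any". This models exactly that behaviour.
ACL_TEXT = """
permit ip 10.163.118.0 0.0.1.255 10.163.116.0 0.0.1.255
permit ip 10.163.116.0 0.0.1.255 host 10.0.80.25
permit ip host 10.0.80.25 10.163.116.0 0.0.1.255
permit ip 10.163.116.0 0.0.1.255 10.163.115.224 0.0.0.15
deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
permit ip 10.163.116.0 0.0.1.255 any
permit ip 10.163.118.0 0.0.1.255 any
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _parse_addr(tok, i):
    """Parse 'any', 'host A' or 'A WILDCARD' at tok[i]; return (addr, wildcard, next_index)."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    return _ip(tok[i]), _ip(tok[i + 1]), i + 2

def parse_acl(text):
    """Return ordered (action, src, src_wild, dst, dst_wild) entries."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()                   # e.g. ['permit', 'ip', src, wild, dst, wild]
        src, sw, i = _parse_addr(tok, 2)     # tok[1] is the protocol ('ip' throughout)
        dst, dw, _ = _parse_addr(tok, i)
        entries.append((tok[0], src, sw, dst, dw))
    return entries

def _matches(addr, base, wild):
    # A 1 bit in the wildcard means "don't care"; every other bit must equal the base.
    return ((addr ^ base) & ~wild & 0xFFFFFFFF) == 0

def evaluate(entries, src, dst):
    """Return (action, 1-based line) of the first match, or ('deny', None) for the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for n, (action, bs, ws, bd, wd) in enumerate(entries, 1):
        if _matches(s, bs, ws) and _matches(d, bd, wd):
            return action, n
    return "deny", None

def wildcard_size(wild):
    """Addresses a wildcard covers: each 1 bit doubles the range (0.0.0.15 -> 16)."""
    return 2 ** bin(_ip(wild)).count("1")
```

Feeding it a reply from a VLAN 230 host back to the wireless subnet shows the 10/8-to-10/8 deny is what would catch that traffic, while a packet to a non-RFC1918 address falls through to the final permits.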
10-29-2019 09:30 AM
High level: you need to have an end
ip access-list extended VLAN229_VLAN230_ACL
...
deny ip any any
to take effect.
VLAN229_VLAN230_ACL <-- I have not seen your config applied on your interface?
10-29-2019 10:51 AM
Hello,
Thanks for the help! I was under the impression that Cisco ACLs had an implicit deny at the end, is that not correct?
Also it is removed from the interface at the moment, as it wasn't working as intended during maintenance period.
10-30-2019 01:41 AM
Yes, there is an implicit deny at the end. On the other side, I have not seen the ACL applied on the interface as per the original post.
If that change has already been made or amended as per the other posts' suggestions and it is still not working, can you post the latest config to review?
10-30-2019 05:56 AM
Hello.
As I had stated in a previous post, the ACL isn't applied at the moment because it didn't work during my testing period, and this is for a production environment. Thanks for your help!
10-29-2019 09:36 AM
Hello guys,
I suggest that you use a VACL - VLAN MAPPING. I created a script for you.
Look below:
ip access-list extended VLAN229_VLAN230_ACL
remark BETWEEN_VLANS_229_230
permit ip 10.163.116.0 0.0.1.255 10.163.118.0 0.0.1.255
permit ip 10.163.118.0 0.0.1.255 10.163.116.0 0.0.1.255
remark BETWEEN_VLAN_ITSELF
permit ip 10.163.116.0 0.0.1.255 10.163.116.0 0.0.1.255
permit ip 10.163.118.0 0.0.1.255 10.163.118.0 0.0.1.255
remark BETWEEN_VLANS_TO_.155.224/23
permit ip 10.163.115.224 0.0.0.15 10.163.116.0 0.0.1.255
permit ip 10.163.115.224 0.0.0.15 10.163.118.0 0.0.1.255
permit ip 10.163.116.0 0.0.1.255 10.163.115.224 0.0.0.15
permit ip 10.163.118.0 0.0.1.255 10.163.115.224 0.0.0.15
ip access-list extended DENY_10.0.0/8
permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
vlan access-map PERMIT_VLAN229_VLAN230_ACL 10
match ip address VLAN229_VLAN230_ACL
action forward
vlan access-map PERMIT_VLAN229_VLAN230_ACL 20
match ip address DENY_10.0.0/8
action drop
vlan access-map PERMIT_VLAN229_VLAN230_ACL 30
action forward
vlan filter PERMIT_VLAN229_VLAN230_ACL vlan-list 229,230
10-31-2019 11:17 AM
Unfortunately I am only able to test this on Sundays, as these networks are for automated production systems that run 24/6. I will provide an update then, sorry for the delay!
10-29-2019 09:52 AM - edited 10-29-2019 11:20 AM
Hi @dc12132
You could try with two ACLs, one for each VLAN interface:
for SVI 229:
access-list 129 permit ip 10.163.116.0 0.0.1.255 10.163.118.0 0.0.1.255
access-list 129 permit ip 10.163.116.0 0.0.1.255 host 10.0.80.25
access-list 129 permit ip 10.163.116.0 0.0.1.255 host 10.18.80.22
access-list 129 permit ip 10.163.116.0 0.0.1.255 10.163.115.224 0.0.1.255
access-list 129 deny ip 10.163.116.0 0.0.1.255 10.0.0.0 0.255.255.255
access-list 129 permit ip any any
interface vlan 229
ip access-group 129 in
for SVI 230:
access-list 130 permit ip 10.163.118.0 0.0.1.255 10.163.116.0 0.0.1.255
access-list 130 permit ip 10.163.118.0 0.0.1.255 host 10.0.80.25
access-list 130 permit ip 10.163.118.0 0.0.1.255 host 10.18.80.22
access-list 130 permit ip 10.163.118.0 0.0.1.255 10.163.115.224 0.0.1.255
access-list 130 deny ip 10.163.118.0 0.0.1.255 10.0.0.0 0.255.255.255
access-list 130 permit ip any any
interface vlan 230
ip access-group 130 in
Regards