ACL Vlan

Ragounee
Level 1

Good morning!

I am a beginner with Cisco Packet Tracer. As part of a project I have to carry out, I am currently blocked at the level of ACLs. To put you in context, I have 5 VLANs:

V10 -> 192.168.10.0
V20 -> 192.168.20.0
V30 -> 192.168.30.0
V40 -> 192.168.40.0
V50 -> 192.168.50.0

For example, V40 must communicate with everyone, but no one must be able to communicate with it. I have tried several access lists: I manage to block communication by refusing entry, but in return I can no longer communicate with it.

I performed the operations on the router because, according to my tests, it is not possible to create an ACL on a switch.

I have also attached a screenshot of my setup.

Would you have the solution? Thanks!

Accepted Solution

Screenshot (31).png

It's simple:
R2 has IP 10.0.0.100
R3 has IP 20.0.0.100
R1 is the default gateway and it is router-on-a-stick.
I only apply the ACL with direction OUT on the subinterface of 10.0.0.0/24 on R1.
The ACL allows only:
icmp echo-reply
icmp unreachable

This makes R2 able to ping R3 and get a reply for its ping, BUT R3 cannot ping R2.


11 Replies

MichaelMcCoy
Level 1

Please post your ACLs.

The idea of a VLAN is to separate traffic at layer 2, so I can make assumptions about your ACLs, but it would be easier to assist while seeing the ACLs.

OK, sorry if I did not give enough information.

Example:
Router(config)#access-list 1 deny 192.168.20.0 0.0.0.255
Router(config)#access-list 1 permit any

Router(config)#interface gigabitEthernet 0/0/0.4
Router(config-subif)#ip access-group 1 out

The goal is to prevent VLAN 20 from communicating with VLAN 40 while VLAN 40 still manages to communicate with VLAN 20. After applying this ACL, here are the ping results:

Vlan 20 to 40:

C:\>ping 192.168.40.1

Ping 192.168.40.1 with 32 bytes of data:

Response from 192.168.20.254: Destination host unreachable.
Response from 192.168.20.254: Destination host unreachable.

Vlan 40 to 20:

C:\>ping 192.168.20.1

Ping 192.168.20.1 with 32 bytes of data:

The request has timed out.
The request has timed out.

Full disclosure, I am not a seasoned Cisco tech. But I think what you are trying to do may be impossible (from a ping aspect, and possibly for any protocol not expressly noted in the ACL). With that said, you would need an inbound ACL set:

Router(config)#access-list 2 permit 192.168.40.0 0.0.0.255
Router(config)#access-list 2 permit any   (or whatever for this rule)

Router(config)#interface gigabitEthernet 0/0/0.4
Router(config-subif)#ip access-group 2 in

If you are hoping to get a reply back, access-list 1 will block it, but technically VLAN 40 should be communicating with VLAN 20.

Keep in mind that when you receive the message "destination host unreachable", that means the packet could not reach the destination. "Request timed out" means the traffic did not find a path back to the source after reaching the destination.

So if/when you implement this change and perform a ping from 192.168.40.1, the message should change from "destination host unreachable" to "request timed out".

balaji.bandi
Hall of Fame

"V40 must communicate with everyone but no one must be able to communicate with it"

In your case: V40 -> 192.168.40.0 to V10/V20/V30/V50 is allowed.

V10/V20/V30/V50 -> V40 -> 192.168.40.0 is denied? Is this what you are looking for?

interface gigabitEthernet 0/0/0.4     <--- you applied the ACL here; what is the config of this interface?

Do you have the diagram you mentioned in the original post?

How is your VLAN config: is this an SVI or subinterfaces? Please post that information; it will help us suggest better.


BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Ragounee
Level 1

It looks like the screenshot was not saved in the post. I'm sorry, I'm a newbie to the forum; I'm trying to put it back in order to share the configuration with you more clearly.

Cisco P7.PNG

Thanks


I tried with your configuration:

Router#show access-lists
Extended IP access list 100
10 permit icmp any host 192.168.40.0 echo-reply
20 permit icmp any host 192.168.40.0 unreachable
30 deny ip any any (16 match(es))

interface g 0/0/0.4
ip access-group 100 out

The other networks can no longer ping my V40; unfortunately, it can no longer ping anyone either...

Try:

permit icmp any 192.168.40.0 0.0.0.255 echo-reply
permit icmp any 192.168.40.0 0.0.0.255 unreachable

BB


host 192.168.40.0 <<-- this is not right; you need to make it 192.168.40.0 0.0.0.255

There is no host with the IP 192.168.40.0.

Ragounee
Level 1

Thank you very much for your answer. Thanks to you, I managed to achieve what I wanted. To finish, here is how I configured my ACL on interface g 0/0/0.4 in the OUT direction:

Extended IP Access List 100
10 permit icmp any 192.168.40.0 0.0.0.255 echo-reply (11 matches)
20 permit icmp any 192.168.40.0 0.0.0.255 unreachable
30 deny ip any any (8 match(es))

Thank you all!!
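The following is an added example, not code from the thread or from any Cisco tool. It models in Python what the accepted solution and balaji.bandi's wildcard correction describe: IOS first-match ACL evaluation with wildcard masks and the implicit final deny, applied outbound on the VLAN 40 subinterface of a router-on-a-stick. It shows why `host 192.168.40.0` never matches a real PC (wildcard 0.0.0.0 means "this exact address only"), why the corrected `192.168.40.0 0.0.0.255` lets VLAN 40 ping out while nobody can ping in, and what the same ACL does to a non-ICMP packet. The packet model, the `ping_succeeds` helper, and the assumption that IOS maps `echo-reply`, `unreachable` and echo requests to ICMP types 0, 3 and 8 are mine; the addresses are the ones used in the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ICMP type numbers behind the IOS keywords used in the thread
# (standard IANA values; that IOS maps the keywords this way is my assumption).
ICMP_ECHO_REPLY = 0
ICMP_UNREACHABLE = 3
ICMP_ECHO_REQUEST = 8

Match = Tuple[str, str]                       # (address, wildcard mask)
ANY: Match = ("0.0.0.0", "255.255.255.255")   # IOS "any"
V40_NET: Match = ("192.168.40.0", "0.0.0.255")


def host(addr: str) -> Match:
    """IOS 'host A.B.C.D' is shorthand for wildcard 0.0.0.0 (that exact address)."""
    return (addr, "0.0.0.0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                        # "icmp", "tcp", "udp", ...
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches any protocol
    src: Match
    dst: Match
    icmp_type: Optional[int] = None   # None: any ICMP type


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bits set to 1 are 'don't care'; bits set to 0 must match exactly."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, *ace.src):
        return False
    if not wildcard_match(pkt.dst, *ace.dst):
        return False
    if ace.proto == "icmp" and ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; every IOS ACL ends in an implicit 'deny ip any any'."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action, ace.seq
    return "deny", None


# ACL 100 as first entered in the thread: 'host 192.168.40.0' matches only that
# one address, which no PC uses, so even echo replies fall through to line 30.
BROKEN_ACL = [
    Ace(10, "permit", "icmp", ANY, host("192.168.40.0"), ICMP_ECHO_REPLY),
    Ace(20, "permit", "icmp", ANY, host("192.168.40.0"), ICMP_UNREACHABLE),
    Ace(30, "deny", "ip", ANY, ANY),
]

# ACL 100 as corrected: wildcard 0.0.0.255 covers the whole VLAN 40 subnet.
FIXED_ACL = [
    Ace(10, "permit", "icmp", ANY, V40_NET, ICMP_ECHO_REPLY),
    Ace(20, "permit", "icmp", ANY, V40_NET, ICMP_UNREACHABLE),
    Ace(30, "deny", "ip", ANY, ANY),
]


def ping_succeeds(acl: List[Ace], pinger: str, target: str) -> bool:
    """Model one ping through R1 with 'acl' applied OUT on the VLAN 40 subinterface.

    Only packets the router forwards toward 192.168.40.0/24 hit this ACL;
    packets leaving toward the other VLANs are not filtered by it.
    """
    def allowed(pkt: Packet) -> bool:
        if not wildcard_match(pkt.dst, *V40_NET):
            return True               # not sent out the VLAN 40 subinterface
        return evaluate(acl, pkt)[0] == "permit"

    request = Packet(pinger, target, "icmp", ICMP_ECHO_REQUEST)
    reply = Packet(target, pinger, "icmp", ICMP_ECHO_REPLY)
    return allowed(request) and allowed(reply)


if __name__ == "__main__":
    for name, acl in (("broken", BROKEN_ACL), ("fixed", FIXED_ACL)):
        print(name, "V40 -> V20:", ping_succeeds(acl, "192.168.40.1", "192.168.20.1"))
        print(name, "V20 -> V40:", ping_succeeds(acl, "192.168.20.1", "192.168.40.1"))
```

With the corrected ACL the model reports that 192.168.40.1 can ping 192.168.20.1 (the echo reply matches line 10) while 192.168.20.1 cannot ping 192.168.40.1 (the echo request hits line 30), which is exactly the behaviour the thread ends with; with the `host 192.168.40.0` version both directions fail. The same evaluation shows the limit MichaelMcCoy hinted at: a TCP packet returning to VLAN 40 also hits line 30, because a stateless ACL cannot tell return traffic from a new connection. If VLAN 40 must also open TCP sessions outward, IOS offers the `established` keyword on an extended ACL entry, or reflexive ACLs, for that return traffic.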

Glad our suggestion was able to help you fix your issue; appreciated your input.

BB
