ACL Packet Tracer Question

oneofthose
Beginner

Currently practicing configuring ACLs on Packet Tracer and I am having trouble doing so. My scenario is that I have 3 VLANs: VLAN 10 sales, VLAN 20 management, VLAN 30 admin. I want to permit only VLAN 30 to have access to the server and to deny VLAN 10 and 20 access.

access-list 100 permit ip 192.168.0.0 0.0.0.31 192.168.10.2 0.0.0.0

access-list 100 deny ip any 192.168.10.2 0.0.0.0

int fa0/0.30

ip access-group 100 in

When I do this it denies VLAN 30 from pinging anything, and VLAN 10 and 20 can still ping the radius server.

Hope anyone can help. Thanks

1 Accepted Solution

ryancisco01
Beginner

First point, you don't have an access list on VLAN 10 and 20, so all traffic will be allowed through on those VLANs. You have applied your access list to sub-interface 30, meaning sub-interface 10 and 20 traffic is not inspected.

As for VLAN 30, the access-list looks a bit jumbled but it should work. This is what I would do:

access-list 100 permit ip 192.168.0.0 0.0.0.31 host 192.168.10.2 log

access-list 100 deny ip any any log

Remember there is an implicit deny any at the bottom, so a deny at the bottom is not needed, but in this case I have put it there with the log keyword. After you try your traffic, do show access-list 100 and see which line has its hit count increasing; that will indicate which rule the traffic is matching.
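To make the two points above concrete (an inbound ACL only inspects the sub-interface it is bound to, and the implicit deny catches everything the explicit lines miss), here is an added Python model of first-match ACL evaluation with Cisco wildcard masks. It is example code, not from the thread or from Packet Tracer; the sample hosts 192.168.0.10 and 192.168.20.5 and the sub-interface bindings are constructed for illustration.

```python
"""Added example (not from the thread): evaluate Cisco-style numbered ACLs the way IOS does,
including the implicit deny and the fact that an ACL only filters where it is applied."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# One access-control entry: (action, src, src_wildcard, dst, dst_wildcard).
ACE = Tuple[str, str, str, str, str]
HOST = "0.0.0.0"                       # 'host X' is shorthand for 'X 0.0.0.0'
ANY = ("0.0.0.0", "255.255.255.255")   # 'any'    is shorthand for '0.0.0.0 255.255.255.255'


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match the base, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def evaluate(acl: List[ACE], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """First-match evaluation; line None means the implicit 'deny ip any any' fired."""
    for line, (action, sb, sw, db, dw) in enumerate(acl, start=1):
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action, line
    return "deny", None


def hit_counts(acl: List[ACE], flows: List[Tuple[str, str]]) -> Dict[Optional[int], int]:
    """Per-line match counters, like the '(N matches)' column of 'show access-list'."""
    counts: Dict[Optional[int], int] = {}
    for src, dst in flows:
        _, line = evaluate(acl, src, dst)
        counts[line] = counts.get(line, 0) + 1
    return counts


def ingress_decision(bindings: Dict[str, Optional[List[ACE]]], subif: str, src: str, dst: str) -> str:
    """An inbound ACL only inspects packets arriving on the sub-interface it is bound to."""
    acl = bindings.get(subif)
    return "permit" if acl is None else evaluate(acl, src, dst)[0]


# The OP's ACL: permit VLAN 30 -> server, deny anyone else -> server, then the implicit deny.
ACL_OP: List[ACE] = [("permit", "192.168.0.0", "0.0.0.31", "192.168.10.2", HOST),
                     ("deny", *ANY, "192.168.10.2", HOST)]
# The accepted answer's ACL: same permit, then an explicit (logged) deny any any.
ACL_ANSWER: List[ACE] = [("permit", "192.168.0.0", "0.0.0.31", "192.168.10.2", HOST),
                         ("deny", *ANY, *ANY)]
# Constructed bindings as in the question: ACL 100 inbound on fa0/0.30 only.
BINDINGS: Dict[str, Optional[List[ACE]]] = {"fa0/0.10": None, "fa0/0.20": None, "fa0/0.30": ACL_OP}
```

With the OP's ACL, a VLAN 30 host reaching anything other than the server falls through to the implicit deny (line None), which is exactly the "denies VLAN 30 from pinging anything" symptom, while a VLAN 10 host arriving on fa0/0.10 is never inspected at all.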
