ACCESS-CONTROL LIST

catalinmatei112
Level 1

I have 3 departments, each with a router and 10 PCs, and I have to configure an access-control list based on the exercises below:

1. The first department should have access to the second but not to the third.

2. The second department should not have access to any department.

3. The third department should have access to all departments.

I did the first exercise, and I don't know how to do the rest. This subject is new to me.

I can share the file if you need it; an explanation or something similar would be useful. Thank you!

16 Accepted Solutions


Hello
Sounds like the request is not clear. From an IP perspective this cannot be done with just an access-list, as the return traffic from the second department to the third for UDP is connectionless; however it can be done with extended ACLs at a protocol level (TCP), or even maybe with reflective ACLs to include UDP, where the secondary department will return traffic but not be able to initiate it. So can you confirm if this is just for TCP traffic?

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul


Hello,

My guess is that this is a Packet Tracer project? Post the (zipped) Packet Tracer project (.pkt) file...


That's the file. I did static routing, I configured a DHCP server, and now I have to control the access between departments.


Hello,

below is the basic procedure:

    ! Create an ACL to allow the first department access to the second but not the third
    access-list 100 permit ip <first_department_subnet> <wildcard_mask_of_first_department> <second_department_subnet> <wildcard_mask_of_second_department>
    access-list 100 deny ip <first_department_subnet> <wildcard_mask_of_first_department> <third_department_subnet> <wildcard_mask_of_third_department>
    access-list 100 permit ip any any

    ! Create an ACL to deny the second department access to any other departments
    access-list 101 deny ip <second_department_subnet> <wildcard_mask_of_second_department> any
    access-list 101 permit ip any any

    ! Create an ACL to allow the third department access to all departments
    access-list 102 permit ip <third_department_subnet> <wildcard_mask_of_third_department> any
    access-list 102 permit ip any any

Replace <first_department_subnet>, <wildcard_mask_of_first_department>, <second_department_subnet>, <wildcard_mask_of_second_department>, <third_department_subnet>, and <wildcard_mask_of_third_department> with the actual subnet information for your departments.

Then, apply these ACLs to the appropriate interfaces using the ip access-group command (IOS treats lines starting with ! as comments; a trailing # comment on a command line is not accepted). For example:

    ! Apply ACL 100 inbound on the interface for the first department
    interface <interface_number>
     ip access-group 100 in
     exit

    ! Apply ACL 101 inbound on the interface for the second department
    interface <interface_number>
     ip access-group 101 in
     exit

    ! Apply ACL 102 inbound on the interface for the third department
    interface <interface_number>
     ip access-group 102 in
     exit

Remember to replace <interface_number> with the actual interface where the departments are connected. Also, adapt the ACLs to your network topology and addressing scheme.


Well, yes, this is just for TCP traffic.


Thank you so much, I'll be back after I try this!


Hello @Georg Pauwen 
If I am reading this correctly, I'm quite sure this will not work; the ACL on the secondary department will negate the return traffic to the other departments.



Kind Regards
Paul


So I did what you said, but it's still not working :)) I went into the simulation, but for example when the data comes from the first department and enters the second, it gives me an error when it leaves, and I get the failed message.


Yes, you are right, so is there any option to solve this? Maybe there is something to permit/deny access between departments without using an ACL?


 

I tried using static routing, but that doesn't work either because all 3 routers are connected in line.


Hello,

I opened your lab file, but I do not understand your IP addressing. What is the purpose of the IP addresses on the physical LAN interfaces? You have VLANs 10, 20 and 30 on the routers respectively, but they all have a subinterface with an IP address in the x.x.25.0/25 address space? Send the full instructions of your project...


1. At least 30 computers distributed among 3 departments: the Accounting Department, the Marketing Department and the Programming Department.

2. Start from the IP address 196.240.17.0 and share it in the most optimal way

3. You must use VLANs

4. Communication between departments will be carried out as follows:

a. The Accounting Department has access to the Marketing Department but does not have access to the Programming Department

b. The Marketing Department does not have access to any department

c. The Programming Department has access to all departments

5. The distribution of IPs to computers will be done automatically

So that's the project I got, and that's all I got for VLANs. I found so many videos where I saw that to create a VLAN on a router I should create a subinterface.


Hello


@catalinmatei112 wrote:

1. The first department should have access to the second but not to the third.
2. The second department should not have access to any department.
3. The third department should have access to all departments.

Well, yes, this is just for TCP traffic.



First of all, your IP addressing is incorrect: you have the same LAN subnet in the different departments attached to 3 separate routers; this is not applicable.

Attached is a working PT with amended IP addressing and dynamic routing added instead of static, along with a working basic extended access-list that will obtain the result you desire above.



Kind Regards
Paul


Hello


@catalinmatei112 wrote:
The access between departments still isn't working; I mean, the first 2 work properly but the third still can't access the first two.

Humm.. It works for me. I did edit the file when I first uploaded it, as I attached the wrong one; can you try and download the PT again from here and test?

The access goes as follows:

  • rtr0/sw0 lan can access rtr1/sw1 lan but NOT rtr2/sw2 lan
  • rtr1/sw1 lan cannot access either rtr0/sw0 or rtr2/sw2 lans
  • rtr2/sw2 lan can access rtr0/sw0 & rtr1/sw1 lans


Kind Regards
Paul


Hello
TBH that would be a lot to explain, as no two networks will be exactly the same, so the connectivity for that network can vary (static routing, dynamic routing such as EIGRP/OSPF/IS-IS/BGP, etc.).

The basic concept in this instance is that the extended access-list (ACL) is controlling the access between the LAN networks.

  • rtr0/sw0 lan can access rtr1/sw1 lan but NOT rtr2/sw2 lan (ACL applied inbound on the WAN interface of rtr0; this negates the rtr1 lan from initiating TCP/ICMP traffic towards the rtr0 lan)

    ip access-list extended ACL
    permit tcp 196.240.19.0 0.0.0.255 any established
    permit icmp 196.240.19.0 0.0.0.255 any echo-reply
    deny ip 196.240.19.0 0.0.0.255 any
    permit ip any any

  • rtr1/sw1 lan cannot access either rtr0/sw0 or rtr2/sw2 lans
    no ACL applied

  • rtr2/sw2 lan can access rtr0/sw0 & rtr1/sw1 lans (ACL applied inbound on the WAN interface of rtr2; this negates the other lans from initiating TCP/ICMP traffic towards the rtr2 lan)

    ip access-list extended ACL
    permit tcp 196.240.17.0 0.0.0.255 any established
    permit icmp 196.240.17.0 0.0.0.255 any echo-reply
    deny ip 196.240.17.0 0.0.0.255 any
    permit tcp 196.240.19.0 0.0.0.255 any established
    permit icmp 196.240.19.0 0.0.0.255 any echo-reply
    deny ip 196.240.19.0 0.0.0.255 any
    permit ip any any



Kind Regards
Paul
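As an added illustration that is not part of this thread or of any poster's files, the following Python model replays how an IOS ACL is evaluated (top-down, first match wins, implicit deny at the end, wildcard-mask matching) against the two designs discussed above: Georg's ACL 101 applied inbound on the second department's LAN interface, and Paul's extended ACL with "established" applied inbound on rtr0's WAN interface. The subnets 196.240.17.0/24 (rtr0 lan) and 196.240.19.0/24 (rtr1 lan) are taken from Paul's ACL; the host addresses, the use of 196.240.18.0/24 for the rtr2 lan, and the simplified treatment of "established" as "TCP segment with ACK or RST set" are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing. 196.240.17.0/24 and 196.240.19.0/24 come from Paul's ACLs;
# 196.240.18.0/24 for the rtr2 lan and the .10 hosts are assumptions of this example.
ACCT_PC = "196.240.17.10"   # first department  (rtr0/sw0 lan)
MKT_PC = "196.240.19.10"    # second department (rtr1/sw1 lan)
PROG_PC = "196.240.18.10"   # third department  (rtr2/sw2 lan, assumed subnet)


@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    established: bool = False  # TCP segment carrying ACK or RST, i.e. a reply
    icmp_type: str = ""        # "echo" or "echo-reply"


@dataclass
class Entry:
    action: str
    proto: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    established: bool = False
    icmp_type: str = ""


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard-mask semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care


def parse_entry(line: str) -> Entry:
    """Parse the subset of IOS ACL syntax used in this thread:
    permit|deny <proto> <src> <wc>|any|host <a> <dst> <wc>|any|host <a> [established|echo|echo-reply]"""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]

    def take_address():
        nonlocal rest
        if rest[0] == "any":
            rest = rest[1:]
            return "0.0.0.0", "255.255.255.255"
        if rest[0] == "host":
            host, rest = rest[1], rest[2:]
            return host, "0.0.0.0"
        base, wc, rest = rest[0], rest[1], rest[2:]
        return base, wc

    src, src_wc = take_address()
    dst, dst_wc = take_address()
    established = "established" in rest
    icmp_type = next((t for t in rest if t in ("echo", "echo-reply")), "")
    return Entry(action, proto, src, src_wc, dst, dst_wc, established, icmp_type)


def parse_acl(text: str) -> list:
    return [parse_entry(l) for l in text.strip().splitlines() if l.strip()]


def matches(entry: Entry, pkt: Packet) -> bool:
    if entry.proto != "ip" and entry.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, entry.src, entry.src_wc):
        return False
    if not wildcard_match(pkt.dst, entry.dst, entry.dst_wc):
        return False
    if entry.established and not (pkt.proto == "tcp" and pkt.established):
        return False
    if entry.icmp_type and pkt.icmp_type != entry.icmp_type:
        return False
    return True


def evaluate(acl: list, pkt: Packet) -> str:
    """Top-down, first match wins; every IOS ACL ends with an implicit deny."""
    for entry in acl:
        if matches(entry, pkt):
            return entry.action
    return "deny"


# Georg's ACL 101 with the second department's subnet filled in, applied inbound on
# rtr1's LAN interface: every packet sourced in the Marketing lan crosses it.
GEORG_ACL_101 = parse_acl("""
deny ip 196.240.19.0 0.0.0.255 any
permit ip any any
""")

# Paul's extended ACL, applied inbound on rtr0's WAN interface: every packet
# entering rtr0 from the other departments crosses it.
PAUL_RTR0_ACL = parse_acl("""
permit tcp 196.240.19.0 0.0.0.255 any established
permit icmp 196.240.19.0 0.0.0.255 any echo-reply
deny ip 196.240.19.0 0.0.0.255 any
permit ip any any
""")


def reply_crossing_acl(acl: list, server_pc: str, client_pc: str, proto: str = "tcp") -> str:
    """Verdict for the reply of a session that client_pc started towards server_pc,
    as that reply crosses the ACL on its way back (the direction both designs filter)."""
    if proto == "tcp":
        pkt = Packet("tcp", server_pc, client_pc, established=True)   # SYN-ACK
    elif proto == "icmp":
        pkt = Packet("icmp", server_pc, client_pc, icmp_type="echo-reply")
    else:
        pkt = Packet("udp", server_pc, client_pc)                     # no flags to key on
    return evaluate(acl, pkt)


if __name__ == "__main__":
    print("Georg ACL 101, Accounting->Marketing TCP reply:", reply_crossing_acl(GEORG_ACL_101, MKT_PC, ACCT_PC))
    print("Paul rtr0 ACL, Accounting->Marketing TCP reply:", reply_crossing_acl(PAUL_RTR0_ACL, MKT_PC, ACCT_PC))
    print("Paul rtr0 ACL, Marketing-initiated TCP SYN:     ", evaluate(PAUL_RTR0_ACL, Packet("tcp", MKT_PC, ACCT_PC)))
    print("Paul rtr0 ACL, Accounting->Marketing UDP reply:", reply_crossing_acl(PAUL_RTR0_ACL, MKT_PC, ACCT_PC, "udp"))
```

Running it shows the two points made in the thread: under Georg's ACL 101 the SYN-ACK from the Marketing host is dropped, so the first department's TCP sessions to the second never complete (Paul's objection), while Paul's "established" and "echo-reply" entries let replies back into rtr0's lan and still drop anything the Marketing lan initiates. The UDP case comes back "deny" even for a reply, which is the connectionless caveat Paul raised in his first post; a stateless extended ACL cannot tell a UDP reply from a UDP request.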


Hello


@catalinmatei112 wrote:

Hi again, sorry for bothering. I have a question: I used your access-lists, and I discovered that when I try to ping a PC in the first department from the second department, I can do this, but I don't want to. So, is there any solution to solve this project definitively?

The ACL I supplied was based on your OP, but maybe I misread the requirements:
Bld1 can reach Bld2 but not Bld3
Bld2 cannot reach either Bld1/3
Bld3 can reach all Blds

Can you share the PT file you are currently running, highlighting the areas requiring connectivity? I had the following:



Kind Regards
Paul


So, I opened your file, and I have a question: the access between departments still isn't working; what can I do to solve it? I'm sorry for asking, but I'm kinda new, and I started like 3 days ago.
