That's the file, I did a static routing, I configured a DHCP server, and now I have to control the access-between departments  

Hello,

below is the basic procedure:

# Create an ACL to allow the first department access to the second but not the third

access-list 100 permit ip <first_department_subnet> <wildcard_mask_of_first_department> <second_department_subnet> <wildcard_mask_of_second_department>
access-list 100 deny ip <first_department_subnet> <wildcard_mask_of_first_department> <third_department_subnet> <wildcard_mask_of_third_department>
access-list 100 permit ip any any

# Create an ACL to deny the second department access to any other departments

access-list 101 deny ip <second_department_subnet> <wildcard_mask_of_second_department> any
access-list 101 permit ip any any

# Create an ACL to allow the third department access to all departments

access-list 102 permit ip <third_department_subnet> <wildcard_mask_of_third_department> any
access-list 102 permit ip any any
Replace <first_department_subnet>, <wildcard_mask_of_first_department>, <second_department_subnet>, <wildcard_mask_of_second_department>, <third_department_subnet>, and <wildcard_mask_of_third_department> with the actual subnet information for your departments.

Then, apply these ACLs to the appropriate interfaces using the ip access-group command. For example:

interface <interface_number>
ip access-group 100 in # Apply ACL 100 inbound on the interface for the first department
exit

interface <interface_number>
ip access-group 101 in # Apply ACL 101 inbound on the interface for the second department
exit

interface <interface_number>
ip access-group 102 in # Apply ACL 102 inbound on the interface for the third department
exit

Remember to replace <interface_number> with the actual interface number where the departments are connected. Also, adapt the ACLs based on your network topology and addressing scheme.

Well, yes this is just for tcp traffic

Thank you so much, I'll be back after I will try this!

Hello @Georg Pauwen 
If i am reading this correctly Im quite sure this will not work, the acl on the secondary department will negate the return traffic to the other departments

So I did what you said, but still not working:)) I entered to see the simulation, but for ex when the data come from first department and entered in second, when he left it gives me error, and I got the failed message.

Yes, you are right, so is there any option to solve this? Maybe exist something to permit/deny access between departments, without using ACL

I tried using static routing but that doesn't work either because all 3 routers are connected in line

Hello,

I opened your lab file, but I do not understand your IP addressing. What is the purpose of the IP addresses on the physical LAN interfaces ? You have Vlans 10,20 and 30 on the routers respectively, but they all have a subinterface with an IP address in the x.x.25.0/25 address space ? Send the full instructions of your project...

1. At least 30 computers distributed among 3 departments: the Accounting Department, the Marketing Department and the Programming Department.

2. Start from the ip address 196.240.17.0 and share it in the most optimal way

3. You must use VLANs

4. Communication between departments will be carried out as follows:

a. The Accounting Department has access to the Marketing Department but does not have access to the Programming Department

b. The Marketing Department does not have access to any department

c. The Programming Department has access to all departments

5. The distribution of IPs to computers will be done automatically

So that's a project that I got, and that's all I got for VLANS.I found so many videos where I saw that to create a vlan on a router I should create a subinterface 

Hello
TBH that would be a lot to explain as no two networks will be exactly the same so the connectivity for that network can vary ( static routing, dynamic routing such as eigrp/ospf/isis/bgp etc..

The basic concept in this instance is that the extended access-list (ACL is controlling the access between the lan networks.

• rtr0/sw0 lan can access rtr1/sw1 lan but NOT rtr2/sw2 lan (acl applied inbound on wan interface for rtr0) -- this negates rtr1 lans from initiating tcp/icmp traffic towards rtr0 lan)
  
  ip access-list extended ACL
  permit tcp 196.240.19.0 0.0.0.255 any established
  permit icmp 196.240.19.0 0.0.0.255 any echo-reply
  deny ip 196.240.19.0 0.0.0.255 any
  permit ip any any
  
  
• rtr1/sw1 lan cannot access either rtr0/sw0 or rtr2/sw2  lans
  no acl applied
  
  
• rtr2/sw2 lan can 0 access rtr0/sw0 & rtr1/sw1 lans (acl applied inbound on wan interface for rtr2 -- this negates the other lans from initiating tcp/icmp traffic towards rtr2 lan)
  
  ip access-list extended ACL
  permit tcp 196.240.17.0 0.0.0.255 any established
  permit icmp 196.240.17.0 0.0.0.255 any echo-reply
  deny ip 196.240.17.0 0.0.0.255 any
  permit tcp 196.240.19.0 0.0.0.255 any established
  permit icmp 196.240.19.0 0.0.0.255 any echo-reply
  deny ip 196.240.19.0 0.0.0.255 any
  permit ip any any