07-18-2023 09:42 AM
I'm completely new to ACLs, so I apologize if the solution is obvious.
I attached the Packet Tracer project; I'm trying to set up some ACLs on the core switches to manage inter-VLAN routing and VLAN access to the "WAN".
For now I have applied the following ACLs:
ip access-list extended UFFICI
100 permit ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.255.255
200 permit udp 192.168.1.0 0.0.0.255 3.3.3.2 0.0.0.0 eq 67
210 permit udp 192.168.2.0 0.0.0.255 3.3.3.2 0.0.0.0 eq 67
220 permit udp 192.168.3.0 0.0.0.255 3.3.3.2 0.0.0.0 eq 67
230 permit udp 192.168.4.0 0.0.0.255 3.3.3.2 0.0.0.0 eq 67
310 permit tcp 192.168.1.0 0.0.0.255 100.0.0.10 0.0.0.0 eq 443
320 permit tcp 192.168.3.0 0.0.0.255 100.0.0.10 0.0.0.0 eq 443
330 permit tcp 192.168.4.0 0.0.0.255 100.0.0.10 0.0.0.0 eq 443
400 permit udp 192.168.1.0 0.0.0.255 100.0.0.50 0.0.0.0 eq 69
410 permit udp 192.168.1.0 0.0.0.255 100.0.0.50 0.0.0.0 eq 69
420 permit udp 192.168.1.0 0.0.0.255 100.0.0.50 0.0.0.0 eq 69
430 permit udp 192.168.1.0 0.0.0.255 100.0.0.50 0.0.0.0 eq 69
500 permit ip 192.168.0.0 0.0.15.255 192.168.0.0 0.0.15.255
1000 deny ip any any
exit
interface vlan 101
ip access-group UFFICI out
interface vlan 102
ip access-group UFFICI out
interface vlan 103
ip access-group UFFICI out
interface vlan 104
ip access-group UFFICI out
The exercise is:
I'm not sure if I'm doing something wrong or if it's Packet Tracer, but I'm not getting the expected behavior at all: computers can't reach the HTTPS server but (sometimes) can reach the DHCP server, VLAN 104 can't reach the other zones, and sometimes the VLANs in zone 1 can't see each other. What am I not getting?
thanks for the help!
07-19-2023 03:39 PM - last edited on 07-21-2023 12:39 AM by Translator
It is great that you use Rapid-PVST, but also use the portfast default command so that PCs get IPs before the switch port times out.
A PC in VLAN 101, zone 1, can ping a PC in VLAN 104, zone 1.
HTTPS traffic from PC 192.168.1.22 in zone 1 to web server 100.0.0.10 is blocked by the ACL on switches CO2 and CO1. Note: return traffic may be load balanced here? I would add/edit a line in ACL UFFICI on both L3 switches:
98 permit tcp host 100.0.0.10 eq 443 192.168.1.0 0.0.0.255
to allow HTTPS traffic back to the VLAN 101 PC.
In general I am against using ACLs on L3 switching. Per the ACL placement rule for extended ACLs (as close to the source as possible), I would suggest using a router and not an L3 switch.
Regards, ML
**Please Rate All Helpful Responses **
07-18-2023 10:17 AM
What is the VLAN SVI IP?
07-18-2023 11:58 PM
IPs are:
192.168.0.0/16
  192.168.0.0/20 -> Zone 1 (.0.x - .15.x)
    VLAN 101: 192.168.1.0/24 Direzione (DHCP on the server)
    VLAN 102: 192.168.2.0/24 Ingegneria (DHCP on the server)
    VLAN 103: 192.168.3.0/24 Marketing (DHCP on the server)
    VLAN 104: 192.168.4.0/24 IT (DHCP on the server)
  192.168.16.0/20 -> Zone 2 (.16.x - .31.x)
    VLAN 201: 192.168.16.0/24 MUtensili
    VLAN 202: 192.168.17.0/24 ComputerLN (DHCP on the server)
  192.168.32.0/20 -> Zone 3 (.32.x - .47.x)
    VLAN 301: 192.168.32.0/24 ComputerMGZ (DHCP on the server)
  192.168.48.0/20 -> services (.48.x - .63.x)
    VLAN 401: 192.168.48.0/24 VOCE (local DHCP)
    VLAN 402: 192.168.49.0/24 WiFi (DHCP on the server)
    VLAN 403: 192.168.50.0/24 Videosorveglianza
  192.168.255.0/29 -> Router to core switches
    192.168.255.0/30 -> PTPCO1
      192.168.255.1 ROUTER gi0/1/0
      192.168.255.2 CO1 gi1/1/3
    192.168.255.4/30 -> PTPCO2
      192.168.255.5 ROUTER gi0/1/1
      192.168.255.6 CO2 gi1/1/3
WAN:
- Web server: 100.0.0.10
- TFTP server: 100.0.0.50
- DHCP server: 3.3.3.2
07-20-2023 12:37 AM
thanks for the advice! I think I'm starting to get it