Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2448
Views
0
Helpful
4
Replies

Doesn`t works extended ACL in my lab: Cisco Packet Tracer

Go to solution
battlechicken228
Level 1
Level 1

‎01-03-2022 03:05 PM - last edited on ‎01-05-2022 11:33 AM by Community Manager

Hello, dear users, have a little problem with my lab. The task is to create three networks using three switches 2960-24TT with next ip addresses:
192.168.3.0/255.255.255.0 (/24);
10.0.1.0/255.0.0.0 (/8);
172.17.1.0/ 255.255.0.0 (16)
192.168.4.0/255.255.255.0 (/24)Screenshot 2022-01-04 002451.png


then using 3560-24PS and vlans unite these netwoks that PCs in this netwoks could ping each other.


Then I added another switch 2960-24TT with three servers, according to the task, I have to allow access from each network to only one server, so the others networks won`t have access to server that already associated with particular network.


I used extended ACL, created the list of rules and linked it to SVI interface, which is gateaway for servers`s network, and it doesn`t work properly, using simulation mode i discoversed that ICMP requests are sending to the servers, but ICMP replays doesn`t reaching the source PC because of ACL on L3 switch. In the attachment you will find CPT project screenshot of the network and configuration of the L3 switch in the lab. Thank you!

interface FastEthernet0/1
!
interface FastEthernet0/2
switchport trunk allowed vlan 2
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/3
switchport trunk allowed vlan 3
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/4
switchport trunk allowed vlan 4
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/5
switchport trunk allowed vlan 5
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
no ip address
shutdown
!
interface Vlan2
mac-address 00e0.f745.dc01
ip address 192.168.3.1 255.255.255.0
!
interface Vlan3
mac-address 00e0.f745.dc02
ip address 10.0.1.1 255.0.0.0
!
interface Vlan4
mac-address 00e0.f745.dc03
ip address 172.17.1.1 255.255.0.0
ip access-group ServNet in
!
interface Vlan5
mac-address 00e0.f745.dc04
ip address 192.168.4.1 255.255.255.0
ip access-group ServNet in
!
ip classless
!
ip flow-export version 9
!
!
ip access-list extended ServNet
deny tcp 172.17.0.0 0.0.255.255 host 192.168.4.2
deny tcp 10.0.0.0 0.255.255.255 host 192.168.4.2
deny tcp 192.168.3.0 0.0.0.255 host 192.168.4.3
deny tcp 172.17.0.0 0.0.255.255 host 192.168.4.3
deny tcp 192.168.3.0 0.0.0.255 host 192.168.4.4
deny tcp 10.0.0.0 0.255.255.255 host 192.168.4.4
permit tcp any any

 

Labels:
LAB3.zip
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Seb Rupik
VIP Alumni
VIP Alumni

‎01-03-2022 04:06 PM

Hi there,

you should block as close to the source as possible, so place the ACL on the host SVI, not the server SVI. Also you ACL has the source and destination compoments the wrong way around considering the direction it is being configured for. Try the following:

!
ip access-list extended ServNetV2
  deny ip 192.168.3.0 0.0.0.255 192.168.4.3
  deny ip 192.168.3.0 0.0.0.255 192.168.4.4
  permit ip any any
!
ip access-list extended ServNetV3
  deny ip 10.0.0.0 0.255.255.255 192.168.4.2
  deny ip 10.0.0.0 0.255.255.255 192.168.4.4
  permit ip any any
!
ip access-list extended ServNetV4
  deny ip 172.17.0.0 0.0.255.255 192.168.4.2
  deny ip 172.17.0.0 0.0.255.255 192.168.4.3
  permit ip any any
!
int vlan2
  ip access-group ServNetV2 in
int vlan3
  ip access-group ServNetV3 in
int vlan4
  ip access-group ServNetV4 in
int vlan5
  no ip access-group ServNet in
!

cheers,

Seb.

 

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Seb Rupik
VIP Alumni
VIP Alumni

‎01-03-2022 04:06 PM

Hi there,

you should block as close to the source as possible, so place the ACL on the host SVI, not the server SVI. Also you ACL has the source and destination compoments the wrong way around considering the direction it is being configured for. Try the following:

!
ip access-list extended ServNetV2
  deny ip 192.168.3.0 0.0.0.255 192.168.4.3
  deny ip 192.168.3.0 0.0.0.255 192.168.4.4
  permit ip any any
!
ip access-list extended ServNetV3
  deny ip 10.0.0.0 0.255.255.255 192.168.4.2
  deny ip 10.0.0.0 0.255.255.255 192.168.4.4
  permit ip any any
!
ip access-list extended ServNetV4
  deny ip 172.17.0.0 0.0.255.255 192.168.4.2
  deny ip 172.17.0.0 0.0.255.255 192.168.4.3
  permit ip any any
!
int vlan2
  ip access-group ServNetV2 in
int vlan3
  ip access-group ServNetV3 in
int vlan4
  ip access-group ServNetV4 in
int vlan5
  no ip access-group ServNet in
!

cheers,

Seb.

 

0 Helpful

Go to solution
battlechicken228
Level 1
Level 1
In response to Seb Rupik

‎01-04-2022 10:07 AM

Thanks, it`s works

 

0 Helpful

Go to solution
paul driver
VIP
VIP

‎01-04-2022 03:11 AM - edited ‎01-04-2022 03:11 AM

Hello
What is your intention with the access-list , what is it you would like to block and allow, could you elaborate on this?
Also that PT file you've attached doesn't work.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

Go to solution
battlechicken228
Level 1
Level 1
In response to paul driver

‎01-04-2022 04:21 AM

Hello, thank you, intention of using ACL is to provide the ability of PC`s in networks to communicate only with servers which was associated with theese particular netwoks, so, according to screenshot Network1 should have access to Server0, but doesn`t have access to Server1 and Server2, Network2 should have access to Server1, but doesn`t have access to Server0 and Server2 and Network3 should have access to Server2, but doesn`t have access to Server0 and Server1.

I used to do such ACL in others labs but with routers and subinterfaces, not with L3 switch, I think problem with PT, becouse I understand how ACL works and believe ones I`ve done makes sense according to the task.

I used 8.0.1.0064 version of PT, I`ll try to attach PT file ones again. Also I downloaded one in Google Drive https://drive.google.com/drive/folders/1Nt-c6_F2cZTbSLoOML42kW0Q5lSNL6JI?usp=sharing

LAB3.zip
0 Helpful
Customers Also Viewed These Support Documents