Extended ACL doesn't work in my lab: Cisco Packet Tracer

Hello, dear users, I have a little problem with my lab. The task is to create three networks using three 2960-24TT switches with the following IP addresses:
192.168.3.0/255.255.255.0 (/24);
10.0.1.0/255.0.0.0 (/8);
172.17.1.0/255.255.0.0 (/16);
192.168.4.0/255.255.255.0 (/24)
(attached screenshot: Screenshot 2022-01-04 002451.png)


Then, using a 3560-24PS and VLANs, unite these networks so that the PCs in these networks can ping each other.


Then I added another 2960-24TT switch with three servers. According to the task, I have to allow access from each network to only one server, so the other networks won't have access to the server that is already associated with a particular network.


I used an extended ACL, created the list of rules and applied it to the SVI interface, which is the gateway for the servers' network, and it doesn't work properly. Using simulation mode I discovered that the ICMP requests are sent to the servers, but the ICMP replies don't reach the source PC because of the ACL on the L3 switch. In the attachment you will find the CPT project screenshot of the network and the configuration of the L3 switch in the lab. Thank you!

interface FastEthernet0/1
!
interface FastEthernet0/2
switchport trunk allowed vlan 2
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/3
switchport trunk allowed vlan 3
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/4
switchport trunk allowed vlan 4
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/5
switchport trunk allowed vlan 5
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
no ip address
shutdown
!
interface Vlan2
mac-address 00e0.f745.dc01
ip address 192.168.3.1 255.255.255.0
!
interface Vlan3
mac-address 00e0.f745.dc02
ip address 10.0.1.1 255.0.0.0
!
interface Vlan4
mac-address 00e0.f745.dc03
ip address 172.17.1.1 255.255.0.0
ip access-group ServNet in
!
interface Vlan5
mac-address 00e0.f745.dc04
ip address 192.168.4.1 255.255.255.0
ip access-group ServNet in
!
ip classless
!
ip flow-export version 9
!
!
ip access-list extended ServNet
deny tcp 172.17.0.0 0.0.255.255 host 192.168.4.2
deny tcp 10.0.0.0 0.255.255.255 host 192.168.4.2
deny tcp 192.168.3.0 0.0.0.255 host 192.168.4.3
deny tcp 172.17.0.0 0.0.255.255 host 192.168.4.3
deny tcp 192.168.3.0 0.0.0.255 host 192.168.4.4
deny tcp 10.0.0.0 0.255.255.255 host 192.168.4.4
permit tcp any any


1 Accepted Solution

Seb Rupik
VIP Alumni

Hi there,

You should block as close to the source as possible, so place the ACL on the host SVI, not the server SVI. Also, your ACL has the source and destination components the wrong way around for the direction it is being applied in. Try the following:

!
ip access-list extended ServNetV2
  deny ip 192.168.3.0 0.0.0.255 host 192.168.4.3
  deny ip 192.168.3.0 0.0.0.255 host 192.168.4.4
  permit ip any any
!
ip access-list extended ServNetV3
  deny ip 10.0.0.0 0.255.255.255 host 192.168.4.2
  deny ip 10.0.0.0 0.255.255.255 host 192.168.4.4
  permit ip any any
!
ip access-list extended ServNetV4
  deny ip 172.17.0.0 0.0.255.255 host 192.168.4.2
  deny ip 172.17.0.0 0.0.255.255 host 192.168.4.3
  permit ip any any
!
! apply each list inbound on the SVI of the hosts it restricts,
! and remove the old list from the server SVI
int vlan2
  ip access-group ServNetV2 in
int vlan3
  ip access-group ServNetV3 in
int vlan4
  ip access-group ServNetV4 in
int vlan5
  no ip access-group ServNet in
!

cheers,

Seb.


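To see why the original placement failed and the answer's placement works, here is an added example (not from the thread) that models IOS extended-ACL matching: wildcard masks, first-match evaluation and the implicit deny. Both ACLs are copied from the thread; the PC address 192.168.3.2 is an assumption for a host in Network1.

```python
import ipaddress

def wildcard_match(addr, net, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def parse_addr(tok, i):
    """Read one address spec ('any', 'host A.B.C.D', or 'A.B.C.D wildcard')."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2

def parse_ace(line):
    """Parse 'permit|deny <proto> <src> <dst>' into its four parts."""
    tok = line.split()
    src, i = parse_addr(tok, 2)
    dst, _ = parse_addr(tok, i)
    return tok[0], tok[1], src, dst

def acl_verdict(acl, proto, src, dst):
    """First matching entry wins; no match hits the implicit deny at the end."""
    for line in acl:
        action, p, (sn, sw), (dn, dw) = parse_ace(line)
        if p in ("ip", proto) and wildcard_match(src, sn, sw) \
                and wildcard_match(dst, dn, dw):
            return action
    return "deny"

# ACL from the question, applied 'in' on Vlan5 (server SVI): it only ever
# sees the servers' replies, whose source is 192.168.4.x, so no deny matches
# and anything that is not TCP falls through to the implicit deny.
SERVNET_ORIGINAL = [
    "deny tcp 172.17.0.0 0.0.255.255 host 192.168.4.2",
    "deny tcp 10.0.0.0 0.255.255.255 host 192.168.4.2",
    "deny tcp 192.168.3.0 0.0.0.255 host 192.168.4.3",
    "deny tcp 172.17.0.0 0.0.255.255 host 192.168.4.3",
    "deny tcp 192.168.3.0 0.0.0.255 host 192.168.4.4",
    "deny tcp 10.0.0.0 0.255.255.255 host 192.168.4.4",
    "permit tcp any any",
]
# ServNetV2 from the accepted answer, applied 'in' on Vlan2 (host SVI).
SERVNET_V2 = [
    "deny ip 192.168.3.0 0.0.0.255 host 192.168.4.3",
    "deny ip 192.168.3.0 0.0.0.255 host 192.168.4.4",
    "permit ip any any",
]
```

Evaluate an ICMP echo reply from 192.168.4.2 to the PC against SERVNET_ORIGINAL and it is dropped by the implicit deny, while a TCP reply is permitted; with SERVNET_V2 the PC's requests reach 192.168.4.2 but not .3 or .4.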

4 Replies


Thanks, it works


Hello
What is your intention with the access list? What is it you would like to block and allow? Could you elaborate on this?
Also, the PT file you've attached doesn't work.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello, thank you. The intention of using the ACL is to let the PCs in each network communicate only with the server associated with that particular network. So, according to the screenshot, Network1 should have access to Server0 but not to Server1 and Server2, Network2 should have access to Server1 but not to Server0 and Server2, and Network3 should have access to Server2 but not to Server0 and Server1.

I have done such ACLs in other labs, but with routers and subinterfaces, not with an L3 switch. I think the problem is with PT, because I understand how ACLs work and believe the ones I've written make sense according to the task.

I used version 8.0.1.0064 of PT. I'll try to attach the PT file once again. I also uploaded it to Google Drive: https://drive.google.com/drive/folders/1Nt-c6_F2cZTbSLoOML42kW0Q5lSNL6JI?usp=sharing