01-03-2022 03:05 PM - last edited on 01-05-2022 11:33 AM by Translator
Hello, dear users, I have a little problem with my lab. The task is to create three networks using three 2960-24TT switches with the following IP addresses:
192.168.3.0/255.255.255.0 (/24);
10.0.1.0/255.0.0.0 (/8);
172.17.1.0/255.255.0.0 (/16);
192.168.4.0/255.255.255.0 (/24)
then, using a 3560-24PS and VLANs, unite these networks so that the PCs in these networks can ping each other.
Then I added another 2960-24TT switch with three servers. According to the task, I have to allow access from each network to only one server, so the other networks won't have access to the server that is already associated with a particular network.
I used an extended ACL, created the list of rules and linked it to the SVI interface, which is the gateway for the servers' network, and it doesn't work properly. Using simulation mode I discovered that ICMP requests are sent to the servers, but ICMP replies don't reach the source PC because of the ACL on the L3 switch. In the attachment you will find a CPT project screenshot of the network and the configuration of the L3 switch in the lab. Thank you!
interface FastEthernet0/1
!
interface FastEthernet0/2
switchport trunk allowed vlan 2
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/3
switchport trunk allowed vlan 3
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/4
switchport trunk allowed vlan 4
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/5
switchport trunk allowed vlan 5
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
no ip address
shutdown
!
interface Vlan2
mac-address 00e0.f745.dc01
ip address 192.168.3.1 255.255.255.0
!
interface Vlan3
mac-address 00e0.f745.dc02
ip address 10.0.1.1 255.0.0.0
!
interface Vlan4
mac-address 00e0.f745.dc03
ip address 172.17.1.1 255.255.0.0
ip access-group ServNet in
!
interface Vlan5
mac-address 00e0.f745.dc04
ip address 192.168.4.1 255.255.255.0
ip access-group ServNet in
!
ip classless
!
ip flow-export version 9
!
!
ip access-list extended ServNet
deny tcp 172.17.0.0 0.0.255.255 host 192.168.4.2
deny tcp 10.0.0.0 0.255.255.255 host 192.168.4.2
deny tcp 192.168.3.0 0.0.0.255 host 192.168.4.3
deny tcp 172.17.0.0 0.0.255.255 host 192.168.4.3
deny tcp 192.168.3.0 0.0.0.255 host 192.168.4.4
deny tcp 10.0.0.0 0.255.255.255 host 192.168.4.4
permit tcp any any
01-03-2022 04:06 PM
Hi there,
you should block as close to the source as possible, so place the ACL on the host SVI, not the server SVI. Also your ACL has the source and destination components the wrong way around considering the direction it is being configured for. Try the following:
!
! Network1 (Vlan2) may reach Server0 only
ip access-list extended ServNetV2
 deny ip 192.168.3.0 0.0.0.255 host 192.168.4.3
 deny ip 192.168.3.0 0.0.0.255 host 192.168.4.4
 permit ip any any
!
! Network2 (Vlan3) may reach Server1 only
ip access-list extended ServNetV3
 deny ip 10.0.0.0 0.255.255.255 host 192.168.4.2
 deny ip 10.0.0.0 0.255.255.255 host 192.168.4.4
 permit ip any any
!
! Network3 (Vlan4) may reach Server2 only
ip access-list extended ServNetV4
 deny ip 172.17.0.0 0.0.255.255 host 192.168.4.2
 deny ip 172.17.0.0 0.0.255.255 host 192.168.4.3
 permit ip any any
!
! apply each list inbound on its host SVI and remove the old one from the server SVI
int vlan2
 ip access-group ServNetV2 in
int vlan3
 ip access-group ServNetV3 in
int vlan4
 ip access-group ServNetV4 in
int vlan5
 no ip access-group ServNet in
!
cheers,
Seb.
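As an added illustration (not code from this thread), a small Python model of IOS first-match ACL evaluation, run over the question's ServNet list and the answer's ServNetV2 list. The PC address 192.168.3.2 used for the sample packets is constructed, and wildcard masks are assumed to be contiguous.

```python
import ipaddress

def _addr(tokens):
    # One address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD' (contiguous wildcard assumed).
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    netmask = ipaddress.ip_address(~int(ipaddress.ip_address(tokens[1])) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]

def parse_acl(text):
    # Turn the permit/deny lines of an 'ip access-list extended' block into (action, proto, src, dst).
    aces = []
    for line in text.splitlines():
        t = line.split()
        if t and t[0] in ("permit", "deny"):
            src, rest = _addr(t[2:])
            aces.append((t[0], t[1], src, _addr(rest)[0]))
    return aces

def evaluate(aces, proto, src, dst):
    # First-match lookup as IOS does it; no match means the implicit 'deny ip any any'.
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, ace_src, ace_dst in aces:
        if p in ("ip", proto) and s in ace_src and d in ace_dst:
            return action
    return "deny"

# The question's ServNet, which the L3 switch applies inbound on Vlan5, the server SVI.
SERVNET = """ip access-list extended ServNet
 deny tcp 172.17.0.0 0.0.255.255 host 192.168.4.2
 deny tcp 10.0.0.0 0.255.255.255 host 192.168.4.2
 deny tcp 192.168.3.0 0.0.0.255 host 192.168.4.3
 deny tcp 172.17.0.0 0.0.255.255 host 192.168.4.3
 deny tcp 192.168.3.0 0.0.0.255 host 192.168.4.4
 deny tcp 10.0.0.0 0.255.255.255 host 192.168.4.4
 permit tcp any any"""
# The answer's list for the Network1 SVI (Vlan2), inbound, with the 'host' keyword spelled out.
SERVNET_V2 = """ip access-list extended ServNetV2
 deny ip 192.168.3.0 0.0.0.255 host 192.168.4.3
 deny ip 192.168.3.0 0.0.0.255 host 192.168.4.4
 permit ip any any"""

def reply_into_vlan5():
    # Echo reply Server0 -> Network1 PC entering Vlan5: the source is the server, so no deny line
    # matches, and 'permit tcp any any' does not cover ICMP -> implicit deny (the symptom seen).
    return evaluate(parse_acl(SERVNET), "icmp", "192.168.4.2", "192.168.3.2")

def requests_into_vlan2():
    # Echo requests from the constructed Network1 PC checked on Vlan2 inbound against ServNetV2.
    aces = parse_acl(SERVNET_V2)
    return {d: evaluate(aces, "icmp", "192.168.3.2", d) for d in ("192.168.4.2", "192.168.4.3", "192.168.4.4")}
```

Running the two functions shows the reply being dropped by the original list and, with the list moved to the host SVI, only the associated server being reachable.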
01-04-2022 10:07 AM
Thanks, it works.
01-04-2022 03:11 AM - edited 01-04-2022 03:11 AM
Hello
What is your intention with the access-list? What is it you would like to block and allow? Could you elaborate on this?
Also that PT file you've attached doesn't work.
01-04-2022 04:21 AM
Hello, thank you. The intention of using the ACL is to give the PCs in each network the ability to communicate only with the server associated with that particular network, so, according to the screenshot, Network1 should have access to Server0 but not to Server1 and Server2, Network2 should have access to Server1 but not to Server0 and Server2, and Network3 should have access to Server2 but not to Server0 and Server1.
I used to do such ACLs in other labs, but with routers and subinterfaces, not with an L3 switch. I think the problem is with PT, because I understand how ACLs work and believe the ones I've done make sense according to the task.
I used version 8.0.1.0064 of PT. I'll try to attach the PT file once again. I also uploaded one to Google Drive: https://drive.google.com/drive/folders/1Nt-c6_F2cZTbSLoOML42kW0Q5lSNL6JI?usp=sharing