04-22-2024 02:58 PM
So I've been working on my project and I've implemented VLANs and also router on a stick. Now I want to block connections between VLANs that are not the same with an extended access list, but something does not work. Here are the commands that I've written:
ip access-list extended VLAN10-PING
permit icmp 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255
deny icmp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip any any
ip access-list extended VLAN20-PING
permit icmp 192.168.20.0 0.0.0.255 192.168.20.0 0.0.0.255
deny icmp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip any any
Here is the zip file. Please help.
04-22-2024 05:34 PM
Well, for starters, you have the ACL applied on the main interface. Try applying it on the router's relevant subinterface(s).
Next, at the IP level, same-network traffic shouldn't be going to the gateway, so your permit ICMP ACEs aren't needed.
Next, if you want to deny all ICMP between VLANs, your ACE can be much simpler.
Lastly, do you really want to block all ICMP, or just ping?
04-23-2024 01:15 AM
Just ping
04-23-2024 01:44 AM
Is this something that I should do?
ip access-list extended DENY-ICMP-BETWEEN-VLANS
deny icmp any any
interface GigabitEthernet0/0.10
description VLAN 10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
ip access-group DENY-ICMP-BETWEEN-VLANS in
04-23-2024 02:09 AM - edited 04-23-2024 02:10 AM
Hello,
as @Joseph W. Doherty said, you need to apply the access lists (which look almost correct in your first post) to the relevant subinterfaces. So:
ip access-list extended VLAN10-PING
deny icmp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip any any
interface GigabitEthernet0/0.10
description VLAN 10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
ip access-group VLAN10-PING in
------------------------------
ip access-list extended VLAN20-PING
deny icmp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip any any
interface GigabitEthernet0/0.20
description VLAN 20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip access-group VLAN20-PING in
04-23-2024 03:34 AM
Is this also a valid solution?
! Define ACLs to deny all ICMP traffic between VLANs
ip access-list extended DENY-ICMP-BETWEEN-VLANS
deny icmp any any
! Apply ACLs on subinterfaces
interface GigabitEthernet0/0.10
description VLAN 10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
ip access-group DENY-ICMP-BETWEEN-VLANS in
interface GigabitEthernet0/0.20
description VLAN 20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip access-group DENY-ICMP-BETWEEN-VLANS in
Because here I don't need to use this "deny icmp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255" for every single VLAN.
04-23-2024 04:01 AM
Hello,
this will almost work. Keep in mind that every access list has an implicit 'deny all' at the end. So you need to add 'permit ip any any' at the bottom, otherwise everything will be blocked.
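To make the implicit deny and first-match behaviour discussed above concrete, here is an added example (not code from the thread or from Cisco) that models a subset of IOS extended-ACL evaluation and runs the ACLs posted in this thread against constructed sample packets. The `Packet` class, the `parse_acl` and `evaluate` helpers and the sample addresses are assumptions of this example; only `permit|deny <proto> any|<net> <wildcard> ...` ACEs are parsed.

```python
# Added example: minimal model of Cisco IOS extended-ACL evaluation (first match wins,
# implicit deny at the end). Hypothetical helper names; not Cisco's own code.
from dataclasses import dataclass
import ipaddress


@dataclass
class Packet:
    proto: str   # "icmp", "tcp", "udp", ...
    src: str     # source IPv4 address
    dst: str     # destination IPv4 address


def _wild_match(addr: str, net: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a set bit in the wildcard is a don't-care bit."""
    if net == "any":
        return True
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)


def _take_addr(tok):
    """Consume 'any' or '<net> <wildcard>' from the token list."""
    if tok[0] == "any":
        return ("any", "0.0.0.0"), tok[1:]
    return (tok[0], tok[1]), tok[2:]


def parse_acl(text: str) -> list:
    """Parse ACE lines; the 'ip access-list ...' header and '!' comments are skipped."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue
        src, rest = _take_addr(tok[2:])
        dst, _ = _take_addr(rest)
        aces.append((tok[0], tok[1], src, dst))
    return aces


def evaluate(aces, pkt: Packet) -> str:
    """Return 'permit' or 'deny' for the first matching ACE; no match hits the implicit deny."""
    for action, proto, (snet, swc), (dnet, dwc) in aces:
        if proto in ("ip", pkt.proto) and _wild_match(pkt.src, snet, swc) and _wild_match(pkt.dst, dnet, dwc):
            return action
    return "deny"  # implicit 'deny all' at the end of every IOS ACL


# The two variants discussed in the thread, plus the per-VLAN list from the accepted answer.
DENY_ICMP_ONLY = "ip access-list extended DENY-ICMP-BETWEEN-VLANS\n deny icmp any any\n"
DENY_ICMP_PLUS_PERMIT = DENY_ICMP_ONLY + " permit ip any any\n"
VLAN10_PING = ("ip access-list extended VLAN10-PING\n"
               " deny icmp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255\n"
               " permit ip any any\n")
```

Applied inbound on the VLAN 10 subinterface, `VLAN10_PING` drops ICMP from 192.168.10.0/24 to 192.168.20.0/24 but never sees the reverse direction, which is why the accepted answer applies a mirror-image list on the VLAN 20 subinterface.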
04-23-2024 05:31 AM
Almost there!
Between your and @Georg Pauwen's replies, if you want to limit this blocking to pings, you now only need to limit the ACE to just pings. So, hint, consider ALL the options on your deny ACE.
Lastly, consider: will a single deny ACE for blocking pings be sufficient? Hint, this last question, and its correct answer, is important to understanding how to solve this network requirement.
A similar question of ACL usage would be: should the ACL be applied in, out, or both?
Hint, the last two questions are for understanding, because might there be multiple "correct" answers, or is there truly one "right" answer?
Again, above questions might help you much in future ACL issues but are not needed to solve your OP.
04-23-2024 05:34 AM
I think I solved the problem; now I've got a new one with routing. Can you guys help me with it?
https://community.cisco.com/t5/routing/help-with-dynamic-routing/td-p/5076169