Help with extended access list

danilo-mugosa04
Level 1

So I've been working on my project and I've implemented VLANs and also router on a stick. Now I want to block connections between VLANs that are not the same with an extended access list, but something does not work. Here are the commands that I've written:

ip access-list extended VLAN10-PING
permit icmp 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255
deny icmp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip any any

ip access-list extended VLAN20-PING
permit icmp 192.168.20.0 0.0.0.255 192.168.20.0 0.0.0.255
deny icmp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip any any

Here is the zip file. Please help.


Joseph W. Doherty
Hall of Fame

Well, for starters, you have the ACL applied on the main interface. Try applying it on the router's relevant subinterface(s).

Next, at the IP level, same network traffic shouldn't be going to gateway, so your permit ICMP ACEs aren't needed.

Next, if you want to deny all ICMP between VLANs, your ACE can be much simpler.

Lastly, do you really want to block all ICMP, or just ping?

Just ping


Is this something that I should do?

ip access-list extended DENY-ICMP-BETWEEN-VLANS
deny icmp any any

interface GigabitEthernet0/0.10
description VLAN 10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
ip access-group DENY-ICMP-BETWEEN-VLANS in

Accepted Solution

Hello,

as @Joseph W. Doherty said, you need to apply the access lists (which look almost correct in your first post) to the relevant subinterfaces. So:

ip access-list extended VLAN10-PING
deny icmp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip any any

interface GigabitEthernet0/0.10
description VLAN 10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
ip access-group VLAN10-PING in

------------------------------

ip access-list extended VLAN20-PING
deny icmp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip any any

interface GigabitEthernet0/0.20
description VLAN 20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip access-group VLAN20-PING in

Is this also a valid solution?

! Define ACLs to deny all ICMP traffic between VLANs
ip access-list extended DENY-ICMP-BETWEEN-VLANS
deny icmp any any

! Apply ACLs on subinterfaces
interface GigabitEthernet0/0.10
description VLAN 10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
ip access-group DENY-ICMP-BETWEEN-VLANS in

interface GigabitEthernet0/0.20
description VLAN 20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip access-group DENY-ICMP-BETWEEN-VLANS in

Because here I don't need to use this "deny icmp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255" for every single VLAN.

Hello,

this will almost work. Keep in mind that every access list has an implicit 'deny all' at the end. So you need to add 'permit ip any any' at the bottom, otherwise everything will be blocked.

Joseph W. Doherty
Hall of Fame

Almost there!

Between your and @Georg Pauwen's replies, if you want to limit this blocking to pings you now only need to limit the ACE to just pings. So, hint, consider ALL the options on your deny ACE.

Lastly, consider: will a single deny ACE, for blocking pings, be sufficient? Hint, this last question, and its correct answer, is important to understanding how to solve this network requirement.

A similar question of ACL usage would be should ACL be used in, out or both?

Hint, last two questions are for understanding, because might there be multiple "correct" answers or is there truly one "right" answer?

Again, above questions might help you much in future ACL issues but are not needed to solve your OP.
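An added example, not from the thread: a small Python first-match evaluator for IOS-style extended ACLs that runs the "deny icmp any any" ACL posted above, the version with "permit ip any any" from the reply about the implicit deny, and an echo-only deny in the spirit of the hint about limiting the ACE to pings, against constructed packets arriving inbound on the VLAN 10 subinterface. The packet values, the tuple encoding and the echo-only ACL are my own assumptions; the only IOS behaviour modelled is first-match ordering and the implicit deny at the end of every ACL.

```python
import ipaddress

def in_wildcard(addr, net, wildcard):
    """IOS wildcard match: a 1 bit in the mask means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a | w) == (n | w)

def ace_matches(ace, pkt):
    """ace = (action, proto, src, src_wc, dst, dst_wc, icmp_type or None)."""
    action, proto, src, src_wc, dst, dst_wc, itype = ace
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if not in_wildcard(pkt["src"], src, src_wc) or not in_wildcard(pkt["dst"], dst, dst_wc):
        return False
    return itype is None or pkt.get("icmp_type") == itype

def evaluate(acl, pkt):
    """First matching ACE wins; no match falls through to the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace[0]
    return "deny"  # implicit 'deny ip any any' at the end of every IOS ACL

ANY = ("0.0.0.0", "255.255.255.255")
V10 = ("192.168.10.0", "0.0.0.255")
V20 = ("192.168.20.0", "0.0.0.255")

# The ACL as posted in the thread: a deny with nothing after it.
DENY_ALL_ICMP = [("deny", "icmp", *ANY, *ANY, None)]
# The fix from the thread: an explicit permit so non-ICMP traffic still flows.
DENY_ALL_ICMP_FIXED = DENY_ALL_ICMP + [("permit", "ip", *ANY, *ANY, None)]
# Assumed reading of the 'just pings' hint: match only echo requests
# from VLAN 10 to VLAN 20, so echo replies and other ICMP keep working.
DENY_ECHO_ONLY = [("deny", "icmp", *V10, *V20, "echo"),
                  ("permit", "ip", *ANY, *ANY, None)]

# Constructed sample packets, all arriving inbound on Gi0/0.10 from VLAN 10.
PING = {"proto": "icmp", "src": "192.168.10.5", "dst": "192.168.20.5", "icmp_type": "echo"}
REPLY = {"proto": "icmp", "src": "192.168.10.5", "dst": "192.168.20.5", "icmp_type": "echo-reply"}
HTTP = {"proto": "tcp", "src": "192.168.10.5", "dst": "192.168.20.5"}

def summarize(acl):
    """Action taken for each sample packet under the given ACL."""
    return {n: evaluate(acl, p) for n, p in (("ping", PING), ("reply", REPLY), ("http", HTTP))}

if __name__ == "__main__":
    for name, acl in (("deny only", DENY_ALL_ICMP), ("deny + permit", DENY_ALL_ICMP_FIXED),
                      ("echo only", DENY_ECHO_ONLY)):
        print(f"{name:14} {summarize(acl)}")
```

The evaluator only models the inbound side on one subinterface; a ping started from VLAN 20 would need the matching deny on the VLAN 20 subinterface as well.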

I think I solved the problem; now I've got a new one with routing. Can you guys help me with it?

https://community.cisco.com/t5/routing/help-with-dynamic-routing/td-p/5076169
