Help with Vlan Access-list in small lab environment

ZaXaZ
Level 1

Hello.

First of all, I hope this is the right place for my post.

 

I'm somewhat new to the Cisco world; I was introduced to Cisco equipment and non-GUI configuration of switches/routers around 6 months ago, so I hope you all can bear with a lack in my knowledge and some perhaps "stupid" questions here and there.

At work I was given a lab environment project where I'm expected to find some of the answers I need myself, and googling is not helping me anymore, so where better to turn than here.

 

How do I allow internet access to some of the VLANs?

I think I have configured the access-list right for VLAN 10, 30 and 50, and this is where I feel I'm getting stuck.

I also need to configure OSPF and DHCP, if I'm not mistaken.

 

To be clear, I'm not looking for a copy-paste answer. I guess what I'm looking for most of all is guidance, best practice and why something should be done one way and not the other way.

 

I did take CCNA 1 and 2 in school, but due to lack of time they did not teach around 80% of the stuff.

By lack of time I mean we were given 8 work days to do all of the lab work, reading and tests of CCNA 2.

 

This is what I'm working with, my current configs and requirements of the setup:

The router needs to hand out IP addresses on all networks

The router should be configured with OSPF

All of my work needs to be documented, in a report and a presentation.

 

It's a rather small network: a 2911 router connected to a 3560 PoE-8.

I have 5 VLANs other than the management VLAN for the switch:
10, 20, 30, 40, 50

10 needs to have access to: 20 and 40

20 needs to have access to: internet, 10, 50 and 40

30 needs to have access to: nothing other than what's in the same VLAN

40 needs to have access to: internet, 10, 50 and 20

50 needs to have access to: 20 and 40

 

My IP table looks like this:

VLAN 10 contains 30 hosts  192.168.1.0 /26
VLAN 20 contains 28 hosts  192.168.1.64 /27
VLAN 30 contains 19 hosts  192.168.1.96 /27
VLAN 40 contains 5 hosts  192.168.1.128 /29
VLAN 50 contains 4 hosts  192.168.1.136 /29
VLAN 99 192.168.1.44 /30

 

 

Switch running config:

Current configuration : 3098 bytes
!
! Last configuration change at 02:58:23 UTC Thu Mar 11 1993
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW1
!
boot-start-marker
boot-end-marker
!
!
username admin password 0 cisco
aaa new-model
!
aaa session-id common
system mtu routing 1500
ip domain-name ite.14.fmi.dk
!
crypto pki trustpoint TP-self-signed-2449084544
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2449084544
 revocation-check none
 rsakeypair TP-self-signed-2449084544
!
crypto pki certificate chain TP-self-signed-2449084544
 certificate self-signed 01

        quit
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 20
 switchport mode access
!
interface FastEthernet0/3
 switchport access vlan 30
 switchport mode access
!
interface FastEthernet0/4
 switchport access vlan 40
 switchport mode access
!
interface FastEthernet0/5
 switchport access vlan 50
 switchport mode access
!
interface FastEthernet0/6
 shutdown
!
interface FastEthernet0/7
 shutdown
!
interface FastEthernet0/8
 shutdown
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,10,20,30,40,50,99
 switchport mode trunk
!
interface Vlan1
 no ip address
!
interface Vlan10
 no ip address
!
interface Vlan99
 ip address 192.168.1.145 255.255.255.248
!
ip http server
ip http secure-server
!
line con 0
 logging synchronous
line vty 0 4
 transport input ssh
line vty 5 15
!
end

 

Router running config:

Current configuration : 2356 bytes
!
! Last configuration change at 10:49:24 UTC Fri Feb 15 2019
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
license udi pid CISCO2911/K9 sn FCZ155370CT
!
redundancy
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.1.62 255.255.255.192
 ip access-group 10 out
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.1.94 255.255.255.224
!
interface GigabitEthernet0/0.30
 encapsulation dot1Q 30
 ip address 192.168.1.126 255.255.255.224
!
interface GigabitEthernet0/0.40
 encapsulation dot1Q 40
 ip address 192.168.1.134 255.255.255.248
!
interface GigabitEthernet0/0.50
 encapsulation dot1Q 50
 ip address 192.168.1.142 255.255.255.248
!
interface GigabitEthernet0/0.99
 encapsulation dot1Q 99
 ip address 192.168.1.146 255.255.255.252
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/1/0
 no ip address
 shutdown
!
interface GigabitEthernet0/1/1
 no ip address
 shutdown
!
interface GigabitEthernet0/1/2
 no ip address
 shutdown
!
interface GigabitEthernet0/1/3
 no ip address
 shutdown
!
interface GigabitEthernet0/2/0
 no ip address
 shutdown
!
interface GigabitEthernet0/2/1
 no ip address
 shutdown
!
interface GigabitEthernet0/2/2
 no ip address
 shutdown
!
interface GigabitEthernet0/2/3
 no ip address
 shutdown
!
interface Vlan1
 no ip address
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
access-list 10 permit 192.168.1.128 0.0.0.7
access-list 10 permit 192.168.1.64 0.0.0.31
!
control-plane
!
 vstack
!
line con 0
 logging synchronous
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 login
 transport input none
!
scheduler allocate 20000 1000
!
end

 

 

8 Replies

balaji.bandi
Hall of Fame

OK, looks like a good description.

Here are my comments:

 

1. Your management VLAN 99 you have mentioned as

VLAN 99 192.168.1.44 /30   (I believe this is 144/30)

But the config looks different?

 

So basic testing: do you have connectivity between all VLANs by now? If yes, then you need to move to the next level and build the ACLs one by one as per the task.

 

10 needs to have access to: 20 and 40

20 needs to have access to: internet, 10, 50 and 40

30 needs to have access to: nothing other than whats in the same VLAN

40 needs to have access to: internet, 10, 50 and 20

50 needs to have access to: 20 and 40

 

 

2. You have only 1 ACL applied to VLAN 10? Where are the rest of the ACLs? Build them one by one and test, and let us know what is not working so we can make suggestions after reviewing your config.

 

3. The router should be configured with OSPF

You have only 2 devices, so what is the scope of OSPF here, since all the L3 VLANs are on the router?

Or do you have any other device or network? Show us the topology.

 

 

 

BB


1:
The VLAN IP is a typo and should be 192.168.1.144 /30 like you said.

 

For now, all I have to test with is 2 "clients": one I placed in VLAN 10 and the other one in 20, and they are able to ping back and forth.

 

2:

For now, I have 1 ACL almost done. I'm unsure how I open up DHCP so that a client would be able to pull an IP from the router; right now I have the 2 "clients" configured with static IPs.

 

3:

OSPF is a part of the task I was set. Normally there would be 2 people in training where I work, but this time it's just me alone. I guess the idea would be that the 2 networks should be connected at the end of the project.

 

I guess if the task was to be used in a real-world scenario there would be more hardware in my topology, but the added image is how it looks at the moment, aside from the 2 "clients" that I can move around to test the config.

 

 

Should my next step be to continue with the ACLs, or should I get the DHCP done first? I imagine it would make for easier testing when I don't have to set the IP manually every time I move network.

Hello,

 

You need to add the access lists marked in bold to your router configuration. The NAT statements are also needed (in the configuration I assumed interface GigabitEthernet0/1 to be the interface connected to your ISP; if you use another interface, change the configuration accordingly):

 

Current configuration : 2356 bytes
! Last configuration change at 10:49:24 UTC Fri Feb 15 2019
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
license udi pid CISCO2911/K9 sn FCZ155370CT
!
redundancy
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.1.62 255.255.255.192
ip access-group 101 in
!
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 192.168.1.94 255.255.255.224
ip nat inside
ip access-group 102 in
!
interface GigabitEthernet0/0.30
encapsulation dot1Q 30
ip address 192.168.1.126 255.255.255.224
ip access-group 103 in
!
interface GigabitEthernet0/0.40
encapsulation dot1Q 40
ip address 192.168.1.134 255.255.255.248
ip nat inside
ip access-group 104 in
!
interface GigabitEthernet0/0.50
encapsulation dot1Q 50
ip address 192.168.1.142 255.255.255.248
ip access-group 105 in
!
interface GigabitEthernet0/0.99
encapsulation dot1Q 99
ip address 192.168.1.146 255.255.255.252
!
interface GigabitEthernet0/1
description Link to ISP
ip address dhcp
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1/0
no ip address
shutdown
!
interface GigabitEthernet0/1/1
no ip address
shutdown
!
interface GigabitEthernet0/1/2
no ip address
shutdown
!
interface GigabitEthernet0/1/3
no ip address
shutdown
!
interface GigabitEthernet0/2/0
no ip address
shutdown
!
interface GigabitEthernet0/2/1
no ip address
shutdown
!
interface GigabitEthernet0/2/2
no ip address
shutdown
!
interface GigabitEthernet0/2/3
no ip address
shutdown
!
interface Vlan1
no ip address
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 dhcp
!
access-list 1 permit 192.168.1.64 0.0.0.31
access-list 1 permit 192.168.1.128 0.0.0.7
!
access-list 10 permit 192.168.1.128 0.0.0.7
access-list 10 permit 192.168.1.64 0.0.0.31
!
access-list 101 permit ip 192.168.1.0 0.0.0.63 192.168.1.64 0.0.0.31
access-list 101 permit ip 192.168.1.64 0.0.0.31 192.168.1.0 0.0.0.63
access-list 101 permit ip 192.168.1.0 0.0.0.63 192.168.1.128 0.0.0.7
access-list 101 permit ip 192.168.1.128 0.0.0.7 192.168.1.0 0.0.0.63
!
access-list 102 permit ip 192.168.1.64 0.0.0.31 192.168.1.0 0.0.0.63
access-list 102 permit ip 192.168.1.0 0.0.0.63 192.168.1.64 0.0.0.31
access-list 102 permit ip 192.168.1.64 0.0.0.31 192.168.1.128 0.0.0.7
access-list 102 permit ip 192.168.1.128 0.0.0.7 192.168.1.64 0.0.0.31
access-list 102 permit ip 192.168.1.64 0.0.0.31 192.168.1.136 0.0.0.7
access-list 102 permit ip 192.168.1.136 0.0.0.7 192.168.1.64 0.0.0.31
access-list 102 deny ip 192.168.1.64 0.0.0.31 192.168.1.96 0.0.0.31
access-list 102 deny ip 192.168.1.96 0.0.0.31 192.168.1.64 0.0.0.31
access-list 102 permit ip 192.168.1.64 0.0.0.31 any
access-list 102 permit ip any 192.168.1.64 0.0.0.31
!
access-list 103 deny ip any any
!
access-list 104 permit ip 192.168.1.128 0.0.0.7 192.168.1.0 0.0.0.63
access-list 104 permit ip 192.168.1.0 0.0.0.63 192.168.1.128 0.0.0.7
access-list 104 permit ip 192.168.1.128 0.0.0.7 192.168.1.64 0.0.0.31
access-list 104 permit ip 192.168.1.64 0.0.0.31 192.168.1.128 0.0.0.7
access-list 104 permit ip 192.168.1.128 0.0.0.7 192.168.1.136 0.0.0.7
access-list 104 permit ip 192.168.1.136 0.0.0.7 192.168.1.128 0.0.0.7
access-list 104 deny ip 192.168.1.128 0.0.0.7 192.168.1.96 0.0.0.31
access-list 104 deny ip 192.168.1.96 0.0.0.31 192.168.1.128 0.0.0.7
access-list 104 permit ip 192.168.1.128 0.0.0.7 any
access-list 104 permit ip any 192.168.1.128 0.0.0.7
!
access-list 105 permit ip 192.168.1.136 0.0.0.7 192.168.1.64 0.0.0.31
access-list 105 permit ip 192.168.1.64 0.0.0.31 192.168.1.136 0.0.0.7
access-list 105 permit ip 192.168.1.136 0.0.0.7 192.168.1.128 0.0.0.7
access-list 105 permit ip 192.168.1.128 0.0.0.7 192.168.1.136 0.0.0.7
!
control-plane
!
vstack
!
line con 0
logging synchronous
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input none
!
scheduler allocate 20000 1000
!
end
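As an added illustration (my own code, not IOS and not written by anyone in this thread), here is a small first-match evaluator for extended ACLs 101-103 from the reply above, using IOS wildcard-mask semantics and the implicit deny, so the policy matrix from the original post (10 reaches only 20 and 40, 20 also reaches the Internet, 30 reaches nothing) can be checked without hardware. The ACL text is copied from that reply; the helper names, the subnet table and the 203.0.113.10 "Internet" host are my own assumptions.

```python
import ipaddress

# Added example, not IOS code and not written by anyone in this thread: a
# first-match evaluator for extended ACLs 101-103 from the reply above (applied
# "in" on Gi0/0.10, Gi0/0.20 and Gi0/0.30). ACL text copied from that reply.
ACL_TEXT = """
access-list 101 permit ip 192.168.1.0 0.0.0.63 192.168.1.64 0.0.0.31
access-list 101 permit ip 192.168.1.64 0.0.0.31 192.168.1.0 0.0.0.63
access-list 101 permit ip 192.168.1.0 0.0.0.63 192.168.1.128 0.0.0.7
access-list 101 permit ip 192.168.1.128 0.0.0.7 192.168.1.0 0.0.0.63
access-list 102 permit ip 192.168.1.64 0.0.0.31 192.168.1.0 0.0.0.63
access-list 102 permit ip 192.168.1.0 0.0.0.63 192.168.1.64 0.0.0.31
access-list 102 permit ip 192.168.1.64 0.0.0.31 192.168.1.128 0.0.0.7
access-list 102 permit ip 192.168.1.128 0.0.0.7 192.168.1.64 0.0.0.31
access-list 102 permit ip 192.168.1.64 0.0.0.31 192.168.1.136 0.0.0.7
access-list 102 permit ip 192.168.1.136 0.0.0.7 192.168.1.64 0.0.0.31
access-list 102 deny ip 192.168.1.64 0.0.0.31 192.168.1.96 0.0.0.31
access-list 102 deny ip 192.168.1.96 0.0.0.31 192.168.1.64 0.0.0.31
access-list 102 permit ip 192.168.1.64 0.0.0.31 any
access-list 102 permit ip any 192.168.1.64 0.0.0.31
access-list 103 deny ip any any
"""
# ACL applied inbound per VLAN subinterface. Inbound on Gi0/0.10 only sees VLAN 10
# sources, so entries with another source subnet never match there.
INBOUND_ACL = {10: 101, 20: 102, 30: 103}
# Subnets from the original post's IP table.
SUBNETS = {10: "192.168.1.0/26", 20: "192.168.1.64/27", 30: "192.168.1.96/27",
           40: "192.168.1.128/29", 50: "192.168.1.136/29"}

def _operand(tokens):
    """Consume 'any' or 'addr wildcard'; the 'host' form is not used in the thread."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    base = int(ipaddress.ip_address(tokens[0]))
    return (base, int(ipaddress.ip_address(tokens[1]))), tokens[2:]

def _matches(operand, ip):
    base, wild = operand
    return (int(ip) | wild) == (base | wild)  # wildcard 1-bits are don't-care

def parse_acls(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into {N: [(action, src, dst)]}."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] != "access-list" or t[3] != "ip":
            raise ValueError("unsupported ACL line: " + line)
        src, rest = _operand(t[4:])
        dst, _ = _operand(rest)
        acls.setdefault(int(t[1]), []).append((t[2], src, dst))
    return acls

def acl_decision(entries, src_ip, dst_ip):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, src, dst in entries:
        if _matches(src, src_ip) and _matches(dst, dst_ip):
            return action
    return "deny"

def decision(acls, src_vlan, dst):
    """Verdict for src_vlan's first host reaching dst (a VLAN number or an IP string)."""
    src_ip = ipaddress.ip_network(SUBNETS[src_vlan])[1]
    dst_ip = ipaddress.ip_network(SUBNETS[dst])[1] if dst in SUBNETS else ipaddress.ip_address(dst)
    return acl_decision(acls[INBOUND_ACL[src_vlan]], src_ip, dst_ip)
```

Note that decision(acls, 30, "192.168.1.126") also returns "deny": ACL 103 stops VLAN 30 hosts from even pinging their own gateway address, which is worth remembering when testing that VLAN.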

I will be getting a 3G HWIC module for the router when/if we get one in stock before I'm done with my lab project.

 

But I guess that won't change a lot of the settings? I assume it will just be listed with the interfaces?

 

 

All the access lists that you made make sense to me except for these first 2; why are they necessary?

access-list 1 permit 192.168.1.64 0.0.0.31
access-list 1 permit 192.168.1.128 0.0.0.7

 

Hello,

 

access list 1 is for Internet access. It belongs to the NAT statement:

 

ip nat inside source list 1 interface GigabitEthernet0/1 overload
!
access-list 1 permit 192.168.1.64 0.0.0.31
access-list 1 permit 192.168.1.128 0.0.0.7

Right, okay, makes sense.

I just got the 4G module. This is the interface that got added: interface Cellular0/0/0


So now I have to edit the config you gave me and remove GigabitEthernet0/1 and add Cellular0/0/0?


The config from the router looks like this:

interface Cellular0/0/0
no ip address
encapsulation slip
dialer in-band
dialer string lte

Is it correct that I need to change it like this:

interface Cellular0/0/0
description Link to ISP
ip address dhcp
encapsulation slip
dialer in-band
dialer string lte

And this:

 

ip nat inside source list 1 interface Cellular0/0/0 overload
!
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0 dhcp

Hello,

 

Config looks good... what platform (which router) is this on? You might need a chat script and some additional configuration...

The router is a 2911 like this one.

I connected the 4G module to EHWIC 0; slots 1-3 are empty, and my 3560 PoE-8 switch is connected to the port numbered 5, Ge0/0.

 

 

Now my running config looks like this:

Current configuration : 4557 bytes
!
! Last configuration change at 13:08:22 UTC Tue Feb 19 2019
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
chat-script lte "" "AT!CALL" TIMEOUT 60 "OK"
cts logging verbose
!
license udi pid CISCO2911/K9 sn FCZ155370CT
!
redundancy
!
controller Cellular 0/0
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.1.62 255.255.255.192
ip access-group 101 in
!
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 192.168.1.94 255.255.255.224
ip access-group 102 in
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/0.30
encapsulation dot1Q 30
ip address 192.168.1.126 255.255.255.224
ip access-group 103 in
!
interface GigabitEthernet0/0.40
encapsulation dot1Q 40
ip address 192.168.1.134 255.255.255.248
ip access-group 104 in
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/0.50
encapsulation dot1Q 50
ip address 192.168.1.142 255.255.255.248
ip access-group 105 in
!
interface GigabitEthernet0/0.99
encapsulation dot1Q 99
ip address 192.168.1.146 255.255.255.252
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
interface Cellular0/0/0
description Link to ISP
no ip address
encapsulation slip
dialer in-band
dialer string lte
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 dhcp
!
access-list 1 permit 192.168.1.64 0.0.0.31
access-list 1 permit 192.168.1.128 0.0.0.7
access-list 10 permit 192.168.1.128 0.0.0.7
access-list 10 permit 192.168.1.64 0.0.0.31
access-list 101 permit ip 192.168.1.0 0.0.0.63 192.168.1.64 0.0.0.31
access-list 101 permit ip 192.168.1.64 0.0.0.31 192.168.1.0 0.0.0.63
access-list 101 permit ip 192.168.1.0 0.0.0.63 192.168.1.128 0.0.0.7
access-list 101 permit ip 192.168.1.128 0.0.0.7 192.168.1.0 0.0.0.63
access-list 102 permit ip 192.168.1.64 0.0.0.31 192.168.1.0 0.0.0.63
access-list 102 permit ip 192.168.1.0 0.0.0.63 192.168.1.64 0.0.0.31
access-list 102 permit ip 192.168.1.64 0.0.0.31 192.168.1.128 0.0.0.7
access-list 102 permit ip 192.168.1.128 0.0.0.7 192.168.1.64 0.0.0.31
access-list 102 permit ip 192.168.1.64 0.0.0.31 192.168.1.136 0.0.0.7
access-list 102 permit ip 192.168.1.136 0.0.0.7 192.168.1.64 0.0.0.31
access-list 102 deny ip 192.168.1.64 0.0.0.31 192.168.1.96 0.0.0.31
access-list 102 deny ip 192.168.1.96 0.0.0.31 192.168.1.64 0.0.0.31
access-list 102 permit ip 192.168.1.64 0.0.0.31 any
access-list 102 permit ip any 192.168.1.64 0.0.0.31
access-list 103 deny ip any any
access-list 104 permit ip 192.168.1.128 0.0.0.7 192.168.1.0 0.0.0.63
access-list 104 permit ip 192.168.1.0 0.0.0.63 192.168.1.128 0.0.0.7
access-list 104 permit ip 192.168.1.128 0.0.0.7 192.168.1.64 0.0.0.31
access-list 104 permit ip 192.168.1.64 0.0.0.31 192.168.1.128 0.0.0.7
access-list 104 permit ip 192.168.1.128 0.0.0.7 192.168.1.136 0.0.0.7
access-list 104 permit ip 192.168.1.136 0.0.0.7 192.168.1.128 0.0.0.7
access-list 104 deny ip 192.168.1.128 0.0.0.7 192.168.1.96 0.0.0.31
access-list 104 deny ip 192.168.1.96 0.0.0.31 192.168.1.128 0.0.0.7
access-list 104 permit ip 192.168.1.128 0.0.0.7 any
access-list 104 permit ip any 192.168.1.128 0.0.0.7
access-list 105 permit ip 192.168.1.136 0.0.0.7 192.168.1.64 0.0.0.31
access-list 105 permit ip 192.168.1.64 0.0.0.31 192.168.1.136 0.0.0.7
access-list 105 permit ip 192.168.1.136 0.0.0.7 192.168.1.128 0.0.0.7
access-list 105 permit ip 192.168.1.128 0.0.0.7 192.168.1.136 0.0.0.7
!
control-plane
!
vstack
!
line con 0
logging synchronous
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 0/0/0
script dialer lte
no exec
line vty 0 4
login
transport input none
!
scheduler allocate 20000 1000
!
end

If I'm not mistaken, the last part I need is to:

  1. configure the DHCP pools
  2. set up OSPF
  3. add the gateway of last resort via Cellular0/0/0?

 
