03-23-2022 12:19 AM
Hi Team
I need to block VLANs 4-9 & 60-69 from communicating with each other, but I need them to communicate with (IT, Printer and Servers)
VLAN 4: 192.168.4.0/24
VLAN 6: 192.168.6.0/24
VLAN 9: 192.168.9.0/24
VLAN 60: 192.168.60.0/24
VLAN 65: 192.168.65.0/24
VLAN 69: 192.168.69.0/24
VLAN IT: 192.168.177.0/24
VLAN Printer: 192.168.70.0/24
Servers:
VLAN 20: 10.10.20.0/24
VLAN 109: 192.168.109.240/28
VLAN 136: 172.22.136.0/24
VLAN 98: 172.98.10.224/29
------------------------------------------
I created an extended access-list named 100:
deny ip 192.168.0.0 0.0.15.255 192.168.0.0 0.0.15.255
deny ip 192.168.0.0 0.0.127.255 192.168.0.0 0.0.127.255
permit ip any any
and applied it to interface vlan 4:
ip access-group 100 in
---------------------
I can't ping VLANs 4-9 and 60-69 (good),
but I also can't ping the printer and server VLAN 109.
Can anyone help me?
03-23-2022 01:16 AM - edited 03-23-2022 01:17 AM
deny ip 192.168.0.0 0.0.127.255 192.168.0.0 0.0.127.255
Since your ACL deny is wider (a /17, which includes the printer VLAN and VLAN 109), maybe you need to go to /24, or reduce the upper end of the range to the 192.168.69.X network to deny.
03-23-2022 01:31 AM
Hello,
the problem is:
192.168.0.0 0.0.127.255
includes the entire host range:
191.168.0.1 - 191.168.127.254
You need the access list below. Subnets 192.168.65.0/24 and 192.168.69.0/24 cannot be included in the summarized range and need to have a separate entry.
access-list 100 deny ip 192.168.0.0 0.0.63.255 192.168.0.0 0.0.63.255
access-list 100 deny ip 192.168.0.0 0.0.63.255 192.168.65.0 0.0.0.255
access-list 100 deny ip 192.168.0.0 0.0.63.255 192.168.69.0 0.0.0.255
access-list 100 permit ip any any
03-23-2022 01:40 AM
Hello
Example:
ip access-list extended vlan4
deny ip any 192.168.6.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255
deny ip any 192.168.60.0 0.0.0.255
deny ip any 192.168.65.0 0.0.0.255
deny ip any 192.168.69.0 0.0.0.255
permit ip any any
ip access-list extended vlan6
deny ip any 192.168.4.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255
deny ip any 192.168.60.0 0.0.0.255
deny ip any 192.168.65.0 0.0.0.255
deny ip any 192.168.69.0 0.0.0.255
permit ip any any
int vlan 4
ip access-group vlan4 IN
int vlan 6
ip access-group vlan6 IN
etc...
03-24-2022 02:59 AM
Hi @paul driver,
thank you, brother, for the quick reply.
Is there a way to summarize? Otherwise it will be a big configuration for each VLAN whose communication I need to stop.
03-23-2022 06:58 AM
Thank you all for replying.
Is there any way to summarize the range of VLAN IPs to make the access list simple and short?
03-23-2022 07:08 AM
Hello
Unfortunately not with the subnets you’ve provided
03-23-2022 07:10 AM
Hello,
you cannot summarize more than this:
access-list 100 deny ip 192.168.0.0 0.0.63.255 192.168.0.0 0.0.63.255
access-list 100 deny ip 192.168.0.0 0.0.63.255 192.168.65.0 0.0.0.255
access-list 100 deny ip 192.168.0.0 0.0.63.255 192.168.69.0 0.0.0.255
access-list 100 permit ip any any
You cannot summarize 65 and 69, a /21 mask would go up to 71. So the above is the best you can do.
03-23-2022 07:22 AM - edited 03-23-2022 07:22 AM
Hello @Georg Pauwen
@Georg Pauwen wrote:
access-list 100 deny ip 192.168.0.0 0.0.63.255 192.168.0.0 0.0.63.255 < this ACE denies everything between 192.168.0.0 - 192.168.63.254
access-list 100 deny ip 192.168.0.0 0.0.63.255 192.168.65.0 0.0.0.255 < this ACE denies everything between 192.168.0.0 - 192.168.63.254 and 192.168.65.0 0.0.0.255
access-list 100 deny ip 192.168.0.0 0.0.63.255 192.168.69.0 0.0.0.255 < this ACE denies everything between 192.168.0.0 - 192.168.63.254 and 192.168.69.0 0.0.0.255
access-list 100 permit ip any any
You cannot even summarise that; you will include at least 50+ /24 subnets in those aggregates that are not in use, plus based on that ACL I would envisage connectivity will break.
03-23-2022 07:27 AM
@paul driver Better ask OP. The access list is based on the information given. The subnets included mentioned by you do not exist, so 'blocking' them should not be a problem.
03-23-2022 11:49 AM
Hello
@Georg Pauwen either way your ACL won't work, as it blocks all communication, which DOES include the OP's active subnets.
03-23-2022 12:34 PM
@paul driver What test network are you applying this on ? Can you post your config and your test results ?
Here are my results. I am pinging from host 192.168.4.2.
Vlan 4 cannot communicate with VLAN 6,VLAN 9,VLAN 60,VLAN 65,VLAN 69
Vlan 4 can communicate with VLAN IT: 192.168.177.0/24,VLAN Printer: 192.168.70.0/24, VLAN 20,VLAN 109,VLAN 136,VLAN 98
access-list 100 deny ip 192.168.0.0 0.0.63.255 192.168.0.0 0.0.63.255
access-list 100 deny ip 192.168.0.0 0.0.63.255 192.168.65.0 0.0.0.255
access-list 100 deny ip 192.168.0.0 0.0.63.255 192.168.69.0 0.0.0.255
access-list 100 permit ip any any
!
interface GigabitEthernet0/0/0
ip address 192.168.4.1 255.255.255.0
ip access-group 100 in
duplex auto
speed auto
C:\>ping 192.168.6.1
Pinging 192.168.6.1 with 32 bytes of data:
Reply from 192.168.4.1: Destination host unreachable.
Reply from 192.168.4.1: Destination host unreachable.
Reply from 192.168.4.1: Destination host unreachable.
Reply from 192.168.4.1: Destination host unreachable.
Ping statistics for 192.168.6.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\>ping 192.168.9.1
Pinging 192.168.9.1 with 32 bytes of data:
Reply from 192.168.4.1: Destination host unreachable.
Reply from 192.168.4.1: Destination host unreachable.
Reply from 192.168.4.1: Destination host unreachable.
Reply from 192.168.4.1: Destination host unreachable.
Ping statistics for 192.168.9.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\>ping 192.168.60.1
Pinging 192.168.60.1 with 32 bytes of data:
Reply from 192.168.4.1: Destination host unreachable.
Reply from 192.168.4.1: Destination host unreachable.
Reply from 192.168.4.1: Destination host unreachable.
Reply from 192.168.4.1: Destination host unreachable.
Ping statistics for 192.168.60.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\>ping 192.168.65.1
Pinging 192.168.65.1 with 32 bytes of data:
Reply from 192.168.4.1: Destination host unreachable.
Reply from 192.168.4.1: Destination host unreachable.
Reply from 192.168.4.1: Destination host unreachable.
Reply from 192.168.4.1: Destination host unreachable.
Ping statistics for 192.168.65.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\>ping 192.168.69.1
Pinging 192.168.69.1 with 32 bytes of data:
Reply from 192.168.4.1: Destination host unreachable.
Reply from 192.168.4.1: Destination host unreachable.
Reply from 192.168.4.1: Destination host unreachable.
Reply from 192.168.4.1: Destination host unreachable.
Ping statistics for 192.168.69.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\>ping 172.98.10.1
Pinging 172.98.10.1 with 32 bytes of data:
Reply from 172.98.10.1: bytes=32 time<1ms TTL=255
Reply from 172.98.10.1: bytes=32 time<1ms TTL=255
Reply from 172.98.10.1: bytes=32 time<1ms TTL=255
Reply from 172.98.10.1: bytes=32 time=4ms TTL=255
Ping statistics for 172.98.10.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 4ms, Average = 1ms
C:\>ping 10.10.20.1
Pinging 10.10.20.1 with 32 bytes of data:
Reply from 10.10.20.1: bytes=32 time=6ms TTL=255
Reply from 10.10.20.1: bytes=32 time<1ms TTL=255
Reply from 10.10.20.1: bytes=32 time<1ms TTL=255
Reply from 10.10.20.1: bytes=32 time<1ms TTL=255
Ping statistics for 10.10.20.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 6ms, Average = 1ms
C:\>ping 192.168.70.1
Pinging 192.168.70.1 with 32 bytes of data:
Reply from 192.168.70.1: bytes=32 time<1ms TTL=255
Reply from 192.168.70.1: bytes=32 time<1ms TTL=255
Reply from 192.168.70.1: bytes=32 time<1ms TTL=255
Reply from 192.168.70.1: bytes=32 time<1ms TTL=255
Ping statistics for 192.168.70.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\>ping 192.168.109.1
Pinging 192.168.109.1 with 32 bytes of data:
Reply from 192.168.109.1: bytes=32 time<1ms TTL=255
Reply from 192.168.109.1: bytes=32 time<1ms TTL=255
Reply from 192.168.109.1: bytes=32 time<1ms TTL=255
Reply from 192.168.109.1: bytes=32 time<1ms TTL=255
Ping statistics for 192.168.109.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\>ping 172.22.136.1
Pinging 172.22.136.1 with 32 bytes of data:
Reply from 172.22.136.1: bytes=32 time<1ms TTL=255
Reply from 172.22.136.1: bytes=32 time<1ms TTL=255
Reply from 172.22.136.1: bytes=32 time<1ms TTL=255
Reply from 172.22.136.1: bytes=32 time<1ms TTL=255
Ping statistics for 172.22.136.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\>ping 192.168.177.1
Pinging 192.168.177.1 with 32 bytes of data:
Reply from 192.168.177.1: bytes=32 time<1ms TTL=255
Reply from 192.168.177.1: bytes=32 time<1ms TTL=255
Reply from 192.168.177.1: bytes=32 time<1ms TTL=255
Reply from 192.168.177.1: bytes=32 time<1ms TTL=255
Ping statistics for 192.168.177.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
03-23-2022 02:30 PM
Hello
The op states:
I need block VLANs from 4-9 & 60-69 to communicate each other
@Georg Pauwen
I'm not sure you are understanding what I am trying to state. Your summarisation encompasses a vast range of addressing which isn't being used or not shown. That kind of summarisation over such a large IP range isn't feasible, especially when we don't know the environment. The OP is asking a question about using smaller ACLs, but to provide such an example when we don't know the exact circumstances isn't viable; it would then be best to be as specific as possible.
If that ACL you posted was applied to a production network and the network indeed had subnets within that aggregate, then it would fail.....drastically.
Maybe I am too cautious in my approach, but I tend to think in real scenarios and of the overall picture the OP is trying to show.
03-24-2022 02:56 AM
My environment includes VLANs 4-9 and 60-69 and other VLANs, so when I tried your configuration it blocked VLANs 2, 3, 10 and above.
My scenario and Packet Tracer image are simple and summarized.
Thank you again, brother.
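Added example (not posted by anyone in this thread): a small evaluator for Cisco-style extended ACEs with wildcard masks, run against the OP's original ACL and the summarized one proposed above. It shows why the original /17 deny swallowed the printer VLAN and VLAN 109, and which other 192.168.X.0/24 networks (including VLANs 2, 3 and 10 from the OP's last post) each version denies as a side effect; the probe host and target addresses are constructed.

```python
import ipaddress

def _field(tokens, i):
    # 'any' or 'X WILDCARD' -> ((base, wildcard), index of the next token)
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    return (tokens[i], tokens[i + 1]), i + 2

def parse_acl(text):
    """Parse ACEs written as 'deny ip ...' or 'access-list 100 deny ip ...'."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] == "access-list":
            t = t[2:]                      # drop the 'access-list 100' prefix
        src, i = _field(t, 2)              # t[0] = action, t[1] = protocol
        dst, _ = _field(t, i)
        aces.append((t[0], src, dst))
    return aces

def _match(addr, base, wildcard):
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)              # 1-bits in the wildcard are "don't care"

def evaluate(aces, src, dst):
    """First matching ACE wins; every ACL ends with an implicit deny."""
    for action, (sb, sw), (db, dw) in aces:
        if _match(src, sb, sw) and _match(dst, db, dw):
            return action
    return "deny"

OP_ACL = """deny ip 192.168.0.0 0.0.15.255 192.168.0.0 0.0.15.255
deny ip 192.168.0.0 0.0.127.255 192.168.0.0 0.0.127.255
permit ip any any"""
FIXED_ACL = """access-list 100 deny ip 192.168.0.0 0.0.63.255 192.168.0.0 0.0.63.255
access-list 100 deny ip 192.168.0.0 0.0.63.255 192.168.65.0 0.0.0.255
access-list 100 deny ip 192.168.0.0 0.0.63.255 192.168.69.0 0.0.0.255
access-list 100 permit ip any any"""
# Constructed probes: a VLAN 4 host reaching one address in each VLAN from the thread.
TARGETS = {"vlan6": "192.168.6.1", "vlan69": "192.168.69.1", "printer": "192.168.70.1",
           "vlan109": "192.168.109.241", "it": "192.168.177.1", "srv20": "10.10.20.1"}
INTENDED = set(range(4, 10)) | set(range(60, 70))   # third octets meant to be blocked

def results(acl_text, src="192.168.4.2"):
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, src, dst) for name, dst in TARGETS.items()}

def collateral(acl_text, src="192.168.4.2"):
    """192.168.X.0/24 networks denied for this source beyond the intended ones."""
    aces = parse_acl(acl_text)
    return [x for x in range(256) if x not in INTENDED
            and evaluate(aces, src, f"192.168.{x}.1") == "deny"]
```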