Access List

rzt.roet53
Level 1

Hi Friends,

I need help regarding Access List,

I have a switch where I have created VLANS and an access list.
I have to create 4 VLANs:

1. Vlan 1 - Default (N/W: 192.168.200.0/28)
2. Vlan 2 - Production (N/W: 192.168.206.16/28)
3. Vlan 3 - VOIP (N/W: 192.168.206.48/28)
4. Vlan 4 - Staff (N/W: 192.168.206.80/28)

 

In Vlan 1, I have connected the Router and Hyper-V Host.

In Vlan 2, I have connected the Printer.

 

I have these requirements:
Vlan 2, VLAN 3 and VLAN 4 cannot access VLAN 1 or each other, but they need access to the DHCP server and DNS server in Vlan 1 and need access to the internet.

Vlan 2 and VLAN 3 need to access the Printer in Vlan 2.

Thank you

 


Hello,

 

Are the DHCP and the DNS server in Vlan 1? And what Vlan is the Internet connected to? And what about intra-Vlan traffic? Are hosts from e.g. Vlan 2 supposed to be able to access other hosts in Vlan 2, or just the Vlan 2 printer?

Yes, DHCP and the DNS server are in VLAN 1

Thank you

Yes, DHCP and DNS server are in vlan 1.
Internet is connected to vlan 1
Other hosts from other vlan just need access to VLAN 2 PRINTER only.

Thank you

Is that a Packet Tracer activity? Attach the zipped pkt and make it easier to help you.

Hello

Try the following:

ip access-list extended Vlan1
 permit udp any eq 67 any
 permit udp any any eq 68
 permit udp any eq 53 any
 permit tcp any eq 53 any
 permit icmp any any
 permit ip host 192.168.200.X any (default-gateway of wan router)
 deny ip any 192.168.206.16 0.0.0.15
 deny ip any 192.168.206.48 0.0.0.15
 deny ip any 192.168.206.80 0.0.0.15
 permit ip any any

int vlan 1
 ip access-group Vlan1 in

ip access-list extended Vlan2
 permit udp any host 192.168.200.X eq 67 (dhcp server)
 permit udp any host 192.168.200.X eq 53 (dns server)
 permit tcp any host 192.168.200.X eq 53 (dns server)
 permit ip host <vlan 2 printer> 192.168.206.48 0.0.0.15
 permit ip any host 192.168.200.X (default-gateway of wan router)
 deny ip any 192.168.200.0 0.0.0.15
 deny ip any 192.168.206.48 0.0.0.15
 deny ip any 192.168.206.80 0.0.0.15
 permit ip any any

int vlan 2
 ip access-group Vlan2 in

ip access-list extended Vlan3
 permit udp any host 192.168.200.X eq 67 (dhcp server)
 permit udp any host 192.168.200.X eq 53 (dns server)
 permit tcp any host 192.168.200.X eq 53 (dns server)
 permit ip any host <vlan 2 printer>
 permit ip any host 192.168.200.X (default-gateway of wan router)
 deny ip any 192.168.200.0 0.0.0.15
 deny ip any 192.168.206.16 0.0.0.15
 deny ip any 192.168.206.80 0.0.0.15
 permit ip any any

int vlan 3
 ip access-group Vlan3 in

ip access-list extended Vlan4
 permit udp any host 192.168.200.X eq 67 (dhcp server)
 permit udp any host 192.168.200.X eq 53 (dns server)
 permit tcp any host 192.168.200.X eq 53 (dns server)
 permit ip any host 192.168.200.X (default-gateway of wan router)
 deny ip any 192.168.200.0 0.0.0.15
 deny ip any 192.168.206.16 0.0.0.15
 deny ip any 192.168.206.48 0.0.0.15
 permit ip any any

int vlan 4
 ip access-group Vlan4 in

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

 

Paul

 

Just out of interest why does each acl have a line permitting IP to the default gateway of the WAN router ? 

 

Is this just for troubleshooting, i.e. ping etc.?

 

Jon

Hello Jon

Lol - I was waiting for a response from someone on that. Yes mate, exactly: for TS purposes, reachability to the router's WAN interface. I understand it's not really applicable, but I tend to append it.

 

TBH I've not tested the above ACL this time, I've not been able to, but it should work. Happy for any further input though, always good to have feedback and learn.



Kind Regards
Paul

Thank you Paul for your answer.
It solved a lot of issues with my switch configuration.

But I cannot access the other VLANs from VLAN1 (default VLAN).

So the only issue I am having is:

I want to access VLAN2, VLAN3 and VLAN4 from VLAN1, BUT I don't want VLAN2, VLAN3 and VLAN4 to access VLAN1.
Thank you

Hello

That is a different scenario. However, it is possible to accomplish it in a few ways, but sticking with an access-list you could amend the VLAN 1 ACL so it allows only TCP traffic initiated from VLAN 1 to the other VLANs but denies traffic initiated from those other VLANs. Note though that just using ACLs it will not affect UDP.

 

ip access-list extended Vlan1
 permit udp any eq 67 any
 permit udp any any eq 68
 permit udp any eq 53 any
 permit tcp any eq 53 any
 permit icmp any any
 permit ip any host 192.168.200.X (default-gateway of wan router)
 permit tcp 192.168.206.16 0.0.0.15 any established
 deny tcp 192.168.206.16 0.0.0.15 any
 permit tcp 192.168.206.48 0.0.0.15 any established
 deny tcp 192.168.206.48 0.0.0.15 any
 permit tcp 192.168.206.80 0.0.0.15 any established
 deny tcp 192.168.206.80 0.0.0.15 any
 permit ip any any

int vlan 1
 no ip access-group Vlan1 in
 ip access-group Vlan1 out



Kind Regards
Paul
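As an added example (not Paul's configuration or any Cisco tool), a small Python evaluator for the ACE syntax used in this thread, so the amended Vlan1 ACL can be checked offline: TCP from VLAN 2/3/4 toward VLAN 1 passes only when ACK or RST is set (a reply to a session VLAN 1 opened), while UDP falls through to permit ip any any, which is the caveat Paul mentions. The ACL text is his outbound Vlan1 list minus the DNS and gateway lines; sample hosts such as 192.168.206.20 are constructed.

```python
import ipaddress
import re

# One IOS extended ACE: action, protocol, src [eq PORT], dst [eq PORT], [established]
ACE = re.compile(r"(permit|deny) (\S+) (any|host \S+|\S+ \S+)(?: eq (\d+))? "
                 r"(any|host \S+|\S+ \S+)(?: eq (\d+))?( established)?$")

def _ip(s):
    return int(ipaddress.ip_address(s))

def _addr(spec):
    """'any' | 'host A' | 'A WILDCARD' -> (network, wildcard) as ints."""
    if spec == "any":
        return 0, 0xFFFFFFFF
    a, b = spec.split()
    return (_ip(b), 0) if a == "host" else (_ip(a), _ip(b))

def parse_acl(text):
    """Parse the ACEs of an IOS extended ACL; header, '!' comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = ACE.match(line.strip())
        if m:
            act, proto, src, sp, dst, dp, est = m.groups()
            rules.append((act, proto, _addr(src), sp and int(sp), _addr(dst), dp and int(dp), bool(est)))
    return rules

def evaluate(rules, proto, src, dst, sport=0, dport=0, ack=False):
    """First matching ACE wins; every IOS ACL ends with an implicit deny."""
    s, d = _ip(src), _ip(dst)
    for act, p, (sn, sw), sp, (dn, dw), dp, est in rules:
        if (p != "ip" and p != proto) or (s | sw) != (sn | sw) or (d | dw) != (dn | dw):
            continue                    # protocol/address mismatch (wildcard 1-bits are don't-care)
        if sp not in (None, sport) or dp not in (None, dport):
            continue                    # 'eq' port qualifier mismatch
        if est and not (proto == "tcp" and ack):
            continue                    # 'established' needs TCP with ACK or RST set
        return act
    return "deny"

# The thread's amended Vlan1 ACL (applied 'out' on int vlan1), minus the DNS and gateway lines.
VLAN1_OUT = """permit udp any eq 67 any
permit icmp any any
permit tcp 192.168.206.16 0.0.0.15 any established
deny tcp 192.168.206.16 0.0.0.15 any
permit tcp 192.168.206.48 0.0.0.15 any established
deny tcp 192.168.206.48 0.0.0.15 any
permit tcp 192.168.206.80 0.0.0.15 any established
deny tcp 192.168.206.80 0.0.0.15 any
permit ip any any"""
```

Call evaluate(parse_acl(VLAN1_OUT), "tcp", "192.168.206.20", "192.168.200.10", dport=445) with and without ack=True to see the SYN refused and the reply admitted; the same host with "udp" is permitted either way.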

Thank you Paul,
It is what I was expecting.
Thank you for the solution.

Really appreciate your help.

Thank you Paul
