11-10-2024 01:34 AM
Hello, I have a network like this, and I want to establish the access of some users to certain IPs in the network by defining an access list. I also want to connect people who are in a set of VLANs to the Internet. I use a MikroTik 1100 router for the organization's Internet, and I use a core 3750 switch in layer 2 of my network. I don't want to close layer 3 access in the local network from the router; I want to do the layer 3 network with an access list on the core switch. But even though I wrote an ACL, the connection is still not established correctly.
11-10-2024 01:41 AM
Share the show running-config from the switches, and the information on from where to where you want to block the traffic.
11-10-2024 01:45 AM
Current configuration : 4412 bytes
!
! Last configuration change at 08:54:10 UTC Sun Nov 10 2024
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
enable password 1234
!
username ali privilege 15 password 0 1234
no aaa new-model
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk
ip access-group VLAN_ACCESS in
media-type rj45
negotiation auto
!
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
ip access-group VLAN_ACCESS in
media-type rj45
negotiation auto
!
interface GigabitEthernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk
ip access-group VLAN_ACCESS in
media-type rj45
negotiation auto
!
interface GigabitEthernet0/3
media-type rj45
negotiation auto
!
interface GigabitEthernet1/0
media-type rj45
negotiation auto
!
interface GigabitEthernet1/1
media-type rj45
negotiation auto
!
interface GigabitEthernet1/2
media-type rj45
negotiation auto
!
interface GigabitEthernet1/3
media-type rj45
negotiation auto
!
interface GigabitEthernet2/0
media-type rj45
negotiation auto
!
interface GigabitEthernet2/1
media-type rj45
negotiation auto
!
interface GigabitEthernet2/2
media-type rj45
negotiation auto
!
interface GigabitEthernet2/3
media-type rj45
negotiation auto
!
interface GigabitEthernet3/0
media-type rj45
negotiation auto
!
interface GigabitEthernet3/1
media-type rj45
negotiation auto
!
interface GigabitEthernet3/2
media-type rj45
negotiation auto
!
interface GigabitEthernet3/3
no switchport
ip address dhcp
negotiation auto
!
interface Vlan1
ip address 192.168.1.2 255.255.255.0
!
interface Vlan10
ip address 192.168.10.2 255.255.255.0
ip helper-address 192.168.1.1
!
interface Vlan20
ip address 192.168.20.2 255.255.255.0
ip access-group VLAN_ACCESS in
ip helper-address 192.168.1.1
!
interface Vlan30
ip address 192.168.30.2 255.255.255.0
ip access-group VLAN_ACCESS in
ip helper-address 192.168.1.1
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
!
ip access-list extended ALLOW_SPECIFIC
permit ip host 192.168.20.253 host 192.168.10.254
permit ip host 192.168.10.254 host 192.168.20.253
deny ip any any
!
!
!
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
!
line con 0
line aux 0
line vty 0 4
!
!
end
--------------------
Extended IP access list VLAN_ACCESS
10 permit ip host 192.168.20.253 host 192.168.10.254
20 deny ip any any (25 matches)
11-10-2024 01:48 AM
11-10-2024 02:05 AM
I did not see the command "ip routing" on the switch. Without it, there will be no communication between VLANs. Meaning, you don't need an ACL, because a host on VLAN 10 will not reach a host in VLAN 20, unless you are using another device as layer 3.
11-10-2024 01:56 AM
You applied the ACL VLAN_ACCESS:
ip access-group VLAN_ACCESS in
But I don't see this ACL created anywhere. I see the one below:
ALLOW_SPECIFIC
11-10-2024 02:41 AM
Yes, I fixed it now, but it still does not connect.
____
Building configuration...
Current configuration : 4524 bytes
!
! Last configuration change at 10:27:07 UTC Sun Nov 10 2024
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
enable password 1234
!
username ali privilege 15 password 0 1234
no aaa new-model
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk
ip access-group VLAN_ACCESS in
media-type rj45
negotiation auto
!
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
ip access-group VLAN_ACCESS in
media-type rj45
negotiation auto
!
interface GigabitEthernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk
ip access-group VLAN_ACCESS in
media-type rj45
negotiation auto
!
interface GigabitEthernet0/3
media-type rj45
negotiation auto
!
interface GigabitEthernet1/0
media-type rj45
negotiation auto
!
interface GigabitEthernet1/1
media-type rj45
negotiation auto
!
interface GigabitEthernet1/2
media-type rj45
negotiation auto
!
interface GigabitEthernet1/3
media-type rj45
negotiation auto
!
interface GigabitEthernet2/0
media-type rj45
negotiation auto
!
interface GigabitEthernet2/1
media-type rj45
negotiation auto
!
interface GigabitEthernet2/2
media-type rj45
negotiation auto
!
interface GigabitEthernet2/3
media-type rj45
negotiation auto
!
interface GigabitEthernet3/0
media-type rj45
negotiation auto
!
interface GigabitEthernet3/1
media-type rj45
negotiation auto
!
interface GigabitEthernet3/2
media-type rj45
negotiation auto
!
interface GigabitEthernet3/3
no switchport
ip address dhcp
negotiation auto
!
interface Vlan1
ip address 192.168.1.2 255.255.255.0
!
interface Vlan10
ip address 192.168.10.2 255.255.255.0
ip helper-address 192.168.1.1
!
interface Vlan20
ip address 192.168.20.2 255.255.255.0
ip access-group ALLOW_SPECIFIC in
ip helper-address 192.168.1.1
!
interface Vlan30
ip address 192.168.30.2 255.255.255.0
ip access-group ALLOW_SPECIFIC in
ip helper-address 192.168.1.1
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
!
ip access-list extended ALLOW_SPECIFIC
permit ip host 192.168.20.253 host 192.168.10.254
permit ip host 192.168.10.254 host 192.168.20.253
deny ip any any
ip access-list extended VLAN_ACCESS
permit ip host 192.168.20.253 host 192.168.10.254
deny ip any any
!
!
!
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
!
line con 0
line aux 0
line vty 0 4
!
!
end
-----
11-10-2024 02:45 AM
That is true:
Building configuration...
Current configuration : 4533 bytes
!
! Last configuration change at 10:39:35 UTC Sun Nov 10 2024
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
enable password 1234
!
username ali privilege 15 password 0 1234
no aaa new-model
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk
ip access-group ALLOW_SPECIFIC in
media-type rj45
negotiation auto
!
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
ip access-group ALLOW_SPECIFIC in
media-type rj45
negotiation auto
!
interface GigabitEthernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk
ip access-group ALLOW_SPECIFIC in
media-type rj45
negotiation auto
!
interface GigabitEthernet0/3
media-type rj45
negotiation auto
!
interface GigabitEthernet1/0
media-type rj45
negotiation auto
!
interface GigabitEthernet1/1
media-type rj45
negotiation auto
!
interface GigabitEthernet1/2
media-type rj45
negotiation auto
!
interface GigabitEthernet1/3
media-type rj45
negotiation auto
!
interface GigabitEthernet2/0
media-type rj45
negotiation auto
!
interface GigabitEthernet2/1
media-type rj45
negotiation auto
!
interface GigabitEthernet2/2
media-type rj45
negotiation auto
!
interface GigabitEthernet2/3
media-type rj45
negotiation auto
!
interface GigabitEthernet3/0
media-type rj45
negotiation auto
!
interface GigabitEthernet3/1
media-type rj45
negotiation auto
!
interface GigabitEthernet3/2
media-type rj45
negotiation auto
!
interface GigabitEthernet3/3
no switchport
ip address dhcp
negotiation auto
!
interface Vlan1
ip address 192.168.1.2 255.255.255.0
!
interface Vlan10
ip address 192.168.10.2 255.255.255.0
ip helper-address 192.168.1.1
!
interface Vlan20
ip address 192.168.20.2 255.255.255.0
ip access-group ALLOW_SPECIFIC in
ip helper-address 192.168.1.1
!
interface Vlan30
ip address 192.168.30.2 255.255.255.0
ip access-group ALLOW_SPECIFIC in
ip helper-address 192.168.1.1
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
!
ip access-list extended ALLOW_SPECIFIC
permit ip host 192.168.20.253 host 192.168.10.254
permit ip host 192.168.10.254 host 192.168.20.253
deny ip any any
ip access-list extended VLAN_ACCESS
permit ip host 192.168.20.253 host 192.168.10.254
deny ip any any
!
!
!
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
!
line con 0
line aux 0
line vty 0 4
!
!
11-10-2024 03:48 AM
The ACL config looks OK.
You need the "ip routing" command. Otherwise, there will be no routing between VLANs.
Can I see the output of
show version and show license?
11-10-2024 05:01 AM
You need to check:
show access-list <<- check the hits in the ACL. I see the ACL inbound under the VLAN SVI;
this, I think, prevents the PC from pinging its GW.
MHM
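Putting the two replies above together (no "ip routing", and an inbound ACL on the SVI whose "deny ip any any" is what the "(25 matches)" counter in the OP's show access-list output is hitting), here is a corrected configuration for the intent described in the thread. This is an added example, not something posted by anyone in the thread. It assumes the MikroTik is 192.168.1.1 on VLAN 1 (the address already used as the DHCP helper) and that the only inter-VLAN pair that must work is the one in the OP's ACL (192.168.20.253 to 192.168.10.254); the ACL names VLAN20_IN and VLAN30_IN are my own. The policy is enforced inbound on the SVIs only. The port ACLs on the trunk ports are removed, because an ip access-group on a Layer 2 port is a port ACL that filters every IP packet entering that port on every VLAN the trunk carries, including same-VLAN traffic and DHCP, so with "deny ip any any" at the end almost nothing gets through.

```cisco
! Enable inter-VLAN routing. Without this the SVIs do not forward between
! VLANs at all, and no ACL on them ever sees inter-VLAN traffic.
ip routing
!
! Remove the port ACLs from the trunks (Gi0/0, Gi0/1 and Gi0/2 in the
! posted config). They filter all ingress IP traffic on every VLAN.
interface range GigabitEthernet0/0 - 2
 no ip access-group ALLOW_SPECIFIC in
!
! One policy ACL per user VLAN, applied inbound on the SVI (router ACL).
! Entries are evaluated top to bottom, first match wins, implicit deny at
! the end. Sources are restricted to the VLAN's own subnet so a host
! cannot spoof another VLAN's address to get around the policy.
ip access-list extended VLAN20_IN
 remark -- DHCP DISCOVER/REQUEST (src 0.0.0.0) must reach the relay
 permit udp any eq bootpc any eq bootps
 remark -- hosts must be able to talk to their own default gateway
 permit ip 192.168.20.0 0.0.0.255 host 192.168.20.2
 remark -- the one inter-VLAN pair that is allowed
 permit ip host 192.168.20.253 host 192.168.10.254
 remark -- block the other user VLANs
 deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny   ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
 remark -- everything else (VLAN 1, the MikroTik, the Internet) is allowed
 permit ip 192.168.20.0 0.0.0.255 any
!
ip access-list extended VLAN30_IN
 permit udp any eq bootpc any eq bootps
 permit ip 192.168.30.0 0.0.0.255 host 192.168.30.2
 deny   ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny   ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.30.0 0.0.0.255 any
!
interface Vlan20
 no ip access-group ALLOW_SPECIFIC in
 ip access-group VLAN20_IN in
!
interface Vlan30
 no ip access-group ALLOW_SPECIFIC in
 ip access-group VLAN30_IN in
!
! Default route towards the MikroTik (assumed to be 192.168.1.1 on VLAN 1).
! The MikroTik in turn needs routes for 192.168.10.0/24, 192.168.20.0/24
! and 192.168.30.0/24 via 192.168.1.2, otherwise replies never come back.
ip route 0.0.0.0 0.0.0.0 192.168.1.1
```

A few points a practitioner would check after applying this. show ip route must list the default route and the connected SVI subnets; if it shows nothing, "ip routing" did not take. show access-lists is the same diagnostic that already appeared in the thread: after a failed ping from a VLAN 20 PC, whichever entry's match counter grows is the one that decided the packet's fate, so a growing counter on a deny line while the "permit ... host 192.168.20.2" line stays at zero tells you ordering or addressing is wrong. Note also that the "permit ip host 192.168.10.254 host 192.168.20.253" entry from the OP's ALLOW_SPECIFIC never matches when the ACL is applied inbound on Vlan20, because packets sourced from VLAN 10 enter the switch through Vlan10, not Vlan20; the ACL is stateless, and in the example above the return traffic from 192.168.10.254 is allowed simply because Vlan10 carries no inbound ACL. If VLAN 10 is to be restricted as well, apply the same pattern there with a matching permit for the reverse direction of the allowed pair.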