ACL-Cisco

1381-alizare
Level 1

Hello, I have a network like this. I want to set up the access of some users to certain IPs in the network by defining an access list, and I also want to connect people who are in a set of VLANs to the Internet. I use a MikroTik 1100 router for the organization's Internet, and I used a core 3750 switch at layer 2 of my network. I don't want to close layer 3 access in the local network from the router; I want to do the layer 3 network with an access list on the core switch. But even though I wrote the ACL, the connection is still not established correctly.

10 Replies

@1381-alizare 

Share the show running-config from the switches, and the information about from where to where you want to block the traffic.

Current configuration : 4412 bytes
!
! Last configuration change at 08:54:10 UTC Sun Nov 10 2024
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
enable password 1234
!
username ali privilege 15 password 0 1234
no aaa new-model
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk
ip access-group VLAN_ACCESS in
media-type rj45
negotiation auto
!
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
ip access-group VLAN_ACCESS in
media-type rj45
negotiation auto
!
interface GigabitEthernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk
ip access-group VLAN_ACCESS in
media-type rj45
negotiation auto
!
interface GigabitEthernet0/3
media-type rj45
negotiation auto
!
interface GigabitEthernet1/0
media-type rj45
negotiation auto
!
interface GigabitEthernet1/1
media-type rj45
negotiation auto
!
interface GigabitEthernet1/2
media-type rj45
negotiation auto
!
interface GigabitEthernet1/3
media-type rj45
negotiation auto
!
interface GigabitEthernet2/0
media-type rj45
negotiation auto
!
interface GigabitEthernet2/1
media-type rj45
negotiation auto
!
interface GigabitEthernet2/2
media-type rj45
negotiation auto
!
interface GigabitEthernet2/3
media-type rj45
negotiation auto
!
interface GigabitEthernet3/0
media-type rj45
negotiation auto
!
interface GigabitEthernet3/1
media-type rj45
negotiation auto
!
interface GigabitEthernet3/2
media-type rj45
negotiation auto
!
interface GigabitEthernet3/3
no switchport
ip address dhcp
negotiation auto
!
interface Vlan1
ip address 192.168.1.2 255.255.255.0
!
interface Vlan10
ip address 192.168.10.2 255.255.255.0
ip helper-address 192.168.1.1
!
interface Vlan20
ip address 192.168.20.2 255.255.255.0
ip access-group VLAN_ACCESS in
ip helper-address 192.168.1.1
!
interface Vlan30
ip address 192.168.30.2 255.255.255.0
ip access-group VLAN_ACCESS in
ip helper-address 192.168.1.1
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
!
ip access-list extended ALLOW_SPECIFIC
permit ip host 192.168.20.253 host 192.168.10.254
permit ip host 192.168.10.254 host 192.168.20.253
deny ip any any
!
!
!
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
!
line con 0
line aux 0
line vty 0 4
!
!
end

--------------------
Extended IP access list VLAN_ACCESS
10 permit ip host 192.168.20.253 host 192.168.10.254
20 deny ip any any (25 matches)

I did not see the command "ip routing" on the switch. Without it, there will be no communication between VLANs. Meaning, you don't need an ACL, because a host on VLAN 10 will not reach a host in VLAN 20, unless you are using another device as layer 3.


You applied the ACL VLAN_ACCESS

ip access-group VLAN_ACCESS in

But I don't see this ACL created anywhere.

I see the one below

ALLOW_SPECIFIC

Yes, I fixed it now, but it still does not connect
____

Building configuration...

Current configuration : 4524 bytes
!
! Last configuration change at 10:27:07 UTC Sun Nov 10 2024
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
enable password 1234
!
username ali privilege 15 password 0 1234
no aaa new-model
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk
ip access-group VLAN_ACCESS in
media-type rj45
negotiation auto
!
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
ip access-group VLAN_ACCESS in
media-type rj45
negotiation auto
!
interface GigabitEthernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk
ip access-group VLAN_ACCESS in
media-type rj45
negotiation auto
!
interface GigabitEthernet0/3
media-type rj45
negotiation auto
!
interface GigabitEthernet1/0
media-type rj45
negotiation auto
!
interface GigabitEthernet1/1
media-type rj45
negotiation auto
!
interface GigabitEthernet1/2
media-type rj45
negotiation auto
!
interface GigabitEthernet1/3
media-type rj45
negotiation auto
!
interface GigabitEthernet2/0
media-type rj45
negotiation auto
!
interface GigabitEthernet2/1
media-type rj45
negotiation auto
!
interface GigabitEthernet2/2
media-type rj45
negotiation auto
!
interface GigabitEthernet2/3
media-type rj45
negotiation auto
!
interface GigabitEthernet3/0
media-type rj45
negotiation auto
!
interface GigabitEthernet3/1
media-type rj45
negotiation auto
!
interface GigabitEthernet3/2
media-type rj45
negotiation auto
!
interface GigabitEthernet3/3
no switchport
ip address dhcp
negotiation auto
!
interface Vlan1
ip address 192.168.1.2 255.255.255.0
!
interface Vlan10
ip address 192.168.10.2 255.255.255.0
ip helper-address 192.168.1.1
!
interface Vlan20
ip address 192.168.20.2 255.255.255.0
ip access-group ALLOW_SPECIFIC in
ip helper-address 192.168.1.1
!
interface Vlan30
ip address 192.168.30.2 255.255.255.0
ip access-group ALLOW_SPECIFIC in
ip helper-address 192.168.1.1
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
!
ip access-list extended ALLOW_SPECIFIC
permit ip host 192.168.20.253 host 192.168.10.254
permit ip host 192.168.10.254 host 192.168.20.253
deny ip any any
ip access-list extended VLAN_ACCESS
permit ip host 192.168.20.253 host 192.168.10.254
deny ip any any
!
!
!
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
!
line con 0
line aux 0
line vty 0 4
!
!
end
-----

that is true:


Building configuration...

Current configuration : 4533 bytes
!
! Last configuration change at 10:39:35 UTC Sun Nov 10 2024
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
enable password 1234
!
username ali privilege 15 password 0 1234
no aaa new-model
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk
ip access-group ALLOW_SPECIFIC in
media-type rj45
negotiation auto
!
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
ip access-group ALLOW_SPECIFIC in
media-type rj45
negotiation auto
!
interface GigabitEthernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk
ip access-group ALLOW_SPECIFIC in
media-type rj45
negotiation auto
!
interface GigabitEthernet0/3
media-type rj45
negotiation auto
!
interface GigabitEthernet1/0
media-type rj45
negotiation auto
!
interface GigabitEthernet1/1
media-type rj45
negotiation auto
!
interface GigabitEthernet1/2
media-type rj45
negotiation auto
!
interface GigabitEthernet1/3
media-type rj45
negotiation auto
!
interface GigabitEthernet2/0
media-type rj45
negotiation auto
!
interface GigabitEthernet2/1
media-type rj45
negotiation auto
!
interface GigabitEthernet2/2
media-type rj45
negotiation auto
!
interface GigabitEthernet2/3
media-type rj45
negotiation auto
!
interface GigabitEthernet3/0
media-type rj45
negotiation auto
!
interface GigabitEthernet3/1
media-type rj45
negotiation auto
!
interface GigabitEthernet3/2
media-type rj45
negotiation auto
!
interface GigabitEthernet3/3
no switchport
ip address dhcp
negotiation auto
!
interface Vlan1
ip address 192.168.1.2 255.255.255.0
!
interface Vlan10
ip address 192.168.10.2 255.255.255.0
ip helper-address 192.168.1.1
!
interface Vlan20
ip address 192.168.20.2 255.255.255.0
ip access-group ALLOW_SPECIFIC in
ip helper-address 192.168.1.1
!
interface Vlan30
ip address 192.168.30.2 255.255.255.0
ip access-group ALLOW_SPECIFIC in
ip helper-address 192.168.1.1
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
!
ip access-list extended ALLOW_SPECIFIC
permit ip host 192.168.20.253 host 192.168.10.254
permit ip host 192.168.10.254 host 192.168.20.253
deny ip any any
ip access-list extended VLAN_ACCESS
permit ip host 192.168.20.253 host 192.168.10.254
deny ip any any
!
!
!
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
!
line con 0
line aux 0
line vty 0 4
!
!


The ACL config looks OK.

You need the "ip routing" command. Otherwise, there will be no routing between VLANs.

Can I see the output of show version and show license?

You need to check 
show access-list <<- check the hits in the ACL. I see the ACL inbound under the VLAN SVI; 
this, I think, prevents the PC from pinging its GW.

MHM
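Pulling the replies above together (no `ip routing` on the switch, and an inbound SVI ACL whose explicit `deny ip any any` also stops hosts from reaching their own gateway), here is an added example, not code from the thread or from Cisco, that parses a pasted running-config and checks each SVI's inbound ACL: it looks for `ip routing`, probes the ACL with a ping from a host in the SVI's subnet to the SVI address, probes it with a DHCP DISCOVER whenever `ip helper-address` is set (the relay only works if the inbound ACL lets the client's broadcast in), and flags permit entries whose source lies outside the SVI's subnet, which can never match inbound there (the return path from VLAN 10 is filtered by the inbound ACL on Vlan10, not on Vlan20). `BROKEN` is a constructed sample that mirrors the thread's paste; `FIXED` is one corrected layout I assumed for VLAN 20, and the ACL name `VLAN20_IN`, the default route to 192.168.1.1 as the Internet router, and the closing `permit ip 192.168.20.0 0.0.0.255 any` for Internet access are my assumptions, not from the post.

```python
"""Lint a Cisco IOS running-config for the inter-VLAN ACL mistakes raised in this thread.
Added example, not from the thread or Cisco; BROKEN and FIXED are constructed samples. A section
ends at "!" or the next header; only ip/tcp/udp/icmp entries with any/host/wildcard and "eq" ports."""
import ipaddress
from collections import namedtuple
Ace = namedtuple("Ace", "action proto src sport dst dport")
PORTS = {"bootps": 67, "bootpc": 68}

def _addr(t, i):                # 'any' | 'host A' | 'A WILDCARD' -> (network, next index)
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    addr, wild = (t[i + 1], "0.0.0.0") if t[i] == "host" else (t[i], t[i + 1])
    prefix = 32 - int(ipaddress.IPv4Address(wild)).bit_length()   # contiguous wildcard assumed
    return ipaddress.ip_network((addr, prefix), strict=False), i + 2

def parse_ace(line):
    t = line.split()
    if not t or t[0] not in ("permit", "deny"):
        return None
    fields, i = [], 2
    for _ in range(2):          # source, then destination, each with an optional "eq PORT"
        net, i = _addr(t, i)
        port = (PORTS.get(t[i + 1]) or int(t[i + 1])) if t[i:i + 1] == ["eq"] else None
        fields, i = fields + [net, port], i + (2 if port else 0)
    return Ace(t[0], t[1], *fields)

def acl_permits(aces, proto, src, dst, sport=None, dport=None):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a in aces:
        if (a.proto in ("ip", proto) and s in a.src and d in a.dst
                and a.sport in (None, sport) and a.dport in (None, dport)):
            return a.action == "permit"
    return False

def parse_config(text):
    routing, ifaces, acls, sect = False, {}, {}, None
    for line in text.splitlines():
        w = line.split()
        if not w or w[0].startswith("!"):
            sect = None
        elif w == ["ip", "routing"]:
            routing, sect = True, None
        elif w[0] == "interface":
            sect = ifaces.setdefault(w[1], {"addr": None, "acl": None, "helper": False})
        elif w[:2] == ["ip", "access-list"]:
            sect = acls.setdefault(w[-1], [])
        elif isinstance(sect, dict):
            if w[:2] == ["ip", "address"] and len(w) == 4:
                sect["addr"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
            elif w[:2] == ["ip", "access-group"] and w[-1] == "in":
                sect["acl"] = w[2]
            sect["helper"] |= w[:2] == ["ip", "helper-address"]
        elif isinstance(sect, list) and (ace := parse_ace(line)):
            sect.append(ace)
    return routing, ifaces, acls

def lint(text):
    routing, ifaces, acls = parse_config(text)
    out = [] if routing else ["no 'ip routing': the SVIs will not route between VLANs"]
    for name, itf in ifaces.items():          # only SVIs with a defined inbound ACL are probed
        acl = itf["acl"]
        if acl in acls and itf["addr"] and name.lower().startswith("vlan"):
            aces, gw, net = acls[acl], str(itf["addr"].ip), itf["addr"].network
            if not acl_permits(aces, "icmp", str(net[10]), gw):    # any host of the subnet
                out.append(f"{name}: {acl} stops hosts reaching their gateway {gw}")
            if itf["helper"] and not acl_permits(aces, "udp", "0.0.0.0", "255.255.255.255", 68, 67):
                out.append(f"{name}: {acl} drops DHCP DISCOVER, so ip helper-address never relays")
            for a in aces:      # inbound on an SVI only ever sees its own subnet as the source
                if a.action == "permit" and a.src.prefixlen and not a.src.subnet_of(net):
                    out.append(f"{name}: {acl} permit from {a.src} can never match here")
    return out

BROKEN = """\
interface Vlan20
 ip address 192.168.20.2 255.255.255.0
 ip access-group ALLOW_SPECIFIC in
 ip helper-address 192.168.1.1
!
ip access-list extended ALLOW_SPECIFIC
 permit ip host 192.168.20.253 host 192.168.10.254
 permit ip host 192.168.10.254 host 192.168.20.253
 deny ip any any
"""
FIXED = """\
ip routing
interface Vlan20
 ip address 192.168.20.2 255.255.255.0
 ip helper-address 192.168.1.1
 ip access-group VLAN20_IN in
!
ip access-list extended VLAN20_IN
 permit udp any eq bootpc any eq bootps
 permit ip 192.168.20.0 0.0.0.255 host 192.168.20.2
 permit ip host 192.168.20.253 host 192.168.10.254
 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 any
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
"""
```

`lint(BROKEN)` returns four findings (no `ip routing`, gateway unreachable, DHCP relay blocked, and the dead `192.168.10.254` permit); `lint(FIXED)` returns an empty list. `acl_permits` can also be called directly to ask what a given packet would do, which is quicker than reading the hit counter on the closing `deny ip any any` in `show access-list`, since that counter climbs for every blocked packet without saying which traffic it was. The ordering in `VLAN20_IN` is the usual pattern for the design the original post asks for: let DHCP and the gateway through, permit the specific host pair, deny the rest of the local VLANs, then permit everything else so it can follow the default route to the Internet router.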