02-15-2018 11:15 AM - edited 03-08-2019 01:52 PM
Hi there,
Hope you are all doing well.
I have a query about extended ACLs. I am getting zero response from applying an ACL in my network; kindly correct my steps if there is any mistake.
I have set up different networks with subnetting.
This is my running-config:
{
Current configuration : 2036 bytes
!
version 15.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname central#router
!
!
!
!
!
ip dhcp pool VLAN10
network 10.0.0.0 255.255.255.0
default-router 10.0.0.1
ip dhcp pool VLAN11
network 10.0.1.0 255.255.255.0
default-router 10.0.1.1
ip dhcp pool VLAN12
network 10.0.2.0 255.255.255.0
default-router 10.0.2.1
ip dhcp pool VLAN14servers
network 10.0.3.0 255.255.255.248
default-router 10.0.3.1
ip dhcp pool VLAN-APs
network 10.1.0.0 255.255.0.0
default-router 10.1.0.1
ip dhcp pool VLAN#13
network 10.0.4.0 255.255.255.0
default-router 10.0.4.1
ip dhcp pool WAN
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
!
!
!
no ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0/0
no ip address
duplex full
speed 1000
!
interface GigabitEthernet0/0/0.10
encapsulation dot1Q 10
ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/0/0.11
encapsulation dot1Q 11
ip address 10.0.1.1 255.255.255.0
!
interface GigabitEthernet0/0/0.12
encapsulation dot1Q 12
ip address 10.0.2.1 255.255.255.0
!
interface GigabitEthernet0/0/0.13
encapsulation dot1Q 13
ip address 10.0.4.1 255.255.255.0
!
interface GigabitEthernet0/0/0.14
encapsulation dot1Q 14
ip address 10.0.3.1 255.255.255.248
!
interface GigabitEthernet0/0/0.16
encapsulation dot1Q 16
ip address 10.1.0.1 255.255.0.0
!
interface GigabitEthernet0/0/1
ip address 192.168.10.1 255.255.255.0
duplex full
speed 100
!
interface Vlan1
no ip address
shutdown
!
router ospf 2
log-adjacency-changes
network 10.0.0.0 0.0.0.255 area 2
network 10.0.1.0 0.0.0.255 area 2
network 10.0.2.0 0.0.0.255 area 2
network 10.0.4.0 0.0.0.255 area 2
network 192.168.10.0 0.0.0.255 area 2
network 10.1.0.0 0.0.255.255 area 2
network 10.0.3.0 0.0.0.7 area 2
!
ip classless
!
ip flow-export version 9
!
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
}
I want to apply this ACL:
access-list 100 deny ip 10.0.1.0 0.0.255.255 any
access-list 100 permit ip 10.0.1.0 0.0.255.255 192.168.10.0 0.0.0.255
access-list 100 permit ip any any
But when I apply this, the 10.0.1.0 network loses connectivity with the 192.168.10.0 network.
I want to block connectivity not between all networks but between 10.0.1.0 and all the others, and only allow connectivity between 10.0.1.0 and 192.168.10.0.
Kindly correct me where I am making a mistake.
Thank you.
Regards:
HAMZA SHAHID
02-15-2018 11:28 AM
ACLs go in order.
The reason it won't go anywhere is the first line blocks everything coming from 10.0.1.0/16 going anywhere.
access-list 100 deny ip 10.0.1.0 0.0.255.255 any
access-list 100 permit ip 10.0.1.0 0.0.255.255 192.168.10.0 0.0.0.255
access-list 100 permit ip any any
Try this:
access-list 100 permit ip 10.0.1.0 0.0.255.255 192.168.10.0 0.0.0.255
access-list 100 deny ip 10.0.1.0 0.0.255.255 any
access-list 100 permit ip any any
Mike
02-15-2018 09:51 PM
Thank you for your early reply; this helped me.
But how did this order work? I mean, I learned that the order of an ACL would be like this: deny, deny, deny (all the denied networks), and then the permitted networks come next after the denies.
02-15-2018 11:31 AM - edited 02-15-2018 11:38 AM
Not sure exactly what you want to do, but to allow traffic from 10.0.1.0/24 to 192.168.10.0/24 you need to swap the first two lines of your ACL around.
Also your wildcard mask for 10.0.1.0/24 should be 0.0.0.255.
Jon
02-15-2018 11:33 AM
Missed the wildcard mask error...
Mike
02-15-2018 10:03 PM
Thanks for the reply, Jon.
burleyman's solution helped me and now my network is working fine.
I want to ask another question here: I want you to check my subnetting. I am going to list here all the networks with their default and subnetted masks. Can you please verify whether I made any mistake in this?
10.0.0.0 mask=255.0.0.0
10.0.1.0 mask=255.0.0.0
10.0.2.0 mask=255.0.0.0
10.0.4.0 mask=255.0.0.0
10.0.3.0 mask=255.255.255.248
10.1.0.0 mask=255.255.0.0
Thank you.
Regards:
HAMZA SHAHID
02-16-2018 05:02 AM
So let's start with your DHCP pools.
Network is 10.0.0.0 255.255.255.0 ---- looks good except you just posted this.
10.0.0.0 mask = 255.0.0.0 ---- these do not match up.
The first one is this range, 10.0.0.0 to 10.0.0.255
The other one you posted is this range, 10.0.0.0 to 10.255.255.255
My guess is you want the one defined in your DHCP pools, which matches up to the sub-interface for VLAN 10.
Now the next one is the one you want to deny.
Network is 10.0.1.0 255.255.255.0 ---- looks good except you just posted this.
10.0.1.0 mask = 255.0.0.0 ---- these do not match up.
The first one is this range, 10.0.1.0 to 10.0.1.255
The other one you posted is this range, 10.0.0.0 to 10.255.255.255
My guess is you want the one defined in your DHCP pools.
This is also the one you said you wanted to deny traffic from to all others except 192.168.10.0.
The wildcard masks I missed were the ones that were 0.0.255.255; they should have been 0.0.0.255.
You had this:
access-list 100 deny ip 10.0.1.0 0.0.255.255 any
access-list 100 permit ip 10.0.1.0 0.0.255.255 192.168.10.0 0.0.0.255
access-list 100 permit ip any any
It should have been this:
access-list 100 permit ip 10.0.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 deny ip 10.0.1.0 0.0.0.255 any
access-list 100 permit ip any any
Note the wildcard changes.
10.0.0.0 mask=255.0.0.0 ------ this should be 10.0.0.0 mask=255.255.255.0
10.0.1.0 mask=255.0.0.0 ------ this should be 10.0.1.0 mask=255.255.255.0
10.0.2.0 mask=255.0.0.0 ------ this should be 10.0.2.0 mask=255.255.255.0
10.0.4.0 mask=255.0.0.0 ------ this should be 10.0.4.0 mask=255.255.255.0
10.0.3.0 mask=255.255.255.248 ------ This should be fine
10.1.0.0 mask=255.255.0.0 ------- This should be fine
Hope this helps
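The two points made in this thread, first-match ordering and the difference between a 0.0.255.255 and a 0.0.0.255 wildcard, can be checked offline with a small ACL evaluator. The following is an added example written for this edit, not code from any poster or from Cisco; it models IOS wildcard matching and the implicit deny at the end of every ACL, and evaluates the three ACL versions from the thread (the original, Mike's reordered version, and the version with corrected wildcards) against constructed sample hosts. Where the ACL is bound (which interface and direction) is not stated in the original post, so the example treats each ACL as a pure first-match lookup without modelling interface direction. It also converts a network/wildcard pair and a network/mask pair into the address range each covers, which is the "these do not match up" check from the post above.

```python
import ipaddress
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF


def _ip(dotted):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" or "deny"
    src: int      # source network as an integer
    src_wc: int   # source wildcard mask: set bits are "don't care"
    dst: int
    dst_wc: int


def _parse_addr(tok, i):
    """Consume one address spec from a token list: 'any', 'host A.B.C.D' or 'NET WILDCARD'."""
    if tok[i] == "any":
        return 0, MASK32, i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    return _ip(tok[i]), _ip(tok[i + 1]), i + 2


def parse_acl(lines):
    """Parse numbered extended ACL lines of the form
    'access-list N permit|deny ip <src> <dst>' (protocol 'ip' only)."""
    entries = []
    for line in lines:
        tok = line.split()
        if tok[0] != "access-list" or tok[3] != "ip":
            raise ValueError(f"unsupported line: {line}")
        src, src_wc, i = _parse_addr(tok, 4)
        dst, dst_wc, _ = _parse_addr(tok, i)
        entries.append(AclEntry(tok[2], src, src_wc, dst, dst_wc))
    return entries


def wildcard_match(addr, net, wc):
    """IOS wildcard semantics: bits set in wc are ignored, all other bits must equal net."""
    return (addr & ~wc & MASK32) == (net & ~wc & MASK32)


def evaluate(acl, src, dst):
    """Return (action, line_number) of the first matching entry.
    With no match the implicit 'deny any any' applies and line_number is None."""
    s, d = _ip(src), _ip(dst)
    for n, e in enumerate(acl, 1):
        if wildcard_match(s, e.src, e.src_wc) and wildcard_match(d, e.dst, e.dst_wc):
            return e.action, n
    return "deny", None


def wildcard_range(net, wc):
    """First and last address covered by NET/WILDCARD (contiguous wildcards)."""
    lo = _ip(net) & ~_ip(wc) & MASK32
    hi = lo | _ip(wc)
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(hi))


def mask_range(net, mask):
    """First and last address of a network written with a subnet mask."""
    n = ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
    return str(n.network_address), str(n.broadcast_address)


# The three ACL versions from the thread, as plain first-match lookups.
ORIGINAL = parse_acl([
    "access-list 100 deny ip 10.0.1.0 0.0.255.255 any",
    "access-list 100 permit ip 10.0.1.0 0.0.255.255 192.168.10.0 0.0.0.255",
    "access-list 100 permit ip any any",
])
REORDERED = parse_acl([   # order fixed, wildcard still 0.0.255.255
    "access-list 100 permit ip 10.0.1.0 0.0.255.255 192.168.10.0 0.0.0.255",
    "access-list 100 deny ip 10.0.1.0 0.0.255.255 any",
    "access-list 100 permit ip any any",
])
CORRECTED = parse_acl([   # order and wildcard both fixed
    "access-list 100 permit ip 10.0.1.0 0.0.0.255 192.168.10.0 0.0.0.255",
    "access-list 100 deny ip 10.0.1.0 0.0.0.255 any",
    "access-list 100 permit ip any any",
])

if __name__ == "__main__":
    # Constructed sample hosts: one in VLAN 11, one in the WAN subnet, two in other VLANs.
    for name, acl in (("original", ORIGINAL), ("reordered", REORDERED), ("corrected", CORRECTED)):
        print(name, "10.0.1.5 -> 192.168.10.9:", evaluate(acl, "10.0.1.5", "192.168.10.9"))
        print(name, "10.0.2.7 -> 10.0.4.3:    ", evaluate(acl, "10.0.2.7", "10.0.4.3"))
    print("10.0.1.0 0.0.255.255 covers", wildcard_range("10.0.1.0", "0.0.255.255"))
    print("10.0.1.0 255.0.0.0 covers  ", mask_range("10.0.1.0", "255.0.0.0"))
```

Running it shows the original ACL denying 10.0.1.5 to 192.168.10.9 on line 1, while the reordered ACL permits it; it also shows that with the 0.0.255.255 wildcard the reordered ACL's deny on line 2 still catches traffic between the other 10.0.x.0 VLANs (10.0.2.7 to 10.0.4.3), which only the corrected 0.0.0.255 wildcard lets through to the final permit. The range helpers print 10.0.0.0 to 10.0.255.255 for the wide wildcard and 10.0.0.0 to 10.255.255.255 for a 255.0.0.0 mask, the mismatch the post above points out.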
02-17-2018 11:51 AM - edited 02-17-2018 11:56 AM
Thank you for the reply.
Yes, it was my writing mistake; I was just lost in the ACL and didn't really focus on writing the IPs and their subnets. Where you say in the post that "these don't match up", yes, that's my mistake! Apologies for that.
Yes, the thing that I wanted is now working fine with your help.
Let me explain the scenario more deeply.
Initially I wanted to use one DHCP pool for all the different VLANs, but because of the different VLANs this was not happening; each VLAN needed a different DHCP pool, or you can say I did not know how to divert all the different VLANs' traffic to one DHCP pool, so I thought going with subnetting with different DHCP pools would help me.
This question might come to your mind: why didn't I go with only one VLAN if I needed only one DHCP pool? For some reason I couldn't do this; I had to make different VLANs to account for the company's different departments.
If there is a way to use one DHCP pool for all the different VLANs, kindly let me know; it will help me to learn more.
Hope you understand all that.
I will post another query very soon and I hope you will be there to help me.
Thanks.
Regards:
HAMZA SHAHID