hamzashahid
Beginner

ACL keep blocking all network

Hi there,

Hope you all are doing well.

I have a query about extended ACLs. I am getting zero response after applying an ACL in my network; kindly correct my steps if I have made any mistake.

I have set up different networks with sub-netting.

 

This is my running-config:

{
Current configuration : 2036 bytes
!
version 15.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname central#router
!
!
!
!
!
ip dhcp pool VLAN10
network 10.0.0.0 255.255.255.0
default-router 10.0.0.1
ip dhcp pool VLAN11
network 10.0.1.0 255.255.255.0
default-router 10.0.1.1
ip dhcp pool VLAN12
network 10.0.2.0 255.255.255.0
default-router 10.0.2.1
ip dhcp pool VLAN14servers
network 10.0.3.0 255.255.255.248
default-router 10.0.3.1
ip dhcp pool VLAN-APs
network 10.1.0.0 255.255.0.0
default-router 10.1.0.1
ip dhcp pool VLAN#13
network 10.0.4.0 255.255.255.0
default-router 10.0.4.1
ip dhcp pool WAN
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
!
!
!
no ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0/0
no ip address
duplex full
speed 1000
!
interface GigabitEthernet0/0/0.10
encapsulation dot1Q 10
ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/0/0.11
encapsulation dot1Q 11
ip address 10.0.1.1 255.255.255.0
!
interface GigabitEthernet0/0/0.12
encapsulation dot1Q 12
ip address 10.0.2.1 255.255.255.0
!
interface GigabitEthernet0/0/0.13
encapsulation dot1Q 13
ip address 10.0.4.1 255.255.255.0
!
interface GigabitEthernet0/0/0.14
encapsulation dot1Q 14
ip address 10.0.3.1 255.255.255.248
!
interface GigabitEthernet0/0/0.16
encapsulation dot1Q 16
ip address 10.1.0.1 255.255.0.0
!
interface GigabitEthernet0/0/1
ip address 192.168.10.1 255.255.255.0
duplex full
speed 100
!
interface Vlan1
no ip address
shutdown
!
router ospf 2
log-adjacency-changes
network 10.0.0.0 0.0.0.255 area 2
network 10.0.1.0 0.0.0.255 area 2
network 10.0.2.0 0.0.0.255 area 2
network 10.0.4.0 0.0.0.255 area 2
network 192.168.10.0 0.0.0.255 area 2
network 10.1.0.0 0.0.255.255 area 2
network 10.0.3.0 0.0.0.7 area 2
!
ip classless
!
ip flow-export version 9
!
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
}

 

I want to apply this ACL:

access-list 100 deny ip 10.0.1.0 0.0.255.255 any
access-list 100 permit ip 10.0.1.0 0.0.255.255 192.168.10.0 0.0.0.255
access-list 100 permit ip any any

But when I apply this, the 10.0.1.0 network loses connectivity with the 192.168.10.0 network.

I want to block connectivity not between all the networks and each other, but between 10.0.1.0 and all the others, and only allow connectivity between 10.0.1.0 and 192.168.10.0.

Kindly correct me where I am making a mistake.

Thank you

 

Regards:

HAMZA SHAHID

 

 

burleyman
Collaborator

ACLs go in order.

The reason it won't go anywhere is the first line blocks everything coming from 10.0.1.0/16 going anywhere.

access-list 100 deny ip 10.0.1.0 0.0.255.255 any
access-list 100 permit ip 10.0.1.0 0.0.255.255 192.168.10.0 0.0.0.255
access-list 100 permit ip any any

Try this

access-list 100 permit ip 10.0.1.0 0.0.255.255 192.168.10.0 0.0.0.255
access-list 100 deny ip 10.0.1.0 0.0.255.255 any
access-list 100 permit ip any any

Mike


Thank you for your early reply, dear; this helped me.

But how did this order work? I mean, I learned that the order of an ACL would be like this: deny, deny, deny all the denied networks, and then the permitted networks come next, after the denies.

Jon Marshall
VIP Community Legend

Not sure exactly what you want to do, but to allow traffic from 10.0.1.0/24 to 192.168.10.0/24 you need to swap the first two lines of your ACL around.

Also, your wildcard mask for 10.0.1.0/24 should be 0.0.0.255.

Jon

Missed the wildcard mask error....

 

Mike

Thanks for the reply, Jon.

burleyman's solution helped me and now my network is working fine.

I want to ask another question here: I want you to check my sub-netting. I am going to list here all the networks with their default and sub-netted masks. Can you please verify whether I made any mistake in this?

10.0.0.0 mask=255.0.0.0
10.0.1.0 mask=255.0.0.0
10.0.2.0 mask=255.0.0.0
10.0.4.0 mask=255.0.0.0
10.0.3.0 mask=255.255.255.248
10.1.0.0 mask=255.255.0.0

Thank you

 

Regards:

HAMZA SHAHID

So let's start with your DHCP pools.

Network is 10.0.0.0 255.255.255.0 ---- looks good, except you just posted this:
10.0.0.0 mask = 255.0.0.0 ---- these do not match up.
The first one is this range, 10.0.0.0 to 10.0.0.255.
The other one you posted is this range, 10.0.0.0 to 10.255.255.255.
My guess is you want the one defined in your DHCP pools, which matches up to the sub-interface for VLAN 10.

Now the next one is the one you want to deny.
Network is 10.0.1.0 255.255.255.0 ---- looks good, except you just posted this:
10.0.1.0 mask = 255.0.0.0 ---- these do not match up.
The first one is this range, 10.0.1.0 to 10.0.1.255.
The other one you posted is this range, 10.0.0.0 to 10.255.255.255.
My guess is you want the one defined in your DHCP pools.
This is also the one you said you wanted to deny traffic from to all others except 192.168.10.0.
The wildcard masks I missed were the ones that were 0.0.255.255; they should have been 0.0.0.255.

You had this….
access-list 100 deny ip 10.0.1.0 0.0.255.255 any
access-list 100 permit ip 10.0.1.0 0.0.255.255 192.168.10.0 0.0.0.255
access-list 100 permit ip any any

It should have been this…..
access-list 100 permit ip 10.0.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 deny ip 10.0.1.0 0.0.0.255 any
access-list 100 permit ip any any

Note the wildcard changes.

10.0.0.0 mask=255.0.0.0 ------ this should be 10.0.0.0 mask=255.255.255.0
10.0.1.0 mask=255.0.0.0 ------ this should be 10.0.1.0 mask=255.255.255.0
10.0.2.0 mask=255.0.0.0 ------ this should be 10.0.2.0 mask=255.255.255.0
10.0.4.0 mask=255.0.0.0 ------ this should be 10.0.4.0 mask=255.255.255.0
10.0.3.0 mask=255.255.255.248 ------ this should be fine
10.1.0.0 mask=255.255.0.0 ------- this should be fine

Hope this helps

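The two points made in the replies above (an ACL is evaluated top-down and the first matching line wins, and the wildcard 0.0.255.255 covers a whole /16 rather than the /24 the poster meant) can be checked without a router. The following is an added example written for this page, not code from the thread or from Cisco: a small simulator of Cisco-style numbered extended ACL evaluation with wildcard masks. The sample flows and hosts are constructed from the prefixes in the thread (10.0.1.20, 10.0.2.5, 192.168.10.5 are made-up host addresses), and the simulator only handles `ip` entries with `any`, `host` or address/wildcard pairs, which is all the thread's list uses.

```python
# Added example (not from the thread or from Cisco): simulate how a Cisco IOS
# numbered extended ACL is evaluated, to show why line order and wildcard
# masks in access-list 100 matter. All hosts and flows below are constructed.
import ipaddress


def ip_to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def mask_to_wildcard(mask: str) -> str:
    """Subnet mask -> Cisco wildcard (bitwise inverse): 255.255.255.0 -> 0.0.0.255."""
    return str(ipaddress.IPv4Address(~ip_to_int(mask) & 0xFFFFFFFF))


def wildcard_range(base: str, wildcard: str) -> tuple[str, str]:
    """First and last address a base/wildcard pair covers."""
    b, w = ip_to_int(base), ip_to_int(wildcard)
    lo = b & ~w & 0xFFFFFFFF  # wildcard 0 bits are fixed to the base address
    hi = lo | w               # wildcard 1 bits are "don't care"
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(hi))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr falls inside the base/wildcard range."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return ip_to_int(addr) & care == ip_to_int(base) & care


def parse_ace(line: str) -> dict:
    """Parse 'access-list N permit|deny ip SRC WC|any|host A DST WC|any|host A'."""
    tok = line.split()
    if tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    pos = 4

    def take_address() -> tuple[str, str]:
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return "0.0.0.0", "255.255.255.255"
        if tok[pos] == "host":
            pos += 2
            return tok[pos - 1], "0.0.0.0"
        pos += 2
        return tok[pos - 2], tok[pos - 1]

    src = take_address()
    dst = take_address()
    return {"action": tok[2], "src": src, "dst": dst, "text": line}


def evaluate(acl_lines: list[str], src: str, dst: str) -> tuple[str, str]:
    """Top-down, first match wins; anything unmatched hits the implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"]):
            return ace["action"], ace["text"]
    return "deny", "implicit deny at end of list"


# The poster's original list and the corrected one from the thread.
ORIGINAL = [
    "access-list 100 deny ip 10.0.1.0 0.0.255.255 any",
    "access-list 100 permit ip 10.0.1.0 0.0.255.255 192.168.10.0 0.0.0.255",
    "access-list 100 permit ip any any",
]
CORRECTED = [
    "access-list 100 permit ip 10.0.1.0 0.0.0.255 192.168.10.0 0.0.0.255",
    "access-list 100 deny ip 10.0.1.0 0.0.0.255 any",
    "access-list 100 permit ip any any",
]

# Constructed sample flows: (source, destination, what the flow represents).
FLOWS = [
    ("10.0.1.20", "192.168.10.5", "VLAN 11 host -> 192.168.10.0/24 (wanted: permit)"),
    ("10.0.1.20", "10.0.2.5", "VLAN 11 host -> VLAN 12 (wanted: deny)"),
    ("10.0.2.5", "192.168.10.5", "VLAN 12 host -> 192.168.10.0/24 (wanted: permit)"),
]


def compare(flows=FLOWS) -> dict:
    """Map each flow to its verdict under the original and the corrected list."""
    return {f"{s}->{d}": (evaluate(ORIGINAL, s, d)[0], evaluate(CORRECTED, s, d)[0])
            for s, d, _ in flows}


if __name__ == "__main__":
    for s, d, why in FLOWS:
        print(f"{why}: original={evaluate(ORIGINAL, s, d)}, corrected={evaluate(CORRECTED, s, d)}")
    for base, wc in [("10.0.1.0", "0.0.255.255"), ("10.0.1.0", "0.0.0.255")]:
        print(f"{base} {wc} covers {wildcard_range(base, wc)}")
    print("255.0.0.0 as a wildcard is", mask_to_wildcard("255.0.0.0"),
          "covering", wildcard_range("10.0.0.0", mask_to_wildcard("255.0.0.0")))
```

Running it shows the first flow denied by the original order and permitted by the corrected one, and the third flow (a VLAN 12 source) denied by the original list only because the 0.0.255.255 wildcard makes the deny line match every 10.0.x.x source, not just VLAN 11. Note that the corrected list matches on source 10.0.1.0/24 only, so it constrains one direction of traffic; where it is applied and in which direction (the thread does not say) decides which packets actually pass through it, and the trailing `permit ip any any` is what keeps the other VLANs working instead of falling into the implicit deny.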

Thank you for the reply, dear.

Yes, dear, it was my writing mistake; I was just lost in the ACL and didn't really focus on writing the IPs and their subnets. Where you are saying in the post that "these don't match up", yes, that's my mistake!! Apologies for that.

Yes, the thing that I want is now working fine and good with your help.

Let me explain the scenario to you more deeply.

Initially I wanted to use one DHCP pool for all the different VLANs, but because of the different VLANs this was not happening; each VLAN needed a different DHCP pool, or you can say I did not know how to divert all the different VLANs' traffic to one DHCP pool, so I thought going with sub-netting with different DHCP pools would help me.

This question might come to your mind: why didn't I go with only one VLAN if I needed only one DHCP pool? For some reason I couldn't do this; I had to make different VLANs, considering the company's different departments.

If there is a way to use one DHCP pool for all the different VLANs, kindly let me know; it will help me to learn more.

Hope you understand all that.

I will post another query very soon and I hope you will be there to help me.

Thanks.

Regards:

HAMZA SHAHID