Beginner

Re: Best ACL config to use for full access on all vlans to access internet and other protocols from vlan 20 which is using internet & dhcp from huawei router (3650 switch) ?

Here you go :) attached txt
VIP Mentor


Hello,

 

there is a typo in your access list 101:

 

ip access-list 101 permit ip 172.16.20.0 0.0.0.255 172.16.21.0 0.0.0.255
ip access-list 101 permit ip 172.16.21.0 0.0.0.255 172.16.20.0 0.0.0.255
ip access-list 101 permit ip 172.16.20.0 0.0.0.255 172.16.22.0 0.0.0.255
ip access-list 101 permit ip 172.16.22.0 0.0.0.255 172.16.20.0 0.0.0.255
ip access-list 101 permit ip 172.16.20.0 0.0.0.255 172.16.23.0 0.0.0.255
ip access-list 101 permit ip 172.16.23.0 0.0.0.255 172.16.20.0 0.0.0.255
ip access-list 100 deny ip 172.16.20.0 0.0.0.255 172.16.0.0 0.0.255.255
ip access-list 101 permit ip 172.16.20.0 0.0.0.255 any

 

100 needs to be 101...
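
To see why that one digit matters, here is a small first-match ACL evaluator, added as an example for this thread (it is not the poster's configuration and not Cisco's own matching code). It parses the eight entries exactly as posted, flags a list number that holds a lone entry while its neighbours hold many, and evaluates sample flows against list 101 both as posted and with the deny moved into 101. Because Cisco ACLs are evaluated top to bottom and end with an implicit deny, the misplaced deny means list 101 falls through to "permit ip 172.16.20.0 0.0.0.255 any", so VLAN 20 reaches every other 172.16 network instead of only VLANs 21 to 23. The host addresses used for the lookups (.5 in each subnet, 8.8.8.8 for "the Internet") are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# The eight entries exactly as posted in the thread (constructed copy; the
# "ip access-list NNN ..." prefix is reproduced as the poster wrote it).
POSTED_ACL = """
ip access-list 101 permit ip 172.16.20.0 0.0.0.255 172.16.21.0 0.0.0.255
ip access-list 101 permit ip 172.16.21.0 0.0.0.255 172.16.20.0 0.0.0.255
ip access-list 101 permit ip 172.16.20.0 0.0.0.255 172.16.22.0 0.0.0.255
ip access-list 101 permit ip 172.16.22.0 0.0.0.255 172.16.20.0 0.0.0.255
ip access-list 101 permit ip 172.16.20.0 0.0.0.255 172.16.23.0 0.0.0.255
ip access-list 101 permit ip 172.16.23.0 0.0.0.255 172.16.20.0 0.0.0.255
ip access-list 100 deny ip 172.16.20.0 0.0.0.255 172.16.0.0 0.0.255.255
ip access-list 101 permit ip 172.16.20.0 0.0.0.255 any
"""


def _endpoint(tokens):
    """Consume one address spec ('any', 'host A.B.C.D', or 'A.B.C.D wildcard')
    and return (network, remaining_tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # A wildcard mask is the bitwise inverse of a subnet mask: 0.0.0.255 -> /24
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]


def parse_ace(line):
    """Parse '... <number> <permit|deny> ip <src> <dst>'; None for other lines."""
    t = line.split()
    if len(t) < 6 or t[:2] != ["ip", "access-list"] or t[4] != "ip":
        return None
    number, action = int(t[2]), t[3]
    src, rest = _endpoint(t[5:])
    dst, _ = _endpoint(rest)
    return number, action, src, dst


def parse_acl(text):
    """Group entries by list number, keeping their order (first match wins)."""
    acls = defaultdict(list)
    for line in text.splitlines():
        ace = parse_ace(line)
        if ace:
            acls[ace[0]].append(ace[1:])
    return dict(acls)


def evaluate(acl, src_ip, dst_ip):
    """First-match evaluation, ending with the implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return "deny"


def stray_entries(acls):
    """Heuristic for a mistyped list number: lists that hold a single entry
    while another list in the same block holds several."""
    largest = max(len(v) for v in acls.values())
    return sorted(n for n, v in acls.items() if len(v) == 1 and largest > 1)


def fixed_acl_text():
    """The same entries with the deny moved into list 101, as the reply suggests."""
    return POSTED_ACL.replace("access-list 100 ", "access-list 101 ")


if __name__ == "__main__":
    posted, fixed = parse_acl(POSTED_ACL), parse_acl(fixed_acl_text())
    print("suspect lists:", stray_entries(posted))
    for label, acl in (("as posted", posted[101]), ("after fix", fixed[101])):
        print(label, "VLAN20 -> 172.16.50.5:", evaluate(acl, "172.16.20.5", "172.16.50.5"))
    print("after fix VLAN21 -> Internet:", evaluate(fixed[101], "172.16.21.5", "8.8.8.8"))
```

Two things the evaluator makes visible that the raw text does not: order matters, so the deny only works because it sits after the six specific permits and before "permit ... any"; and even the corrected list 101 contains no entry permitting VLAN 21, 22 or 23 to reach anything other than VLAN 20, so if it were applied to traffic sourced from those VLANs the implicit deny would drop their Internet traffic. Whether that is the case depends on where the list is applied, which the thread does not show.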

Cisco Employee

Hello Hanish,

 

By default you don't have any Access Control List (ACL) applied to the VLAN SVIs (Layer 3 VLAN interfaces), so all the VLANs configured on the switch that have a VLAN SVI should be able to communicate with any other VLAN with the same settings on the switch (inter-VLAN routing). This is something that you can test by running the following commands on the switch:

 

ping 172.16.21.10 source vlan 20

ping 172.16.22.10 source vlan 20

ping 172.16.23.10 source vlan 20

 

Also, you already have IP routing enabled. So, the only thing that seems to be missing is a default route (required after enabling IP routing):

 

switch# configure terminal

switch(config)# ip route 0.0.0.0 0.0.0.0 <ip_address_default_gateway>

switch(config)# end

switch# wr

 

The <ip_address_default_gateway> should be the IP address of the device (router, firewall) that will route traffic to other networks not configured on the switch and to the Internet (in which case that device should also be performing NAT/PAT). That IP address should be within the same network segment as VLAN 20, 21, 22, or 23.

 

So, more than an access-list, what you're missing is the default route, although that next hop (the default gateway) might have ACLs configured, in which case you will need to add the rules on that device and not on the switch.

 

I hope you find this information useful.

 

Regards,

 

Beginner


I have tried that as well, but the issue here is that I'm using VLAN 20 DHCP & Internet from a Huawei router, while for the other VLANs DHCP is given from the 3650 switch. Even if I'm able to configure a default route & IP routing, I'm still unable to ping the other VLANs and give them Internet access from VLAN 20.

VIP Advisor


Hello


@hanish001 wrote:

I have tried that as well, but the issue here is that I'm using VLAN 20 DHCP & Internet from a Huawei router, while for the other VLANs DHCP is given from the 3650 switch. Even if I'm able to configure a default route & IP routing, I'm still unable to ping the other VLANs and give them Internet access from VLAN 20.


Sounds like you have an SVI on the L3 switch for this VLAN and on the router.

If that is the case, what D/G do the VLAN 20 users have in their DHCP allocation, the FW or the L3 switch?

Have you specified static routes on your Huawei router for return traffic to the L3 VLANs on the switch?

You may need to specify the switch's L3 SVI IP address on VLAN 20 in the DHCP scope on the router for the users.

Have an access port in VLAN 20 between the router and the L3 switch, plus a static route for the return path from the router to the L3 switch.

 

 

 

 



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
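
The two replies above (the Cisco Employee's default route on the switch, and Paul's return-path static routes on the Huawei router) describe one routing problem from two sides. The following is an added example, not configuration from the thread, that models both devices as longest-prefix-match routing tables and traces the flows the poster is struggling with. The addressing is assumed, since the thread gives only the /24s: switch SVIs are 172.16.<vlan>.1, the Huawei router is 172.16.20.254 on VLAN 20 and 203.0.113.2/30 on its WAN, the ISP next hop is 203.0.113.1, hosts are .5 in their subnet and 198.51.100.10 stands in for an Internet host. NAT on the router is abstracted away: the reply from the Internet is traced from the router with the private destination already restored. The `static()` method also enforces the Cisco Employee's rule that a next hop must lie on a connected segment.

```python
import ipaddress


class RoutingTable:
    """Minimal IPv4 longest-prefix-match table. A route is (network, next_hop);
    next_hop is None for a directly connected network (SVI or interface)."""

    def __init__(self, name):
        self.name, self.routes = name, []

    def connected(self, cidr):
        self.routes.append((ipaddress.ip_network(cidr), None))

    def static(self, cidr, next_hop):
        # The reply's rule: the next hop must sit in a segment the device is
        # attached to (one of the SVIs), otherwise the route is unusable.
        if not next_hop_is_connected(self, next_hop):
            raise ValueError(f"{self.name}: {next_hop} is not on a connected network")
        self.routes.append((ipaddress.ip_network(cidr), ipaddress.ip_address(next_hop)))

    def lookup(self, dst):
        d, best = ipaddress.ip_address(dst), None
        for net, via in self.routes:
            if d in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via)
        return best  # None: no route, packet dropped


def next_hop_is_connected(table, next_hop):
    nh = ipaddress.ip_address(next_hop)
    return any(nh in net for net, via in table.routes if via is None)


def trace(devices, start, dst, max_hops=8):
    """Forward a packet for dst hop by hop from device `start`.
    devices: name -> (RoutingTable, set of that device's interface IPs).
    Returns (path, status)."""
    path, dev = [start], start
    for _ in range(max_hops):
        route = devices[dev][0].lookup(dst)
        if route is None:
            return path, f"dropped at {dev}"
        via = route[1]
        if via is None:
            return path, "delivered"  # destination is on a connected network
        owner = next((n for n, (_, ips) in devices.items() if str(via) in ips), None)
        if owner is None:
            return path, f"next hop {via} is not a modelled device"
        path.append(owner)
        dev = owner
    return path, "loop"


def build_topology(router_return_routes):
    """Assumed addressing (the thread only gives the /24s): switch SVIs are
    172.16.<vlan>.1, the Huawei router is 172.16.20.254 on VLAN 20 and
    203.0.113.2/30 on its WAN, the ISP is 203.0.113.1, hosts are .5."""
    switch = RoutingTable("switch")
    for vlan in (20, 21, 22, 23):
        switch.connected(f"172.16.{vlan}.0/24")
    switch.static("0.0.0.0/0", "172.16.20.254")   # the default route the reply adds

    huawei = RoutingTable("huawei")
    huawei.connected("172.16.20.0/24")
    huawei.connected("203.0.113.0/30")
    huawei.static("0.0.0.0/0", "203.0.113.1")
    if router_return_routes:                       # Paul's return-path static routes
        for vlan in (21, 22, 23):
            huawei.static(f"172.16.{vlan}.0/24", "172.16.20.1")

    isp = RoutingTable("isp")                      # only public space is routed here
    isp.connected("203.0.113.0/30")
    isp.connected("198.51.100.0/24")

    host20 = RoutingTable("host20")                # DHCP from the router: DG is the router
    host20.connected("172.16.20.0/24")
    host20.static("0.0.0.0/0", "172.16.20.254")
    host21 = RoutingTable("host21")                # DHCP from the switch: DG is the SVI
    host21.connected("172.16.21.0/24")
    host21.static("0.0.0.0/0", "172.16.21.1")

    return {
        "switch": (switch, {f"172.16.{v}.1" for v in (20, 21, 22, 23)}),
        "huawei": (huawei, {"172.16.20.254", "203.0.113.2"}),
        "isp": (isp, {"203.0.113.1"}),
        "host20": (host20, {"172.16.20.5"}),
        "host21": (host21, {"172.16.21.5"}),
    }


def scenarios(router_return_routes):
    """The flows discussed in the thread; NAT is abstracted away, so the reply
    from the Internet is traced from the router with the private destination."""
    d = build_topology(router_return_routes)
    return {
        "vlan21 -> internet": trace(d, "host21", "198.51.100.10"),
        "internet reply -> vlan21": trace(d, "huawei", "172.16.21.5"),
        "vlan20 host (DG router) -> vlan21": trace(d, "host20", "172.16.21.5"),
    }


if __name__ == "__main__":
    for fixed in (False, True):
        print("router has return routes:", fixed)
        for flow, (path, status) in scenarios(fixed).items():
            print(f"  {flow}: {' -> '.join(path)} : {status}")
```

With only the switch's default route in place, the outbound half of a VLAN 21 flow already reaches the Internet, which is why "I have the default route and it still does not work" is consistent with the reply being correct: the reply packet leaves the router by its default route and is dropped upstream, because the router has no route for 172.16.21.0/24. Adding the three static routes via the switch SVI fixes both that and the VLAN 20 host case, whose gateway is the router. Paul's other option, handing VLAN 20 clients the switch SVI as default gateway, corresponds to changing host20's default route to 172.16.20.1 in `build_topology`.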