1657 Views | 0 Helpful | 19 Replies

Best ACL config to use for full access on all VLANs to access the internet and other protocols from VLAN 20, which is using internet & DHCP from a Huawei router (3650 switch)?

hanish001
Level 1

Switch#show run
Building configuration...

Current configuration : 6508 bytes
!
! Last configuration change at 07:38:02 UTC Sun Sep 9 2018
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
no aaa new-model
switch 1 provision ws-c3650-48ts
ip routing
!
ip device tracking
!
ip dhcp pool VT-Staff
network 172.16.21.0 255.255.255.0
default-router 172.16.21.10
!
ip dhcp pool Access-Control
network 172.16.22.0 255.255.255.0
default-router 172.16.22.10
!
ip dhcp pool Test
network 172.16.23.0 255.255.255.0
default-router 172.16.23.10
!
!
vtp mode transparent
!
crypto pki trustpoint TP-self-signed-2279950618
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2279950618
revocation-check none
rsakeypair TP-self-signed-2279950618
!
!
crypto pki certificate chain TP-self-signed-2279950618
certificate self-signed 01
3082023E 308201A7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32323739 39353036 3138301E 170D3138 30393039 30353239
31305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 32373939
35303631 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B3DF 343ED1F9 2AF91483 68A62A94 945A0DFD 2D81F645 89F41F49 72FEE0EF
5F5C0B69 8B4612D7 60BFAE78 F85A57DB 8A0F4CC0 AC0F689D 985DB565 923BE00E
542B4831 A62B4FBA 7DEADD1E 6B2C55E5 7D7D9487 15B3B8C9 EFB24DE1 F543FEB3
EE5B2B57 BEAA4395 29A49374 964BB7AB 2C144E08 82F70834 9C9323AE F06BC847
E3D90203 010001A3 66306430 0F060355 1D130101 FF040530 030101FF 30110603
551D1104 0A300882 06537769 74636830 1F060355 1D230418 30168014 FF07AFAE
9B3F6BC4 85BA9406 8086F67A 39D1503F 301D0603 551D0E04 160414FF 07AFAE9B
3F6BC485 BA940680 86F67A39 D1503F30 0D06092A 864886F7 0D010104 05000381
810012E9 AC8A2B4E F89E4BBE A31DD95B 16029356 8D554522 1364DE7E 979C7839
1BE1E038 6AB1C694 FCA3E35A 07F7C3C7 D917C21B 14409815 379659A1 FD81E1DE
86FA36AD 46A1DC95 CBF16533 46EB132B C05C2C22 C4E5FA0B 3223E518 D6B8FC71
7A25E7AA 1B485EEE 469E63E2 1B875CF9 88116B6E 17015F66 5C1BC63E 70D9F4C9 F0EC
quit
!
!
!
!
!
diagnostic bootup level minimal
spanning-tree mode pvst
spanning-tree extend system-id
!
redundancy
mode sso
!
!
vlan 20
name VT-Servers
!
vlan 21
name VT-Staff
!
vlan 22
name Access-Control
!
vlan 23
name Test
!
!
class-map match-any non-client-nrt-class
match non-client-nrt
!
policy-map port_child_policy
class non-client-nrt-class
bandwidth remaining ratio 10
!
!
!
!
!
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
no ip address
negotiation auto
!
interface GigabitEthernet1/0/1
switchport trunk native vlan 20
switchport trunk allowed vlan 21-23
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
switchport access vlan 20
switchport trunk allowed vlan 21-23
switchport mode access
!
interface GigabitEthernet1/0/4
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/0/5
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/0/6
switchport access vlan 21
switchport mode access
!
interface GigabitEthernet1/0/7
switchport access vlan 21
switchport mode access
!
interface GigabitEthernet1/0/8
switchport access vlan 21
switchport mode access
!
interface GigabitEthernet1/0/9
switchport access vlan 21
switchport mode access
!
interface GigabitEthernet1/0/10
switchport access vlan 21
switchport mode access
!
interface GigabitEthernet1/0/11
switchport access vlan 22
switchport mode access
!
interface GigabitEthernet1/0/12
switchport access vlan 22
switchport mode access
!
interface GigabitEthernet1/0/13
switchport access vlan 22
switchport mode access
!
interface GigabitEthernet1/0/14
switchport access vlan 22
switchport mode access
!
interface GigabitEthernet1/0/15
switchport access vlan 22
switchport mode access
!
interface GigabitEthernet1/0/16
switchport access vlan 23
switchport mode access
!
interface GigabitEthernet1/0/17
switchport access vlan 23
switchport mode access
!
interface GigabitEthernet1/0/18
switchport access vlan 23
switchport mode access
!
interface GigabitEthernet1/0/19
switchport access vlan 23
switchport mode access
!
interface GigabitEthernet1/0/20
switchport access vlan 23
switchport mode access
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface GigabitEthernet1/0/29
!
interface GigabitEthernet1/0/30
!
interface GigabitEthernet1/0/31
!
interface GigabitEthernet1/0/32
!
interface GigabitEthernet1/0/33
!
interface GigabitEthernet1/0/34
!
interface GigabitEthernet1/0/35
!
interface GigabitEthernet1/0/36
!
interface GigabitEthernet1/0/37
!
interface GigabitEthernet1/0/38
!
interface GigabitEthernet1/0/39
!
interface GigabitEthernet1/0/40
!
interface GigabitEthernet1/0/41
!
interface GigabitEthernet1/0/42
!
interface GigabitEthernet1/0/43
!
interface GigabitEthernet1/0/44
!
interface GigabitEthernet1/0/45
!
interface GigabitEthernet1/0/46
!
interface GigabitEthernet1/0/47
!
interface GigabitEthernet1/0/48
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface Vlan1
no ip address
shutdown
!
interface Vlan20
ip address 192.168.8.10 255.255.255.0
!
interface Vlan21
ip address 172.16.21.10 255.255.255.0
!
interface Vlan22
ip address 172.16.22.10 255.255.255.0
!
interface Vlan23
ip address 172.16.23.10 255.255.255.0
!
ip http server
ip http authentication local
ip http secure-server
!
!
!
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
line vty 5 15
login
!
wsma agent exec
profile httplistener
profile httpslistener
wsma agent config
profile httplistener
profile httpslistener
wsma agent filesys
profile httplistener
profile httpslistener
wsma agent notify
profile httplistener
profile httpslistener
!
wsma profile listener httplistener
transport http
!
wsma profile listener httpslistener
transport https
ap group default-group
end

19 Replies

Here you go :) attached txt

Hello,

there is a typo in your access list 101:

access-list 101 permit ip 172.16.20.0 0.0.0.255 172.16.21.0 0.0.0.255
access-list 101 permit ip 172.16.21.0 0.0.0.255 172.16.20.0 0.0.0.255
access-list 101 permit ip 172.16.20.0 0.0.0.255 172.16.22.0 0.0.0.255
access-list 101 permit ip 172.16.22.0 0.0.0.255 172.16.20.0 0.0.0.255
access-list 101 permit ip 172.16.20.0 0.0.0.255 172.16.23.0 0.0.0.255
access-list 101 permit ip 172.16.23.0 0.0.0.255 172.16.20.0 0.0.0.255
access-list 100 deny ip 172.16.20.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 101 permit ip 172.16.20.0 0.0.0.255 any

100 needs to be 101...
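The mistyped number matters more than it looks: on IOS a numbered ACL line is filed under whatever number it carries, so the deny line is stored as access-list 100 while list 101 contains only permits, and the final entry of 101 lets VLAN 20 reach everything, including the rest of 172.16.0.0/16 the deny was meant to block. The following is an added example, not the poster's attachment or the reply author's code, showing the same policy as one named extended ACL with sequence numbers, bound to the VLAN 20 SVI, plus the commands that expose such a split. It uses 192.168.8.0/24 for VLAN 20 because that is the Vlan20 address in the posted show run; the quoted list uses 172.16.20.0/24, which the running config does not contain, so use whichever subnet is actually in use. The ACL name and the inbound binding on Vlan20 are assumptions. The reverse-direction entries of the quoted list are not needed inbound on Vlan20, because replies from VLANs 21 to 23 enter the switch on their own SVIs, which carry no ACL.

```cisco
! Added example (not the poster's attachment or the reply author's code).
! One named extended ACL carrying the whole policy; the deny that was
! mistyped into list 100 now sits at sequence 40, between the specific
! permits and the final permit-any. Subnet 192.168.8.0/24 is VLAN 20 in the
! posted show run; the ACL name and the SVI binding are assumptions.
ip access-list extended VLAN20-POLICY
 10 permit ip 192.168.8.0 0.0.0.255 172.16.21.0 0.0.0.255
 20 permit ip 192.168.8.0 0.0.0.255 172.16.22.0 0.0.0.255
 30 permit ip 192.168.8.0 0.0.0.255 172.16.23.0 0.0.0.255
 35 remark specific permits above, broad deny below: the order is the policy
 40 deny ip 192.168.8.0 0.0.0.255 172.16.0.0 0.0.255.255
 50 permit ip 192.168.8.0 0.0.0.255 any
 ! an implicit "deny ip any any" follows the last entry
!
! Inbound on the VLAN 20 SVI: evaluated on packets from VLAN 20 sources that
! the switch routes toward the other VLANs or along its default route.
interface Vlan20
 ip access-group VLAN20-POLICY in
!
! Verification (exec mode):
!   show ip access-lists VLAN20-POLICY      -> entries in order, with hit counts
!   show ip interface Vlan20 | include access list
!   show access-lists                       -> with the original typo this shows
!                                              a separate list 100 next to 101
```

The sequence numbers are there so that a later `ip access-list extended VLAN20-POLICY` edit can insert an entry between 30 and 40 without re-entering the list, and `show ip access-lists` with zero hits on sequence 40 is the quickest sign that the deny is not where the traffic is.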

Hello Hanish,

By default you don't have any Access Control List (ACL) applied to the VLAN SVIs (Layer 3 VLAN interfaces), so all the VLANs configured on the switch that have a VLAN SVI should be able to communicate with any other VLAN with the same settings on the switch (inter-VLAN routing). This is something that you can test by running the following commands on the switch:

ping 172.16.21.10 source vlan 20
ping 172.16.22.10 source vlan 20
ping 172.16.23.10 source vlan 20

Also, you already have IP routing enabled. So, the only thing that seems to be missing is a default route (required after enabling IP routing):

switch# configure terminal
switch(config)# ip route 0.0.0.0 0.0.0.0 <ip_address_default_gateway>
switch(config)# end
switch# wr

The <ip_address_default_gateway> should be the IP address of the device (router, firewall) that will be routing the traffic to other networks not configured on the switch and to the Internet (in which case that device should also be performing NAT/PAT). That IP address should be within the same network segment as VLAN 20, or 21, or 22, or 23.

So, more than the access-list, what you're missing is the default route, although that next hop (the default gateway) might have ACLs configured, in which case you will need to add the rules on that device and not on the switch.

I hope you find this information useful.

Regards,

 

I have tried that as well, but the issue here is I'm using VLAN 20 DHCP & internet from a Huawei router, but for the other VLANs the DHCP is given from the 3650 switch. Even if I'm able to give a default route & IP routing, I'm still unable to ping the other VLANs and give them internet access from VLAN 20.

Hello


@hanish001 wrote:

I have tried that as well, but the issue here is I'm using VLAN 20 DHCP & internet from a Huawei router, but for the other VLANs the DHCP is given from the 3650 switch. Even if I'm able to give a default route & IP routing, I'm still unable to ping the other VLANs and give them internet access from VLAN 20.


Sounds like you have an SVI on the L3 switch for this VLAN and on the router.

If that is the case, what D/G do the VLAN 20 users have in their DHCP allocation, the FW or the L3 switch?

Have you specified static routes on your Huawei router for return traffic to the L3 VLANs on the switch?

You may need to specify the switch's L3 SVI IP address on VLAN 20 in the DHCP scope on the router for the users.

Have an access port in VLAN 20 between the router and the L3 switch, plus a static route for the return path from the router to the L3 switch.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community's global network.

Kind Regards
Paul
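Putting Paul's three points together with the default route from the earlier reply, here is an added example of both sides, constructed for this thread and not taken from Paul, the poster or either vendor. Values taken from the posted show run: the switch's Vlan20 SVI 192.168.8.10 and the three switch-hosted subnets 172.16.21.0/24 to 172.16.23.0/24. Assumptions: the Huawei router's VLAN 20 address is 192.168.8.1, and GigabitEthernet1/0/1 is the link to the router. That port deserves a look in any case: the posted config gives it `switchport trunk native vlan 20` but allows only VLANs 21-23 and never sets `switchport mode trunk`, so VLAN 20 frames do not cross it as configured, whether or not it ends up trunking. Without the return routes on the router, replies addressed to 172.16.21-23/24 follow the router's own default route toward the ISP, which is why pings fail even after the switch has a default route.

```cisco
! ---- Cisco 3650 side (IOS), added example ----
! Reset Gi1/0/1 and make it a plain VLAN 20 access port toward the router
! (assumption: Gi1/0/1 is the router link).
default interface GigabitEthernet1/0/1
interface GigabitEthernet1/0/1
 description Link to Huawei router, VLAN 20 access
 switchport access vlan 20
 switchport mode access
!
! Everything the switch has no route for (the Internet) goes to the router.
! 192.168.8.1 is an assumed router address, not one from the thread.
ip route 0.0.0.0 0.0.0.0 192.168.8.1
!
! Checks after applying (exec mode):
!   show ip route static      -> expect S* 0.0.0.0/0 via 192.168.8.1
!   show interfaces GigabitEthernet1/0/1 switchport | include Access Mode VLAN
!   ping 192.168.8.1

# ---- Huawei router side (VRP), added example ----
# Return routes: replies for the switch-hosted subnets must be sent to the
# switch's Vlan20 SVI (192.168.8.10, from the posted show run) instead of
# following the router's default route.
system-view
ip route-static 172.16.21.0 255.255.255.0 192.168.8.10
ip route-static 172.16.22.0 255.255.255.0 192.168.8.10
ip route-static 172.16.23.0 255.255.255.0 192.168.8.10
return
# Check: display ip routing-table protocol static
```

Two consequences follow. VLAN 20 hosts keep the router as their gateway from the router's DHCP, so their traffic to 172.16.21-23/24 goes to the router first and is sent back to the switch by the static routes, the hairpin Paul is asking about; handing out 192.168.8.10 as the gateway in the router's DHCP scope instead, as he suggests, removes that extra hop. And the router's NAT for Internet traffic must cover the 172.16.21-23 sources as well, because the switch does no address translation; the return routes alone do not give those VLANs Internet access.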