Best ACL config to use for full access on all VLANs to access internet and other protocols from VLAN 20, which is using internet & DHCP from a Huawei router (3650 switch)?

hanish001
Level 1

Switch#show run
Building configuration...

Current configuration : 6508 bytes
!
! Last configuration change at 07:38:02 UTC Sun Sep 9 2018
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
no aaa new-model
switch 1 provision ws-c3650-48ts
ip routing
!
ip device tracking
!
ip dhcp pool VT-Staff
network 172.16.21.0 255.255.255.0
default-router 172.16.21.10
!
ip dhcp pool Access-Control
network 172.16.22.0 255.255.255.0
default-router 172.16.22.10
!
ip dhcp pool Test
network 172.16.23.0 255.255.255.0
default-router 172.16.23.10
!
!
vtp mode transparent
!
crypto pki trustpoint TP-self-signed-2279950618
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2279950618
revocation-check none
rsakeypair TP-self-signed-2279950618
!
!
crypto pki certificate chain TP-self-signed-2279950618
certificate self-signed 01
quit
!
!
!
!
!
diagnostic bootup level minimal
spanning-tree mode pvst
spanning-tree extend system-id
!
redundancy
mode sso
!
!
vlan 20
name VT-Servers
!
vlan 21
name VT-Staff
!
vlan 22
name Access-Control
!
vlan 23
name Test
!
!
class-map match-any non-client-nrt-class
match non-client-nrt
!
policy-map port_child_policy
class non-client-nrt-class
bandwidth remaining ratio 10
!
!
!
!
!
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
no ip address
negotiation auto
!
interface GigabitEthernet1/0/1
switchport trunk native vlan 20
switchport trunk allowed vlan 21-23
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
switchport access vlan 20
switchport trunk allowed vlan 21-23
switchport mode access
!
interface GigabitEthernet1/0/4
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/0/5
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/0/6
switchport access vlan 21
switchport mode access
!
interface GigabitEthernet1/0/7
switchport access vlan 21
switchport mode access
!
interface GigabitEthernet1/0/8
switchport access vlan 21
switchport mode access
!
interface GigabitEthernet1/0/9
switchport access vlan 21
switchport mode access
!
interface GigabitEthernet1/0/10
switchport access vlan 21
switchport mode access
!
interface GigabitEthernet1/0/11
switchport access vlan 22
switchport mode access
!
interface GigabitEthernet1/0/12
switchport access vlan 22
switchport mode access
!
interface GigabitEthernet1/0/13
switchport access vlan 22
switchport mode access
!
interface GigabitEthernet1/0/14
switchport access vlan 22
switchport mode access
!
interface GigabitEthernet1/0/15
switchport access vlan 22
switchport mode access
!
interface GigabitEthernet1/0/16
switchport access vlan 23
switchport mode access
!
interface GigabitEthernet1/0/17
switchport access vlan 23
switchport mode access
!
interface GigabitEthernet1/0/18
switchport access vlan 23
switchport mode access
!
interface GigabitEthernet1/0/19
switchport access vlan 23
switchport mode access
!
interface GigabitEthernet1/0/20
switchport access vlan 23
switchport mode access
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface GigabitEthernet1/0/29
!
interface GigabitEthernet1/0/30
!
interface GigabitEthernet1/0/31
!
interface GigabitEthernet1/0/32
!
interface GigabitEthernet1/0/33
!
interface GigabitEthernet1/0/34
!
interface GigabitEthernet1/0/35
!
interface GigabitEthernet1/0/36
!
interface GigabitEthernet1/0/37
!
interface GigabitEthernet1/0/38
!
interface GigabitEthernet1/0/39
!
interface GigabitEthernet1/0/40
!
interface GigabitEthernet1/0/41
!
interface GigabitEthernet1/0/42
!
interface GigabitEthernet1/0/43
!
interface GigabitEthernet1/0/44
!
interface GigabitEthernet1/0/45
!
interface GigabitEthernet1/0/46
!
interface GigabitEthernet1/0/47
!
interface GigabitEthernet1/0/48
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface Vlan1
no ip address
shutdown
!
interface Vlan20
ip address 192.168.8.10 255.255.255.0
!
interface Vlan21
ip address 172.16.21.10 255.255.255.0
!
interface Vlan22
ip address 172.16.22.10 255.255.255.0
!
interface Vlan23
ip address 172.16.23.10 255.255.255.0
!
ip http server
ip http authentication local
ip http secure-server
!
!
!
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
line vty 5 15
login
!
wsma agent exec
profile httplistener
profile httpslistener
wsma agent config
profile httplistener
profile httpslistener
wsma agent filesys
profile httplistener
profile httpslistener
wsma agent notify
profile httplistener
profile httpslistener
!
wsma profile listener httplistener
transport http
!
wsma profile listener httpslistener
transport https
ap group default-group
end

19 Replies

Hello,

What do you want to accomplish? VLAN 20 to access all other VLANs and the Internet? What about the other VLANs? What do they need to access?

Yes, I wanted VLAN 20 to access all other VLANs.

VLAN 21 to have internet access from VLAN 20 & access full features from VLAN 20.

That's about it.

Hello,

--> Yes, I wanted VLAN 20 to access all other VLANs.

VLAN 21 to have internet access from VLAN 20 & access full features from VLAN 20.

That's about it.

It is unclear what you mean by that. You have 4 VLANs. The info we need is: what access does each VLAN need? Below is an example:

Vlan 20
Access to: Internet/Vlan 21/22/23

Vlan 21
Access to: Internet/Vlan 20

Vlan 22
Access to: Internet/Vlan 20/23

Vlan 23
Access to: Internet/Vlan 21/22

Yes, that's exactly what I require.

But I'm a bit unsure on the ACL config to use.

WHAT do you require? I just gave an example, which I doubt matches what you require. Fill in which VLAN needs to access which other VLAN...

Vlan 20
Access to: Internet/Vlan 21/22/23

Vlan 21
Access to: Internet/Vlan 20

Vlan 22
Access to: Internet/Vlan 20/23

Vlan 23
Access to: Internet/Vlan 20/22

Here you go, this is exactly what I want to achieve.

Hello,

The below should work. IP addresses used probably don't reflect your own, so adjust them accordingly:

Vlan 20 192.168.20.0/24
Vlan 21 192.168.21.0/24
Vlan 22 192.168.22.0/24
Vlan 23 192.168.23.0/24
!
! Numbered extended ACLs are entered as "access-list <100-199> ..."; "ip access-list" expects a name.
! Each list is applied inbound on its SVI: the permits allow the wanted VLAN pairs, the deny for
! 192.168.0.0/16 blocks the remaining VLANs, and the final permit lets everything else (Internet) through.
access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.21.0 0.0.0.255
access-list 101 permit ip 192.168.21.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.22.0 0.0.0.255
access-list 101 permit ip 192.168.22.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.23.0 0.0.0.255
access-list 101 permit ip 192.168.23.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 deny ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.20.0 0.0.0.255 any
!
access-list 102 permit ip 192.168.21.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 102 permit ip 192.168.20.0 0.0.0.255 192.168.21.0 0.0.0.255
access-list 102 deny ip 192.168.21.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 192.168.21.0 0.0.0.255 any
!
access-list 103 permit ip 192.168.22.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 103 permit ip 192.168.20.0 0.0.0.255 192.168.22.0 0.0.0.255
access-list 103 permit ip 192.168.22.0 0.0.0.255 192.168.23.0 0.0.0.255
access-list 103 permit ip 192.168.23.0 0.0.0.255 192.168.22.0 0.0.0.255
access-list 103 deny ip 192.168.22.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 103 permit ip 192.168.22.0 0.0.0.255 any
!
access-list 104 permit ip 192.168.23.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 104 permit ip 192.168.20.0 0.0.0.255 192.168.23.0 0.0.0.255
access-list 104 permit ip 192.168.23.0 0.0.0.255 192.168.22.0 0.0.0.255
access-list 104 permit ip 192.168.22.0 0.0.0.255 192.168.23.0 0.0.0.255
access-list 104 deny ip 192.168.23.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 104 permit ip 192.168.23.0 0.0.0.255 any
!
interface Vlan20
ip address 192.168.20.1 255.255.255.0
ip access-group 101 in
!
interface Vlan21
ip address 192.168.21.1 255.255.255.0
ip access-group 102 in
!
interface Vlan22
ip address 192.168.22.1 255.255.255.0
ip access-group 103 in
!
interface Vlan23
ip address 192.168.23.1 255.255.255.0
ip access-group 104 in

Hello

Vlan 21
Access to: Internet/Vlan 20

ip access-list extended allowvlan20
deny   ip 22.22.22.0 0.0.0.255 any
deny   ip 23.23.23.0 0.0.0.255 any
permit ip any any

int vlan 21
ip access-group allowvlan20 out

Vlan 22
Access to: Internet/Vlan 20/23

ip access-list extended allowvlan20-23
deny   ip 21.21.21.0 0.0.0.255 any
permit ip any any

int vlan 22
ip access-group allowvlan20-23 out

Vlan 23
Access to: Internet/Vlan 20/22

ip access-list extended allowvlan20-22
deny   ip 21.21.21.0 0.0.0.255 any
permit ip any any

int vlan 23
ip access-group allowvlan20-22 out

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
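
Added example, not code from either reply: a first-match evaluator for access lists 101-104 from the earlier reply, checked against the access matrix the question asked for; the same top-down, implicit-deny rule decides the named lists applied outbound in the reply just above. It assumes one constructed host per VLAN (192.168.2x.10), ACLs 101-104 mapped to Vlan20-23, and 198.51.100.10 (TEST-NET-2) standing in for an Internet host; lines whose source is another VLAN are omitted because they cannot match inbound on that SVI.

```python
import ipaddress
# Added example (not the thread's code): ACLs 101-104 from the earlier reply, keeping only lines
# that can match inbound on their SVI (a line sourced from another VLAN never matches there).
ACL_TEXT = """
access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.21.0 0.0.0.255
access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.22.0 0.0.0.255
access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.23.0 0.0.0.255
access-list 101 deny ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.20.0 0.0.0.255 any
access-list 102 permit ip 192.168.21.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 102 deny ip 192.168.21.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 192.168.21.0 0.0.0.255 any
access-list 103 permit ip 192.168.22.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 103 permit ip 192.168.22.0 0.0.0.255 192.168.23.0 0.0.0.255
access-list 103 deny ip 192.168.22.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 103 permit ip 192.168.22.0 0.0.0.255 any
access-list 104 permit ip 192.168.23.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 104 permit ip 192.168.23.0 0.0.0.255 192.168.22.0 0.0.0.255
access-list 104 deny ip 192.168.23.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 104 permit ip 192.168.23.0 0.0.0.255 any
"""
VLAN_ACL = {"vlan20": 101, "vlan21": 102, "vlan22": 103, "vlan23": 104}  # ACL applied "in" per SVI
# Constructed sample hosts; 198.51.100.10 (TEST-NET-2) stands in for an Internet destination.
SAMPLE_HOST = {**{f"vlan{v}": f"192.168.{v}.10" for v in (20, 21, 22, 23)}, "internet": "198.51.100.10"}
def _net(tok):
    """'any' or 'addr wildcard' -> (network, tokens consumed)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    prefix = 32 - bin(int(ipaddress.ip_address(tok[1]))).count("1")  # contiguous wildcard -> /len
    return ipaddress.ip_network(f"{tok[0]}/{prefix}", strict=False), 2

def parse_acls(text):
    """Group 'access-list N permit|deny ip SRC DST' lines by ACL number, keeping their order."""
    acls = {}
    for tok in (line.split() for line in text.split("\n") if line.strip()):
        src, used = _net(tok[4:])
        dst, _ = _net(tok[4 + used:])
        acls.setdefault(int(tok[1]), []).append((tok[2], src, dst))
    return acls

def acl_action(entries, src, dst):
    """IOS semantics: top-down first match, otherwise the implicit 'deny ip any any'."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return next((a for a, s, d in entries if src in s and dst in d), "deny")

def reachability(acls):
    """Per VLAN, the sample destinations its inbound SVI ACL permits."""
    return {v: sorted(d for d, ip in SAMPLE_HOST.items()
                      if d != v and acl_action(acls[n], SAMPLE_HOST[v], ip) == "permit")
            for v, n in VLAN_ACL.items()}
```

The deny for 192.168.0.0/16 only blocks the other VLANs when all of them sit in that range; with the addressing in the posted config (VLAN 20 in 192.168.8.0/24, VLANs 21-23 in 172.16.x.0/24) that line must also cover 172.16.0.0/16, or the trailing permit any lets inter-VLAN traffic through.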

Nope, did not go through.

For example: I still can't ping my VLAN 20 from VLAN 21 / VLAN 21 to VLAN 20.

Disabled the firewall on the PCs to ping as well, still can't ping.

Nor did I get any internet on my VLAN 21 from VLAN 20.

Did you try this approach?



Kind Regards
Paul

Yes I did, still faced the same issue.

Hello

Well then, I suggest you remove ALL ACLs from all SVIs and make sure you can successfully reach each VLAN from each other, then apply your ACLs.

Also, I noticed you have different native VLANs applied to certain trunks, so do these native VLANs match on either side of the trunks they attach to?

You have VTP transparent applied, so have you made sure you have all your L2 VLANs in each switch?

And as suggested by @andresfr, you don't have any default route applied for off-site traffic.

Lastly, make sure ip routing is disabled on all switches other than your L3 switch.



Kind Regards
Paul


Hello,

Post the full config of the switch with the access lists configured and applied. The order of entry matters...
