Blocking traffic using ACLs and encountered problems.

Ketan Bheda (Level 1)

Hello People,

Hope things are going well.

Please refer to the image in which I have designed a complete infrastructure; things are working fine. In the diagram I have applied the ACLs in such a way that the VLAN 10, 20, 30 networks of Mumbai should not communicate with the VLAN 10, 20 networks of Delhi. Here I have given full provision for the IT department (VLAN 40 in Mumbai and VLAN 30 in Delhi) to communicate with each other.

But I have encountered a problem: reachability from the IT department to any other department in a different location is not possible. To clarify, if I try to reach the VLAN 10 network in Delhi from the VLAN 40 network in Mumbai, I get "Request timed out" as the response.

So in turn what I observed is that my IT department VLANs, on the networks 192.168.40.* in Mumbai and 10.10.30.* in Delhi, cannot communicate with any other VLAN located in a different location.

Can anyone please tell me how to resolve this issue?

[Images: Mumbai Location; Delhi Location; Ping report from IT VLAN 40 to VLAN 10 of Delhi; Ping from VLAN 30 of Mumbai to VLAN 10 of Delhi (successfully implemented)]


10 Replies

Mark Malone (VIP Alumni)

Have you blocked the subnets in the ACLs you applied? If you remove the ACL as a test, do the subnets have reachability again?

If it's an ACL issue, provide the ACLs you have put in place and exactly where they are applied.

 

Hi Mark,

Thank you for your attention!

I haven't applied ACLs on the subnet. To clarify, I would like to share with you the configuration I have done.

MUM-RT01

MUM-RT01#sh run
Building configuration...

Current configuration : 1659 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname MUM-RT01
!
!
!
enable secret 5 $1$mERr$iReMtoOFQEl2wyGEfLcyU/
!
!
!
!
!
!
username ntw1 password 0 support
!
!
!
!
!
ip ssh version 2
ip domain-name abc.com
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation dot1Q 10
ip address 192.168.10.100 255.255.255.0
!
interface FastEthernet0/0.2
encapsulation dot1Q 20
ip address 192.168.20.100 255.255.255.0
!
interface FastEthernet0/0.3
encapsulation dot1Q 30
ip address 192.168.30.100 255.255.255.0
!
interface FastEthernet0/0.4
encapsulation dot1Q 40
ip address 192.168.40.100 255.255.255.0
!
interface FastEthernet0/0.5
encapsulation dot1Q 1 native
no ip address
!
interface FastEthernet1/0
ip address 192.1.12.1 255.255.255.0
ip access-group 1 in
duplex auto
speed auto
!
interface Serial2/0
no ip address
shutdown
!
interface Serial3/0
no ip address
shutdown
!
interface FastEthernet4/0
no ip address
shutdown
!
interface FastEthernet5/0
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
!
router bgp 100
bgp log-neighbor-changes
no synchronization
neighbor 192.1.12.2 remote-as 200
network 192.1.12.0
network 192.168.10.0
network 192.168.20.0
network 192.168.30.0
network 192.168.40.0
!
ip classless
!
!
access-list 1 deny 10.10.10.0 0.0.0.255
access-list 1 deny 10.10.20.0 0.0.0.255
access-list 1 permit any
!
!
!
!
!
logging 192.168.40.50
line con 0
password cisco
login
!
line aux 0
!
line vty 0 4
login local
!
!
ntp server 192.168.40.50 key 0
!
end

The configuration for Delhi-CRT01 is attached. Kindly find the attachment.

Thank you

You're using EBGP; it's a transport protocol, not a routing protocol by design, so it needs either an IGP configured to work with it, like OSPF, EIGRP etc., or at least static routing in place as the layer 3 transport mechanism.

Hi Mark,

Thanks again, but please clarify for me whether I should use BGP in the current topology?

My intention was to make my LAN reach the Internet; in this case it was 4.4.4.4 and 8.8.8.8.

I can achieve that via BGP. Now my confusion is where to use BGP, and if not BGP, what instead of it? I understood it's a transport protocol but was not aware of this behaviour of the protocol.

Should I use GRE tunneling? Also, in a real scenario, does everyone face the problem as I face it?

In real-world design, take a standard network: you would use BGP when communicating with the ISP. In its internal LAN network it may use something like EIGRP; the EIGRP is then redistributed into the BGP off into the ISP. The ISP may then use MPLS to transport your networks across its ISP network to your other office, back into BGP and then back into the local IGP. The old rule is that before a BGP route is advertised and added to the routing table, this route must be known via an IGP. It's not GRE tunneling you require, it's routing: the networks need to be in an IGP. This is standard design in real-world scenarios.

Office to office across an ISP:

LAN EIGRP into BGP - (ISP MPLS Network) - BGP - EIGRP LAN

Hi Mark,

Thanks for the clarification on the real scenario.

You can check my reply below; I have performed certain modifications to both the configs and the objectives.

I have also made changes by removing BGP and implementing static routes instead to achieve the goals.

Thank you so much.


Hello
You first need to make sure these networks are reachable to/from each site; then you can apply an extended ACL so it looks at the source and destination traffic on each subinterface of each VLAN.

Mumbai
! Delhi VLAN 10, 20 and 30 use 10.10.10.0/24, 10.10.20.0/24 and 10.10.30.0/24 (from the posted Delhi config)
ip access-list extended no-Delhi
 deny ip any 10.10.10.0 0.0.0.255
 deny ip 10.10.10.0 0.0.0.255 any
 deny ip any 10.10.20.0 0.0.0.255
 deny ip 10.10.20.0 0.0.0.255 any
 deny ip any 10.10.30.0 0.0.0.255
 deny ip 10.10.30.0 0.0.0.255 any
 permit ip any any

! IT VLAN 40 may reach Delhi VLAN 30 but not Delhi VLAN 10 or 20
ip access-list extended Delhi-vl30
 deny ip any 10.10.10.0 0.0.0.255
 deny ip 10.10.10.0 0.0.0.255 any
 deny ip any 10.10.20.0 0.0.0.255
 deny ip 10.10.20.0 0.0.0.255 any
 permit ip any any

! apply the same two lines on each of fa0/0.1, fa0/0.2 and fa0/0.3
interface FastEthernet0/0.1
 ip access-group no-Delhi in
 ip access-group no-Delhi out

interface FastEthernet0/0.4
 ip access-group Delhi-vl30 in
 ip access-group Delhi-vl30 out

Amend the above for Delhi as applicable.

Regards

Paul

Kind Regards
Paul

Hi Paul,

Thank you for the assist.

But the code you have provided has landed me at the same issue I was facing before.

I have successfully accomplished my task with a little modification to the objective.

In my infrastructure I have now implemented ACLs with the following objectives to meet:

1) Here the access list is designed in such a way that it will not allow VLAN 10, 20, 30 of Mumbai to communicate with VLAN 10, 20 of Delhi.

2) All the VLANs of Mumbai can communicate with VLAN 30 of Delhi (and vice versa), and all the VLANs of Delhi can communicate with VLAN 40 of Mumbai (and vice versa).

3) So in short we can state that the IT VLANs (VLAN 40 of Mumbai and VLAN 30 of Delhi) have access to the entire infrastructure.

Below are the configs for the same:

Mumbai Router

MUM-RT01#sh run
Building configuration...

Current configuration : 1452 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname MUM-RT01
!
!
!
enable secret 5 $1$mERr$iReMtoOFQEl2wyGEfLcyU/
!
!
!
!
!
!
username ntw1 password 0 support
!
!
!
!
!
ip ssh version 2
ip domain-name abc.com
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation dot1Q 10
ip address 192.168.10.100 255.255.255.0
ip access-group nodelhi in
!
interface FastEthernet0/0.2
encapsulation dot1Q 20
ip address 192.168.20.100 255.255.255.0
ip access-group nodelhi in
!
interface FastEthernet0/0.3
encapsulation dot1Q 30
ip address 192.168.30.100 255.255.255.0
ip access-group nodelhi in
!
interface FastEthernet0/0.4
encapsulation dot1Q 40
ip address 192.168.40.100 255.255.255.0
!
interface FastEthernet1/0
ip address 192.1.12.1 255.255.255.0
duplex auto
speed auto
!
interface Serial2/0
no ip address
shutdown
!
interface Serial3/0
no ip address
shutdown
!
interface FastEthernet4/0
no ip address
shutdown
!
interface FastEthernet5/0
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.1.12.2
!
!
ip access-list extended nodelhi
deny ip any 10.10.10.0 0.0.0.255
deny ip any 10.10.20.0 0.0.0.255
permit ip any any
!
!
!
!
!
logging 192.168.40.50
line con 0
password cisco
login
!
line aux 0
!
line vty 0 4
login local
!
!
ntp server 192.168.40.50 key 0
!
end

 

Delhi Router

DELHI-CRT01#sh run
Building configuration...

Current configuration : 1795 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname DELHI-CRT01
!
!
!
enable secret 5 $1$mERr$V9qzj8j7axbG2be9Zsnei/
!
!
ip dhcp excluded-address 10.10.30.101 10.10.30.200
ip dhcp excluded-address 10.10.20.101 10.10.20.200
ip dhcp excluded-address 10.10.10.101 10.10.10.200
!
ip dhcp pool abc
network 10.10.10.0 255.255.255.0
default-router 10.10.10.100
dns-server 10.10.30.40
ip dhcp pool abc2
network 10.10.20.0 255.255.255.0
default-router 10.10.20.100
dns-server 10.10.30.40
ip dhcp pool abc3
network 10.10.30.0 255.255.255.0
default-router 10.10.30.100
dns-server 10.10.30.40
!
!
!
username ntw2 password 0 assist
!
!
!
!
!
ip ssh version 2
ip domain-name abc.com
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation dot1Q 10
ip address 10.10.10.100 255.255.255.0
ip access-group nomumbai in
!
interface FastEthernet0/0.2
encapsulation dot1Q 20
ip address 10.10.20.100 255.255.255.0
ip access-group nomumbai in
!
interface FastEthernet0/0.3
encapsulation dot1Q 30
ip address 10.10.30.100 255.255.255.0
!
interface FastEthernet1/0
ip address 192.1.45.5 255.255.255.0
duplex auto
speed auto
!
interface Serial2/0
no ip address
shutdown
!
interface Serial3/0
no ip address
shutdown
!
interface FastEthernet4/0
no ip address
shutdown
!
interface FastEthernet5/0
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.1.45.4
!
!
ip access-list extended nomumbai
deny ip any 192.168.10.0 0.0.0.255
deny ip any 192.168.20.0 0.0.0.255
deny ip any 192.168.30.0 0.0.0.255
permit ip any any
!
no cdp run
!
!
!
!
!
line con 0
password cisco
login
!
line aux 0
!
line vty 0 4
login local
!
!
!
end

Thanks for the assist again.
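A way to check an ACL design like the ones in this thread before loading it onto a router is to evaluate the access lists offline against the stated objectives. The block below is an added example (not from the thread or from Cisco): it parses the `nodelhi` and `nomumbai` extended ACLs from the final configs above, models where they are applied inbound (VLAN 10/20/30 subinterfaces in Mumbai, VLAN 10/20 in Delhi, no ACL on the IT VLANs), and tests objectives 1 and 2 by requiring both the echo and the reply of a ping to pass the inbound ACL of the VLAN each enters on. It also evaluates standard `access-list 1` from the first MUM-RT01 config, which was applied inbound on FastEthernet1/0: a standard ACL matches on source address only, so it shows what that ACL does to a reply arriving from Delhi VLAN 10. The host addresses (`.1` in each VLAN) are constructed for the test; `ip` is the only protocol parsed, and wildcard masks are assumed contiguous, which holds for every ACL on this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ACL lines copied from the final configs posted above.
NODELHI_LINES = [
    "deny ip any 10.10.10.0 0.0.0.255",
    "deny ip any 10.10.20.0 0.0.0.255",
    "permit ip any any",
]
NOMUMBAI_LINES = [
    "deny ip any 192.168.10.0 0.0.0.255",
    "deny ip any 192.168.20.0 0.0.0.255",
    "deny ip any 192.168.30.0 0.0.0.255",
    "permit ip any any",
]
# Standard ACL from the first MUM-RT01 config, applied inbound on FastEthernet1/0.
ACL1_LINES = [
    "access-list 1 deny 10.10.10.0 0.0.0.255",
    "access-list 1 deny 10.10.20.0 0.0.0.255",
    "access-list 1 permit any",
]


@dataclass(frozen=True)
class Ace:
    action: str                            # "permit" or "deny"
    src: Optional[ipaddress.IPv4Network]   # None means "any"
    dst: Optional[ipaddress.IPv4Network]   # None means "any"


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Cisco address/wildcard pair -> network (0 bits in the wildcard must match)."""
    ones = bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.IPv4Network((addr, 32 - ones), strict=False)


def _parse_spec(tok, i):
    """Parse one address spec (any | host A | A WILDCARD) at tok[i]; return (net, next index)."""
    if tok[i] == "any":
        return None, i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    return wildcard_to_network(tok[i], tok[i + 1]), i + 2


def parse_extended(lines):
    """Parse 'permit|deny ip SRC DST' entries of a named extended ACL."""
    aces = []
    for line in lines:
        tok = line.split()
        if tok and tok[0] in ("permit", "deny"):
            src, i = _parse_spec(tok, 2)   # tok[1] is the protocol ("ip" on this page)
            dst, _ = _parse_spec(tok, i)
            aces.append(Ace(tok[0], src, dst))
    return aces


def parse_standard(lines):
    """Parse 'access-list N permit|deny SRC' entries; standard ACLs match the source only."""
    aces = []
    for line in lines:
        tok = line.split()
        if len(tok) >= 4 and tok[0] == "access-list":
            src, _ = _parse_spec(tok, 3)
            aces.append(Ace(tok[2], src, None))
    return aces


def evaluate(aces, src_ip: str, dst_ip: str) -> str:
    """First-match evaluation, with the implicit deny at the end of every Cisco ACL."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in aces:
        if (ace.src is None or s in ace.src) and (ace.dst is None or d in ace.dst):
            return ace.action
    return "deny"


NODELHI, NOMUMBAI = parse_extended(NODELHI_LINES), parse_extended(NOMUMBAI_LINES)
ACL1 = parse_standard(ACL1_LINES)

# Inbound ACL on each VLAN subinterface in the final configs (None = no ACL applied).
INBOUND = {
    "192.168.10.0/24": NODELHI, "192.168.20.0/24": NODELHI, "192.168.30.0/24": NODELHI,
    "192.168.40.0/24": None,                       # Mumbai IT VLAN 40
    "10.10.10.0/24": NOMUMBAI, "10.10.20.0/24": NOMUMBAI,
    "10.10.30.0/24": None,                         # Delhi IT VLAN 30
}


def inbound_acl(ip: str):
    for net, acl in INBOUND.items():
        if ipaddress.IPv4Address(ip) in ipaddress.IPv4Network(net):
            return acl
    raise ValueError(f"{ip} is not in any VLAN on the page")


def can_ping(a: str, b: str) -> bool:
    """Echo (a -> b) and reply (b -> a) must both pass the inbound ACL of the VLAN they enter on."""
    def passes(acl, src, dst):
        return acl is None or evaluate(acl, src, dst) == "permit"
    return passes(inbound_acl(a), a, b) and passes(inbound_acl(b), b, a)


def check_objectives():
    """Objectives 1 and 2 from the post above, with one constructed host per VLAN."""
    mum_users = ["192.168.10.1", "192.168.20.1", "192.168.30.1"]
    delhi_users = ["10.10.10.1", "10.10.20.1"]
    mum_it, delhi_it = "192.168.40.1", "10.10.30.1"
    obj1 = all(not can_ping(m, d) for m in mum_users for d in delhi_users)
    obj2 = (all(can_ping(m, delhi_it) for m in mum_users + [mum_it])
            and all(can_ping(d, mum_it) for d in delhi_users + [delhi_it]))
    return obj1, obj2


def first_config_reply_verdict() -> str:
    """First config: the reply from Delhi VLAN 10 to Mumbai IT VLAN 40 enters fa1/0,
    where ACL 1 is inbound and matches on the source address 10.10.10.x only."""
    return evaluate(ACL1, "10.10.10.1", "192.168.40.1")


if __name__ == "__main__":
    print("objectives 1 and 2 met:", check_objectives())              # (True, True)
    print("ACL 1 verdict on reply from Delhi VLAN 10:", first_config_reply_verdict())  # deny
```

The same evaluator can be pointed at the `no-Delhi` and `Delhi-vl30` lists suggested earlier in the thread by changing the line lists and the `INBOUND` placement; an objective that fails there shows up as a `False` from `check_objectives()` rather than as a "Request timed out" on a live network.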