03-31-2015 02:39 AM - edited 03-07-2019 11:20 PM
Hello experts,
I have several VLANs, e.g. Vlan125, Vlan126, Vlan127, while only Vlan127 has an ACL named "INTERNAL_DENY_ACL" applied inbound ("in") on the interface.
Now I have used almost all IP addresses in Vlan127 (no more IP addresses), so I created a new Vlan128 and also applied the ACL from Vlan127 (INTERNAL_DENY_ACL) to Vlan128 as below:
interface Vlan127
ip address 10.126.127.2 255.255.255.0
ip access-group MES_TO_INTERNAL_DENY_ACL in
standby 127 ip 10.126.127.1
standby 127 priority 105
standby 127 preempt
!
interface Vlan128
ip address 10.126.128.2 255.255.255.0
ip access-group MES_TO_INTERNAL_DENY_ACL in
standby 128 ip 10.126.128.1
standby 128 priority 105
standby 128 preempt
After all that, PCs in Vlan127 can ping PCs in Vlan128 and vice versa, but they cannot use Remote Desktop, find shared folders, etc., while the other VLANs are fine.
Do I need to create an ACL for these VLANs, and what should it look like?
Any suggestion is appreciated,
Best regards,
04-01-2015 11:17 AM
Hello.
I assume we need the ACL configuration to help you here.
04-03-2015 07:14 PM
Can anyone help, please?
Regards,
04-04-2015 09:45 AM
Hello.
We could help, but you need to provide the ACL first (like, "show access-list MES_TO_INTERNAL_DENY_ACL").
04-06-2015 03:39 AM
Hello expert,
Here is my ACL, used for the IP address range 10.126.127.x:
Extended IP access list MES_TO_INTERNAL_DENY_ACL
10 permit icmp any any
20 permit tcp any eq telnet any
30 permit ip host 10.126.127.11 any
40 permit ip host 10.126.127.4 any
50 permit ip host 10.126.127.5 any
60 permit ip host 10.126.127.6 any
70 permit ip host 10.126.127.7 any
80 permit ip host 10.126.127.8 any
90 permit ip host 10.126.127.9 any
100 permit ip host 10.126.127.10 any
110 permit ip host 10.126.127.241 any
120 permit ip host 10.126.127.242 any
130 permit tcp host 10.126.127.11 eq www any
140 permit tcp host 10.126.127.34 eq 3389 any
150 permit tcp host 10.126.127.32 eq 3389 any
160 permit tcp host 10.126.127.33 eq 3389 any
170 permit tcp host 10.126.127.35 eq 3389 any
180 permit tcp host 10.126.127.36 eq 3389 any
190 permit tcp host 10.126.127.48 eq 3389 any
400 permit tcp host 10.126.127.54 eq 3389 any
410 permit tcp host 10.126.127.37 eq 3389 any
420 permit tcp host 10.126.127.38 eq 3389 any
430 permit tcp host 10.126.127.39 eq 3389 any
440 permit tcp host 10.126.127.40 eq 3389 any
450 permit tcp host 10.126.127.41 eq 3389 any
530 permit tcp host 10.126.127.42 eq 3389 any
540 permit tcp host 10.126.127.73 eq 3389 any
550 permit tcp host 10.126.127.51 eq 3389 any
560 permit tcp host 10.126.127.43 eq 3389 any
570 permit tcp host 10.126.127.53 eq 3389 any
580 permit tcp host 10.126.127.55 eq 3389 any
590 permit tcp host 10.126.127.56 eq 3389 any
600 permit tcp host 10.126.127.57 eq 3389 any
610 permit tcp host 10.126.127.58 eq 3389 any
620 permit tcp host 10.126.127.59 eq 3389 any
630 permit tcp host 10.126.127.60 eq 3389 any
640 permit tcp host 10.126.127.62 eq 3389 any
650 permit tcp host 10.126.127.49 eq 3389 any
660 permit tcp host 10.126.127.61 eq 3389 any
670 permit tcp host 10.126.127.66 eq 3389 any
680 permit tcp host 10.126.127.67 eq 3389 any
690 permit tcp host 10.126.127.79 eq 3389 any
699 permit tcp host 10.126.127.87 eq 3389 any
700 permit tcp host 10.126.127.111 eq 3389 any
710 permit tcp host 10.126.127.112 eq 3389 any
720 permit tcp host 10.126.127.113 eq 3389 any
730 permit tcp host 10.126.127.114 eq 3389 any
740 permit tcp host 10.126.127.115 eq 3389 any
750 permit tcp host 10.126.127.131 eq 3389 any
760 permit tcp host 10.126.127.139 eq 3389 any
770 permit tcp host 10.126.127.154 eq 3389 any
780 permit tcp host 10.126.127.89 eq 3389 any
781 permit tcp host 10.126.127.183 eq 3389 any
782 permit tcp host 10.126.127.191 eq 3389 any
783 permit tcp host 10.126.127.192 eq 3389 any
784 permit tcp host 10.126.127.195 eq 3389 any
785 permit tcp host 10.126.127.196 eq 3389 any
786 permit tcp host 10.126.127.197 eq 3389 any
787 permit tcp host 10.126.127.199 eq 3389 any
820 permit tcp host 10.126.127.50 eq 3389 any
870 permit tcp host 10.126.127.31 eq 3389 any
880 permit tcp host 10.126.127.11 eq 3389 any
890 permit tcp host 10.126.127.20 eq 3389 any
900 permit tcp any host 10.126.127.20 eq www
910 permit tcp host 10.126.127.20 eq www any
920 permit tcp host 10.126.127.21 eq www any
930 permit tcp host 10.126.127.21 eq 1433 any
940 permit tcp host 10.126.127.22 eq 3389 any
950 permit tcp host 10.126.127.22 eq 1433 any
960 permit tcp host 10.126.127.23 eq 3389 any
970 permit tcp host 10.126.127.23 eq 1433 any
980 permit tcp host 10.126.127.24 eq 3389 any
990 permit tcp host 10.126.127.24 eq 1433 any
1000 permit tcp host 10.126.127.11 eq 1433 any
1010 permit tcp host 10.126.127.12 eq 1433 any
1020 permit tcp host 10.126.127.12 eq 3389 any
1040 permit tcp host 10.126.127.21 eq 3389 any
1050 permit tcp host 10.126.127.111 eq 1433 any
1340 deny ip any 10.126.122.0 0.0.0.255
1350 deny ip any 10.126.123.0 0.0.0.255
1360 deny ip any 10.126.124.0 0.0.0.255
1370 deny ip any 10.126.125.0 0.0.0.255
1380 deny ip any 10.126.126.0 0.0.0.255
1390 deny ip any 10.0.0.0 0.255.255.255
1400 permit ip any any
Any help is appreciated,
Best regards,
04-06-2015 03:39 AM
Hello.
If you want to allow unrestricted access between VLANs 127 and 128, configure following:
ip access-list ext MES_TO_INTERNAL_DENY_ACL
14 permit ip 10.126.127.0 0.0.0.255 10.126.128.0 0.0.0.255
16 permit ip 10.126.128.0 0.0.0.255 10.126.127.0 0.0.0.255
04-06-2015 08:43 PM
Hello,
In the ACL above, I had already created entry number 1315: permit ip any 10.126.128.0 0.0.0.255.
But why is it not working? Could you please tell me why?
I just added ACL entries 14 and 16 as you recommended, but it is still not working.
I tried ping and tracert and they are fine, but finding file shares between the 2 VLANs is not OK (please refer to the attached file for details).
Best regards,
04-06-2015 11:47 PM
Hello.
Do you have Active Directory? It might be an issue with DC communication. Please provide the "See details" information from the error box.
If you do not have AD, please capture the traffic on both devices (with Wireshark) and attach it here.
04-07-2015 12:21 AM
04-07-2015 02:55 AM
Hello.
I assume you need to allow access from the VLANs to your domain controllers (on all ports, or the port list can be found at https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx).
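To see why ping works while file sharing and RDP fail, it helps to replay the ACL the way the SVI does: first match in sequence-number order, with the implicit deny at the end. The evaluator below is an added example written for this thread, not code from the thread or from Cisco. It parses `show access-list` output in the forms the posted ACL uses (`any`, `host A`, `A WILDCARD`, optional `eq PORT`, contiguous wildcard masks only), runs a constructed subset of the posted ACL plus the 1315 entry the original poster mentioned, and shows that traffic to any other 10.x subnet is still caught by the 1340/1390 denies before 1400. The domain controller address 10.126.122.10 and the fix entry 1320 are assumptions for illustration, not from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"telnet": 23, "www": 80}   # service names used in the posted ACL


@dataclass
class Entry:
    seq: int
    action: str          # "permit" or "deny"
    proto: str           # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one address spec at tok[i]; return (network, index after it)."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.IPv4Address(tok[i + 1]))   # 0.0.0.255 -> 255
    prefix = 32 - wildcard.bit_length()                  # contiguous masks only
    return ipaddress.IPv4Network((tok[i], prefix), strict=False), i + 2


def _port(tok: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional 'eq PORT' at tok[i]; PORT may be a number or a name."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


def parse_acl(text: str) -> List[Entry]:
    """Parse 'show access-list' lines into entries ordered by sequence number."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or not tok[0].isdigit():     # skip the header line and blanks
            continue
        seq, action, proto = int(tok[0]), tok[1], tok[2]
        src, i = _addr(tok, 3)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        entries.append(Entry(seq, action, proto, src, sport, dst, dport))
    # IOS keeps entries in sequence order, so a later-added 1315 sits before 1340
    return sorted(entries, key=lambda e: e.seq)


def evaluate(entries, proto, src, dst, sport=None, dport=None):
    """Return (action, seq) of the first matching entry; implicit deny if none."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in entries:
        if e.proto not in ("ip", proto):
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.sport is not None and e.sport != sport:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, e.seq
    return "deny", None


# Constructed subset of the ACL posted in the thread, plus the 1315 entry the
# original poster says was added afterwards.
SAMPLE_ACL = """
Extended IP access list MES_TO_INTERNAL_DENY_ACL
10 permit icmp any any
20 permit tcp any eq telnet any
30 permit ip host 10.126.127.11 any
140 permit tcp host 10.126.127.34 eq 3389 any
900 permit tcp any host 10.126.127.20 eq www
1315 permit ip any 10.126.128.0 0.0.0.255
1340 deny ip any 10.126.122.0 0.0.0.255
1390 deny ip any 10.0.0.0 0.255.255.255
1400 permit ip any any
"""

# Assumed domain controller address and an assumed fix entry (not from the thread):
# a permit placed before 1340 so DC traffic is matched ahead of the subnet denies.
DC = "10.126.122.10"
FIXED_ACL = SAMPLE_ACL + f"1320 permit ip 10.126.128.0 0.0.0.255 host {DC}\n"


def demo():
    acl, fixed = parse_acl(SAMPLE_ACL), parse_acl(FIXED_ACL)
    return {
        # ping between the VLANs: caught by the blanket ICMP permit
        "ping_127_to_128": evaluate(acl, "icmp", "10.126.127.50", "10.126.128.20"),
        # SMB from VLAN 127 to VLAN 128: permitted only because 1315 exists
        "smb_127_to_128": evaluate(acl, "tcp", "10.126.127.50", "10.126.128.20", dport=445),
        # RDP from VLAN 128 back to VLAN 127 (same ACL inbound on Vlan128):
        # 140 only matches the server's replies (source port 3389), so the 10/8 deny wins
        "rdp_128_to_127": evaluate(acl, "tcp", "10.126.128.20", "10.126.127.34", dport=3389),
        # Kerberos from VLAN 128 to the assumed DC: 1340 denies it before 1400
        "krb_128_to_dc": evaluate(acl, "tcp", "10.126.128.20", DC, dport=88),
        # the same flow once the assumed 1320 permit is in place
        "krb_128_to_dc_fixed": evaluate(fixed, "tcp", "10.126.128.20", DC, dport=88),
    }


if __name__ == "__main__":
    for name, (action, seq) in demo().items():
        print(f"{name:20s} -> {action} (seq {seq})")
```

Run it against the full ACL from the thread by pasting the `show access-list` output into `SAMPLE_ACL`; any flow that ends at seq 1340 to 1390 is one that needs an explicit permit with a lower sequence number, which is what the advice above about domain controller access amounts to.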
04-14-2015 12:54 AM
Hello,
This case is solved.
Thanks community.