How only two specific hosts from two different VLANs can communicate

flying.gagan
Level 1

Hello guys,

I am new to Cisco and learning CCNA. I am using Cisco Packet Tracer and trying to find a solution to a question I made up myself. On a single layer 2 switch, I have created two VLANs. I know that in order for these two VLANs to communicate with each other they will require a layer 3 switch or a router; I have tried it and it is working well. What if I just want one specific host from VLAN 1 to communicate with one specific host in the other VLAN 2, while the remaining hosts in both VLANs are not able to talk to each other? I hope I was able to put my query clearly. Please ask if I have not put things clearly. Please help. Thanks.


10 Replies

Seb Rupik
VIP Alumni

Hi there,

You would typically use an inbound ACL (ip access-group xxxxx in) on the router interfaces to permit specific hosts to communicate with devices on the other VLANs and implicitly deny all other traffic.

cheers,

Seb.

Thanks Seb for your prompt response. I think you and Alex have both pointed to the same right answer; it makes just the right sense for this problem. However, as I mentioned, I am a student, so I am struggling to create the ACL in this scenario; I will give you a little view of what I have here.

I am trying "router on a stick". I have got one layer 2 switch, with 3 VLANs on this switch with network addresses as follows:

10.10.10.0/24 - VLAN 10

20.20.20.0/24 - VLAN 20

30.30.30.0/24 - VLAN 30

I want Host 10.10.10.2 to communicate with Host 20.20.20.2.

Then, I have got a trunk connecting the layer 2 switch and a generic router. "No shut" on int fa0/0 of the router. Made two logical interfaces on fa0/0 as follows:

fa0/0.10 for VLAN 10 (enabled Encapsulation dot1q 10)

fa0/0.20 for VLAN 20 (enabled Encapsulation dot1q 20)

So, as I understand from what you and Alex said, I made the access list on this router in global configuration mode and then went onto those two logical interfaces and mentioned the access-group there, but it's kind of not working out for me. Either I am not making the access list right or not mentioning it the right way on the interfaces. Can you help more on this? I appreciate your help on this.

Gagan

Hi Gagan,

Try the following, ensuring your hosts are using the correct gateway address for their VLAN (10.10.10.254 and 20.20.20.254):

!
! Numbered extended ACLs (100-199): the first host is the source, the second the destination.
! Anything not matched hits the implicit "deny ip any any" at the end of each list,
! so the other VLAN 10/20 hosts are also cut off from VLAN 30 and from pinging the gateway.
access-list 101 permit ip host 10.10.10.2 host 20.20.20.2
access-list 102 permit ip host 20.20.20.2 host 10.10.10.2
!
ip routing
!
interface FastEthernet0/0
  no shutdown
!
interface FastEthernet0/0.10
  encapsulation dot1Q 10
  ip address 10.10.10.254 255.255.255.0
  ip access-group 101 in
  no shutdown
!
interface FastEthernet0/0.20
  encapsulation dot1Q 20
  ip address 20.20.20.254 255.255.255.0
  ip access-group 102 in
  no shutdown

cheers,

Seb.

acampbell
VIP Alumni

Hi,

So let's keep this simple.

VLAN 1 - 192.168.1.0 255.255.255.0 Router is .1 and host is .100
VLAN 2 - 192.168.2.0 255.255.255.0 Router is .1 and host is .100

Only these 2 (.100s) are allowed to talk to each other


!
access-list 101 permit ip host 192.168.1.100 host 192.168.2.100
! BUILDS ACCESS LIST (ACL) TO ALLOW .100s TO SEE EACH OTHER
! THERE IS AN IMPLICIT "DENY ALL ELSE" AT THE END OF ACCESS LISTS
!
! SVIs ON A LAYER 3 SWITCH (ip routing ENABLED)
interface vlan 1
description *** MY VLAN 1 ***
ip address 192.168.1.1 255.255.255.0
ip access-group 101 in
! ONLY .100s CAN NOW SEE EACH OTHER
!
interface vlan 2
description *** MY VLAN 2 ***
ip address 192.168.2.1 255.255.255.0
!


Adjust to suit your addressing scheme and give it a try.

Regards
Alex

Regards, Alex. Please rate useful posts.

Thanks Alex for your prompt response. I think you and Seb have both pointed to the same right answer; it just makes the right sense for this problem. However, as I mentioned, I am a student, so I am struggling to create the ACL in this scenario; I will give you a little view of what I have here.

I am trying "router on a stick". I have got one layer 2 switch, with 3 VLANs on this switch with network addresses as follows:

10.10.10.0/24 - VLAN 10

20.20.20.0/24 - VLAN 20

30.30.30.0/24 - VLAN 30

I want Host 10.10.10.2 to communicate with Host 20.20.20.2.

Then, I have got a trunk connecting the layer 2 switch and a generic router. "No shut" on int fa0/0 of the router. Made two logical interfaces on fa0/0 as follows:

fa0/0.10 for VLAN 10 (enabled Encapsulation dot1q 10)

fa0/0.20 for VLAN 20 (enabled Encapsulation dot1q 20)

So, as I understand from what you and Seb said, I made the access list on this router in global configuration mode and then went onto those two logical interfaces and mentioned the access-group there, but it's kind of not working out for me. Either I am not making the access list right or not mentioning it the right way on the interfaces. When I tried pinging host 20.20.20.2 from 10.10.10.2, it gave me an error "Destination host unreachable", with a gateway address of 10.10.10.4 which belongs to VLAN 10. Can you help more on this? Also, if you can, tell me how to remove the access list I created: when I try the "clear access-lists" command, it doesn't give me an error but keeps showing the same list when I do a show. I appreciate your help on this.

Gagan

Hi,


PC in VLAN 10 has an IP add of 10.10.10.2/24
Default gateway 10.10.10.4

PC in VLAN 20 has an IP add of 20.20.20.2/24
Default gateway 20.20.20.4

Each PC must have its default gateway in the same subnet/VLAN that it belongs to.

I am assuming that the router is the default gateway, hence its interfaces, from the info you have given, will be using .4 on both the VLAN 10 and VLAN 20 parts.


!
access-list 101 permit ip host 10.10.10.2 host 20.20.20.2
! BUILDS ACCESS LIST (ACL) TO ALLOW THE .2s TO SEE EACH OTHER
! THERE IS AN IMPLICIT "DENY ALL ELSE" AT THE END OF ACCESS LISTS
!
interface FastEthernet0/0.10
description *** MY VLAN 10 ***
encapsulation dot1Q 10
ip address 10.10.10.4 255.255.255.0
ip access-group 101 in
! ONLY .2s CAN NOW SEE EACH OTHER
! (THE IMPLICIT DENY ALSO STOPS VLAN 10 HOSTS REACHING VLAN 30 OR PINGING THE GATEWAY)
!
interface FastEthernet0/0.20
description *** MY VLAN 20 ***
encapsulation dot1Q 20
ip address 20.20.20.4 255.255.255.0
! NO ACL HERE: TRAFFIC FROM VLAN 20 IS NOT FILTERED INBOUND, ONLY THE REPLIES FROM VLAN 10 ARE
!
!

Regards
Alex

Regards, Alex. Please rate useful posts.

Hi Alex, great help!! It's working now. I found what I was doing wrong. Can you clarify two points for me:

One, another guy, Seb, on this forum suggested making an access list as you can see below; however, it's a different way of doing it. Can you tell me what the difference is? It worked for me though.

access-list 101 extended permit ip host 10.10.10.2 host 20.20.20.2
access-list 102 extended permit ip host 20.20.20.2 host 10.10.10.2

Second, what's the significance of the number "101"? Can't I use 1, 2 or 3?

Thanks so much man!

Hi team,

I need help in the configuration of a VACL.

I need to allow the server VLAN and the client VLAN to communicate.

The server VLAN is using the 192.168.192.1 255.255.255.254 subnet and the clients are in the 192.168.192.130 255.255.255.192 subnet; we are using a Cisco C9300L switch. I have created a few VLANs and enabled ip routing; presently all VLANs are communicating. I have to restrict communication between a few VLANs, and the client VLAN should be allowed to communicate with the server VLAN.

flying.gagan
Level 1

Thanks Seb, it worked !!! I am happy :)

Can you clarify two things here:

One, what is the significance of "101" there? I assumed it can be any generic number of the user's choice; however, I see that a lot of people use this number when I googled it.

Second, why is 10.10.10.2 first in one line and 20.20.20.2 first in the line below? What are we trying to tell the interface? Plus, the CLI didn't let me use the word "extended" below, so I omitted it and it worked for me. Thank you so much.

access-list 101 extended permit ip host 10.10.10.2 host 20.20.20.2
access-list 102 extended permit ip host 20.20.20.2 host 10.10.10.2

Extended ACLs use the access list number ranges 100-199 and 2000-2699.

As for the ACL itself, the first host IP is the source address and the second IP is the destination. That is why the ACLs are different depending on which router sub-interface each is applied to.

cheers,

Seb.
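As an added example (not code from the thread or from Cisco), here is a small Python model of how a numbered extended ACL applied inbound is evaluated: first match wins, source before destination, implicit deny at the end, and a packet is only checked on the sub-interface it enters. It replays the two configurations posted above and shows why an ACL on each sub-interface is needed to stop the other VLAN 20 hosts sending traffic one way into VLAN 10. All function names are the example's own; it assumes every VLAN is a /24 and that entries use only host or any addresses.

```python
# Added example, not code from the thread: a small model of how IOS evaluates
# a numbered extended ACL, used to compare the two configurations posted above
# (Seb's ACL on each sub-interface vs. Alex's single ACL on the VLAN 10 side).
from typing import Dict, List, Tuple

Ace = Tuple[str, str, str]  # (permit|deny, source, destination); "any" = wildcard

def parse_ace(line: str) -> Tuple[int, Ace]:
    """Parse 'access-list <num> permit|deny ip host|any A host|any B'."""
    t = line.split()
    if t[0] != "access-list" or t[3] != "ip":
        raise ValueError(f"unsupported ACL line: {line}")
    addrs, i = [], 4
    for _ in range(2):  # source, then destination
        if t[i] == "any":
            addrs.append("any"); i += 1
        elif t[i] == "host":
            addrs.append(t[i + 1]); i += 2
        else:
            raise ValueError(f"expected host/any: {line}")
    return int(t[1]), (t[2], addrs[0], addrs[1])

def acl_permits(acl: List[Ace], src: str, dst: str) -> bool:
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, s, d in acl:
        if s in ("any", src) and d in ("any", dst):
            return action == "permit"
    return False

def flow_allowed(inbound: Dict[str, List[Ace]], src: str, dst: str) -> bool:
    """A packet is checked only by the ACL applied 'in' on the sub-interface
    it enters through (keyed here by the /24 it comes from); no ACL = pass."""
    acl = inbound.get(src.rsplit(".", 1)[0])
    return True if acl is None else acl_permits(acl, src, dst)

def both_ways(inbound: Dict[str, List[Ace]], a: str, b: str) -> Tuple[bool, bool]:
    """(a->b allowed, b->a allowed): a ping or TCP session needs both to be True."""
    return flow_allowed(inbound, a, b), flow_allowed(inbound, b, a)

# Constructed from the ACL lines posted in the thread ("extended" dropped,
# as the OP found the IOS CLI does not accept it in numbered ACL syntax).
ACL101 = [parse_ace("access-list 101 permit ip host 10.10.10.2 host 20.20.20.2")[1]]
ACL102 = [parse_ace("access-list 102 permit ip host 20.20.20.2 host 10.10.10.2")[1]]
SEB = {"10.10.10": ACL101, "20.20.20": ACL102}  # ACL inbound on both sub-interfaces
ALEX = {"10.10.10": ACL101}                     # ACL inbound on fa0/0.10 only
```

With `ALEX`, `both_ways(ALEX, "20.20.20.3", "10.10.10.2")` returns `(True, False)`: a third host in VLAN 20 can still deliver packets to 10.10.10.2, only the replies are dropped, whereas `SEB` returns `(False, False)` for the same pair. Both configurations also return `False` for 10.10.10.2 talking to anything in VLAN 30, which is the implicit deny at work.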
