Inter Vlan routing ACL question

Wilson Kwok
Level 1

Hello,

I'm using PT 532 to test inter-VLAN routing; the test diagram includes a LAN, a DMZ and a WAN.

ip routing is enabled on a Cisco 3560 L3 switch, so PCs on different VLANs can ping each other. I want to apply an ACL on the VLAN 5 (test) interface so that it can access VLAN 1 (this VLAN has the DHCP server that assigns IPs to all VLANs), the DMZ and the WAN, but can't access the other VLANs, and so that the DMZ and WAN cannot access VLAN 5.

Please download the PT .pkt file.

Please help.

Thanks !

6 Replies

Reza Sharifi
Hall of Fame

Hi,

If you want vlan 5 to talk to vlan 1, DMZ and WAN only, then you can deploy something like this:

In this case the vlan 5 subnet is 192.168.5.0/24 and the other vlans (the ones you don't want vlan 5 to talk to) are 192.168.6.0/24 (vlan 6) and 192.168.7.0/24 (vlan 7).

vlan 5 = 192.168.5.0/24

access-list 111 deny ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 111 deny ip 192.168.5.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 111 permit ip 192.168.200.0 0.0.0.255 any

int vlan 5
ip access-group 111 out

HTH

Hello,

Sorry, I haven't tested your ACL in my lab; I don't understand the ACL below:

access-list 111 permit ip 192.168.200.0 0.0.0.255 any

My lab doesn't have a 192.168.200.0 subnet, could you explain?

Thanks for the help!

Hello,

My lab information:

Vlan 1 = 192.168.14.0/24
Vlan 5 = 192.168.15.0/24
Vlan 60 = 192.168.6.0/24
Vlan 70 = 192.168.7.0/24

So I changed your ACL as below:

access-list 111 deny ip 192.168.15.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 111 deny ip 192.168.15.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 111 permit ip 192.168.15.0 0.0.0.255 any

int vlan 5
ip access-group 111 out

This ACL didn't work, even when I applied switchport mode access on the DHCP server's fa0/4 port that is connected to the L3 switch.

VLAN 5 can't ping VLAN 1 or the WAN PC 203.186.0.32, not even the school firewall fa0/0 10.0.0.1/30.

Thanks for the help!

Done: it is ip access-group 111 in on the vlan 5 interface.

Now testing the school firewall ACLs.

Thanks !
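Added example, not configuration posted by anyone in this thread: a complete VLAN 5 SVI configuration using the lab subnets posted above, with the ACL applied "in" as Wilson found, plus the second half of the original requirement (DMZ and WAN must not reach VLAN 5), which none of the ACLs in the thread covers. The DHCP server address 192.168.14.10, the SVI address 192.168.15.1, the ACL names VLAN5-IN / VLAN5-OUT, and the choice of VLAN 1 as the only subnet allowed to initiate connections into VLAN 5 are assumptions.

```cisco
! Added example config (not from the thread). Assumes the lab addressing
! posted above: VLAN 1 = 192.168.14.0/24 (DHCP server, assumed 192.168.14.10),
! VLAN 5 = 192.168.15.0/24, VLAN 60 = 192.168.6.0/24, VLAN 70 = 192.168.7.0/24.
! ACL names and the SVI address 192.168.15.1 are also assumptions.
ip routing
!
! Packets FROM VLAN 5 hosts enter the switch through the VLAN 5 SVI, so the
! filter deciding where VLAN 5 may go is applied "in" on that SVI. Applied
! "out", the same ACL would see only packets going TO VLAN 5 (sources in other
! subnets), the permit line would never match, and the implicit deny would
! drop every reply, which is the symptom reported above.
ip access-list extended VLAN5-IN
 remark DHCP discover/request arrive with source 0.0.0.0; permit them explicitly
 permit udp any eq bootpc any eq bootps
 remark block VLAN 5 -> VLAN 60 and VLAN 70
 deny   ip 192.168.15.0 0.0.0.255 192.168.6.0 0.0.0.255
 deny   ip 192.168.15.0 0.0.0.255 192.168.7.0 0.0.0.255
 remark everything else (VLAN 1, DMZ, WAN) is allowed
 permit ip 192.168.15.0 0.0.0.255 any
!
! Packets TO VLAN 5 hosts leave the switch through the VLAN 5 SVI, so the
! filter stopping DMZ/WAN from reaching VLAN 5 is applied "out" on it.
! Replies to sessions VLAN 5 started must still pass: "established" matches
! TCP segments with ACK or RST set, echo-reply covers ping. VLAN 1 is
! permitted in full so the DHCP server and VLAN 1 hosts can reach VLAN 5.
ip access-list extended VLAN5-OUT
 permit udp host 192.168.14.10 eq bootps any eq bootpc
 permit tcp any 192.168.15.0 0.0.0.255 established
 permit icmp any 192.168.15.0 0.0.0.255 echo-reply
 permit ip 192.168.14.0 0.0.0.255 192.168.15.0 0.0.0.255
 deny   ip any any
!
interface Vlan5
 ip address 192.168.15.1 255.255.255.0
 ip helper-address 192.168.14.10
 ip access-group VLAN5-IN in
 ip access-group VLAN5-OUT out
```

Two caveats a practitioner should keep in mind. These ACLs are stateless: UDP replies to VLAN 5 (DNS, for example) are not covered by "established" and need their own permit line in VLAN5-OUT, and "established" only checks the ACK/RST bits, so a segment crafted with ACK set from the DMZ or WAN passes it. If the DMZ/WAN boundary matters, a stateful firewall (such as the school firewall mentioned above) or reflexive ACLs are the right tool; the SVI ACL is a second layer, not the only one. Verify with show ip access-lists, whose per-entry hit counters show which line each ping actually matched.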

ebarticel
Level 4

The problem you have is with your trunk port configuration.

On the switch you should have only Fa0/1, which connects to the router, and Fa0/4, which connects to the DHCP server, as access ports assigned to their respective VLANs; the rest should be trunk ports assigned to the native VLAN.

If you do that you should be able to follow Reza's advice to configure and apply the ACLs.

You have all the ACLs you need on the switch; just choose the right one, apply it to the right interface, and it should work.

Please mark the question as answered; that way people know that it has been answered and can help other people with unanswered questions.

Eugen

Sorry, I don't understand, but I will try it later. Thanks.

On 2012-1-28 at 1:30 PM, "ebarticel" wrote:

Re: Inter Vlan routing ACL question, created by eugen barticel in LAN, Switching and Routing - View the full discussion
