01-20-2024 07:43 PM - edited 01-20-2024 07:44 PM
Below, I am attaching a problem I have been trying to solve for a bit but haven't been able to completely resolve. In the network, the only thing that remains to be configured is the ACL (standard) that allows IT to ping all users in the LAN site as well as have access to the WAN site. If I apply an ACL to block access to the WAN site, allowing only the IT department at the LAN router, it does not fulfill the condition that IT should also be able to ping all the users from the other two departments.
Please help.
01-21-2024 09:10 AM
Sorry, but it's unclear, at least to me, what exactly is trying to be achieved.
The PT file notes:
IT users must have accessibility to ping all users in the LAN,
as well as allowed to access WAN.
- Use ACL (standard) to solve the above routing.
So is IT only to be allowed to ping the two other VLANs? (Normally, by default, the IT VLAN should be able to meet those goals.)
Restrictions aren't noted for what the other VLANs are allowed to do.
Unclear how ACLs are to be used for "routing", unless "routing" is meant to convey being able to reach a destination?
01-21-2024 11:52 AM
Yes, the IT (VLAN 20) should be able to ping all other VLANs, as well as the WAN site. So basically, VLAN 20 should be able to access VLANs 10 and 30, but they should not be able to access it back.
Also, once I try applying an ACL to block FC (VLAN 10) and HR (VLAN 30) from accessing the WAN site servers (while allowing IT), the ping starts returning 'request timed out' when I try pinging the other two VLANs from IT (VLAN 20).
01-21-2024 12:58 PM
Seems like you could do this, but with an extended ACL, not a standard ACL. The reason being, you are trying to introduce source AND destination IPs along with the ICMP protocol... something only an extended ACL can match on. Otherwise you'd be blocking all traffic, not just ICMP. Is this an assignment requirement?
01-21-2024 01:14 PM
Ah, I was going to ask the same question, i.e. can we use extended ACLs?
I also wanted to ask, so the only off local network access allowed for VLANs 10 and 30 would be ping replies to VLAN 20?
Like David, at first glance, I cannot see how to do this without using extended ACLs. With extended ACLs, it should be easy to accomplish.
01-22-2024 02:47 PM
Yes, an extended ACL can be used.
Yes, the only network access for VLAN 20 and 30 is ping replies to VLAN 20. They cannot access other VLANs or the WAN site of the network with servers.
01-22-2024 04:29 PM
In that case, possibly all you need is an ACL applied on ingress on the VLAN 10 and 30 gateway subinterfaces, using one ACE permitting ICMP replies to VLAN 20's network.
Do you know how to do that?
01-22-2024 07:20 PM
I do understand this in principle now that you say it. But I am fairly new to Packet Tracer; could you please guide me through?
01-23-2024 02:14 AM
In this case, PT should be configured just like the real devices you're using in PT.
I assume this is some kind of learning exercise? If so, I would like to help you figure out how to do this without just providing the answer. If that's okay, tell me how you think the "principle" might be done or what's the stumbling block.
You have the info, such as one extended ACL, needing only a single ACE, permitting ICMP ping replies, replying to the VLAN 20 network, applied for ingress on both VLANs 10 and 30 subinterfaces.
So, totally lost, or don't understand a particular ACL concept or concepts?
01-23-2024 10:10 AM - edited 01-23-2024 06:04 PM
1. Yes, this is a learning exercise. Actually, the real question is on a much larger scale, but uses the same principles. I am just trying to learn how to solve these in principle.
2. Not completely lost, but I don't have an exact idea either as such. I have used standard ACLs, but using an extended one is a first for me. They have asked us to apply at least two variations of it. I am supposing one ACL blocks all VLANs from accessing the WAN side, except VLAN 20. But the traffic confirmation between VLANs 10 and 30 is confusing for me.
3. Also, they mention 'At LAN site, all departments are using separate network segments'.
In the light of the above statement, is the current configuration fine? Or should the networks differ, e.g. instead of 192.168.1.1/29 for FC (sub-int gig0/0/1.10) and 192.168.1.9/29 for IT (sub-int gig0/0/1.20), should it be 192.168.2.1/29 for IT (sub-int gig0/0/1.20)?
Edit: I tried doing the extended ACL implementation on my own, with no success, sadly.
01-23-2024 02:43 PM
At the moment, Cisco's forum isn't, at least for me, working normally, so I am unable to provide the reply I intended at this time.
01-24-2024 08:52 AM
Ah, the forum is working again, for me...
Extended ACLs aren't hugely different from standard ACLs, they just provide some additional (and very worthwhile) parameters.
Remember what we want to do with the ACL, block all outbound, from VLANs 10 or 30, except for ping replies. Also, keep in mind, an ACL is going to be a major component to our solution.
If we look at the PT ACL help first, we can use the access-list number to denote standard or extended (we can also use named ACLs, but I'll use numbered for this discussion):
Router(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
If we look at the standard options:
Router(config)#access-list 1 ?
deny Specify packets to reject
permit Specify packets to forward
remark Access list entry comment
Router(config)#access-list 1 permit ?
A.B.C.D Address to match
any Any source host
host A single host address
Router(config)#access-list 1 permit any ?
<cr>
We're lacking parameters for dealing with source or destination of packets and/or kind of traffic.
But the extended ACL seems to offer all the options we need.
So, what should the ACE look like?
Router(config)#access-list 100 ?
deny Specify packets to reject
permit Specify packets to forward
remark Access list entry comment
Router(config)#access-list 100 permit ?
ahp Authentication Header Protocol
eigrp Cisco's EIGRP routing protocol
esp Encapsulation Security Payload
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
ip Any Internet Protocol
ospf OSPF routing protocol
tcp Transmission Control Protocol
udp User Datagram Protocol
Router(config)#access-list 100 permit icmp ?
A.B.C.D Source address
any Any source host
host A single source host
Router(config)#access-list 100 permit icmp any ?
A.B.C.D Destination address
any Any destination host
host A single destination host
Router(config)#access-list 100 permit icmp any any ?
<0-256> type-num
echo Echo (ping)
echo-reply Echo reply
host-unreachable Host unreachable
net-unreachable Net unreachable
port-unreachable Port unreachable
protocol-unreachable Protocol unreachable
ttl-exceeded TTL exceeded
unreachable All unreachables
<cr>
What do you think this ACE should be?
Again, look at the above and remember we want the source to be VLANs 10 or 30, the destination to be VLAN 20, and to allow ping responses. We also need to ensure all other traffic is blocked (two ACEs required?).
Once you have the necessary ACL, you need to decide where and how it should be deployed. Of course, thinking about where and how the ACL should be deployed might impact the structure of the ACL. Your thoughts?
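One way to turn the hints above into an actual IOS configuration, as an added example that is not any thread participant's own config: it uses the FC (VLAN 10) and IT (VLAN 20) subnets quoted earlier in the thread, and assumes 192.168.1.17/29 for HR (VLAN 30), which the thread does not give.

```cisco
! Added example, not from the thread. Assumed: HR (VLAN 30) uses
! 192.168.1.17/29; FC and IT subnets are the ones quoted in the thread.
!
! A single ACE: permit only ICMP echo replies whose destination is the
! IT network (192.168.1.8/29, wildcard 0.0.0.7). Every ACL ends with an
! implicit "deny any", so nothing else from these VLANs is routed.
! The source can be "any" because the ACL is evaluated inbound on the
! VLAN 10 and 30 subinterfaces only; tightening it to each VLAN's own
! subnet is a common hardening step.
! The explicit deny is optional: it only gives "show access-lists 100"
! a hit counter for the blocked traffic, which helps when troubleshooting.
access-list 100 remark VLAN10/30 inbound: only ping replies to IT (VLAN 20)
access-list 100 permit icmp any 192.168.1.8 0.0.0.7 echo-reply
access-list 100 deny ip any any
!
! Apply the ACL inbound on the gateway subinterfaces of the restricted
! VLANs. IT traffic enters gig0/0/1.20, which carries no ACL, so IT can
! still ping both VLANs and reach the WAN side. The echo request from IT
! leaves via .10 or .30 unfiltered; the reply comes back in through the
! ACL and matches the echo-reply ACE.
interface GigabitEthernet0/0/1.10
 encapsulation dot1Q 10
 ip address 192.168.1.1 255.255.255.248
 ip access-group 100 in
!
interface GigabitEthernet0/0/1.30
 encapsulation dot1Q 30
 ip address 192.168.1.17 255.255.255.248
 ip access-group 100 in
!
! Expected behaviour to verify in PT:
!  - ping from an IT PC to an FC or HR PC: replies
!  - ping from an FC or HR PC to IT or to a WAN server: "Destination host
!    unreachable" (the router drops the echo request on ingress)
!  - "show access-lists 100" shows matches on both the permit and deny ACE
!  - "show ip interface GigabitEthernet0/0/1.10" lists the inbound ACL
```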
01-25-2024 12:01 PM
I did try applying the extended ACL over and over, and I was able to block access to the WAN site, but the inter-VLAN conditions I just could not match, however much I tried. Could you please help and apply it for me? I literally can't wait to see what I am missing now. For your ease, I am attaching the actual project I need to do it on. I have mentioned all the conditions that need to be met. I haven't been able to crack the inter-VLAN implementation of the extended ACL.
01-21-2024 01:21 PM
01-21-2024 09:11 AM - edited 01-21-2024 09:26 AM
Hello,
You attached your packet capture but not any Packet Tracer file or configs, so we can't see what it is that isn't working. Can you please provide more information, such as a diagram and configs?
EDIT: For some reason the file shows as a Wireshark invalid file. I opened it with PT and it opened fine. Agree with Joseph on unclear directions.
-David