problem with acl permision implicit deny/permit

gogi99
Level 1

I configured the 3560X Cisco switch. I have the following configuration:


system mtu routing 1500
ip routing
!
ip dhcp pool Sektor_Podrske
network 192.168.82.0 255.255.255.0
default-router 192.168.82.1
dns-server 192.168.99.20
!
ip dhcp pool Sektor_podrska
!
!
!
!

!
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 51,65,71,82
switchport mode trunk
!
interface GigabitEthernet0/2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 51,65,71,82
switchport mode trunk
!
interface GigabitEthernet0/3
switchport access vlan 51
switchport mode access
!
interface GigabitEthernet0/4
switchport access vlan 51
switchport mode access
!
interface GigabitEthernet0/5
switchport access vlan 65
switchport mode access
!
interface GigabitEthernet0/6
switchport access vlan 65
switchport mode access
!
interface GigabitEthernet0/7
switchport access vlan 65
switchport mode access
!
interface GigabitEthernet0/8
switchport access vlan 65
switchport mode access
!
interface GigabitEthernet0/9
switchport access vlan 65
switchport mode access
!
interface GigabitEthernet0/10
switchport access vlan 65
switchport mode access
!
interface GigabitEthernet0/11
switchport access vlan 71
switchport mode access
!
interface GigabitEthernet0/12
switchport access vlan 71
switchport mode access
!
interface GigabitEthernet0/13
switchport access vlan 71
switchport mode access
!
interface GigabitEthernet0/14
switchport access vlan 71
switchport mode access
!
interface GigabitEthernet0/15
switchport access vlan 71
switchport mode access
!
interface GigabitEthernet0/16
switchport access vlan 82
switchport mode access
!
interface GigabitEthernet0/17
switchport access vlan 82
switchport mode access
!
interface GigabitEthernet0/18
switchport access vlan 82
switchport mode access
!
interface GigabitEthernet0/19
switchport access vlan 82
switchport mode access
!
interface GigabitEthernet0/20
switchport access vlan 82
switchport mode access
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
!
interface GigabitEthernet0/23
!
interface GigabitEthernet0/24
switchport access vlan 186
switchport mode access
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface GigabitEthernet1/3
!
interface GigabitEthernet1/4
!
interface TenGigabitEthernet1/1
!
interface TenGigabitEthernet1/2
!
interface Vlan1
ip address 192.168.150.10 255.255.255.0
!
interface Vlan51
ip address 192.168.51.1 255.255.255.0
!
interface Vlan65
ip address 192.168.65.1 255.255.255.0
!
interface Vlan71
ip address 192.168.71.1 255.255.255.0
!
interface Vlan82
ip address 192.168.82.1 255.255.255.0
ip access-group Deny_Workstations_To_WiFiPrinterKamera in
!
interface Vlan186
ip address 192.168.0.186 255.255.255.0
!
ip default-gateway 192.168.150.9
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.0.254
!
ip access-list extended Deny_Workstations_To_WiFiPrinterKamera
permit udp any host 255.255.255.255 eq bootps bootpc
permit ip 192.168.82.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 192.168.82.0 0.0.0.255 192.168.99.0 0.0.0.255
deny ip any any

I want my VLAN 82 to have:

permission to access the internet, but denied access to all other VLANs: 65, 51, 71. I tried that IP access list but I have problems. Can you help me? The implicit deny does not work in this configuration, so I set deny ip any any. But when I set this entry, no one from the other VLANs can access the internet.

Accepted Solution

OK, no problem. Well, you need more than one access list. And the requirements are pretty confusing.

1 - VLAN 82 can access the internet and the external network 192.168.99.0/24, but not other VLANs; but the specific host 192.168.82.5 can access all VLANs

This is OK and can be accomplished with the following ACL applied to VLAN 82 "in":

ip access-list extended vlan82
permit ip host 192.168.82.5 any ==> Satisfies the requirement for host 192.168.82.5 to access all VLANs and the internet
permit ip any 192.168.99.0 0.0.0.255 ==> Satisfies the requirement for VLAN 82 to access the external network 192.168.99.0
deny ip any 192.168.0.0 0.0.255.255 ==> Satisfies the requirement to block VLAN 82 from accessing anything else
permit ip any any ==> Satisfies the requirement to allow VLAN 82 to access the internet.

2 - VLAN 51: the external network 192.168.99.0/24 can access this VLAN, but other VLANs cannot access this VLAN

Confusing, confusing. But it seems that only network 192.168.99.0/24 can access VLAN 51?

If that's the case, you need to apply an ACL on VLAN 51 like this:

ip access-list extended permit-99
permit ip 192.168.99.0 0.0.0.255 any

And apply this access list on VLAN 51 "in".

 

3 - VLAN 65: just the specific host 192.168.82.5 can access the VLAN; deny access to all others

The same as above: change 192.168.99.0 to 192.168.82.5 and apply to VLAN 65.

4 - VLAN 71 can access the internet, and the specific user 192.168.82.5 can access this VLAN, like the external network 192.168.81.0/24

Confusing. But you can use similar logic to the first ACL:

ip access-list extended vlan71
permit ip host 192.168.82.5 any ==> Satisfies the requirement for host 192.168.82.5 to access VLAN 71
permit ip 192.168.99.0 0.0.0.255 any ==> Satisfies the requirement for 192.168.81.0/24 to access VLAN 71
deny ip any 192.168.0.0 0.0.255.255 ==> Satisfies the requirement to block VLAN 71 from accessing anything else
permit ip any any ==> Satisfies the requirement to allow VLAN 71 to access the internet.


16 Replies

M02@rt37
VIP

Hello @gogi99 

Try this:

ip access-list extended Deny_Workstations_To_WiFiPrinterKamera
permit udp any host 255.255.255.255 eq bootps bootpc
permit ip 192.168.82.0 0.0.0.255 any
deny ip 192.168.82.0 0.0.0.255 192.168.65.0 0.0.0.255
deny ip 192.168.82.0 0.0.0.255 192.168.51.0 0.0.0.255
deny ip 192.168.82.0 0.0.0.255 192.168.71.0 0.0.0.255
deny ip any any

 

Best regards

gogi99
Level 1

I cannot access VLAN 71 from VLAN 82, but I have a problem with this ACL: I cannot access VLAN 186, but no access rule exists on this VLAN 186.

Hi @gogi99 

If you want VLAN 82 to access the internet only, you need to do this:

!
ip access-list extended Deny_Workstations_To_WiFiPrinterKamera
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
!
interface Vlan82
ip address 192.168.82.1 255.255.255.0
ip access-group Deny_Workstations_To_WiFiPrinterKamera in

 

gogi99
Level 1

But I have a specific requirement: the external network 192.168.99.0/24 can access network 192.168.51.0/24, and a specific workstation from VLAN 82, at address 192.168.82.5, can access every VLAN 51, 65, 71.

The access list I proposed does not involve network 99 or 51, and workstation 192.168.82.5 is not on VLAN 82. The access list I proposed will deny any network access to VLAN 82 and will allow VLAN 82 to access the internet.

Can an additional request be included?

gogi99
Level 1

I tried the following rule, and the rule is working between VLANs:

Extended IP access list Deny_Workstations_To_WiFiPrinterKamera
10 permit udp any host 255.255.255.255 eq bootps bootpc (2 matches)
30 deny ip 192.168.82.0 0.0.0.255 192.168.65.0 0.0.0.255
40 deny ip 192.168.82.0 0.0.0.255 192.168.51.0 0.0.0.255 (4 matches)
50 deny ip 192.168.82.0 0.0.0.255 192.168.71.0 0.0.0.255 (8 matches)
55 permit ip 192.168.82.0 0.0.0.255 any (4 matches)
60 deny ip any any (26 matches)

But I don't know how to create entries for my requirements above.

gogi99
Level 1

Can someone tell me why the implicit deny does not work on my switch?

The implicit deny is useless if you permit the network before it. The access list executes the entries in sequence.

You need to have a clear idea of what needs to talk to what. If you describe it clearly, we can help.

 

I used the instructions for access lists where it talks about the implicit deny at the end of the access list, but on my switch this rule does not work. Why?

It should, of course. All access lists have an implicit deny any any at the end, as per Cisco docs. But we need to understand what is not being denied and what you want to permit.
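The sequential, first-match evaluation described in the reply above, and the accepted solution's reordered ACL, can be checked offline. The following Python simulator is an added example, not code from the thread or from Cisco: it models IOS extended-ACL evaluation (`any`, `host`, wildcard masks, the implicit `deny ip any any`) and traces the three ACLs posted in this thread (the poster's original list, the first suggested rewrite, and the accepted solution's `vlan82` list) against constructed flows. It also reports entries that an earlier, broader entry shadows, which is why the later `deny` lines and the implicit deny never fire when a `permit ... any` precedes them. The host addresses 192.168.82.20, 192.168.65.7, 192.168.99.20 and 8.8.8.8 are assumptions; port qualifiers such as `eq bootps bootpc` are parsed past and ignored.

```python
# Added example (not from the thread or Cisco): simulate Cisco IOS
# extended-ACL first-match evaluation and detect shadowed entries.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str  # 'permit' or 'deny'
    proto: str   # 'ip', 'udp', 'tcp', ...
    src: str     # 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' (wildcard)
    dst: str
    text: str    # original line, reported as the matching entry


def _take_addr(tokens):
    """Consume one address spec in Cisco ACL syntax from the token list."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"host {tokens[1]}", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_ace(line):
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, rest = _take_addr(rest)
    dst, rest = _take_addr(rest)      # trailing 'eq ...' qualifiers ignored
    return Ace(action, proto, src, dst, line)


def _addr_set(spec):
    """(fixed_bits, care_mask): wildcard 1-bits are don't-care, 0-bits must match."""
    parts = spec.split()
    if parts == ["any"]:
        return 0, 0
    if parts[0] == "host":
        return int(ipaddress.IPv4Address(parts[1])), 0xFFFFFFFF
    net = int(ipaddress.IPv4Address(parts[0]))
    care = ~int(ipaddress.IPv4Address(parts[1])) & 0xFFFFFFFF
    return net & care, care


def match_addr(spec, addr):
    net, care = _addr_set(spec)
    return (int(ipaddress.IPv4Address(addr)) & care) == net


def _covers(a, b):
    """True if every address matched by spec b is also matched by spec a."""
    na, ca = _addr_set(a)
    nb, cb = _addr_set(b)
    return (ca & cb) == ca and (nb & ca) == na


def evaluate(acl, src_ip, dst_ip, proto="ip"):
    """First-match evaluation; returns (action, matched entry).
    proto='ip' stands for a generic flow, 'udp' e.g. for DHCP."""
    for line in acl:
        ace = parse_ace(line)
        if ace.proto not in ("ip", proto):
            continue
        if match_addr(ace.src, src_ip) and match_addr(ace.dst, dst_ip):
            return ace.action, ace.text
    return "deny", "<implicit deny ip any any>"


def shadowed_entries(acl):
    """Entries that can never be the first match because an earlier entry of
    the same or broader protocol and address scope covers every packet they describe."""
    aces = [parse_ace(line) for line in acl]
    out = []
    for i, ace in enumerate(aces):
        for prev in aces[:i]:
            if prev.proto in ("ip", ace.proto) and _covers(prev.src, ace.src) \
                    and _covers(prev.dst, ace.dst):
                out.append(ace.text)
                break
    return out


# ACLs as posted in the thread (annotations stripped), all applied 'in' on Vlan82.
ORIGINAL = [  # the poster's first attempt: no permit towards the internet
    "permit udp any host 255.255.255.255 eq bootps bootpc",
    "permit ip 192.168.82.0 0.0.0.255 192.168.0.0 0.0.0.255",
    "permit ip 192.168.82.0 0.0.0.255 192.168.99.0 0.0.0.255",
    "deny ip any any",
]
SHADOWED = [  # first suggested rewrite: the broad permit precedes the denies
    "permit udp any host 255.255.255.255 eq bootps bootpc",
    "permit ip 192.168.82.0 0.0.0.255 any",
    "deny ip 192.168.82.0 0.0.0.255 192.168.65.0 0.0.0.255",
    "deny ip 192.168.82.0 0.0.0.255 192.168.51.0 0.0.0.255",
    "deny ip 192.168.82.0 0.0.0.255 192.168.71.0 0.0.0.255",
    "deny ip any any",
]
ACCEPTED = [  # the accepted solution's 'vlan82' list
    "permit ip host 192.168.82.5 any",
    "permit ip any 192.168.99.0 0.0.0.255",
    "deny ip any 192.168.0.0 0.0.255.255",
    "permit ip any any",
]

# Constructed sample flows sourced from VLAN 82 (hosts are made up).
FLOWS = {
    "workstation -> internet": ("192.168.82.20", "8.8.8.8"),
    "workstation -> vlan65":   ("192.168.82.20", "192.168.65.7"),
    "workstation -> net99":    ("192.168.82.20", "192.168.99.20"),
    "host .5 -> vlan65":       ("192.168.82.5", "192.168.65.7"),
}


def trace(acl):
    return {name: evaluate(acl, s, d) for name, (s, d) in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("ORIGINAL", ORIGINAL), ("SHADOWED", SHADOWED), ("ACCEPTED", ACCEPTED)):
        print(f"== {label} (shadowed: {shadowed_entries(acl)})")
        for name, (action, entry) in trace(acl).items():
            print(f"  {name:24s} {action:6s} via {entry}")
```

The on-box equivalent of `shadowed_entries` is the match counter in `show access-lists`, as in the output the poster pasted: a `deny` line that stays at zero matches while a broader `permit` above it keeps counting is being shadowed, and the implicit deny is likewise never reached once a `permit ip any any` (or `permit ip <vlan> any`) sits above the traffic you expected it to drop.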

gogi99
Level 1

My requirements:

  • VLAN 82 can access the internet and the external network 192.168.99.0/24, but not other VLANs; but the specific host 192.168.82.5 can access all VLANs
  • VLAN 51: the external network 192.168.99.0/24 can access this VLAN, but other VLANs cannot access this VLAN
  • VLAN 65: just the specific host 192.168.82.5 can access the VLAN; deny access to all others
  • VLAN 71 can access the internet, and the specific user 192.168.82.5 can access this VLAN, like the external network 192.168.81.0/24

Is it a Packet Tracer project? If it is, can you share the file here? Zip it first.

gogi99
Level 1

No, a switch configuration.