08-22-2023 02:10 AM
I configured the Cisco 3560X switch. I have the following configuration:
system mtu routing 1500
ip routing
!
ip dhcp pool Sektor_Podrske
network 192.168.82.0 255.255.255.0
default-router 192.168.82.1
dns-server 192.168.99.20
!
ip dhcp pool Sektor_podrska
!
!
!
!
!
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 51,65,71,82
switchport mode trunk
!
interface GigabitEthernet0/2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 51,65,71,82
switchport mode trunk
!
interface GigabitEthernet0/3
switchport access vlan 51
switchport mode access
!
interface GigabitEthernet0/4
switchport access vlan 51
switchport mode access
!
interface GigabitEthernet0/5
switchport access vlan 65
switchport mode access
!
interface GigabitEthernet0/6
switchport access vlan 65
switchport mode access
!
interface GigabitEthernet0/7
switchport access vlan 65
switchport mode access
!
interface GigabitEthernet0/8
switchport access vlan 65
switchport mode access
!
interface GigabitEthernet0/9
switchport access vlan 65
switchport mode access
!
interface GigabitEthernet0/10
switchport access vlan 65
switchport mode access
!
interface GigabitEthernet0/11
switchport access vlan 71
switchport mode access
!
interface GigabitEthernet0/12
switchport access vlan 71
switchport mode access
!
interface GigabitEthernet0/13
switchport access vlan 71
switchport mode access
!
interface GigabitEthernet0/14
switchport access vlan 71
switchport mode access
!
interface GigabitEthernet0/15
switchport access vlan 71
switchport mode access
!
interface GigabitEthernet0/16
switchport access vlan 82
switchport mode access
!
interface GigabitEthernet0/17
switchport access vlan 82
switchport mode access
!
interface GigabitEthernet0/18
switchport access vlan 82
switchport mode access
!
interface GigabitEthernet0/19
switchport access vlan 82
switchport mode access
!
interface GigabitEthernet0/20
switchport access vlan 82
switchport mode access
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
!
interface GigabitEthernet0/23
!
interface GigabitEthernet0/24
switchport access vlan 186
switchport mode access
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface GigabitEthernet1/3
!
interface GigabitEthernet1/4
!
interface TenGigabitEthernet1/1
!
interface TenGigabitEthernet1/2
!
interface Vlan1
ip address 192.168.150.10 255.255.255.0
!
interface Vlan51
ip address 192.168.51.1 255.255.255.0
!
interface Vlan65
ip address 192.168.65.1 255.255.255.0
!
interface Vlan71
ip address 192.168.71.1 255.255.255.0
!
interface Vlan82
ip address 192.168.82.1 255.255.255.0
ip access-group Deny_Workstations_To_WiFiPrinterKamera in
!
interface Vlan186
ip address 192.168.0.186 255.255.255.0
!
ip default-gateway 192.168.150.9
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.0.254
!
ip access-list extended Deny_Workstations_To_WiFiPrinterKamera
permit udp any host 255.255.255.255 eq bootps bootpc
permit ip 192.168.82.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 192.168.82.0 0.0.0.255 192.168.99.0 0.0.0.255
deny ip any any
I want my VLAN 82 to have:
permission to access the internet, but denied access to all other VLANs: 65, 51, 71. I tried that IP access list but I have problems. Can you help me? The implicit deny does not work in this configuration, so I set deny ip any any. But when I set this entry, no one from the other VLANs can access the internet.
08-22-2023 05:21 AM
OK, no problem. Well, you need more than one access list. And the requirements are pretty confusing.
1 - VLAN 82 can access the internet and the external network 192.168.99.0/24, but not the other VLANs, but the specific host 192.168.82.5 can access all VLANs
This is OK and can be accomplished with the following ACL applied to VLAN 82 "in":
ip access-list extended vlan82
permit ip host 192.168.82.5 any ==> Satisfies the requirement for host 192.168.82.5 to access all VLANs and the internet
permit ip any 192.168.99.0 0.0.0.255 ==> Satisfies the requirement for VLAN 82 to access the external network 192.168.99.0
deny ip any 192.168.0.0 0.0.255.255 ==> Satisfies the requirement to block VLAN 82 from accessing anything else
permit ip any any ==> Satisfies the requirement to allow VLAN 82 to access the internet.
2 - VLAN 51: the external network 192.168.99.0/24 can access this VLAN, but other VLANs cannot access this VLAN
Confusing, confusing. But it seems that only network 192.168.99.0/24 can access VLAN 51?
If that's the case, you need to apply an ACL on VLAN 51 like this:
ip access-list extended permit-99
permit ip 192.168.99.0 0.0.0.255 any
And apply this access list on VLAN 51 "in".
3 - VLAN 65: just the specific host 192.168.82.5 can access the VLAN, deny access to all others
The same as above: change 192.168.99.0 to 192.168.82.5 and apply to VLAN 65.
4 - VLAN 71 can access the internet, and the specific user 192.168.82.5 can access this VLAN, as can the external network 192.168.81.0/24
Confusing. But you can use similar logic to the first ACL:
ip access-list extended vlan71
permit ip host 192.168.82.5 any ==> Satisfies the requirement for host 192.168.82.5 to access VLAN 71
permit ip 192.168.99.0 0.0.0.255 any ==> Satisfies the requirement for 192.168.81.0/24 to access VLAN 71
deny ip any 192.168.0.0 0.0.255.255 ==> Satisfies the requirement to block VLAN 71 from accessing anything else
permit ip any any ==> Satisfies the requirement to allow VLAN 71 to access the internet.
08-22-2023 03:12 AM
Hello @gogi99
Try this:
ip access-list extended Deny_Workstations_To_WiFiPrinterKamera
permit udp any host 255.255.255.255 eq bootps bootpc
permit ip 192.168.82.0 0.0.0.255 any
deny ip 192.168.82.0 0.0.0.255 192.168.65.0 0.0.0.255
deny ip 192.168.82.0 0.0.0.255 192.168.51.0 0.0.0.255
deny ip 192.168.82.0 0.0.0.255 192.168.71.0 0.0.0.255
deny ip any any
08-22-2023 03:47 AM - edited 08-22-2023 03:47 AM
I cannot access VLAN 71 from VLAN 82, but I have a problem with this ACL: I cannot access VLAN 186, yet no access rule exists for VLAN 186.
08-22-2023 04:09 AM
Hi @gogi99
If you want vlan 82 to access the internet only, you need to do this:
!
ip access-list extended Deny_Workstations_To_WiFiPrinterKamera
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
!
interface Vlan82
ip address 192.168.82.1 255.255.255.0
ip access-group Deny_Workstations_To_WiFiPrinterKamera in
08-22-2023 04:25 AM
But I have a specific requirement: the external network 192.168.99.0/24 can access network 192.168.51.0/24, and a specific workstation in VLAN 82, at address 192.168.82.5, can access every VLAN (51, 65, 71).
08-22-2023 04:39 AM
The access list I proposed does not involve network 99 or 51, and workstation 192.168.82.5 is not on VLAN 82. The access list I proposed will deny any network from accessing VLAN 82 and will allow VLAN 82 to access the internet.
08-22-2023 04:43 AM
Can an additional request be included?
08-22-2023 04:33 AM
I tried the following rule, and the rule is working between VLANs:
Extended IP access list Deny_Workstations_To_WiFiPrinterKamera
10 permit udp any host 255.255.255.255 eq bootps bootpc (2 matches)
30 deny ip 192.168.82.0 0.0.0.255 192.168.65.0 0.0.0.255
40 deny ip 192.168.82.0 0.0.0.255 192.168.51.0 0.0.0.255 (4 matches)
50 deny ip 192.168.82.0 0.0.0.255 192.168.71.0 0.0.0.255 (8 matches)
55 permit ip 192.168.82.0 0.0.0.255 any (4 matches)
60 deny ip any any (26 matches)
But I don't know how to create entries for my requirements above.
08-22-2023 04:35 AM
Can someone tell me why the implicit deny does not work on my switch?
08-22-2023 04:42 AM
The implicit deny is useless if you permit the network before it. The access list executes the entries in sequence.
You need to have a clear idea of what needs to talk with what. If you describe it clearly, we can help.
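To make the sequential, first-match behaviour concrete, here is an added example (not from the thread or from Cisco): a small Python model of IOS extended-ACL evaluation that replays the two orderings posted above, the one where "permit ip 192.168.82.0 0.0.0.255 any" sits before the deny lines and the reordered one, and shows why the denies are only effective in the second. It parses only "permit|deny PROTO SRC DST" entries and ignores port qualifiers; the packet addresses (192.168.82.50, 192.168.51.10, 203.0.113.10) are constructed.

```python
import ipaddress

# Added example (not from the thread): a minimal model of how IOS walks an extended
# ACL top to bottom and stops at the first matching entry, falling through to the
# implicit "deny ip any any". Port qualifiers such as "eq bootps bootpc" are ignored.
def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care', so clear those bits and compare."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def _take_addr(tokens):
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD' -> ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_entry(line):
    tokens = line.split()
    src, rest = _take_addr(tokens[2:])
    dst, _ = _take_addr(rest)  # anything after the destination (ports) is dropped
    return tokens[0], tokens[1], src, dst  # action, protocol, src, dst

def evaluate(acl, proto, src, dst):
    """First-match walk: returns (action, 1-based entry number), or ('deny', None) for the implicit deny."""
    for n, line in enumerate(acl, 1):
        action, e_proto, (sb, sw), (db, dw) = parse_entry(line)
        if e_proto in ("ip", proto) and wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action, n
    return "deny", None

# Ordering first suggested in the thread: the broad permit on entry 2 shadows the denies below it.
SHADOWED = [
    "permit udp any host 255.255.255.255 eq bootps bootpc",
    "permit ip 192.168.82.0 0.0.0.255 any",
    "deny ip 192.168.82.0 0.0.0.255 192.168.65.0 0.0.0.255",
    "deny ip 192.168.82.0 0.0.0.255 192.168.51.0 0.0.0.255",
    "deny ip 192.168.82.0 0.0.0.255 192.168.71.0 0.0.0.255",
]
# Working ordering the poster arrived at: specific denies first, broad permit, explicit final deny.
ORDERED = [SHADOWED[0]] + SHADOWED[2:] + ["permit ip 192.168.82.0 0.0.0.255 any", "deny ip any any"]

if __name__ == "__main__":
    # 203.0.113.10 is a constructed "internet" destination (TEST-NET-3 documentation range).
    for name, acl in (("shadowed", SHADOWED), ("ordered", ORDERED)):
        print(name, "82 -> vlan 65:", evaluate(acl, "tcp", "192.168.82.50", "192.168.65.10"))
        print(name, "82 -> internet:", evaluate(acl, "tcp", "192.168.82.50", "203.0.113.10"))
    print("no entry matches -> implicit deny:", evaluate(SHADOWED, "tcp", "192.168.51.10", "203.0.113.10"))
```

The shadowed list permits 82 -> 65 on entry 2, so entries 3 to 5 never see a packet; the ordered list denies it on entry 2 and still lets 82 reach the internet on entry 5.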
08-22-2023 04:46 AM
I used the instructions for access lists, which talk about an implicit deny at the end of the access list, but on my switch this rule does not work. Why?
08-22-2023 04:51 AM
It should, of course. All access lists have an implicit deny any any at the end, as per the Cisco docs. But we need to understand what is not being denied and what you want to permit.
08-22-2023 05:00 AM
My requirements:
08-22-2023 05:04 AM
Is it a Packet Tracer project? If it is, can you share the file here? Zip it first.
08-22-2023 05:05 AM
No, a switch configuration.