Problem with ACL permission: implicit deny/permit

gogi99
Level 1

I configured the 3560x Cisco switch. I have the following configuration:


system mtu routing 1500
ip routing
!
ip dhcp pool Sektor_Podrske
network 192.168.82.0 255.255.255.0
default-router 192.168.82.1
dns-server 192.168.99.20
!
ip dhcp pool Sektor_podrska
!
!
!
!

!
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 51,65,71,82
switchport mode trunk
!
interface GigabitEthernet0/2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 51,65,71,82
switchport mode trunk
!
interface GigabitEthernet0/3
switchport access vlan 51
switchport mode access
!
interface GigabitEthernet0/4
switchport access vlan 51
switchport mode access
!
interface GigabitEthernet0/5
switchport access vlan 65
switchport mode access
!
interface GigabitEthernet0/6
switchport access vlan 65
switchport mode access
!
interface GigabitEthernet0/7
switchport access vlan 65
switchport mode access
!
interface GigabitEthernet0/8
switchport access vlan 65
switchport mode access
!
interface GigabitEthernet0/9
switchport access vlan 65
switchport mode access
!
interface GigabitEthernet0/10
switchport access vlan 65
switchport mode access
!
interface GigabitEthernet0/11
switchport access vlan 71
switchport mode access
!
interface GigabitEthernet0/12
switchport access vlan 71
switchport mode access
!
interface GigabitEthernet0/13
switchport access vlan 71
switchport mode access
!
interface GigabitEthernet0/14
switchport access vlan 71
switchport mode access
!
interface GigabitEthernet0/15
switchport access vlan 71
switchport mode access
!
interface GigabitEthernet0/16
switchport access vlan 82
switchport mode access
!
interface GigabitEthernet0/17
switchport access vlan 82
switchport mode access
!
interface GigabitEthernet0/18
switchport access vlan 82
switchport mode access
!
interface GigabitEthernet0/19
switchport access vlan 82
switchport mode access
!
interface GigabitEthernet0/20
switchport access vlan 82
switchport mode access
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
!
interface GigabitEthernet0/23
!
interface GigabitEthernet0/24
switchport access vlan 186
switchport mode access
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface GigabitEthernet1/3
!
interface GigabitEthernet1/4
!
interface TenGigabitEthernet1/1
!
interface TenGigabitEthernet1/2
!
interface Vlan1
ip address 192.168.150.10 255.255.255.0
!
interface Vlan51
ip address 192.168.51.1 255.255.255.0
!
interface Vlan65
ip address 192.168.65.1 255.255.255.0
!
interface Vlan71
ip address 192.168.71.1 255.255.255.0
!
interface Vlan82
ip address 192.168.82.1 255.255.255.0
ip access-group Deny_Workstations_To_WiFiPrinterKamera in
!
interface Vlan186
ip address 192.168.0.186 255.255.255.0
!
ip default-gateway 192.168.150.9
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.0.254
!
ip access-list extended Deny_Workstations_To_WiFiPrinterKamera
permit udp any host 255.255.255.255 eq bootps bootpc
permit ip 192.168.82.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 192.168.82.0 0.0.0.255 192.168.99.0 0.0.0.255
deny ip any any

I want my vlan 82 to have:

permit for access to the internet, but deny access to all other vlans: 65, 51, 71. I tried that ip access-list but I have problems. Can you help me? The implicit deny does not work on this configuration, so I set deny ip any any. But when I set this entry, no one from the other vlans can access the internet.

16 Replies

OK, no problem. Well, you need more than one access-list. And the requirements are pretty confusing.

1 - vlan 82 can access the internet and external network 192.168.99.0/24, but not the other vlans, but specific host 192.168.82.5 can access all vlans

This is ok and can be accomplished with the following ACL applied to vlan 82 "IN"

ip access-list extended vlan82
permit ip host 192.168.82.5 any ==> Satisfy the requirement for host 192.168.82.5 access all vlans and internet
permit ip any 192.168.99.0 0.0.0.255 ==> Satisfy the requirement for vlan 82 access external network 192.168.99.0
deny ip any 192.168.0.0 0.0.255.255 ==> Satisfy the requirement to block vlan 82 from access anything else
permit ip any any ==> Satisfy the requirement to allow vlan 82 to access the internet.

2 - vlan 51: external network 192.168.99.0/24 can access this vlan but other vlans cannot access this vlan

Confusing, confusing. But it seems that only network 192.168.99.0/24 can access vlan 51?

If that's the case, you need to apply an ACL on vlan 51 like this

ip access-list extended permit-99
 permit ip 192.168.99.0 0.0.0.255 any

And apply this access list on vlan 51 "in"

 

3 - vlan 65: just specific host 192.168.82.5 can access this vlan, deny access to all others

The same as above: change 192.168.99.0 to 192.168.82.5 and apply to vlan 65

4 - vlan 71 can access the internet, and specific user 192.168.82.5 can access this vlan, like external network 192.168.81.0/24

Confusing. But you can use similar logic to the first acl

ip access-list extended vlan71
permit ip host 192.168.82.5 any ==> Satisfy the requirement for host 192.168.82.5 access vlan 71
permit ip 192.168.99.0 0.0.0.255 any ==> Satisfy the requirement for 192.168.81.0/24 access vlan 71
deny ip any 192.168.0.0 0.0.255.255 ==> Satisfy the requirement to block vlan 71 from access anything else
permit ip any any ==> Satisfy the requirement to allow vlan 71 to access the internet.

My solution is:

ip access-list extended Deny_Access_Printer
permit ip 192.168.51.0 0.0.0.255 host 192.168.82.3
permit ip 192.168.51.0 0.0.0.255 192.168.99.0 0.0.0.255
permit ip 192.168.51.0 0.0.0.255 192.168.81.0 0.0.0.255
deny ip 192.168.51.0 0.0.0.255 192.168.65.0 0.0.0.255
deny ip 192.168.51.0 0.0.0.255 192.168.71.0 0.0.0.255
permit ip 192.168.51.0 0.0.0.255 any
deny ip any any
ip access-list extended Deny_Access_WiFi
permit ip 192.168.71.0 0.0.0.255 host 192.168.82.3
permit ip 192.168.71.0 0.0.0.255 192.168.81.0 0.0.0.255
deny ip 192.168.71.0 0.0.0.255 192.168.82.0 0.0.0.255
deny ip 192.168.71.0 0.0.0.255 192.168.65.0 0.0.0.255
deny ip 192.168.71.0 0.0.0.255 192.168.51.0 0.0.0.255
permit ip 192.168.71.0 0.0.0.255 any
deny ip any any
ip access-list extended Deny_Kamera_Access
permit ip 192.168.65.0 0.0.0.255 host 192.168.82.3
permit ip 192.168.65.0 0.0.0.255 192.168.81.0 0.0.0.255
deny ip any any
ip access-list extended Deny_Workstations_To_WiFiPrinterKamera
permit udp any host 255.255.255.255 eq bootps bootpc
permit ip host 192.168.82.3 192.168.51.0 0.0.0.255
permit ip host 192.168.82.3 192.168.65.0 0.0.0.255
permit ip host 192.168.82.3 192.168.71.0 0.0.0.255
deny ip 192.168.82.0 0.0.0.255 192.168.65.0 0.0.0.255
deny ip 192.168.82.0 0.0.0.255 192.168.51.0 0.0.0.255
deny ip 192.168.82.0 0.0.0.255 192.168.71.0 0.0.0.255
permit ip 192.168.82.0 0.0.0.255 any
deny ip any any
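To check what these lists actually do before applying them, the three ACLs from this thread (the original Deny_Workstations_To_WiFiPrinterKamera list from the question, the vlan82 list from the first reply, and the final Deny_Workstations_To_WiFiPrinterKamera list above) can be fed through a small evaluator that applies them the way IOS does: top-down, first match wins, and a packet matching no line falls to the implicit deny at the end. This is an added example, not configuration or code from the thread or from Cisco; the Entry, parse_acl and evaluate names, the bootps/bootpc port table, and the sample flows (192.168.82.10 standing in for an ordinary workstation, 8.8.8.8 for an internet host) are constructed for illustration.

```python
"""Evaluate Cisco-style extended ACL entries: top-down, first match wins,
implicit deny at the end. Added illustration, not the thread's own config."""
import ipaddress
from dataclasses import dataclass

# Port names used in the thread's ACLs, mapped to numbers (constructed table).
PORT_NAMES = {"bootps": 67, "bootpc": 68}


@dataclass(frozen=True)
class Entry:
    action: str        # "permit" or "deny"
    proto: str         # "ip" matches every protocol; otherwise "udp"/"tcp"/"icmp"
    src: tuple         # (address, wildcard) as 32-bit ints
    dst: tuple
    dports: frozenset  # destination ports after "eq"; empty = any port


def _addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wild), i + 2


def _match(spec, ip):
    """Cisco wildcard semantics: bits set in the wildcard are 'don't care'."""
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF
    return ((int(ipaddress.IPv4Address(ip)) ^ addr) & care) == 0


def parse_acl(text):
    """Turn an 'ip access-list extended' block into Entry objects.
    Inline '==>' annotations (as in the reply above) are stripped. Only the
    syntax this thread uses is handled: ip/udp, any/host/wildcard, and an
    optional 'eq' port list on the destination."""
    entries = []
    for raw in text.strip().splitlines():
        line = raw.split("==>")[0].strip()
        if not line or line.startswith("ip access-list"):
            continue
        t = line.split()
        src, i = _addr(t, 2)
        dst, i = _addr(t, i)
        ports = frozenset()
        if i < len(t) and t[i] == "eq":
            ports = frozenset(int(PORT_NAMES.get(p, p)) for p in t[i + 1:])
        entries.append(Entry(t[0], t[1], src, dst, ports))
    return entries


def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, line_number); line_number is None for the implicit deny."""
    for n, e in enumerate(acl, 1):
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (_match(e.src, src) and _match(e.dst, dst)):
            continue
        if e.dports and dport not in e.dports:
            continue
        return e.action, n
    return "deny", None   # nothing matched: IOS implicit deny


# The ACL from the original question.
ORIGINAL = parse_acl("""
ip access-list extended Deny_Workstations_To_WiFiPrinterKamera
permit udp any host 255.255.255.255 eq bootps bootpc
permit ip 192.168.82.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 192.168.82.0 0.0.0.255 192.168.99.0 0.0.0.255
deny ip any any
""")

# The vlan82 ACL suggested in the first reply (annotations kept to show parsing).
REPLY_VLAN82 = parse_acl("""
ip access-list extended vlan82
permit ip host 192.168.82.5 any ==> host 192.168.82.5 reaches all vlans and internet
permit ip any 192.168.99.0 0.0.0.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
""")

# The final vlan 82 ACL posted as the solution.
FINAL = parse_acl("""
ip access-list extended Deny_Workstations_To_WiFiPrinterKamera
permit udp any host 255.255.255.255 eq bootps bootpc
permit ip host 192.168.82.3 192.168.51.0 0.0.0.255
permit ip host 192.168.82.3 192.168.65.0 0.0.0.255
permit ip host 192.168.82.3 192.168.71.0 0.0.0.255
deny ip 192.168.82.0 0.0.0.255 192.168.65.0 0.0.0.255
deny ip 192.168.82.0 0.0.0.255 192.168.51.0 0.0.0.255
deny ip 192.168.82.0 0.0.0.255 192.168.71.0 0.0.0.255
permit ip 192.168.82.0 0.0.0.255 any
deny ip any any
""")

if __name__ == "__main__":
    # Constructed sample flows, all entering the Vlan82 SVI "in" from the VLAN.
    for label, acl, *pkt in [
        ("original: workstation -> internet", ORIGINAL, "tcp", "192.168.82.10", "8.8.8.8", 443),
        ("original minus last line: same flow", ORIGINAL[:-1], "tcp", "192.168.82.10", "8.8.8.8", 443),
        ("reply: workstation -> vlan 51", REPLY_VLAN82, "tcp", "192.168.82.10", "192.168.51.7", 80),
        ("final: workstation -> 192.168.0.0/24", FINAL, "tcp", "192.168.82.10", "192.168.0.254", 80),
    ]:
        print(f"{label:40s} -> {evaluate(acl, *pkt)}")
```

Running it shows that the original list sends workstation-to-internet traffic from 192.168.82.0/24 to its deny ip any any line, and that removing that line changes nothing for that flow because the implicit deny catches the same packet. It also shows a difference between the two later lists: the final list permits a VLAN 82 workstation to reach 192.168.0.0/24 (line 8, permit ip 192.168.82.0 0.0.0.255 any), while the reply's deny ip any 192.168.0.0 0.0.255.255 would have blocked that segment along with every other 192.168.x.x network. Walking each intended and unintended flow through the list this way is a cheap check to run before an ACL goes onto an SVI.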
