I need to implement ACLs to control the traffic in my network, but I can't get it to work.
I have a network which consists of SVIs on the L3 switch, where the first IP in each subnet is the IP of the VLAN interface. The layer 3 switch is the core switch, and connected to it are layer 2 switches. Connected to those layer 2 switches are the VLANs mentioned below.
Customer VLANs 950-998, subnets 172.31.243.128/26 through 172.31.255.128/26
Management VLAN: 999, subnet: 172.30.252.0/22
This is what the ACLs SHOULD do:
Deny traffic from any customer VLAN 950-998 to any other customer VLAN 950-998.
Deny traffic from any customer VLANs (950-998) to the management VLAN 999.
Permit all other traffic from customer VLANs (950-998) to any other part of the network.
Permit the management network VLAN 999 to access anything in the network.
What I have tried to create in Packet Tracer, but doesn't seem to work, is:
ip access-list extended VLAN950
 ! deny VLAN950 to access VLAN951
 deny ip 172.31.243.128 0.0.0.63 172.31.243.192 0.0.0.63
 ! deny VLAN950 to access the management VLAN999
 deny ip 172.31.243.128 0.0.0.63 172.30.252.0 0.0.3.255
 ! allow anything else
 permit ip any any
!
ip access-list extended VLAN950_Management
 ! permit management VLAN999 to access VLAN950
 permit ip 172.30.252.0 0.0.3.255 172.31.243.128 0.0.0.63
 ! deny anything else
 deny ip any any
!
! SVI for VLAN950 (first IP of the VLAN950 subnet is the gateway)
interface Vlan950
 ip address 172.31.243.129 255.255.255.192
 ip access-group VLAN950 out
 ip access-group VLAN950_Management in
But after I set this up in PT, this is what happens:
The PC in VLAN950 can't ping anything in the network (not even its default gateway, and not the 192.168.0.0/24 network).
The management PC in VLAN999 cannot ping the PC in VLAN950 even though it should be allowed.
In the attachments I have added the .pkt file, so hopefully someone can help me build what I need to build.
Thanks in advance!
Here is a picture of the network I have built in PT:
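As an added illustration (not part of the original post or its Packet Tracer file), here is a small Python model of IOS extended-ACL matching (wildcard masks, first match wins, implicit deny) and of the in/out direction on an SVI, loaded with the two ACLs exactly as posted. On an SVI, "in" filters what the switch receives from that VLAN's hosts, so VLAN950_Management applied inbound denies everything the VLAN950 PC sends, including echo replies to the management PC; the host addresses, the corrected ACL with its echo-reply entry, and the `established` remark are assumptions of this example.

```python
import ipaddress

# Model of Cisco extended ACLs: wildcard bits set to 1 are "don't care",
# entries are checked top-down, first match wins, implicit deny at the end.
def wildcard_match(addr, net, wildcard):
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a & ~w) == (n & ~w)

def evaluate_acl(acl, proto, src, dst):
    for action, entry_proto, (s_net, s_wc), (d_net, d_wc) in acl:
        if (entry_proto in ("ip", proto) and wildcard_match(src, s_net, s_wc)
                and wildcard_match(dst, d_net, d_wc)):
            return action
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")
VLAN950_NET = ("172.31.243.128", "0.0.0.63")  # customer VLAN 950
VLAN951_NET = ("172.31.243.192", "0.0.0.63")  # customer VLAN 951
MGMT_NET = ("172.30.252.0", "0.0.3.255")      # management VLAN 999
SVI_IP = "172.31.243.129"                     # interface Vlan950 address

# The two ACLs exactly as posted, plus a stand-in for "no ACL applied".
ACL_VLAN950 = [("deny", "ip", VLAN950_NET, VLAN951_NET),
               ("deny", "ip", VLAN950_NET, MGMT_NET),
               ("permit", "ip", ANY, ANY)]
ACL_VLAN950_MANAGEMENT = [("permit", "ip", MGMT_NET, VLAN950_NET),
                          ("deny", "ip", ANY, ANY)]
NO_ACL = [("permit", "ip", ANY, ANY)]
# Assumed fix: ACLs are stateless, so replies from VLAN950 hosts to management
# pings must be permitted before the deny ("permit icmp ... echo-reply";
# for TCP sessions the equivalent is "permit tcp ... established").
ACL_VLAN950_FIXED = [("permit", "icmp echo-reply", VLAN950_NET, MGMT_NET)] + ACL_VLAN950

def svi_forwards(inbound, outbound, proto, src, dst):
    """One direction through interface Vlan950: 'in' filters what the switch
    receives from VLAN950 hosts (pings to the SVI's own IP included), 'out'
    filters what it sends into VLAN950; the SVI's own replies are not filtered."""
    if src == SVI_IP:
        return True
    if wildcard_match(src, *VLAN950_NET):
        return evaluate_acl(inbound, proto, src, dst) == "permit"
    return evaluate_acl(outbound, proto, src, dst) == "permit"

def ping_works(inbound, outbound, src, dst):
    """Echo request out and echo reply back must both be permitted."""
    return (svi_forwards(inbound, outbound, "icmp echo", src, dst)
            and svi_forwards(inbound, outbound, "icmp echo-reply", dst, src))

def posted_config(src, dst):     # VLAN950 out, VLAN950_Management in
    return ping_works(ACL_VLAN950_MANAGEMENT, ACL_VLAN950, src, dst)

def corrected_config(src, dst):  # VLAN950_FIXED in, nothing out
    return ping_works(ACL_VLAN950_FIXED, NO_ACL, src, dst)
```

With constructed hosts 172.31.243.130 (VLAN950 PC), 172.30.252.10 (management PC) and 192.168.0.10, `posted_config` reproduces both symptoms from the post, while `corrected_config` blocks only VLAN950 to VLAN951 and VLAN950 to management.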