
Extended Access Lists

austindaz
Level 1

Hi There;

I have a switch with 5 vlans (192.168.1-5.X/24), connected to a router which has three interfaces (172.30.1-3.X/24) in addition to the uplink port. If I want the traffic from each of the 5 vlans to be able to talk (ping) to each of the 3 routing interfaces but not to be able to talk (ping) to any of the other vlans - is the best way to do it via extended access lists?

thanks

6 Replies

lamav
Level 8

Austin:

That is the simplest way to do it, yes.

Victor

Istvan_Rabai
Level 7

Hi Austin,

This is a "router on a stick" configuration. In addition to the mentioned access-lists you will need to configure the uplink port of the router for trunking so it can carry all 5 vlans.

Cheers:

Istvan

Hi there;

Would the access list look something like the following: "access-list 101 permit tcp 192.168.0.0 0.0.0.255 172.30.0.0 0.0.0.255 eq icmp"?

thanks

Hi Austin,

If you want to enable tcp traffic with no specific port numbers, then the acls may be the following:

For vlan 1:

access-list 101 permit tcp 192.168.1.0 0.0.0.255 172.30.0.0 0.0.255.255

This access-list must be applied inbound to the subinterface corresponding to vlan 1.

For vlan 2:

access-list 102 permit tcp 192.168.2.0 0.0.0.255 172.30.0.0 0.0.255.255

This access-list must be applied inbound to the subinterface corresponding to vlan 2.

...etc.

These acls will allow tcp traffic from the appropriate vlans to the 172.30.x.x interfaces.

If you want to allow icmp (ping) traffic, then you should repeat the same lines with "icmp" instead of "tcp".

If you have doubt of how to configure the trunk interface on the router, please send me a response and I will help you.

Cheers:

Istvan

Hi There;

Thanks very much for your assistance.

Can you explain more about the application of the access-group 'in' and 'out.' If I'm pinging from a specific 192 network (vlan1) to any of the 172 interfaces, doesn't that mean I would apply the above mentioned access-list 101 'out' on the vlan1 interface?

regards

You have to think from the router perspective towards the networks.

If you are pinging from a 192 network to a 172 network, you would place an ACL with 'in' on the interface facing the 192 network. Just picture it: traffic is coming from the 192 network towards the router, so you block the incoming packet.

If you wanted to block the pinging after 'routing' takes place, you would place the ACL with 'out' towards the destination (in this case the 172 network) under the outgoing interface.

There are times when you need to decide if you want to block before it gets into the router or while it's leaving the router.

HTH,

__

Edison.
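As an added illustration (not code from the thread or from Cisco), the following Python models the access-list 101 entries Istvan posted, applied inbound on the vlan 1 subinterface as Edison describes, and shows which packets the implicit deny at the end of the list stops. The ACL entries and the sample source/destination addresses are constructed from the addressing in the thread.

```python
import ipaddress

# Constructed model of a Cisco extended ACL: each entry is
# (action, protocol, src, src_wildcard, dst, dst_wildcard). Port matching
# is not modelled because the thread does not use it.

def wildcard_match(addr: str, pattern: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    p = int(ipaddress.IPv4Address(pattern))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ p) & ~w & 0xFFFFFFFF) == 0

def evaluate(acl, proto: str, src: str, dst: str) -> str:
    """First matching entry wins; every ACL ends with an implicit 'deny ip any any'."""
    for action, aproto, s, sw, d, dw in acl:
        if aproto in (proto, "ip") and wildcard_match(src, s, sw) \
                and wildcard_match(dst, d, dw):
            return action
    return "deny"

# access-list 101 as posted for vlan 1, plus the icmp line Istvan said to add.
ACL_101 = [
    ("permit", "tcp", "192.168.1.0", "0.0.0.255", "172.30.0.0", "0.0.255.255"),
    ("permit", "icmp", "192.168.1.0", "0.0.0.255", "172.30.0.0", "0.0.255.255"),
]

# The asker's draft used 0.0.0.255 wildcards on both 192.168.0.0 and 172.30.0.0,
# which only cover 192.168.0.x and 172.30.0.x, so neither the vlan hosts nor
# the 172.30.1-3.x router interfaces are matched (constructed from the thread).
ACL_DRAFT = [
    ("permit", "icmp", "192.168.0.0", "0.0.0.255", "172.30.0.0", "0.0.0.255"),
]

def vlan1_inbound(proto: str, src: str, dst: str, acl=ACL_101) -> str:
    """ACL applied 'in' on the vlan 1 subinterface: it sees packets sourced
    from vlan 1 hosts before routing, which is where Edison places it."""
    return evaluate(acl, proto, src, dst)

if __name__ == "__main__":
    # Constructed sample flows from a vlan 1 host.
    for proto, dst in [("icmp", "172.30.2.1"), ("icmp", "192.168.2.10"),
                       ("tcp", "172.30.3.1"), ("udp", "172.30.3.1")]:
        print(proto, "192.168.1.10 ->", dst, vlan1_inbound(proto, "192.168.1.10", dst))
    print("draft ACL, ping to 172.30.2.1:",
          evaluate(ACL_DRAFT, "icmp", "192.168.1.10", "172.30.2.1"))
```

The ping to another vlan is denied only because nothing in the list permits it; the implicit deny does that work, so no explicit inter-vlan deny line is needed.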
