VLAN ACL not working -urgent

Answered Question
Nov 15th, 2008
Hi,

please find the VLAN details given below..


VLAN: teamA-VLAN12, teamB-VLAN11, teamC-VLAN13, teamD-VLAN20, teamE-VLAN21


VLAN11=10.138.74.192/26

VLAN12=10.138.75.0/25

VLAN13=10.138.75.128/26

VLAN17=10.138.77.0/24 (server)

VLAN20=10.138.75.192/27

VLAN21=10.138.75.224/27


ACL for teamA


Team A should get access to 10.138.77.9, 10.138.77.90-10.138.77.101, 10.138.77.47-10.138.77.61 and 10.138.76.0-10.138.76.255.

Team A should not get access to VLAN11, VLAN13 and VLAN 20.


Please find the ACL configuration which I have done:


access-list 112 permit ip 10.138.75.0 0.0.0.126 host 10.138.77.9

access-list 112 permit ip 10.138.75.0 0.0.0.126 10.138.77.90 0.0.0.11

access-list 112 permit ip 10.138.75.0 0.0.0.126 10.138.77.47 0.0.0.14

access-list 112 permit ip 10.138.75.0 0.0.0.126 10.138.76.0 0.0.0.255

access-list 112 deny ip 10.138.75.0 0.0.0.126 10.138.74.192 0.0.0.62

access-list 112 deny ip 10.138.75.0 0.0.0.126 10.138.75.128 0.0.0.62

access-list 112 deny ip 10.138.75.0 0.0.0.126 10.138.75.192 0.0.0.30

access-list 112 deny ip 10.138.75.0 0.0.0.126 10.138.77.0 0.0.0.255

access-list 112 permit ip any any


interface Vlan12

ip access-group 112 in


But after applying the above ACL, team A is unable to access the 10.138.77.90-10.138.77.101 and 10.138.77.47-10.138.77.61 ranges. Some other access is also blocked.


Please help to resolve this issue.



Regards,

som

Giuseppe Larosa Sat, 11/15/2008 - 04:25

Hello Som,

for net 10.138.75.0/25 the wildcard mask is:

01111111 = 127

126 = 01111110, and odd addresses like 10.138.75.3 don't match these lines


the same reasoning applies to some destinations.


90 = 01011010

101 = 01100101

so they have very little in common

the wildcard masks are to be calculated in binary and then converted to decimal


10.138.77.88 0.0.0.7

will match from 10.138.77.88 to 10.138.77.95

10.138.77.96 0.0.0.7

will match from 10.138.77.96 to 10.138.77.103


modify all lines following the above suggestions


Hope to help

Giuseppe
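Giuseppe's binary reasoning above, carried through in code. This is an added example, not from this thread or from any Cisco tool: it checks what an address/wildcard pair really matches (so 0.0.0.126 visibly misses odd hosts) and splits an arbitrary range such as 10.138.77.90-101 into the aligned power-of-two blocks that a single ACL line can express. Function names and the ACL rendering are my own; only the Python standard library is used.

```python
# Added example: Cisco-style wildcard mask arithmetic (wildcard bit 1 = "don't care").
from __future__ import annotations
from ipaddress import IPv4Address


def to_int(addr: str) -> int:
    return int(IPv4Address(addr))


def matches(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches 'base wildcard': all bits NOT set in the wildcard must be equal."""
    a, b, w = to_int(addr), to_int(base), to_int(wildcard)
    return (a & ~w) == (b & ~w)


def matched_range(base: str, wildcard: str) -> tuple[str, str]:
    """Lowest and highest address the pair covers (IOS normalises the base address)."""
    b, w = to_int(base), to_int(wildcard)
    lo = b & ~w                      # clear the "don't care" bits of the base
    return str(IPv4Address(lo)), str(IPv4Address(lo | w))


def range_to_wildcards(first: str, last: str) -> list[tuple[str, str]]:
    """Minimal list of (base, wildcard) pairs covering first..last exactly.

    Each pair is an aligned block whose size is a power of two, which is why a
    range like 90-101 cannot be written as one line with wildcard 0.0.0.11."""
    lo, hi = to_int(first), to_int(last)
    blocks = []
    while lo <= hi:
        size = 1
        # Grow the block while it stays aligned and does not overshoot hi.
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        blocks.append((str(IPv4Address(lo)), str(IPv4Address(size - 1))))
        lo += size
    return blocks


def acl_lines(number: int, action: str, src: str, src_wc: str,
              first: str, last: str) -> list[str]:
    """Render the range as extended-ACL lines in the same syntax as the thread."""
    return [f"access-list {number} {action} ip {src} {src_wc} {base} {wc}"
            for base, wc in range_to_wildcards(first, last)]


if __name__ == "__main__":
    print(matches("10.138.75.3", "10.138.75.0", "0.0.0.126"))   # odd host missed
    for line in acl_lines(112, "permit", "10.138.75.0", "0.0.0.127",
                          "10.138.77.90", "10.138.77.101"):
        print(line)
```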



somnath21 Sun, 11/16/2008 - 21:45

I have following range of VLAN.


VLAN11=10.138.74.192/26

VLAN12=10.138.75.0/25

VLAN13=10.138.75.128/26

VLAN17=10.138.77.0/24 (server)

VLAN20=10.138.75.192/27

VLAN21=10.138.75.224/27


For example: I need to give access to VLAN 12 like that...


VLAN12 should get access to the hosts or networks below:

10.138.77.9

10.138.77.90-10.138.77.101

10.138.77.47-10.138.77.62

10.138.76.0-10.138.76.255

10.138.75.224-10.138.75.255


Access blocked:

VLAN11 (10.138.74.192/26)

VLAN13 (10.138.75.28/26)

VLAN20 (10.138.75.192/27)

VLAN17 (10.138.77.0/24) (server)


Configuration..


access-list 112 permit ip 10.138.75.0 0.0.0.127 host 10.138.77.9

access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.77.90 0.0.0.15

access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.77.47 0.0.0.15

access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.76.0 0.0.0.255

access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.77.128 0.0.0.127

access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.75.224 0.0.0.31

access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.74.192 0.0.0.63

access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.75.128 0.0.0.63

access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.75.192 0.0.0.31

access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.77.0 0.0.0.127

access-list 112 permit ip any any


Please let me know whether the above configuration is OK or not.

Davy Ad Mon, 11/17/2008 - 01:40

Hi Somnath,

I think you should change the second line to:

2nd access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.77.90 0.0.0.11

And what is this doing -> access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.77.128 0.0.0.127 <- I can't understand what this is for or where it applies.

HTH

DAK

Davy Ad Mon, 11/17/2008 - 01:49

Hi somnath,

You are right, only some small corrections need to be done. Configure it like this:


access-list 112 permit ip 10.138.75.0 0.0.0.127 host 10.138.77.9

access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.77.90 0.0.0.11

access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.77.47 0.0.0.15

access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.76.0 0.0.0.255

access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.77.128 0.0.0.127 -> removed this; let me know what it was for

access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.75.224 0.0.0.31

access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.74.192 0.0.0.63

access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.75.28 0.0.0.63

access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.75.192 0.0.0.31

access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.77.0 0.0.0.255

access-list 112 permit ip any any


Then I think it should be fine.

HTH

DAK

somnath21 Mon, 11/17/2008 - 01:46

Yes... got it.

The wildcard mask should be according to block size (2, 4, 8, 16, 64).


Thanks!!

Correct Answer
vaisharm Mon, 11/17/2008 - 04:10

Som,


I have broken down your question into sub-parts below. As Giuseppe had pointed out, this ACL is different from what you have posted.


a) Team A should get access to 10.138.77.9


access-list 112 permit ip 10.138.75.0 0.0.0.127 host 10.138.77.9

!- permits host 10.138.77.9



b) Allow access to 10.138.77.90 - 101


access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.77.90 0.0.0.7

!- permits IP address range 10.138.77.88-95, need to deny 88-89


access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.77.103 0.0.0.1

!- denies IP address range 10.138.77.88-89



c) Allow access to 10.138.77.47 - 61


access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.77.47 0.0.0.0

!- permits IP address 10.138.77.47 only


access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.77.48 0.0.0.15

!- permits IP address range 10.138.77.48-63, need to deny 62-63


access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.77.63 0.0.0.1

!- denies access to IP address range 10.138.77.62-63


d) Allow access to 10.138.76.0 - 10.138.76.255

access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.76.0 0.0.0.255



e) Deny access to VLAN11, VLAN13 and VLAN 20.


access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.74.192 0.0.0.63

!- denies VLAN 11

access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.75.128 0.0.0.63

!- denies VLAN 13

access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.75.192 0.0.0.31

!- denies VLAN 20


f) If you want to deny access to the server then specify the server IP address.

access-list 112 deny ip 10.138.75.0 0.0.0.127 host 10.138.77.x



======


access-list 112 permit ip 10.138.75.0 0.0.0.127 host 10.138.77.9

access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.77.90 0.0.0.7

access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.77.103 0.0.0.1

access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.77.47 0.0.0.0

access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.77.48 0.0.0.15

access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.77.63 0.0.0.1

access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.76.0 0.0.0.255

access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.74.192 0.0.0.63

access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.75.128 0.0.0.63

access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.75.192 0.0.0.31

access-list 112 deny ip 10.138.75.0 0.0.0.127 host 10.138.77.x



You had permit ip any any in the end. With this you would enable access to all destinations which you have not denied here. Effectively, the permit statements above would not be required if you use permit ip any any in the end. That line should be dropped.


HTH,

~Vaibhav

