VLAN ACL not working -urgent

somnath21
Level 1

Hi,

Please find the VLAN details below.

VLAN: teamA-VLAN12, teamB-VLAN11, teamC-VLAN13, teamD-VLAN20, teamE-VLAN21

VLAN11=10.138.74.192/26

VLAN12=10.138.75.0/25

VLAN13=10.138.75.128/26

VLAN17=10.138.77.0/24 (server)

VLAN20=10.138.75.192/27

VLAN21=10.138.75.224/27

ACL for teamA

Team A should get access to 10.138.77.9, 10.138.77.90-10.138.77.101, 10.138.77.47-10.138.77.61 and 10.138.76.0-10.138.76.255.

Team A should not get access to VLAN11, VLAN13 and VLAN20.

Please find the ACL configuration which I have done:

access-list 112 permit ip 10.138.75.0 0.0.0.126 host 10.138.77.9

access-list 112 permit ip 10.138.75.0 0.0.0.126 10.138.77.90 0.0.0.11

access-list 112 permit ip 10.138.75.0 0.0.0.126 10.138.77.47 0.0.0.14

access-list 112 permit ip 10.138.75.0 0.0.0.126 10.138.76.0 0.0.0.255

access-list 112 deny ip 10.138.75.0 0.0.0.126 10.138.74.192 0.0.0.62

access-list 112 deny ip 10.138.75.0 0.0.0.126 10.138.75.128 0.0.0.62

access-list 112 deny ip 10.138.75.0 0.0.0.126 10.138.75.192 0.0.0.30

access-list 112 deny ip 10.138.75.0 0.0.0.126 10.138.77.0 0.0.0.255

access-list 112 permit ip any any

interface Vlan12

ip access-group 112 in

** But after applying the above ACL, team A is unable to access the 10.138.77.90-10.138.77.101 and 10.138.77.47-10.138.77.61 ranges. Some other access is also blocked.

Please help to resolve this issue.

Regards,

som


8 Replies

Giuseppe Larosa
Hall of Fame

Hello Som,

For net 10.138.75.0/25 the wildcard mask is:

01111111 = 127

126 is 01111110, and odd addresses like 10.138.75.3 don't match these lines.

The same reasoning applies to some of the destinations.

90 = 01011010

101 = 01100101

so they have very little in common.

The wildcard masks are to be calculated in binary and then converted to decimal.

10.138.77.88 0.0.0.7

will match from 10.138.77.88 to 10.138.77.95

10.138.77.96 0.0.0.7

will match from 10.138.77.96 to 10.138.77.103

Modify all lines following the above suggestions.

Hope to help

Giuseppe

I have the following VLAN ranges.

VLAN11=10.138.74.192/26

VLAN12=10.138.75.0/25

VLAN13=10.138.75.128/26

VLAN17=10.138.77.0/24 (server)

VLAN20=10.138.75.192/27

VLAN21=10.138.75.224/27

For example, I need to give access to VLAN12 like this:

VLAN12 should get access to the hosts or networks below:

10.138.77.9

10.138.77.90-10.138.77.101

10.138.77.47-10.138.77.62

10.138.76.0-10.138.76.255

10.138.75.224-10.138.75.255

Access blocked:

VLAN11 (10.138.74.192/26)

VLAN13 (10.138.75.128/26)

VLAN20 (10.138.75.192/27)

VLAN17 (10.138.77.0/24) (server)

Configuration:

access-list 112 permit ip 10.138.75.0 0.0.0.127 host 10.138.77.9

access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.77.90 0.0.0.15

access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.77.47 0.0.0.15

access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.76.0 0.0.0.255

access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.77.128 0.0.0.127

access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.75.224 0.0.0.31

access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.74.192 0.0.0.63

access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.75.128 0.0.0.63

access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.75.192 0.0.0.31

access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.77.0 0.0.0.127

access-list 112 permit ip any any

Please let me know whether the above configuration is OK or not.

Hi Somnath,

I think you should change the second line to:

access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.77.90 0.0.0.11

And what is this doing -> access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.77.128 0.0.0.127 <- I can't understand what/where this is for.

HTH

DAK

Hi somnath,

You are right, only some small corrections need to be made. Configure it like this:

access-list 112 permit ip 10.138.75.0 0.0.0.127 host 10.138.77.9

access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.77.90 0.0.0.11

access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.77.47 0.0.0.15

access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.76.0 0.0.0.255

access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.77.128 0.0.0.127 -> removed this line; let me know what it was for

access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.75.224 0.0.0.31

access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.74.192 0.0.0.63

access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.75.128 0.0.0.63

access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.75.192 0.0.0.31

access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.77.0 0.0.0.255

access-list 112 permit ip any any

Then I think it should be fine.

HTH

DAK

Yes, got it.

Wildcard mask should be according to block size (2,4,8,16,64).

Thanks!!

Are you alright with it now?

HTH

DAK

vaisharm
Cisco Employee

Som,

I have broken down your question into sub-parts below. As Giuseppe had pointed out, this ACL is different from what you have posted.

a) Team A should get access to 10.138.77.9

access-list 112 permit ip 10.138.75.0 0.0.0.127 host 10.138.77.9

!- permits host 10.138.77.9

b) Allow access to 10.138.77.90 - 101

access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.77.90 0.0.0.7

!- permits IP address range 10.138.77.88-95, need to deny 88-89

access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.77.103 0.0.0.1

!- denies IP address range 10.138.77.88-89

c) Allow access to 10.138.77.47 - 61

access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.77.47 0.0.0.0

!- permits IP address 10.138.77.47 only

access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.77.48 0.0.0.15

!- permits IP address range 10.138.77.48-63, need to deny 62-63

access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.77.63 0.0.0.1

!- denies access to IP address range 10.138.77.62-63

d) Allow access to 10.138.76.0 - 10.138.76.255

access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.76.0 0.0.0.255

e) Deny access to VLAN11, VLAN13 and VLAN 20.

access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.74.192 0.0.0.63

!- denies VLAN 11

access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.75.128 0.0.0.63

!- denies VLAN 13

access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.75.192 0.0.0.31

!- denies VLAN 20

f) if you want to deny access to the server then specify the server IP address.

access-list 112 deny ip 10.138.75.0 0.0.0.127 host 10.138.77.x

======

access-list 112 permit ip 10.138.75.0 0.0.0.127 host 10.138.77.9

access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.77.90 0.0.0.7

access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.77.103 0.0.0.1

access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.77.47 0.0.0.0

access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.77.48 0.0.0.15

access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.77.63 0.0.0.1

access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.76.0 0.0.0.255

access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.74.192 0.0.0.63

access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.75.128 0.0.0.63

access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.75.192 0.0.0.31

access-list 112 deny ip 10.138.75.0 0.0.0.127 host 10.138.77.x

You had permit ip any any in the end. With this you would enable access to all destinations which you have not denied here. Effectively, the permit statements above would not be required if you use permit ip any any in the end. That line should be dropped.

HTH,

~Vaibhav

Thanks...
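The whole thread turns on how a wildcard mask selects addresses: a 1 bit means "don't care", every other bit must equal the base address, and the entries are evaluated top-down with an implicit deny at the end. Below is an added example (my own code, not from the thread or from Cisco) that models exactly that evaluation and uses it to check the ACLs discussed above. It assumes the policy lists are those stated in the first post for team A, copies the accepted answer's ACL without its `host 10.138.77.x` placeholder line, and takes four lines from the originally posted ACL to show the 0.0.0.126 effect Giuseppe describes. `blocks_for_range` also computes the aligned (base, wildcard) blocks a contiguous range genuinely needs, which is the general form of the block-size rule somnath arrives at.

```python
"""Added example (not from the thread): evaluate Cisco-style extended ACL lines
with wildcard masks and compute the wildcard blocks a contiguous range needs."""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _parse_spec(tok, i):
    """Parse one address spec at tok[i]: 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W'."""
    if tok[i] == "any":
        return 0, ALL_ONES, i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    return _ip(tok[i]), _ip(tok[i + 1]), i + 2


def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines; '!' comments and blanks are skipped."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("!"):
            continue
        if tok[0] != "access-list" or tok[3] != "ip":
            raise ValueError(f"unsupported line: {line}")
        src_base, src_wc, i = _parse_spec(tok, 4)
        dst_base, dst_wc, _ = _parse_spec(tok, i)
        aces.append((tok[2], src_base, src_wc, dst_base, dst_wc))
    return aces


def wildcard_match(addr, base, wc):
    """Wildcard 1 bits are 'don't care'; all other bits must equal the base (non-contiguous masks included)."""
    return ((addr ^ base) & ~wc & ALL_ONES) == 0


def decide(aces, src, dst):
    """First matching entry wins; an extended ACL ends with an implicit deny."""
    s, d = _ip(src), _ip(dst)
    for action, sb, sw, db, dw in aces:
        if wildcard_match(s, sb, sw) and wildcard_match(d, db, dw):
            return action
    return "deny"


def blocks_for_range(first, last):
    """Smallest list of aligned (base, wildcard) blocks that cover exactly first..last."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [(str(n.network_address), str(n.hostmask)) for n in nets]


def _each(first, last):
    return (str(ipaddress.IPv4Address(n)) for n in range(_ip(first), _ip(last) + 1))


def audit(acl_text, src, required, forbidden):
    """Check one source host against the policy; returns (problem, destination) pairs."""
    aces = parse_acl(acl_text)
    problems = []
    for first, last in required:
        problems += [("should be permitted", a) for a in _each(first, last)
                     if decide(aces, src, a) != "permit"]
    for first, last in forbidden:
        problems += [("should be denied", a) for a in _each(first, last)
                     if decide(aces, src, a) != "deny"]
    return problems


# Policy stated in the original post for team A (VLAN12 = 10.138.75.0/25).
REQUIRED = [("10.138.77.9", "10.138.77.9"), ("10.138.77.90", "10.138.77.101"),
            ("10.138.77.47", "10.138.77.61"), ("10.138.76.0", "10.138.76.255")]
FORBIDDEN = [("10.138.74.192", "10.138.74.255"),   # VLAN11
             ("10.138.75.128", "10.138.75.191"),   # VLAN13
             ("10.138.75.192", "10.138.75.223")]   # VLAN20

# Four lines from the ACL as first posted: 0.0.0.126 keeps source bit 0 fixed, so odd hosts skip them all.
FIRST_POSTED = """
access-list 112 permit ip 10.138.75.0 0.0.0.126 10.138.77.90 0.0.0.11
access-list 112 deny ip 10.138.75.0 0.0.0.126 10.138.74.192 0.0.0.62
access-list 112 deny ip 10.138.75.0 0.0.0.126 10.138.77.0 0.0.0.255
access-list 112 permit ip any any
"""

# The accepted answer's ACL, without its 'host 10.138.77.x' placeholder line.
ACCEPTED = """
access-list 112 permit ip 10.138.75.0 0.0.0.127 host 10.138.77.9
access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.77.90 0.0.0.7
access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.77.103 0.0.0.1
access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.77.47 0.0.0.0
access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.77.48 0.0.0.15
access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.77.63 0.0.0.1
access-list 112 permit ip 10.138.75.0 0.0.0.127 10.138.76.0 0.0.0.255
access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.74.192 0.0.0.63
access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.75.128 0.0.0.63
access-list 112 deny ip 10.138.75.0 0.0.0.127 10.138.75.192 0.0.0.31
"""

if __name__ == "__main__":
    print("blocks for 90-101:", blocks_for_range("10.138.77.90", "10.138.77.101"))
    print("blocks for 47-61:", blocks_for_range("10.138.77.47", "10.138.77.61"))
    for problem, dst in audit(ACCEPTED, "10.138.75.10", REQUIRED, FORBIDDEN):
        print(f"{dst}: {problem}")
```

Running it shows why the original ACL behaved as reported: with the 0.0.0.126 source wildcard an odd host such as 10.138.75.3 matches none of the deny lines and falls through to `permit ip any any`, while an even host is denied 10.138.77.100 because `10.138.77.90 0.0.0.11` is not an aligned block. For the accepted ACL, `audit` reports 10.138.77.96-101 as denied (`10.138.77.90 0.0.0.7` only selects 88-95) and `decide` shows 10.138.77.88 and 10.138.77.62 permitted. `blocks_for_range` gives the four aligned blocks each range actually needs (90-91, 92-95, 96-99, 100-101 and 47, 48-55, 56-59, 60-61), which is the safe way to build permit lines without widening them.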
