01-27-2012 09:31 AM - edited 03-07-2019 04:35 AM
Hello,
I'm using PT 532 to test inter-VLAN routing; the testing diagram includes LAN, DMZ and WAN.
ip routing is enabled on the Cisco 3560 L3 switch, so PCs on different VLANs can ping each other. I want to apply an ACL on the Vlan 5 (test) interface so that it can access Vlan 1 (this VLAN has the DHCP server that assigns IPs to all VLANs), the DMZ and the WAN, but can't access the other VLANs, and the DMZ and WAN cannot access Vlan 5.
Please download the PT .pkt file.
Please help.
Thanks !
01-27-2012 02:48 PM
Hi,
If you want vlan 5 to talk to vlan 1, DMZ and WAN only, then you can deploy something like this:
In this case the vlan 5 subnet is 192.168.5.0/24 and the other vlans (the ones you don't want vlan 5 to talk to) are 192.168.6.0/24 (vlan 6) and 192.168.7.0/24 (vlan 7).
vlan 5 = 192.168.5.0/24
access-list 111 deny ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 111 deny ip 192.168.5.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 111 permit ip 192.168.200.0 0.0.0.255 any
int vlan 5
ip access-group 111 out
HTH
01-27-2012 09:26 PM
Hello,
Sorry, I haven't tested your ACL in my lab yet, but I don't understand the ACL below:
access-list 111 permit ip 192.168.200.0 0.0.0.255 any
My lab doesn't have a 192.168.200.0 subnet; could you explain?
Thanks for the help!
01-29-2012 01:00 AM
Hello,
My lab information:
Vlan 1 = 192.168.14.0/24
Vlan 5 = 192.168.15.0/24
Vlan 60 = 192.168.6.0/24
Vlan 70 = 192.168.7.0/24
So I changed your ACL as below:
access-list 111 deny ip 192.168.15.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 111 deny ip 192.168.15.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 111 permit ip 192.168.15.0 0.0.0.255 any
int vlan 5
ip access-group 111 out
This ACL didn't work, even when I applied switchport mode access on the DHCP server's fa0/4 port that is connected to the L3 switch.
Vlan 5 can't ping Vlan 1 or the WAN PC 203.186.0.32, or even the school firewall fa0/0 10.0.0.1/30.
Thanks for the help!
01-29-2012 09:11 AM
Completed: it is ip access-group 111 in on the vlan 5 interface.
Now testing the school firewall ACLs ~
Thanks !
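An added example, not part of any post in this thread, modelling why the ACL failed when bound with "out" and worked once bound with "in". On an SVI, "in" filters packets arriving from hosts in that VLAN, while "out" filters packets the switch routes into that VLAN. The subnets are the ones the original poster listed; the host addresses and the WAN destination 203.186.0.32 being off-switch are constructed assumptions, and the model is stateless (a plain numbered ACL, no reflexive or established tracking).

```python
"""Model how a numbered IP ACL bound to an SVI filters routed traffic.

Added example, not code from the thread. Wildcard matching and first-match
evaluation follow Cisco IOS semantics; the SVI direction model and the
sample hosts are assumptions made for this illustration.
"""
import ipaddress

ADDR = ipaddress.IPv4Address

# The ACL exactly as the original poster typed it (wildcard-mask syntax).
ACL_111 = [
    "access-list 111 deny ip 192.168.15.0 0.0.0.255 192.168.6.0 0.0.0.255",
    "access-list 111 deny ip 192.168.15.0 0.0.0.255 192.168.7.0 0.0.0.255",
    "access-list 111 permit ip 192.168.15.0 0.0.0.255 any",
]

# SVI subnets from the thread. Anything else (e.g. the WAN PC) is reached
# through the router and never lives on a local VLAN.
VLAN_SUBNETS = {
    1: ipaddress.ip_network("192.168.14.0/24"),
    5: ipaddress.ip_network("192.168.15.0/24"),
    60: ipaddress.ip_network("192.168.6.0/24"),
    70: ipaddress.ip_network("192.168.7.0/24"),
}


def _parse_addr(tok, i):
    """Parse 'any', 'host A' or 'A WILDCARD' starting at token i."""
    if tok[i] == "any":
        return (ADDR("0.0.0.0"), ADDR("255.255.255.255")), i + 1
    if tok[i] == "host":
        return (ADDR(tok[i + 1]), ADDR("0.0.0.0")), i + 2
    return (ADDR(tok[i]), ADDR(tok[i + 1])), i + 2


def parse_entry(line):
    """Return (action, (src, wildcard), (dst, wildcard)) for one ACE."""
    tok = line.split()
    if tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError("unsupported ACE: " + line)
    src, i = _parse_addr(tok, 4)
    dst, _ = _parse_addr(tok, i)
    return tok[2], src, dst


def wildcard_match(ip, spec):
    """Cisco wildcard semantics: a 1 bit in the mask means 'don't care'."""
    addr, wild = spec
    care = ~int(wild) & 0xFFFFFFFF
    return int(ip) & care == int(addr) & care


def acl_decision(acl, src, dst):
    """First matching ACE wins; anything unmatched hits the implicit deny."""
    for line in acl:
        action, s, d = parse_entry(line)
        if wildcard_match(src, s) and wildcard_match(dst, d):
            return action
    return "deny"


def vlan_of(ip):
    for vid, net in VLAN_SUBNETS.items():
        if ip in net:
            return vid
    return None


def svi_forwards(acl, vlan, direction, src, dst):
    """Does a routed packet src->dst survive the ACL on 'interface vlan N'?

    'in'  is consulted for packets entering the SVI from that VLAN's hosts.
    'out' is consulted for packets routed out of the SVI toward that VLAN.
    A packet that never crosses the SVI in the filtered direction is untouched.
    """
    if direction == "in":
        consulted = vlan_of(src) == vlan
    else:
        consulted = vlan_of(dst) == vlan
    if not consulted:
        return True
    return acl_decision(acl, src, dst) == "permit"


def ping_works(acl, vlan, direction, client, server):
    """An ICMP echo succeeds only if both the request and the reply pass."""
    client, server = ADDR(client), ADDR(server)
    return (svi_forwards(acl, vlan, direction, client, server)
            and svi_forwards(acl, vlan, direction, server, client))


if __name__ == "__main__":
    targets = {"Vlan 1": "192.168.14.20", "Vlan 60": "192.168.6.20",
               "Vlan 70": "192.168.7.20", "WAN PC": "203.186.0.32"}
    for direction in ("out", "in"):
        print(f"ip access-group 111 {direction} on interface vlan 5:")
        for name, ip in targets.items():
            ok = ping_works(ACL_111, 5, direction, "192.168.15.10", ip)
            print(f"  ping {name} ({ip}): {'OK' if ok else 'FAIL'}")
```

Bound with "out", none of the three ACEs can match, because every packet routed into VLAN 5 has a source outside 192.168.15.0/24, so every reply falls through to the implicit deny and every ping from VLAN 5 fails, which is exactly the symptom reported. Bound with "in", the denies stop VLAN 5 hosts from reaching VLANs 60 and 70, the permit lets them reach VLAN 1 and the WAN, and the replies are never filtered by this ACL at all.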
01-27-2012 09:29 PM
The problem you have is with your trunk port configuration.
On the switch you should have only Fa0/1, which connects to the router, and Fa0/4, which connects to the DHCP server, as access ports assigned to their respective vlans; the rest should be trunk ports assigned to the native vlan.
If you do that you should be able to follow Reza's advice to configure and apply the ACLs.
You have all the ACLs you need on the switch just choose the right one and apply it to right interface and should work.
Please mark the questions as answered, that way people know that it has been answered and can help other people with unanswered questions.
Eugen
01-27-2012 10:15 PM
Sorry, I don't understand, but I will try it later. Thanks.
On 2012-1-28 at 1:30 PM, "ebarticel" wrote: