cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3458
Views
0
Helpful
6
Replies

Vlan and ACL problem

gulle_ryan
Level 1
Level 1
mysetup.JPG

# im sorry for my english... im trying to make it clear as possible

SETUP:

servers = 10.112.140.0/24

vlan102 = 10.112.145.0/24

vlan103 = 10.112.150.0/24

vlan104 = 10.112.155.0/24

interface 0/1 = assigned to 10.112.140.0 network block.

c3560 = 10.112.140.3/24

CONDITIONS:

1. Vlan 102, Vlan 103, Vlan 104 should NOT see each other

2. Vlan 102, Vlan 103, Vlan 104 should be able to acces servers on common switch (belomgs to 10.112.140.0 network block)

3. Servers and Admin Workstations should be able to ping workstations on each Vlans

4. All workstations under corporateA should be able to access email located at corporateB

MODIFICATION:

Old L3 - use vlan-access map to filter traffic

New L3 - use router ACL

PROBLEM:

Our existing networks works normally. We have a functional L3 fastethernet switch.

The management decided to upgrade our existing L3 switch to Gigabit so we bought one..

We copied almost all of the configurations from the old L3 switch to the new L3 switch only that

we decided not to use the vlan-access map but instead we go for the router ACL.

We put the new L3 switch in a live network for testing

In the new L3 switch, things didnt work as expected. We meet all conditions but not the no.4 item

Only servers (also workstations belong to this group) can successfully connect to the mail server.

Workstations on every Vlans canNOT connect to the mail server.

Did I miss something here? Please enlighten my confused mind..

How can I communicate to mail server on CorporateB?

Thanks in advance for all the support in help

Below is the configuration of the old and new L3 switch...

-----------start OLD L3 switch------------------------

!

version 12.2

no service pad

service timestamps debug uptime

service timestamps log datetime

service password-encryption

service sequence-numbers

!

hostname c3560

ip subnet-zero

ip routing

!

!

spanning-tree mode pvst

no spanning-tree optimize bpdu transmission

spanning-tree extend system-id

!

vlan access-map BLOCKADE 10

action drop

match ip address POLICE

vlan access-map BLOCKADE 20

action forward

vlan filter BLOCKADE vlan-list 102-104

!

interface FastEthernet0/1

no switchport

ip address 10.112.140.3 255.255.255.0

!

interface FastEthernet0/2

switchport access vlan 102

spanning-tree portfast

!

interface FastEthernet0/3

switchport access vlan 103

spanning-tree portfast

!

interface FastEthernet0/4

switchport access vlan 104

spanning-tree portfast

!

!

interface Vlan1

no ip address

shutdown

!

interface Vlan102

description vlan102

ip address 10.112.145.1 255.255.255.0

!

interface Vlan103

description vlan103

ip address 10.112.150.1 255.255.255.0

!

interface Vlan104

description vlan104

ip address 10.112.155.1 255.255.255.0

!

ip classless

ip route 0.0.0.0 0.0.0.0 10.112.140.5

ip http server

ip http authentication local

!

ip access-list extended POLICE

permit ip 10.112.145.0 0.0.0.255 10.112.150.0 0.0.0.255

permit ip 10.112.145.0 0.0.0.255 10.112.155.0 0.0.0.255

permit ip 10.112.150.0 0.0.0.255 10.112.145.0 0.0.0.255

permit ip 10.112.150.0 0.0.0.255 10.112.155.0 0.0.0.255

permit ip 10.112.155.0 0.0.0.255 10.112.145.0 0.0.0.255

permit ip 10.112.155.0 0.0.0.255 10.112.150.0 0.0.0.255

!

snmp-server community public RO

snmp-server enable traps tty

!

control-plane

!

!

line con 0

line vty 0 4

login local

line vty 5 15

login local

!

end

-----------end OLD L3 switch------------------------

-----------start NEW L3 switch------------------------

!

version 12.2

no service pad

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname c3560

!

no logging console

no aaa new-model

system mtu routing 1500

ip subnet-zero

ip routing

no ip domain-lookup

!

no file verify auto

spanning-tree mode pvst

spanning-tree extend system-id

!

vlan internal allocation policy ascending

!

interface GigabitEthernet0/1

description COMMON

no switchport

ip address 10.112.140.3 255.255.255.0

!

interface GigabitEthernet0/2

switchport access vlan 102

!

interface GigabitEthernet0/3

switchport access vlan 103

!

interface GigabitEthernet0/4

switchport access vlan 104

!

interface Vlan1

no ip address

shutdown

!

interface Vlan102

description vlan102

ip address 10.112.145.1 255.255.255.0

ip access-group common out

!

interface Vlan103

description vlan103

ip address 10.112.150.1 255.255.255.0

ip access-group common out

!

interface Vlan104

description vlan104

ip address 10.112.155.1 255.255.255.0

ip access-group common out

!

ip classless

ip route 0.0.0.0 0.0.0.0 10.112.140.5

ip http server

ip http authentication local

!

ip access-list standard common

permit 10.112.140.0 0.0.0.255

!

!

control-plane

!

!

line con 0

login local

line vty 0 4

login local

line vty 5 15

login

!

end

-----------end NEW L3 switch------------------------

3 Accepted Solutions

Accepted Solutions

Jon Marshall
Hall of Fame
Hall of Fame

SETUP:

servers = 10.112.140.0/24

vlan102 = 10.112.145.0/24

vlan103 = 10.112.150.0/24

vlan104 = 10.112.155.0/24

interface 0/1 = assigned to 10.112.140.0 network block.

c3560 = 10.112.140.3/24

CONDITIONS:

1. Vlan 102, Vlan 103, Vlan 104 should NOT see each other

2. Vlan 102, Vlan 103, Vlan 104 should be able to acces servers on common switch (belomgs to 10.112.140.0 network block)

3. Servers and Admin Workstations should be able to ping workstations on each Vlans

4. All workstations under corporateA should be able to access email located at corporateB

access-list 102 deny ip 10.112.145.0 0.0.0.255 10.112.150.0 0.0.0.255

access-list 102 deny ip 10.112.145.0 0.0.0.255 10.112.155.0 0.0.0.255

access-list 102 permit ip 10.112.145.0 0.0.0.255 any

access-list 103 deny ip 10.112.150.0 0.0.0.255 10.112.145.0 0.0.0.255

access-list 102 deny ip 10.112.150.0 0.0.0.255 10.112.155.0 0.0.0.255

access-list 102 permit ip 10.112.150.0 0.0.0.255 any

access-list 102 deny ip 10.112.155.0 0.0.0.255 10.112.145.0 0.0.0.255

access-list 102 deny ip 10.112.155.0 0.0.0.255 10.112.150.0 0.0.0.255

access-list 102 permit ip 10.112.155.0 0.0.0.255 any

int vlan 102

ip access-group 102 in

int vlan 103

ip access-group 103 in

int vlan 104

ip acess-group 104 in

The only thing i'm not sure about is point 3. If the workstations belonging to the admins are part of vlans 102/103/104 then you will have to explicit entries in the acls 102/103/104 for the pings to work.

Jon

View solution in original post

gatlin007
Level 4
Level 4

Jon beat me to it!!!


Anyway, here's my hack at it.


access-list 102 remark *** Vlan 102 Ingress Filter ***
access-list 102 deny ip any 10.112.150.0 0.0.0.255
access-list 102 deny ip any 10.112.155.0 0.0.0.255
access-list 102 permit ip any any

access-list 103 remark *** Vlan 103 Ingress Filter ***
access-list 103 deny ip any 10.112.145.0 0.0.0.255
access-list 103 deny ip any 10.112.155.0 0.0.0.255
access-list 103 permit ip any any

access-list 104 remark *** Vlan 104 Ingress Filter ***
access-list 104 deny ip any 10.112.145.0 0.0.0.255
access-list 104 deny ip any 10.112.150.0 0.0.0.255
access-list 104 permitn ip any any

int vlan 102
no ip access-group common out
ip access-group 102 in
exit

int vlan 103
no ip access-group common out
ip access-group 103 in
exit


int vlan 104
no ip access-group common out
ip access-group 104 in
exit

Chris

View solution in original post

gulle_ryan wrote:

oh i forgot... admin workstations does NOT belong to any VLans.. instead they are directly connected to 'common' switch together with the servers.

its working on my packet tracer... I'll inform you next week if this works on live test...

Kudos.

Thanks Jon.


If admin workstations are not part of those vlans then it will work fine.

I think part of your issue was that you applied the acls outbound on the vlan interface. Just for your info -

inbound on a vlan interface is traffic coming from clients in that vlan to other destinations

outbound on a vlan interface is traffic going to clients in that vlan from other destinations

Good luck with the implementation.

Jon

View solution in original post

6 Replies 6

Jon Marshall
Hall of Fame
Hall of Fame

SETUP:

servers = 10.112.140.0/24

vlan102 = 10.112.145.0/24

vlan103 = 10.112.150.0/24

vlan104 = 10.112.155.0/24

interface 0/1 = assigned to 10.112.140.0 network block.

c3560 = 10.112.140.3/24

CONDITIONS:

1. Vlan 102, Vlan 103, Vlan 104 should NOT see each other

2. Vlan 102, Vlan 103, Vlan 104 should be able to acces servers on common switch (belomgs to 10.112.140.0 network block)

3. Servers and Admin Workstations should be able to ping workstations on each Vlans

4. All workstations under corporateA should be able to access email located at corporateB

access-list 102 deny ip 10.112.145.0 0.0.0.255 10.112.150.0 0.0.0.255

access-list 102 deny ip 10.112.145.0 0.0.0.255 10.112.155.0 0.0.0.255

access-list 102 permit ip 10.112.145.0 0.0.0.255 any

access-list 103 deny ip 10.112.150.0 0.0.0.255 10.112.145.0 0.0.0.255

access-list 102 deny ip 10.112.150.0 0.0.0.255 10.112.155.0 0.0.0.255

access-list 102 permit ip 10.112.150.0 0.0.0.255 any

access-list 102 deny ip 10.112.155.0 0.0.0.255 10.112.145.0 0.0.0.255

access-list 102 deny ip 10.112.155.0 0.0.0.255 10.112.150.0 0.0.0.255

access-list 102 permit ip 10.112.155.0 0.0.0.255 any

int vlan 102

ip access-group 102 in

int vlan 103

ip access-group 103 in

int vlan 104

ip acess-group 104 in

The only thing i'm not sure about is point 3. If the workstations belonging to the admins are part of vlans 102/103/104 then you will have to explicit entries in the acls 102/103/104 for the pings to work.

Jon

gatlin007
Level 4
Level 4

Jon beat me to it!!!


Anyway, here's my hack at it.


access-list 102 remark *** Vlan 102 Ingress Filter ***
access-list 102 deny ip any 10.112.150.0 0.0.0.255
access-list 102 deny ip any 10.112.155.0 0.0.0.255
access-list 102 permit ip any any

access-list 103 remark *** Vlan 103 Ingress Filter ***
access-list 103 deny ip any 10.112.145.0 0.0.0.255
access-list 103 deny ip any 10.112.155.0 0.0.0.255
access-list 103 permit ip any any

access-list 104 remark *** Vlan 104 Ingress Filter ***
access-list 104 deny ip any 10.112.145.0 0.0.0.255
access-list 104 deny ip any 10.112.150.0 0.0.0.255
access-list 104 permitn ip any any

int vlan 102
no ip access-group common out
ip access-group 102 in
exit

int vlan 103
no ip access-group common out
ip access-group 103 in
exit


int vlan 104
no ip access-group common out
ip access-group 104 in
exit

Chris

Im impressed by both of you guys (jon, chris)...

we're going to have a live test next week...

Now that both expert have the same solution, i have a great feeling that this would work..

Your presented it like a teacher christoph, step by step.. that's why jon is a minute a head of you.

I appreciate all your help guys

kudos.

thanks chris

gulle_ryan
Level 1
Level 1

oh i forgot... admin workstations does NOT belong to any VLans.. instead they are directly connected to 'common' switch together with the servers.

its working on my packet tracer... I'll inform you next week if this works on live test...

Kudos.

Thanks Jon.

gulle_ryan wrote:

oh i forgot... admin workstations does NOT belong to any VLans.. instead they are directly connected to 'common' switch together with the servers.

its working on my packet tracer... I'll inform you next week if this works on live test...

Kudos.

Thanks Jon.


If admin workstations are not part of those vlans then it will work fine.

I think part of your issue was that you applied the acls outbound on the vlan interface. Just for your info -

inbound on a vlan interface is traffic coming from clients in that vlan to other destinations

outbound on a vlan interface is traffic going to clients in that vlan from other destinations

Good luck with the implementation.

Jon

you're right jon. i do have issues in understanding ACL directions.

Im very glad that you're not only solved my problem but also pointing out my mistake. i'll take note on that and hope i will not fall on the same mistake.

thanks jon.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: