GNS3

Should I try and do the ACL by VLAN or by a particular IP address do you think?

I've had a quick look and it looks harder to do it by VLAN? Should I be looking into VACLs?
 
Alright cheers. Will have a look at some documentation on them now and see how I get on.

Say for example the VLAN Administration is off SW2. Would I do the access lists within SW2 or would I do them within SW1. There is a trunk port between SW1 and SW2.
 
So I have run into problems (unsurprisingly ahha). Basically I have set up R1, which is the only router in the network, with this command 'access-list 2 deny 192.168.2.1'. This host is on VLAN 10. For testing purposes, I have put this command in the config of T9 (VLAN 30): 'ip access-group 2 in' on the incoming interface from SW2, so f0/0.

Yet T1 (192.168.2.1) can still fully ping T9 even though I have set it to deny any packets from them? Do you have any ideas why this is?

You said before about the different IP subnets - does it matter that all of the hosts, no matter what VLAN they are on, share the same subnet (255.255.255.0)?

Thanks
 
So what you're saying is basically set the access lists up on both the router and the switch?

Any idea when I try to configure the interface F0/1 from SW2 to T9 (VLAN 30) it says this; 'IP ACL configuration on 'out' direction is not supported'.

In SW2 I have set the following in the access list table;

access-list 1 deny 192.168.1.2
access-list 1 permit 192.168.1.0 0.0.0.255

Now I am trying to configure F0/1 to 'ip access-group 1 out', hence if someone tries to communicate with T9 they can, as long as they don't have the IP address 192.168.1.2 (T1).

This is annoying ahha!

EDIT:

Right I have got it working to an extent by putting the access list on T9 instead of SW2 and setting it to;

access-list 1 deny 192.168.1.0 0.0.0.255
access-list 1 permit any

Then setting its interface (f0/0) to 'ip access-group 1 in'. This seems to work however I would have to do it for each host on the VLAN. Is this OK? I was hoping I could just do it on the switch once and then it would work for all of the other hosts but this doesn't seem to be the case.

Also, how can I make it so T9 can ping to say for example T1 but T1 can't ping to T9. At the moment, what I have done makes it so T9 can't ping any of the users in the 192.168.1.x mask which is what I don't want.

Ideally I want it so the VLAN (Administration) for example can communicate to a set of hosts, however those same hosts aren't allowed to communicate back to them.
 
Don't apply any rules on the switch, just configure and apply the ACL on the router itself. Apply it to the VLAN 30 subinterface in the OUT direction.

Either you're just the best or I am absolutely terrible.

Thanks a lot!! :):) so now I have got that sorted and VLAN 30 can communicate with VLAN 10 but VLAN 10 can't communicate with VLAN 30!! Exactly what I wanted :D:D

Next thing - what can I do now to make it more complicated ahha?

Maybe add another router to the simulation and hook this up to a 'FileServer' and do permissions on that or look into extended ip?

Hmm I'm now struggling to ping other users from VLAN 30.
 
When I try to ping from T9 to T1 (blocked) it tries to ping but it is like it doesn't exist. However when I ping from T1 to T9 it comes up with U.U.U which is what I want. However I still want to be able to communicate with T1 from T9.

Any ideas?
 
Ah I thought it might be something like that to be honest.

Are extended ACLs just like standard ones?

Am I right in thinking that extended ACLs are where you select the type of traffic? I.e. UDP, TCP, HTTP kind of thing?

Also have you got any ideas how I can take the simulation one step further once I have sorted the access levels?
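As an added example (not from the thread or from GNS3/IOS), here is a small Python model of Cisco ACL matching that reproduces the behaviour above: a standard ACL applied 'out' on Fa0/0.30 also drops the echo replies returning to VLAN 30, which is why T9 cannot ping T1, whereas an extended ACL that denies only ICMP echo requests from 192.168.2.0/24 lets T9 ping T1 but still blocks T1 pinging T9. The host addresses (T1 192.168.2.10, T9 192.168.3.10) and access-list 101 are assumptions.

```python
# Constructed model of Cisco ACL matching (first match wins, implicit deny),
# not GNS3/IOS code. Hosts T1 (192.168.2.10, VLAN 20) and T9 (192.168.3.10,
# VLAN 30) are assumed addresses; ACL 1 is the thread's, ACL 101 is hypothetical.
from ipaddress import IPv4Address

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w) == 0

def std_entry(action, base, wildcard="0.0.0.0"):
    """Standard ACL entry: matches on source address only."""
    return (action, lambda p: wildcard_match(p["src"], base, wildcard))

def ext_entry(action, proto, src, swc, dst, dwc, icmp_type=None):
    """Extended ACL entry: protocol, source, destination, optional ICMP type."""
    def match(p):
        return ((proto == "ip" or p["proto"] == proto)
                and wildcard_match(p["src"], src, swc)
                and wildcard_match(p["dst"], dst, dwc)
                and (icmp_type is None or p.get("icmp_type") == icmp_type))
    return (action, match)

def acl_permits(acl, pkt):
    """Evaluate entries top to bottom; no match means the implicit deny."""
    for action, match in acl:
        if match(pkt):
            return action == "permit"
    return False

# access-list 1 deny 192.168.2.0 0.0.0.255 / access-list 1 permit any
STANDARD_ACL_1 = [std_entry("deny", "192.168.2.0", "0.0.0.255"),
                  std_entry("permit", "0.0.0.0", "255.255.255.255")]

# Hypothetical: access-list 101 deny icmp 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255 echo
#               access-list 101 permit ip any any
EXTENDED_ACL_101 = [
    ext_entry("deny", "icmp", "192.168.2.0", "0.0.0.255", "192.168.3.0", "0.0.0.255", "echo"),
    ext_entry("permit", "ip", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]

def ping_outcome(acl, pinger, target):
    """Ping across R1 with `acl` applied 'out' on Fa0/0.30 (into VLAN 30 only)."""
    request = {"src": pinger, "dst": target, "proto": "icmp", "icmp_type": "echo"}
    reply = {"src": target, "dst": pinger, "proto": "icmp", "icmp_type": "echo-reply"}
    def forwarded(p):  # only packets leaving R1 towards 192.168.3.0/24 hit the ACL
        return acl_permits(acl, p) if p["dst"].startswith("192.168.3.") else True
    if not forwarded(request):
        return "U.U.U"   # router answers with ICMP unreachable
    return "!!!!!" if forwarded(reply) else "....."  # reply dropped: timeouts
```

The same model can be fed TCP or UDP packets (proto "tcp"/"udp") to reason about the extended entries like 'tcp eq http' discussed later in the thread.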
 
Is there a way to test the extended IP ACLs?

I.e. with just the standard IP ACL you can test it by using the ping command. Are there similar commands for TCP, UDP etc.?

Also for the WAN setup - would it make sense to create another router R2 and connect this to R1 via a serial link?
 
With the extended stuff I think I have worked out how you can block particular traffic, i.e. tcp eq http.

As I mentioned earlier, to test whether the access list is working I was using the ping command, wasn't I, to test whether x could communicate with y.

Is there any way to do this test for a particular type of traffic?

For Example: Say if I set up a 'WebServer' which would permit any HTTP traffic but deny any other traffic. How could I test that T1 can send HTTP traffic to the server but can't send FTP traffic for instance?

Also: I have connected R2 (WAN) from R1 (LAN). From R2 I have created a switch and from this switch I have created a host which I am trying to make a member of VLAN 40. However, I'm unsure of how to configure the interface from R2 to SW4. From SW4 to R2 I have a trunk port, however I can't set the other way to be a trunk port as well (like I have done previously for SW1 to SW2 and SW1 to SW4) as it isn't using a switch interface but a Fast Ethernet.
 
I can get as far as R2 (WAN) from R1 through a serial interface, but for anything connected to R2, i.e. from R2 > SW4 > T20, I can't get any connection at all.

Can still ping all of the other nodes from R2 but anything further is a no no. Been trying for like 3 hours straight and still can't get it to work :mad:

Don't have a clue what I'm doing wrong or not putting in.
 
R1 Config:

Code:
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.2.1 255.255.255.0
!
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 192.168.3.1 255.255.255.0
 ip access-group 1 out
!
interface FastEthernet0/0.40
 encapsulation dot1Q 40
 ip address 192.168.4.1 255.255.255.0
!
interface FastEthernet1/0
 ip address 192.168.25.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial2/0
 ip address 192.168.100.1 255.255.255.0
 serial restart-delay 0
!
no ip http server
no ip http secure-server
!
!
!
access-list 1 deny   192.168.2.0 0.0.0.255
access-list 1 permit any
!
end

R2 Config:
Code:
interface Serial0/0
 ip address 192.168.100.2 255.255.255.0
 serial restart-delay 0
!
interface FastEthernet1/0
 no ip address
 duplex auto
 speed auto
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.100.1
!
end
 
I've cut the code down obviously to save room on the thread.

With regards to F1/0 for R2, which is the interface going from R2 to SW4: I have tried all sorts, including going into the subinterface and putting 192.168.4.1, which is what I did for R1 for VLAN 40. I then set a trunk link from SW4 to R2 and set up T25 the same way I set up all my other VLANs, so it probably is something I have done wrong in R1/R2.
 
Right OK I will look at setting up some form of RIP on R1 and R2. I purposefully left F1/0 blank ahha because I've tried a number of different things and couldn't get it to work.

At the moment F1/0 is:

interface FastEthernet1/0.40
encapsulation dot1Q 40
ip address 192.168.4.1 255.255.255.0
!

As I am trying to create a user of SW4 that belongs to VLAN 40. Don't know if that is correct though.
 
Tried putting OSPF in to no avail :(

R1 Config:

Code:
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.2.1 255.255.255.0
!
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 192.168.3.1 255.255.255.0
 ip access-group 1 out
!
interface FastEthernet0/0.40
 encapsulation dot1Q 40
 ip address 192.168.4.1 255.255.255.0
!
interface FastEthernet1/0
 ip address 192.168.25.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial2/0
 ip address 192.168.100.1 255.255.255.0
 serial restart-delay 0
!
router ospf 1
 log-adjacency-changes
 network 192.168.100.0 0.0.0.255 area 1
!

R2 Config:

Code:
interface Serial0/0
 ip address 192.168.100.2 255.255.255.0
 serial restart-delay 0
!
!
interface FastEthernet1/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet1/0.40
 encapsulation dot1Q 40
 ip address 192.168.4.1 255.255.255.0
!
router ospf 1
 log-adjacency-changes
 network 192.168.4.0 0.0.0.255 area 3
!
router ospf 2
 log-adjacency-changes
 network 192.168.100.0 0.0.0.255 area 1
!
router ospf 3
 log-adjacency-changes
 network 192.168.1.0 0.0.0.255 area 0
!
 
R1 Routing Table:

C 192.168.25.0/24 is directly connected, FastEthernet1/0
C 192.168.4.0/24 is directly connected, FastEthernet0/0.40
C 192.168.1.0/24 is directly connected, FastEthernet0/0.10
C 192.168.2.0/24 is directly connected, FastEthernet0/0.20
C 192.168.100.0/24 is directly connected, Serial2/0
C 192.168.3.0/24 is directly connected, FastEthernet0/0.30

R2 Routing Table:

C 192.168.4.0/24 is directly connected, FastEthernet1/0.40
C 192.168.100.0/24 is directly connected, Serial0/0

I'm struggling to see why this doesn't work?!
 
R 192.168.1.0/24 [120/1] via 192.168.100.1, 00:00:01, Serial0/0

I have that at the moment so don't know if I am slowly getting there.

Changed to RIP instead of OSPF
 
I don't think my actual configuration was the problem. I think the way I configured R2 and T25 was the problem.

I changed R2 to:

Code:
interface FastEthernet1/0
 ip address 192.168.101.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0.40
 encapsulation dot1Q 40
 ip address 192.168.10.1 255.255.255.0 (from 192.168.4.1)
!
I also changed T25 to:

Code:
interface FastEthernet0/0
 ip address 192.168.10.2 255.255.255.0 (from 192.168.4.6)
 no ip route-cache
 duplex auto
 speed auto
!

Everything is fully working again now however I am unsure whether T25 would still be classed as being in VLAN 40 even though they have a different IP address, i.e. not 192.168.4.x?
 
Can't believe something as small as that would affect the whole thing haha?

I think I have sorted that then I hope haha? I'm thinking of maybe doing a DHCP Server now? Any other suggestions?

Cheers for the help guys.
 