GNS3

Switchport mode access is only supposed to be used on ports connected to hosts, not other trunks. So, set ports that are connected to other switches as switchport mode trunk.

Can you still ping the host on VLAN 30, or do you mean ping all hosts, as in you can ping the switch's IP?
 
Cheers for the help. Right, I've changed the interface from SW1 to SW2 from mode access to trunk; however, now I can't ping anything. Furthermore, the host that is connected to SW2 can also not do anything. Should I be assigning the switch any IP address/default route?

At the moment the port from SW2 to SW1 has an IP address of 192.168.3.2 and an IP route of 192.168.3.1. The port from SW2 to the host is set up as switchport access vlan 30. I think these should work; however, I am probably missing something obvious.

Cheers for this, deception :)
 
YESS!! Finally done it. Cheers for the help, deception. Was setting it up wrong. Set the SW1 port out to SW2 as trunk and vice versa. Connected the host to SW2 with IP address 192.168.3.2 and IP route 192.168.3.1 and it works. Can't believe I've just wasted like 3 hours of my life trying to do that when it was so simple!

Got any ideas of how I can make the network a bit more advanced after I've set up VLANs 30 and 40? Maybe add another switch and make some more VLANs, but that may be a bit repetitive?
 
Why don't you mix up VLANs on switches, so some ports are VLAN 10, some are VLAN 20, etc.? Also set up a VTP domain and clients for the switches instead of manually adding VLANs on them yourself ;)
 
Can also get to grips with ACLs (Access Control Lists). Create a host/server (depending on whether you want to use Packet Tracer or GNS3) in a VLAN and then block a set of hosts from connecting to it, but allow the same hosts to be able to access everything else.
 

That is really strange, as that is exactly what I was going to start looking at next haha.

Can I create a router but use it as a server? Also, how easy is it to carry a VLAN over a WAN link?

Oh yeah, and I am going to change it so that instead of having VLANs 30 & 40 off SW2 they are VLANs 10 & 20 instead (more realistic).
 

They call it a VLAN for a reason - Virtual Local Area Network ;). You could always use another host, but just pretend it's a server (doesn't have to be a server, could be a normal host). Just deny certain hosts from accessing that one host, but they can still ping other hosts in the VLAN.

You could have a switch that has all VLANs on it (lots of different departments in the same office), and another switch with the same. Can use commands like the interface range command, which is very nice for working on a range of ports instead of one by one :D
 
Haha touché! Right OK that is something that I can be getting on with today.

How do you mean a switch that has all VLANs on it? Don't SW1 and SW2 have all VLANs on them anyway?
 

Sorry, I meant put all the VLANs you created on one switch (assigned to different ports, for different hosts). Then assign the same VLANs to different ports on another switch. So you can make sure hosts can communicate with everyone, no matter which switch they are on.

Regarding the ACL, you can do a rule that denies a particular VLAN from communicating with another (say you don't want sales pinging/communicating with management, but you still want management to be able to ping/access sales ;) )
 
Right cheers for that.

I am going to keep VLANs 30 & 40 off SW2. Create another switch, SW3, and have VLANs 10 & 20 off SW3 as well as SW1.

Do you think I should try and create a server and do access control from that, or do access control from VLAN to VLAN? I.e., hosts on VLAN 10 can communicate with hosts on VLAN 30, however hosts from VLAN 30 can't communicate with hosts on VLAN 10?

Thanks again for this, deception.
 
Start with the VLAN one, see how it goes. Can always create more ACLs after, once you get it down. A tip for ACLs: always write them out in Notepad first, to make sure it's OK, and then just copy and paste it into the CLI.
 
Should I try and do the ACL by VLAN or by a particular IP address do you think?

I've had a quick look and it looks harder to do it by VLAN? Should I be looking into VACLs?
 
Alright cheers. Will have a look at some documentation on them now and see how I get on.

Say, for example, the VLAN Administration is off SW2. Would I do the access lists within SW2 or would I do them within SW1? There is a trunk port between SW1 and SW2.
 

The router ;) As the traffic goes through this first when it passes over different IP subnets.
 
So I have run into problems (unsurprisingly haha). Basically I have set up R1, which is the only router in the network, with this command: 'access-list 2 deny 192.168.2.1'. This host is on VLAN 10. For testing purposes, I have put this command in the config of T9 (VLAN 30): 'ip access-group 2 in' on the incoming interface from SW2, so f0/0.

Yet T1 (192.168.2.1) can still fully ping T9, even though I have set it to deny any packets from it? Do you have any ideas why this is?

You said before about the different IP subnets: does it matter that all of the hosts, no matter what VLAN they are on, share the same subnet (255.255.255.0)?

Thanks
 
So you created an ACL on the router and then tried to apply it on a different device, or do you mean a switch interface on the router? It will be a lot easier to apply it on the subinterface for the VLAN you want to block it from, in the OUT direction.
Also, if you didn't put a permit any at the end of the list, ALL traffic will get denied, as ACLs have an implicit deny at the end unless you tell it otherwise.
Don't forget about wildcard masks too for ACLs.

In regards to the subnets, the Class C (255.255.255.0) is fine; I was just referring to the 192.168.x.x addresses.
 
So what you're saying is basically set the access lists up on both the router and the switch?

Any idea why, when I try to configure the interface F0/1 from SW2 to T9 (VLAN 30), it says this: 'IP ACL configuration on 'out' direction is not supported'?

In SW2 I have set the following in the access list table:

access-list 1 deny 192.168.1.2
access-list 1 permit 192.168.1.0 0.0.0.255

Now I am trying to configure F0/1 with 'ip access-group 1 out', hence if someone tries to communicate with T9 they can, as long as they don't have the IP address 192.168.1.2 (T1).

This is annoying haha!

EDIT:

Right, I have got it working to an extent by putting the access list on T9 instead of SW2 and setting it to:

access-list 1 deny 192.168.1.0 0.0.0.255
access-list 1 permit all

Then setting its interface (f0/0) to 'ip access-group 1 in'. This seems to work; however, I would have to do it for each host on the VLAN. Is this OK? I was hoping I could just do it on the switch once and then it would work for all of the other hosts, but this doesn't seem to be the case.

Also, how can I make it so T9 can ping, say for example, T1, but T1 can't ping T9? At the moment, what I have done makes it so T9 can't ping any of the users in the 192.168.1.x range, which is what I don't want.

Ideally I want it so the VLAN (Administration), for example, can communicate with a set of hosts, however the same hosts aren't allowed to communicate back to them.
 
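An added example, not code from this thread or from Cisco: a small Python evaluator for IOS-style standard access lists that shows the three points the thread keeps running into, first-match ordering, wildcard masks, and the implicit deny at the end of every list. The function names (parse_acl, acl_decision, demo) are chosen here, and the sample lists are the ones quoted in the thread; IOS itself is not implemented this way, the evaluator only models the matching rules.

```python
# Constructed example: model how a standard IOS access list is evaluated.
import ipaddress


def _ip(text):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def parse_acl(lines):
    """Parse 'access-list <n> permit|deny <addr> [wildcard]' lines, in order.

    Returns (action, address, wildcard) tuples. A wildcard bit of 1 means
    'do not care'; 'host X' means wildcard 0.0.0.0 and 'any' means all bits
    don't-care. With no wildcard given, IOS treats the entry as a host.
    """
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            raise ValueError(f"not a standard ACL line: {line!r}")
        action, target = parts[2], parts[3:]
        if target[0] == "any":
            addr, wild = 0, 0xFFFFFFFF
        elif target[0] == "host":
            addr, wild = _ip(target[1]), 0
        else:
            addr = _ip(target[0])
            wild = _ip(target[1]) if len(target) > 1 else 0
        entries.append((action, addr, wild))
    return entries


def acl_decision(entries, src):
    """First matching entry wins; running off the end is the implicit deny."""
    s = _ip(src)
    for action, addr, wild in entries:
        # OR-ing the wildcard sets the don't-care bits on both sides.
        if (s | wild) == (addr | wild):
            return action
    return "deny"


# The thread's first attempt: one deny and nothing after it.
ACL_2 = parse_acl(["access-list 2 deny 192.168.2.1"])
# The later list: deny one host, permit the rest of 192.168.1.0/24.
ACL_1 = parse_acl(["access-list 1 deny 192.168.1.2",
                   "access-list 1 permit 192.168.1.0 0.0.0.255"])


def demo():
    return {
        "acl2_t1": acl_decision(ACL_2, "192.168.2.1"),      # deny, as written
        "acl2_other": acl_decision(ACL_2, "192.168.2.50"),  # deny: implicit deny
        "acl1_t1": acl_decision(ACL_1, "192.168.1.2"),      # deny
        "acl1_other": acl_decision(ACL_1, "192.168.1.7"),   # permit
        "acl1_outside": acl_decision(ACL_1, "192.168.3.9"), # deny: no permit any
    }
```

Note that the direction the list is applied in ('in' or 'out' on an interface or subinterface) decides which packets are even checked; this model only answers what happens once a source address is checked.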