GNS3

Don't apply any rules on the switch; just configure and apply the ACL on the router itself. Apply it to the VLAN 30 subinterface in the OUT direction.

Either you're just the best or I am absolutely terrible.

Thanks a lot!! :):) so now I have got that sorted and VLAN 30 can communicate with VLAN 10 but VLAN 10 can't communicate with VLAN 30!! Exactly what I wanted :D:D

Next thing - what can I do now to make it more complicated ahha?

Maybe add another router to the simulation and hook this up to a 'FileServer' and do permissions on that or look into extended ip?

Hmm I'm now struggling to ping other users from VLAN 30.
 
When I try to ping from T9 to T1 (blocked) it tries to ping but it is like it doesn't exist. However, when I ping from T1 to T9 it comes up with U.U.U, which is what I want. However, I still want to be able to communicate with T1 from T9.

Any ideas?
 
It won't work because ping uses echo, which means T1 has to reply in order for T9 to know it exists, but it can't, due to the traffic from it being blocked ;)

This is where extended ACLs come into play, to block specific protocols.
 
Ah I thought it might be something like that to be honest.

Are extended ACLs just like standard ones?

Am I right in thinking that extended ACL's are where you select the type of traffic? I.e. UDP, TCP, HTTP kind of thing?

Also have you got any ideas how I can take the simulation one step further once I have sorted the access levels?
 
That's right, that's extended ACLs.

Seeing as you're going well with LANs, you could try playing with WANs (set up separate networks and use routing protocols).

Set up DHCP pools for your different VLANs.
Configure NAT, ready for WAN.
Lock down routers with AAA.
Set up site-to-site VPNs.
 
Is there a way to test the extended IP ACLs?

I.e. with just the standard IP you can test it by using the ping command. Are there similar commands for TCP, UDP etc.?

Also for the WAN setup - would it make sense to create another router R2 and connect this to R1 via a serial link?
 
You can block all traffic with extended ACLs too, with deny ip. They're good for specifying specific hosts or protocols; like you did before with the VLAN block, block the same host from a host in a different VLAN, but allow them to ping other hosts in that same VLAN, etc.

With the WAN, set up another router and connect them via serial like you said.
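The two answers above (why the VLAN 30 host's ping silently times out, and what an extended ACL adds) are easier to see with the filtering written out. The following is an added example, not code from the thread: a small Python model of stateless, first-match ACL evaluation with the implicit deny at the end, driven by the R1 config posted later in the thread (four dot1Q subinterfaces and `access-list 1 deny 192.168.2.0 0.0.0.255 / permit any` applied out on Fa0/0.30). The extended ACL, the web-server ACL and every host address (192.168.3.9, 192.168.2.11, 192.168.1.5, 192.168.4.80, the client port 49152) are assumptions for illustration.

```python
"""Stateless ACL evaluation modelled in Python (added example, not code from the thread).
Models the R1 config posted later: dot1Q subinterfaces Fa0/0.10-.40 and
'access-list 1 deny 192.168.2.0 0.0.0.255 / permit any' applied OUT on Fa0/0.30.
The extended ACLs and every host address below are assumptions for illustration."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

ANY = IPv4Network("0.0.0.0/0")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "icmp" or "tcp"
    dport: int | None = None
    icmp_type: str | None = None  # "echo" or "echo-reply"
    tcp_ack: bool = False         # True for every segment after the first SYN

@dataclass(frozen=True)
class ACE:
    """One entry. proto "ip" matches anything; a standard-ACL entry is proto "ip"
    with dst ANY, since standard ACLs only look at the source address."""
    action: str                   # "permit" or "deny"
    proto: str
    src: IPv4Network
    dst: IPv4Network = ANY
    dport: int | None = None
    icmp_type: str | None = None
    established: bool = False     # IOS 'established': ACK/RST-bearing segments only

def wildcard(addr: str, wc: str) -> IPv4Network:
    """IOS 'address wildcard' (192.168.2.0 0.0.0.255) -> 192.168.2.0/24 (contiguous masks only)."""
    mask = 0xFFFFFFFF ^ int(IPv4Address(wc))
    return IPv4Network((addr, str(IPv4Address(mask))), strict=False)

def matches(ace: ACE, p: Packet) -> bool:
    return ((ace.proto == "ip" or ace.proto == p.proto)
            and IPv4Address(p.src) in ace.src and IPv4Address(p.dst) in ace.dst
            and (ace.dport is None or p.dport == ace.dport)
            and (ace.icmp_type is None or p.icmp_type == ace.icmp_type)
            and (not ace.established or p.tcp_ack))

def evaluate(acl: list[ACE], p: Packet) -> str:
    """First match wins; every IOS ACL ends in an implicit deny."""
    return next((ace.action for ace in acl if matches(ace, p)), "deny")

# Connected subnets from the posted R1 config: the exit interface is the one
# whose subnet holds the destination (all /24, so no longest-match needed).
R1_INTERFACES = {"Fa0/0.10": IPv4Network("192.168.1.0/24"), "Fa0/0.20": IPv4Network("192.168.2.0/24"),
                 "Fa0/0.30": IPv4Network("192.168.3.0/24"), "Fa0/0.40": IPv4Network("192.168.4.0/24")}

def forward(p: Packet, out_acls: dict[str, list[ACE]]) -> bool:
    """Route p through R1 and apply the exit interface's outbound ACL, if it has one.
    A denied packet is dropped and the ICMP unreachable goes back to p.src."""
    iface = next((n for n, net in R1_INTERFACES.items() if IPv4Address(p.dst) in net), None)
    if iface is None:
        return False
    return iface not in out_acls or evaluate(out_acls[iface], p) == "permit"

def ping(src: str, dst: str, out_acls: dict[str, list[ACE]]) -> str:
    """One probe as the pinging host sees it, in IOS ping notation: 'U' the request
    was dropped and the unreachable reached the pinger; '.' the request got through
    but the reply was dropped (that unreachable goes to the replier, so the pinger
    just times out); '!' the reply arrived."""
    if not forward(Packet(src, dst, "icmp", icmp_type="echo"), out_acls):
        return "U"
    return "!" if forward(Packet(dst, src, "icmp", icmp_type="echo-reply"), out_acls) else "."

def tcp_connect(src: str, dst: str, dport: int, out_acls: dict[str, list[ACE]]) -> str:
    """The SYN and the returning SYN/ACK leave via different interfaces, so each
    must pass its own outbound ACL for the port to look open from src."""
    syn = Packet(src, dst, "tcp", dport=dport)
    synack = Packet(dst, src, "tcp", dport=49152, tcp_ack=True)  # client port assumed
    return "open" if forward(syn, out_acls) and forward(synack, out_acls) else "filtered"

V20, V30 = wildcard("192.168.2.0", "0.0.0.255"), wildcard("192.168.3.0", "0.0.0.255")

# The thread's config: standard ACL 1, applied out on Fa0/0.30.
R1_STANDARD = {"Fa0/0.30": [ACE("deny", "ip", V20), ACE("permit", "ip", ANY)]}

# Extended replacement (assumed): VLAN 20 still cannot start anything toward
# VLAN 30, but answers to traffic that VLAN 30 hosts originated get back.
R1_EXTENDED = {"Fa0/0.30": [ACE("permit", "icmp", V20, V30, icmp_type="echo-reply"),
                            ACE("permit", "tcp", V20, V30, established=True),
                            ACE("deny", "ip", V20), ACE("permit", "ip", ANY)]}

# The web-server question (server 192.168.4.80 assumed): only HTTP reaches it,
# FTP and ping to it are denied, other VLAN 40 hosts are untouched.
WEB = IPv4Network("192.168.4.80/32")
WEB_SERVER = {"Fa0/0.40": [ACE("permit", "tcp", ANY, WEB, dport=80),
                           ACE("deny", "ip", ANY, WEB), ACE("permit", "ip", ANY)]}

if __name__ == "__main__":
    for label, acls in (("standard", R1_STANDARD), ("extended", R1_EXTENDED)):
        print(label, "VLAN30->VLAN20:", ping("192.168.3.9", "192.168.2.11", acls),
              "VLAN20->VLAN30:", ping("192.168.2.11", "192.168.3.9", acls))
    print("web :80", tcp_connect("192.168.1.5", "192.168.4.80", 80, WEB_SERVER),
          " :21", tcp_connect("192.168.1.5", "192.168.4.80", 21, WEB_SERVER))
```

With the standard ACL the VLAN 30 host gets `.` and the VLAN 20 host gets `U`, which is the difference described above: an outbound ACL drops the packet on the exit interface and sends the ICMP unreachable to that packet's source, so when the echo reply is the packet being dropped, the unreachable reaches the replier rather than the pinger. The `established` entry is the TCP counterpart of permitting `echo-reply`: it matches only segments carrying ACK or RST, so a VLAN 20 host cannot open a connection into VLAN 30 but can answer one. It is a flag check, not stateful inspection, so a crafted segment with ACK set passes it. To test a port rule on the real topology the same idea applies: use a TCP client from the source host rather than ping (IOS `telnet <host> <port>` works for any TCP port), and put `log` on the entry you care about and read the hit counters in `show access-lists` to see which entry actually matched.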
 
With the extended stuff I think I have worked out how you can block particular traffic, i.e. tcp eq http.

As I mentioned earlier, to test whether the access list is working I was using the ping command to test whether x could communicate with y, wasn't I?

Is there any way to do this test for a particular type of traffic?

For Example: Say if I set up a 'WebServer' which would permit any HTTP traffic but deny any other traffic. How could I test that T1 can send HTTP traffic to the server but can't send FTP traffic for instance?

Also: I have connected R2 (WAN) from R1 (LAN). From R2 I have created a switch, and from this switch I have created a host whom I am trying to make a member of VLAN 40. However, I'm unsure of how to configure the interface from R2 to SW4. From SW4 to R2 I have a trunk port; however, I can't set the other way to be a trunk port as well (like I have done previously for SW1 to SW2 and SW1 to SW4) as it isn't using a switch interface but a Fast Ethernet.
 
I can get as far as R2 (WAN) from R1 through a serial interface, but for anything connected to R2, i.e. from R2 > SW4 > T20, I can't get any connection at all.

Can still ping all of the other nodes from R2, but anything further is a no-no. Been trying for like 3 hours straight and still can't get it to work :mad:

Don't have a clue what I'm doing wrong or not putting in.
 
Well, R2 is directly connected to R1 via its serial interface, so that's why R2 can reach R1. Have you told R1 to route the subnets that hang off R2, and vice versa?

Config and a diagram would really help.

HEADRAT
 
[Diagram: 1yo2ms.jpg]


R1 Config:

Code:
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.2.1 255.255.255.0
!
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 192.168.3.1 255.255.255.0
 ip access-group 1 out
!
interface FastEthernet0/0.40
 encapsulation dot1Q 40
 ip address 192.168.4.1 255.255.255.0
!
interface FastEthernet1/0
 ip address 192.168.25.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial2/0
 ip address 192.168.100.1 255.255.255.0
 serial restart-delay 0
!
no ip http server
no ip http secure-server
!
!
!
access-list 1 deny   192.168.2.0 0.0.0.255
access-list 1 permit any
!
end

R2 Config:
Code:
interface Serial0/0
 ip address 192.168.100.2 255.255.255.0
 serial restart-delay 0
!
interface FastEthernet1/0
 no ip address
 duplex auto
 speed auto
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.100.1
!
end
 
I've cut the code down obviously to save room on the thread.

With regards to F1/0 for R2, which is the interface going from R2 to SW4: I have tried all sorts, including going into the subinterface and putting 192.168.4.1, which is what I did for R1 for VLAN 40. I then set a trunk link from SW4 to R2 and set up T25 the same way I set up all my other VLANs, so it probably is something I have done wrong in R1/R2.
 
Looking at R2, there isn't an IP address set up for F1/0. Maybe show us the config once you've set up this interface too, so we can see where you're going wrong for the LAN connected to R2.
 
Right, OK, I will look at setting up some form of RIP on R1 and R2. I purposefully left F1/0 blank ahha because I've tried a number of different things and couldn't get it to work.

At the moment F1/0 is:

interface FastEthernet1/0.40
encapsulation dot1Q 40
ip address 192.168.4.1 255.255.255.0
!

As I am trying to create a user of SW4 that belongs to VLAN 40. Don't know if that is correct though.
 
Tried putting OSPF in to no avail :(

R1 Config:

Code:
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.2.1 255.255.255.0
!
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 192.168.3.1 255.255.255.0
 ip access-group 1 out
!
interface FastEthernet0/0.40
 encapsulation dot1Q 40
 ip address 192.168.4.1 255.255.255.0
!
interface FastEthernet1/0
 ip address 192.168.25.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial2/0
 ip address 192.168.100.1 255.255.255.0
 serial restart-delay 0
!
router ospf 1
 log-adjacency-changes
 network 192.168.100.0 0.0.0.255 area 1
!

R2 Config:

Code:
interface Serial0/0
 ip address 192.168.100.2 255.255.255.0
 serial restart-delay 0
!
!
interface FastEthernet1/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet1/0.40
 encapsulation dot1Q 40
 ip address 192.168.4.1 255.255.255.0
!
router ospf 1
 log-adjacency-changes
 network 192.168.4.0 0.0.0.255 area 3
!
router ospf 2
 log-adjacency-changes
 network 192.168.100.0 0.0.0.255 area 1
!
router ospf 3
 log-adjacency-changes
 network 192.168.1.0 0.0.0.255 area 0
!
 
R1 Routing Table:

C 192.168.25.0/24 is directly connected, FastEthernet1/0
C 192.168.4.0/24 is directly connected, FastEthernet0/0.40
C 192.168.1.0/24 is directly connected, FastEthernet0/0.10
C 192.168.2.0/24 is directly connected, FastEthernet0/0.20
C 192.168.100.0/24 is directly connected, Serial2/0
C 192.168.3.0/24 is directly connected, FastEthernet0/0.30

R2 Routing Table:

C 192.168.4.0/24 is directly connected, FastEthernet1/0.40
C 192.168.100.0/24 is directly connected, Serial0/0

I'm struggling to see why this doesn't work?!
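The two routing tables pasted above are enough to reproduce the failure without the topology. The following is an added example, not code from the thread: it parses the two `show ip route` listings as posted, does a longest-prefix lookup for a host on each side, and lists the prefixes both routers treat as directly connected. The hosts 192.168.1.5 (VLAN 10) and 192.168.4.20 (T20) are assumed, and the `O` line in `R2_WITH_OSPF` is constructed to show what a learned route would look like; it is not in the posted output.

```python
"""Longest-prefix lookup over the routing tables posted in this thread
(added example, not code from the thread). Hosts 192.168.1.5 and 192.168.4.20
are assumed; the 'O' route in R2_WITH_OSPF is constructed, not posted output."""
from __future__ import annotations
import re
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

@dataclass(frozen=True)
class Route:
    code: str                  # C connected, S static, O OSPF, ...
    prefix: IPv4Network
    via: str | None            # next-hop address, None for connected routes
    iface: str | None          # exit interface, None if the line has none

def parse_routes(text: str) -> list[Route]:
    """Parse the one-line-per-route form of 'show ip route' output."""
    routes = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        code, prefix, rest = line.split(None, 2)
        via = re.search(r"via (\d+(?:\.\d+){3})", rest)
        iface = rest.rsplit(",", 1)[1].strip() if "," in rest else None
        routes.append(Route(code, IPv4Network(prefix), via.group(1) if via else None, iface))
    return routes

def lookup(routes: list[Route], dst: str) -> Route | None:
    """Longest prefix match: the most specific prefix containing dst wins."""
    addr = IPv4Address(dst)
    return max((r for r in routes if addr in r.prefix),
               key=lambda r: r.prefix.prefixlen, default=None)

def next_hop(routes: list[Route], dst: str) -> str:
    r = lookup(routes, dst)
    if r is None:
        return "no route"
    if r.via is None:
        return f"connected, {r.iface}"
    return f"via {r.via}" + (f", {r.iface}" if r.iface else "")

def shared_connected(a: list[Route], b: list[Route]) -> list[str]:
    """Prefixes both routers consider directly connected. The point-to-point
    link between them is expected here; a LAN prefix on both is an overlap."""
    pa = {str(r.prefix) for r in a if r.code == "C"}
    pb = {str(r.prefix) for r in b if r.code == "C"}
    return sorted(pa & pb)

# R1 and R2 tables exactly as posted above.
R1_TABLE = parse_routes("""
C 192.168.25.0/24 is directly connected, FastEthernet1/0
C 192.168.4.0/24 is directly connected, FastEthernet0/0.40
C 192.168.1.0/24 is directly connected, FastEthernet0/0.10
C 192.168.2.0/24 is directly connected, FastEthernet0/0.20
C 192.168.100.0/24 is directly connected, Serial2/0
C 192.168.3.0/24 is directly connected, FastEthernet0/0.30
""")
R2_TABLE = parse_routes("""
C 192.168.4.0/24 is directly connected, FastEthernet1/0.40
C 192.168.100.0/24 is directly connected, Serial0/0
""")
# Constructed, not from the thread: R2's table if it had learned VLAN 10 over OSPF.
R2_WITH_OSPF = R2_TABLE + parse_routes(
    "O 192.168.1.0/24 [110/65] via 192.168.100.1, 00:00:10, Serial0/0")

if __name__ == "__main__":
    print("R1 -> T20 (192.168.4.20):     ", next_hop(R1_TABLE, "192.168.4.20"))
    print("R2 -> VLAN 10 (192.168.1.5):  ", next_hop(R2_TABLE, "192.168.1.5"))
    print("R2 with an OSPF route:        ", next_hop(R2_WITH_OSPF, "192.168.1.5"))
    print("connected on both routers:    ", shared_connected(R1_TABLE, R2_TABLE))
```

Two things fall out. R1's lookup for 192.168.4.20 lands on its own Fa0/0.40: 192.168.4.0/24 is configured on R1's VLAN 40 subinterface as well as on R2's Fa1/0.40 (both even use 192.168.4.1), so R1 will never send VLAN 40 traffic over the serial link whatever the routing protocol does, and the LAN behind R2 needs a prefix of its own. And R2's lookup for 192.168.1.5 returns no route: the posted R2 table holds only connected routes, the earlier `ip route 0.0.0.0 0.0.0.0 192.168.100.1` default is absent from the second R2 config, and R1's `router ospf 1` only has a `network` statement for 192.168.100.0/24, so R1 never advertises its VLANs to R2 either. The constructed `O` line is the entry a single OSPF process on each router, with the LAN `network` statements in that same process and the serial link in a common area, would leave in R2's table.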
 