
I have implemented a LAN design in Packet Tracer with 6 VLANs using a router-on-a-stick configuration. Everything seems to work without ACLs, but I'm trying to implement rules where only the 2nd floor segments are allowed to access all other floors and the rest of the segments are allowed to access the fellow segments on their respective floors only.

Each department maintains its own network segment. So far I have implemented ACLs on the Administration and IT department segments and managed to allow DHCP, DNS and web server access. However, I'm not able to communicate from the IT department to the Administration department, even though I have placed the necessary ACL rules. When I implement an ACL rule allowing access from the Administration department to the IT department it works, but it ignores my requirement where "only the 2nd floor segments are allowed to access all other floors and the rest of the segments are allowed to access the fellow segments on their respective floors only".

ip access-list extended ADMINISTRATION_SEGMENT
 permit ip 10.1.30.0 0.0.0.31 10.1.40.0 0.0.0.15
 permit tcp 10.1.30.0 0.0.0.31 host 10.1.10.3 eq www
 permit udp any eq bootpc any eq bootps
 permit udp 10.1.30.0 0.0.0.31 host 10.1.10.2 eq domain
 deny ip 10.1.30.0 0.0.0.31 10.1.10.0 0.0.0.31
!
ip access-list extended IT_SEGMENT
 permit ip 10.1.10.0 0.0.0.31 10.1.30.0 0.0.0.31
!



interface GigabitEthernet0/0.1
encapsulation dot1Q 1 native
ip address 10.1.2.1 255.255.255.240
!

interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 10.1.10.1 255.255.255.224
ip helper-address 10.1.10.2
ip access-group IT_SEGMENT in
!

interface GigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 10.1.20.1 255.255.255.240
ip helper-address 10.1.10.2
!

interface GigabitEthernet0/0.30
encapsulation dot1Q 30
ip address 10.1.30.1 255.255.255.224
ip helper-address 10.1.10.2
ip access-group ADMINISTRATION_SEGMENT in
!

interface GigabitEthernet0/0.40
encapsulation dot1Q 40
ip address 10.1.40.1 255.255.255.240
ip helper-address 10.1.10.2
!

interface GigabitEthernet0/0.50
encapsulation dot1Q 50
ip address 10.1.50.1 255.255.255.224
ip helper-address 10.1.10.2
!

interface GigabitEthernet0/0.60
encapsulation dot1Q 60
ip address 10.1.60.1 255.255.255.240
ip helper-address 10.1.10.2
!

[Image: LAN design diagram]

I have attached the Packet Tracer file if anyone needs to take a closer look. Any ideas/advice are appreciated. Thank you.

Packet tracer file

1 Answer

With this ACL:

ip access-list extended IT_SEGMENT
 permit ip 10.1.10.0 0.0.0.31 10.1.30.0 0.0.0.31
!

You are limiting traffic coming in on that interface to only the 10.1.30.0/27 network, because there is an implicit deny all at the end of the ACL.

Also, remember that most network protocols work with a request/reply, and you are limiting what can be sent in reply to requests that originated from 10.1.10.0/27. All traffic from the 10.1.30.0/27 network to the 10.1.10.0/27 network, except for HTTP to 10.1.10.3 and DNS to 10.1.10.2, is blocked, including replies to requests from the 10.1.10.0/27 network. The hosts on the 10.1.30.0/27 network simply cannot reply to requests from the 10.1.10.0/27 network.


What you seem to want to do is use a Zone-Based Firewall in your router, and many Cisco routers have that as an optional license, but you probably will not find that in Packet Tracer. You may be able to use reflexive ACLs to do what you want, but Packet Tracer is only designed to get you through the CCNA, and advanced topics are not supported.

  • That's interesting, I'm trying to figure this out for days now. Thank you for the input. Is there any way I can perform this in Packet Tracer? Commented Oct 31, 2018 at 13:15
  • I don't have Packet Tracer because it is just too limiting. You probably want to get something else, like VIRL or GNS to explore more advanced topics.
    – Ron Maupin
    Commented Oct 31, 2018 at 13:17
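For readers who want to see what the reflexive-ACL approach the answer mentions looks like on an IOS router, the configuration below is an added example; it is not part of the question or the answer, and whether Packet Tracer accepts the `reflect`/`evaluate` keywords is not established on this page. It assumes that VLAN 10 (IT, 10.1.10.0/27) is the 2nd-floor segment that may open sessions to VLAN 30 (Administration, 10.1.30.0/27) and that VLAN 30 may only answer those sessions. The reflexive list name IT_TO_ADMIN and the 120-second idle timeout are arbitrary choices, and the server rules are carried over from the question's ADMINISTRATION_SEGMENT ACL.

```cisco
! Added example, not configuration from the question or the answer.
! Assumption: VLAN 10 (IT, 10.1.10.0/27) is the 2nd-floor segment that
! may open sessions to VLAN 30 (Administration, 10.1.30.0/27); VLAN 30
! may only answer them. IT_TO_ADMIN and 120 are values chosen here.
!
! Remove the old lists first: re-entering a named ACL appends new
! entries after the existing ones, and the original "permit ip" line
! in IT_SEGMENT would match first and shadow the reflect entries.
no ip access-list extended IT_SEGMENT
no ip access-list extended ADMINISTRATION_SEGMENT
!
! Idle timeout, in seconds, for the temporary (reflexive) entries.
ip reflexive-list timeout 120
!
! Inbound on Gi0/0.10. Each "reflect" entry permits the packet and
! records the session, with source and destination swapped, in the
! temporary list IT_TO_ADMIN. The implicit deny still drops anything
! else that enters from VLAN 10 (this example covers TCP and UDP only).
ip access-list extended IT_SEGMENT
 permit tcp 10.1.10.0 0.0.0.31 10.1.30.0 0.0.0.31 reflect IT_TO_ADMIN
 permit udp 10.1.10.0 0.0.0.31 10.1.30.0 0.0.0.31 reflect IT_TO_ADMIN
!
! Inbound on Gi0/0.30. "evaluate" nests the temporary list here, so a
! packet from Administration toward IT is permitted only when it
! belongs to a session that IT opened. Administration still cannot
! start new sessions to 10.1.10.0/27 beyond the HTTP and DNS server
! rules, and the explicit deny at the end documents that intent.
ip access-list extended ADMINISTRATION_SEGMENT
 evaluate IT_TO_ADMIN
 permit ip 10.1.30.0 0.0.0.31 10.1.40.0 0.0.0.15
 permit tcp 10.1.30.0 0.0.0.31 host 10.1.10.3 eq www
 permit udp any eq bootpc any eq bootps
 permit udp 10.1.30.0 0.0.0.31 host 10.1.10.2 eq domain
 deny ip 10.1.30.0 0.0.0.31 10.1.10.0 0.0.0.31
!
! Stateless fallback for TCP only, if reflexive ACLs are unavailable:
! "established" matches TCP segments with ACK or RST set, i.e. packets
! of a connection the other side opened. It does not help for UDP and
! would take the place of the "evaluate" line above.
!  permit tcp 10.1.30.0 0.0.0.31 10.1.10.0 0.0.0.31 established
!
interface GigabitEthernet0/0.10
 ip access-group IT_SEGMENT in
!
interface GigabitEthernet0/0.30
 ip access-group ADMINISTRATION_SEGMENT in
```

Two caveats when trying this. Between the `no ip access-list` lines and the re-created lists, an `ip access-group` that references a missing ACL permits everything, so do this in one pasted block or off hours. Reflexive entries are keyed on the addresses and ports of the first packet, so protocols that negotiate a second channel (active FTP, for instance) will not get their data connection through, and ping from IT to Administration is not covered because the example only reflects TCP and UDP.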
