I have implemented a LAN design in Packet Tracer with 6 VLANs using a router-on-a-stick configuration. Everything seems to work without ACLs, but I'm trying to implement rules where only the 2nd floor segments are allowed to access all other floors and the rest of the segments are allowed to access only the fellow segments on their respective floors.
Each department maintains its own network segment. So far I have implemented ACLs on the Administration and IT department segments and managed to allow DHCP, DNS and web server access. However, I'm not able to communicate from the IT department to the Administration department, even though I have placed the necessary ACL rules. When I implement an ACL rule allowing access from the Administration department to the IT department it works, but it ignores my requirement that "only the 2nd floor segments are allowed to access all other floors and the rest of the segments are allowed to access only the fellow segments on their respective floors".
ip access-list extended ADMINISTRATION_SEGMENT
permit ip 10.1.30.0 0.0.0.31 10.1.40.0 0.0.0.15
permit tcp 10.1.30.0 0.0.0.31 host 10.1.10.3 eq www
permit udp any eq bootpc any eq bootps
permit udp 10.1.30.0 0.0.0.31 host 10.1.10.2 eq domain
deny ip 10.1.30.0 0.0.0.31 10.1.10.0 0.0.0.31
!
ip access-list extended IT_SEGMENT
permit ip 10.1.10.0 0.0.0.31 10.1.30.0 0.0.0.31
!
interface GigabitEthernet0/0.1
encapsulation dot1Q 1 native
ip address 10.1.2.1 255.255.255.240
!
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 10.1.10.1 255.255.255.224
ip helper-address 10.1.10.2
ip access-group IT_SEGMENT in
!
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 10.1.20.1 255.255.255.240
ip helper-address 10.1.10.2
!
interface GigabitEthernet0/0.30
encapsulation dot1Q 30
ip address 10.1.30.1 255.255.255.224
ip helper-address 10.1.10.2
ip access-group ADMINISTRATION_SEGMENT in
!
interface GigabitEthernet0/0.40
encapsulation dot1Q 40
ip address 10.1.40.1 255.255.255.240
ip helper-address 10.1.10.2
!
interface GigabitEthernet0/0.50
encapsulation dot1Q 50
ip address 10.1.50.1 255.255.255.224
ip helper-address 10.1.10.2
!
interface GigabitEthernet0/0.60
encapsulation dot1Q 60
ip address 10.1.60.1 255.255.255.240
ip helper-address 10.1.10.2
!
I have attached the Packet Tracer file if anyone needs to take a closer look. Any ideas/advice are appreciated. Thank you.
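The symptom in the post can be reproduced by walking both inbound ACLs by hand for both directions of a single conversation, because an inbound ACL on a subinterface is stateless: it judges the reply from the Administration side on its own, with no knowledge that an IT host asked first. The script below is an added example, not code from the original post or from the attached Packet Tracer file. It parses the two ACLs exactly as posted into IOS-style entries, evaluates them the way IOS does (first match wins, implicit deny at the end), picks the inbound ACL from the subinterface that a packet's source VLAN enters on, and checks a request together with its reply. The host addresses 10.1.10.20 and 10.1.30.20 are constructed, and the two `echo-reply`/`established` entries in `ADMINISTRATION_SEGMENT_FIXED` are an assumed correction for return traffic, not something taken from the post.

```python
"""Added example (not from the post): stateless ACL walk-through for the router on a stick.
IOS-style evaluation, first match wins with an implicit deny, run for a request and its reply."""
import ipaddress
from collections import namedtuple

PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68}
# kind marks the packet's role: "syn"/"ack" for TCP, "echo"/"echo-reply" for ICMP
Packet = namedtuple("Packet", "proto src dst sport dport kind", defaults=(0, 0, ""))
# src/dst: (network, wildcard) ints; sport/dport: None = any; qualifier: "", "established", "echo-reply"
Ace = namedtuple("Ace", "action proto src dst sport dport qualifier")
_ip = lambda text: int(ipaddress.IPv4Address(text))  # dotted quad to integer

def _in(addr, spec):
    """IOS wildcard match: address bits under a 0 wildcard bit must equal the network."""
    net, wildcard = spec
    return ((_ip(addr) ^ net) & ~wildcard & 0xFFFFFFFF) == 0

def _addr(t, i):
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD'."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2

def _port(t, i):
    """Consume an optional 'eq <port>' (name or number); None means any port."""
    if i < len(t) and t[i] == "eq":
        return PORT_NAMES.get(t[i + 1]) or int(t[i + 1]), i + 2
    return None, i

def parse_acl(text):
    """Parse 'permit|deny <proto> <src> [eq p] <dst> [eq p] [established|echo-reply]' lines."""
    aces = []
    for t in filter(None, map(str.split, text.splitlines())):   # skip blank lines
        src, i = _addr(t, 2)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        aces.append(Ace(t[0], t[1], src, dst, sport, dport, t[i] if i < len(t) else ""))
    return aces

def matches(ace, p):
    """One entry against one packet; the qualifiers only ever match reply-type packets."""
    if ace.proto not in ("ip", p.proto) or not (_in(p.src, ace.src) and _in(p.dst, ace.dst)):
        return False
    if ace.sport not in (None, p.sport) or ace.dport not in (None, p.dport):
        return False
    if ace.qualifier == "established":      # ACK or RST set, i.e. not a fresh SYN
        return p.proto == "tcp" and p.kind == "ack"
    if ace.qualifier == "echo-reply":
        return p.proto == "icmp" and p.kind == "echo-reply"
    return True

def evaluate(aces, p):
    """First matching entry decides; a list that matches nothing denies (implicit deny)."""
    return next((ace.action for ace in aces if matches(ace, p)), "deny")

# VLAN subnets from the post; only Gi0/0.10 and Gi0/0.30 carry an inbound ACL.
SUBINTERFACES = {"Gi0/0.10": "10.1.10.0/27", "Gi0/0.20": "10.1.20.0/28", "Gi0/0.30": "10.1.30.0/27",
                 "Gi0/0.40": "10.1.40.0/28", "Gi0/0.50": "10.1.50.0/27", "Gi0/0.60": "10.1.60.0/28"}

def router_decision(acls_in, p):
    """Router on a stick: a packet enters on the subinterface of its source VLAN."""
    for name, cidr in SUBINTERFACES.items():
        if ipaddress.ip_address(p.src) in ipaddress.ip_network(cidr):
            acl = acls_in.get(name)
            return "permit" if acl is None else evaluate(acl, p)
    raise ValueError("no VLAN holds " + p.src)

def exchange(acls_in, request, reply):
    """A conversation only works if the request and its reply both pass."""
    return router_decision(acls_in, request), router_decision(acls_in, reply)

ADMINISTRATION_SEGMENT = """
permit ip 10.1.30.0 0.0.0.31 10.1.40.0 0.0.0.15
permit tcp 10.1.30.0 0.0.0.31 host 10.1.10.3 eq www
permit udp any eq bootpc any eq bootps
permit udp 10.1.30.0 0.0.0.31 host 10.1.10.2 eq domain
deny ip 10.1.30.0 0.0.0.31 10.1.10.0 0.0.0.31
"""
IT_SEGMENT = "permit ip 10.1.10.0 0.0.0.31 10.1.30.0 0.0.0.31"
# Assumed fix, not from the post: replies from Administration to IT pass ahead of the deny,
# while sessions started from the Administration side still hit it.
ADMINISTRATION_SEGMENT_FIXED = """
permit icmp 10.1.30.0 0.0.0.31 10.1.10.0 0.0.0.31 echo-reply
permit tcp 10.1.30.0 0.0.0.31 10.1.10.0 0.0.0.31 established
""" + ADMINISTRATION_SEGMENT
AS_POSTED = {"Gi0/0.10": parse_acl(IT_SEGMENT), "Gi0/0.30": parse_acl(ADMINISTRATION_SEGMENT)}
WITH_FIX = {"Gi0/0.10": parse_acl(IT_SEGMENT), "Gi0/0.30": parse_acl(ADMINISTRATION_SEGMENT_FIXED)}

# Constructed hosts: one PC in IT (VLAN 10) and one in Administration (VLAN 30).
IT_PC, ADMIN_PC = "10.1.10.20", "10.1.30.20"
PING_REQ = Packet("icmp", IT_PC, ADMIN_PC, kind="echo")
PING_REPLY = Packet("icmp", ADMIN_PC, IT_PC, kind="echo-reply")

if __name__ == "__main__":
    print("IT -> Admin ping, as posted:", exchange(AS_POSTED, PING_REQ, PING_REPLY))
    print("IT -> Admin ping, with fix: ", exchange(WITH_FIX, PING_REQ, PING_REPLY))
    print("Admin -> IT ping, with fix: ", router_decision(WITH_FIX, Packet("icmp", ADMIN_PC, IT_PC, kind="echo")))
```

With the ACLs as posted, an IT-to-Administration ping comes out as ('permit', 'deny') in this model: the echo request passes IT_SEGMENT on Gi0/0.10, but the echo reply enters Gi0/0.30 from 10.1.30.x towards 10.1.10.x and is dropped by the last line of ADMINISTRATION_SEGMENT, which is exactly the one-way symptom described. With the two return-traffic entries placed in front of that deny, the reply passes while a ping started from the Administration side is still denied, so the directional policy survives. Two caveats apply to this pattern: `established` only checks the ACK/RST bits, which any sender can set, so it is a policy convenience rather than a security boundary (reflexive ACLs or a stateful firewall feature are the stronger option), and UDP has no such bits, so UDP replies in the restricted direction need explicit entries like the DNS line the ACL already carries.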