Network#20: Control Inter-VLAN routing by ACLs

Hello and welcome to a new episode of the network and Cisco Packet Tracer tutorials for beginners. CRH is here, and in today's tutorial we are going to combine some of our networking knowledge. In previous videos you became familiar with the concept of inter-VLAN routing using a multilayer switch, and you also know how access lists work, so here we are going to combine ACLs with the inter-VLAN routing scenario.

I just added this server to the scenario from video number 9 and assigned the IP addresses: VLAN 100 for the IT department here, and the sales department on VLAN 200 with 192.168.200.0/24. Since we run IP routing on the multilayer switch, we can ping all the segments from all the hosts in this network. Let's try it: go to Laptop 0 in the IT department (imagine you are working in the IT department), open Desktop > Command Prompt and run ipconfig to make sure we got an IP address. Now ping server 1; we wait for the first ICMP packet... OK, we can ping server 1. Let's try server 2 as well... waiting for the reply... and here we go: from the IT department we can ping both servers on VLAN 50. Let's try some pings to VLAN 200 as well, just ping one of those PCs... OK, here we go, we get replies from those machines.

So back to PC 1, for example, and try pinging the servers: 192.168.0.1 we can ping easily; let's try the other one as well. From PC 1, as well as from PC 2, ping 192.168.0.2... yes, we get replies from both. Now let's say we want to block the traffic from VLAN 200 to our server farm on VLAN 50 by using access lists. We can control this traffic, but what type of access list do we have to use? Obviously we want to have control over both source and destination, so we don't have any other choice except an extended access list. Let's begin by configuring the extended access list.
Go to the switch, enable, go to global configuration mode (you are very familiar with this by now), and let's create one access list for this control. Before creating it, let's see how we can do this: we want to block the traffic from this segment to this segment, but the rest of the traffic from this VLAN must be able to go through. So I start with the ip access-list command, then a question mark to remind you of the options, then extended, and let's create a name: since we want to control VLAN 200, let's call it SALES_ACL. The rule for an extended access list is to place it near the source address, to have better performance for the control plane on our device. So we want to block the traffic from this segment: type a question mark, we have the option deny, then the IP protocol, and first of all, let's say, we want to block the entire segment, so 192.168.200.0 with wildcard mask 0.0.0.255, to the destination 192.168.0.0 with 0.0.0.255 as the wildcard mask. If you are not familiar with these access lists, I recommend that you go back and watch the extended access list videos again. We are using a named access list, and to prevent the implicit deny at the end we add permit ip any any as the last statement.

So let's apply this access list. Where do we have to apply it? Since we want the access list to be near our source, we have to apply it on the gateway of VLAN 200, which is interface VLAN 200, using ip access-group with our access list SALES_ACL in the in direction, so the access list is applied immediately when the traffic enters the interface. Let me zoom in so you can take a close look at the configuration: here we have ip access-list extended SALES_ACL, here we have the line denying everything from the sales network to the destination of the server farm,
here we add permit ip any any, and finally we apply the access list SALES_ACL on interface VLAN 200. OK, let's use Ctrl+Z to go back and use show access-lists. Currently we have this access list; take a close look... yep, here we go, we have two lines here. Let's test it: go to PC 1. Previously we could ping this server, but now we get destination unreachable, because as soon as our traffic enters the interface it is caught by the access list. Let's try the other server... yes, we couldn't. Let's try whether we can ping this laptop here or not: ping 192.168.100.1, and yes, we can do that. Let's go back to the multilayer switch, use show access-lists and see exactly what's happening here. Previously, in the show access-lists output for SALES_ACL, we didn't have any matched traffic, but after we tried to ping from the sales VLAN to the server VLAN we got 8 matches, and when we tried to ping the IT department, which is permitted here by permit ip any any, we got 4 matches. So as you can see it's a very powerful tool: with ACLs you can control every traffic on your network.

Let's be a bit more specific here. What else can we do? Let's say we don't want to block all traffic from this VLAN to the server farm; let's say we want to allow these PCs to access server 1 only, and only server 1, not server 2. How can we modify our access list? As you might guess, it's very easy. Go to global configuration mode, ip access-list extended SALES_ACL, so we are editing the previous ACL we have here, and I just want to add another line to it. We want a permit, but since we have the two sequences 10 and 20 here and the access list is read in order, we are going to add an additional sequence before statement 10, which denies the entire traffic. We put sequence number 5, then permit ip, and let's apply it to
the sales network, 192.168.200.0 with wildcard mask 0.0.0.255, and we want to permit it, let's say, to server 1 only. Let's say server 1 is our web server that everyone needs to access, and server 2 runs some other service or belongs to another department, and we don't want to give the sales department access to that server. So we want to permit to a specific host, host 192.168.0.1, and press Enter. Here we go, let me zoom in for you: yes, we just added sequence 5, permit ip from the VLAN 200 network to the specific host which is server 1. Using show access-lists, here we go, we have our new line, sequence 5. If the traffic matches this statement, it is applied and counted as a match; if not, the traffic goes to the second sequence, which is sequence 10, and if it doesn't match that either, it goes to sequence 20. Let's try PC 1. First we test the previous traffic, 192.168.0.2: of course we can't, destination unreachable. But now we have the access list sequence 5 that allows us to ping the other server, and as you can see, we can ping it easily. From PC 2 as well: ping server 2, destination unreachable; and now we can ping server 1. Let's go and see how much traffic is caught here: yes, as you can see, sequence 5 also got some matches, because two computers, hosts belonging to this subnet, were permitted to access server 1.

By using access lists we have full control over our network, as I mentioned previously, and you can also apply another access list. Let's say, for example, the IT department wants to use more access lists here and wants to block the traffic between these two VLANs, which is a very common requirement in networks. So let's go to the multilayer switch and create another access list: global configuration, ip access-list, again we want to use an extended access list, and this time we call it IT_ACL, since the IT department is here. We just want to deny any traffic from the entire 192.168.100.0 network, or you can choose a host, a
specific host, but I want the entire 192.168.100.0 network, to the 192.168.200.0 segment with wildcard mask 0.0.0.255. Press Enter... OK, I forgot to put ip here, because we didn't choose the protocol. Now this is the line we have here, and the second line will permit the rest of the traffic, which is permit ip any any, from any source to any destination. Let me zoom in for you: yes, we have the ip access-list extended IT_ACL name here; one sequence denies traffic from the IT department to the sales department, and the other one is permit ip any any, which means we expect the traffic from the green VLAN, VLAN 100, to still reach the server farm on VLAN 50 here. Let's apply it: interface VLAN... you guessed it, interface VLAN 100, because we want to be as close as possible to our source address, then ip access-group IT_ACL in. Please use meaningful names for your access lists. OK, let's use show access-lists and see what we have here: we have two access lists, SALES_ACL which we created previously, with its matches here, and the new IT_ACL which tries to deny communication between the two VLANs.

OK, let's see: can we ping the server from the laptop? Yes, we still can ping it. The other server? Yes, you can ping it. And let's try whether we can ping the sales PC... as you can see, destination unreachable. Let's go and check our matches, and here we go, we have some matches: the denied traffic between the two VLANs is caught here with 4 matches, and for the traffic to the servers we have all the matches here as well. So you may ask: now we applied the access list on the VLAN 100 interface, what about communication from VLAN 200 to VLAN 100? Let's see. OK, previously we could ping, but now take a look at the ICMP message: request timed out. What does it mean? Let me explain, and let me compare here to here. Before I explain, just try to ping server number 2, which the ACL catches:
destination unreachable. So here we got request timed out when pinging the computer in the IT department, but here we got destination unreachable. It's easy: here we have some matches for our access list, and these numbers increased; previously we had 15 matches and now we have 19 matches, which shows clearly what's happening. When pinging from VLAN 200 to VLAN 100 we didn't apply any ACL here for controlling the traffic in this direction, but still the ping is lost. The answer is this: your packet starts from these PCs on VLAN 200, goes to the switch and reaches the destination (it really does), but when the reply wants to come back it can't, because we have the IT_ACL access list, which blocks all traffic from the 192.168.100.0 network to this destination. That's the reason: when we applied the access list here, we actually controlled the traffic in the other direction as well.

OK, this quick video combined the ACL technology with inter-VLAN routing. I hope this video is helpful for you to apply in your test environment as well as in production. If you found this video useful, please subscribe to our YouTube channel and share it. Thank you and bye for now.
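To make the two effects shown in this video concrete, here is an added example (not code from the video or from Cisco): a small Python model of how a multilayer switch evaluates named extended ACLs applied inbound on SVIs. It parses an IOS-style config text constructed to mirror the scenario, keeps entries in sequence-number order (so the later-added sequence 5 is checked before 10 and 20), applies wildcard masks, counts matches the way show access-lists does, and models a ping as an echo request one way plus an echo reply back. The ACL names SALES_ACL and IT_ACL, the host addresses, and the VLAN-to-subnet mapping are assumptions filled in from the transcript; the "destination unreachable" versus "request timed out" distinction is the point of the last two sections above.

```python
"""Toy model of inbound extended ACLs on the SVIs of a multilayer switch (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_network

# Constructed IOS-style config mirroring the transcript; names and hosts are assumptions.
IOS_CONFIG = """
ip access-list extended SALES_ACL
 5 permit ip 192.168.200.0 0.0.0.255 host 192.168.0.1
 10 deny ip 192.168.200.0 0.0.0.255 192.168.0.0 0.0.0.255
 20 permit ip any any
ip access-list extended IT_ACL
 10 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
 20 permit ip any any
"""

# Subnet on each SVI and the ACL applied inbound there (None: no access-group on VLAN 50).
VLANS = {
    100: ("192.168.100.0/24", "IT_ACL"),
    200: ("192.168.200.0/24", "SALES_ACL"),
    50: ("192.168.0.0/24", None),
}


@dataclass
class Ace:
    seq: int
    action: str
    src: tuple  # (address as int, wildcard as int)
    dst: tuple
    matches: int = 0


def parse_addr(tokens, i):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(IPv4Address(tokens[i])), int(IPv4Address(tokens[i + 1]))), i + 2


def parse_acls(text):
    """Parse named extended ACLs; entries are kept in sequence-number order."""
    acls, current = {}, None
    for line in text.strip().splitlines():
        t = line.split()
        if t[:3] == ["ip", "access-list", "extended"]:
            current = acls.setdefault(t[3], [])
        elif t and current is not None:
            seq, action = int(t[0]), t[1]
            src, i = parse_addr(t, 3)          # t[2] is the protocol ('ip')
            dst, _ = parse_addr(t, i)
            current.append(Ace(seq, action, src, dst))
            current.sort(key=lambda a: a.seq)  # seq 5 lands ahead of 10 and 20
    return acls


def wildcard_match(addr, spec):
    """Wildcard-mask compare: a 1 bit in the mask means 'don't care'."""
    net, wc = spec
    return (addr & ~wc & 0xFFFFFFFF) == (net & ~wc & 0xFFFFFFFF)


def evaluate(acl, src, dst):
    """First matching entry wins and gets the match counter; otherwise implicit deny."""
    s, d = int(IPv4Address(src)), int(IPv4Address(dst))
    for ace in acl:
        if wildcard_match(s, ace.src) and wildcard_match(d, ace.dst):
            ace.matches += 1
            return ace.action
    return "deny"


def ingress_vlan(ip):
    return next(v for v, (net, _) in VLANS.items() if IPv4Address(ip) in ip_network(net))


def forward(acls, src, dst):
    """Verdict for one packet entering the switch on the source host's SVI."""
    acl_name = VLANS[ingress_vlan(src)][1]
    return evaluate(acls[acl_name], src, dst) if acl_name else "permit"


def ping(acls, src, dst):
    """Echo request one way, echo reply back; classified like the PC's ping output."""
    if forward(acls, src, dst) == "deny":
        return "destination unreachable"  # gateway drops the request and reports it
    if forward(acls, dst, src) == "deny":
        return "request timed out"        # reply silently dropped on the other SVI
    return "reply"


def show_access_lists(acls):
    """Render counters the way 'show access-lists' presents them."""
    out = []
    for name, acl in acls.items():
        out.append(f"Extended IP access list {name}")
        out.extend(f"    {a.seq} {a.action} ... ({a.matches} matches)" for a in acl)
    return "\n".join(out)


if __name__ == "__main__":
    acls = parse_acls(IOS_CONFIG)
    for src, dst in [("192.168.200.10", "192.168.0.2"),    # sales -> server 2: seq 10 denies
                     ("192.168.200.10", "192.168.0.1"),    # sales -> server 1: seq 5 permits
                     ("192.168.200.10", "192.168.100.1"),  # sales -> IT: reply blocked by IT_ACL
                     ("192.168.100.1", "192.168.200.10")]: # IT -> sales: denied on VLAN 100 SVI
        print(f"{src} -> {dst}: {ping(acls, src, dst)}")
    print(show_access_lists(acls))
```

Run it and compare the IT_ACL counters with the video: the sales-to-IT ping is permitted by SALES_ACL sequence 20 on the way in, but the reply from 192.168.100.1 enters the VLAN 100 SVI and hits IT_ACL sequence 10, so the sender only sees a timeout while the IT_ACL deny counter grows, exactly the 15-to-19 jump observed in the video.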
