
Cisco 3845, how do I prevent subnets from routing between each other?

I have a setup with a Cisco 3845 ISR + two Dell PowerConnect 6224 L3 Switches + 4 Cisco 1145 WAPs.

My goal is to create two VLANs for wireless access points.  The first VLAN will authenticate against RADIUS/PEAP for our domain computers and route between VLANs for various resources.  The second VLAN will be for guest use only and route directly to the internet and not communicate between VLANs.

I've worked out the part on creating the VLAN for internal use and it works great.  But I don't really know how to make best use of the equipment to isolate the VLAN and route it straight to the internet.

It seems the PowerConnect 6224 doesn't support PVLANs, so I'm trying to figure out how to do what I need with our Cisco 3845 router.  Honestly I don't know where to start.  I'm guessing I want it to do something like the following:

192.168.4.x -> VLAN Gateway 192.168.4.1 -> Cisco 3845 -> Internet (Serial 1/0)

Since I won't know the MAC addresses connecting to the WAPs, I know I can't use filtering.  We also only have 1 HWIC in use and I do have a spare one I can install.  Could I set up an interface on that and some kind of ACL that only permits access between 192.168.4.x and Serial 1/0 (with NAT)?
1 Solution
 
harbor235 commented:
A routed interface is a controlled interface which allows a security/traffic policy to be implemented.
You can deploy ACLs, you can use policy-based routing, and you can use CBAC (IOS Firewall).

ACLs: craft an ACL that categorizes your traffic by source, destination, protocol and port. You could do the following:

vlan A = 1.1.1.0, vlan B = 2.2.2.0

Apply this to the 2.2.2.x interface (vice versa for the 1.1.1.x interface):
access-list 100 deny ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
access-list 100 permit ip any any


harbor235 ;}
 
ITSupportZagat (Author) commented:
So, on the ACL, can I also specify a (pardon me if I use the term wrong) superscoped IP address to deny, since we have several different VLANs in the 192.168.x.x range?

access-list 105 deny ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 105 permit tcp any any eq 80
access-list 105 permit tcp any any eq 443
..etc
 
harbor235 commented:
Sure, once crafted you apply it to the interface; I recommend inbound in this situation.

config t
interface X
ip access-group 105 in
exit
wr mem

harbor235 ;}
 
ITSupportZagat (Author) commented:
Great.  I want to clear up one last thing that's been a point of contention.  I understand that on an ACL, if the network isn't allowed access, a deny is implied. So if, as above, I wanted to permit a specific network and block others (and all of our internal networks share interface ge0/0), can I do the following, or is there a better best practice:

access-list 105 permit ip 192.168.4.0 0.0.0.255 any
access-list 105 deny ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 105 deny ip 192.168.4.0 0.0.0.255 12.230.80.0 0.0.0.255
access-list 105 permit ip 192.168.255.0 0.0.0.255 any
access-list 105 permit ip 192.168.254.0 0.0.0.255 any
access-list 105 permit ip 192.168.253.0 0.0.0.255 any
access-list 105 deny ip any any

With the goal, same as before, since all networks in our company share ge0/0: I want to allow the 192.168.4.0 network to the internet, but deny local subnets.
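An added example, written by the editor and not code from this thread: a small Python evaluator for the numbered extended ACL syntax used in harbor235's answer and in the last question above. It applies the IOS first-match rule (entries are tried in order, the first hit decides, and a packet that matches nothing falls to the implicit "deny ip any any") to two constructed ACL 105 variants: one with the deny of 192.168.0.0/16 ahead of the Internet permits, and one that starts with "permit ip 192.168.4.0 0.0.0.255 any". The addresses 192.168.4.0/24, 192.168.0.0/16 and 12.230.80.0/24 are taken from the thread; the DNS-to-gateway entry (which assumes 192.168.4.1 is also the guest resolver), the sample client 192.168.4.10 and the sample Internet destination 93.184.216.34 are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example, not code from the thread: first-match evaluator for the
# "access-list N permit|deny proto SRC DST [eq PORT]" syntax used above.


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any protocol; "tcp"/"udp"/"icmp" match only that one
    src: int               # base address as a 32-bit integer
    swild: int             # IOS wildcard mask: 0 bits must match, 1 bits are don't-care
    dst: int
    dwild: int
    dport: Optional[int] = None   # "eq <port>" on the destination (tcp/udp entries only)


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return (base, wildcard, next index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def parse_acl(text: str) -> dict:
    """Parse access-list lines into {number: [Ace, ...]}, preserving configuration order."""
    acls = {}
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        num, action, proto = int(tokens[1]), tokens[2], tokens[3]
        src, swild, i = _parse_addr(tokens, 4)
        dst, dwild, i = _parse_addr(tokens, i)
        dport = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
        acls.setdefault(num, []).append(Ace(action, proto, src, swild, dst, dwild, dport))
    return acls


def _match(addr: int, base: int, wild: int) -> bool:
    # Bits set in the wildcard are ignored; every other bit must equal the base address.
    return ((addr ^ base) & (~wild & 0xFFFFFFFF)) == 0


def evaluate(aces, src: str, dst: str, proto: str = "ip", dport: Optional[int] = None):
    """Return (action, 1-based entry number) of the first matching entry, or ('deny', None) for the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for n, ace in enumerate(aces, 1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (_match(s, ace.src, ace.swild) and _match(d, ace.dst, ace.dwild)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, n
    return "deny", None


# Constructed guest-VLAN policy: the one local service the guests need, then the
# deny of every internal range, then the Internet permits. The DNS entry assumes
# the 192.168.4.1 gateway is also the guest resolver (an assumption, not from the thread).
GUEST_ACL_TEXT = """
access-list 105 permit udp 192.168.4.0 0.0.0.255 host 192.168.4.1 eq 53
access-list 105 deny   ip  192.168.4.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 105 deny   ip  192.168.4.0 0.0.0.255 12.230.80.0 0.0.0.255
access-list 105 permit tcp 192.168.4.0 0.0.0.255 any eq 80
access-list 105 permit tcp 192.168.4.0 0.0.0.255 any eq 443
"""

# Constructed variant with a broad "permit ... any" placed first: the two denies below it can never be reached.
SHADOWED_ACL_TEXT = """
access-list 105 permit ip  192.168.4.0 0.0.0.255 any
access-list 105 deny   ip  192.168.4.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 105 deny   ip  192.168.4.0 0.0.0.255 12.230.80.0 0.0.0.255
"""

GUEST = parse_acl(GUEST_ACL_TEXT)[105]
SHADOWED = parse_acl(SHADOWED_ACL_TEXT)[105]

if __name__ == "__main__":
    # Constructed sample packets from one guest client (192.168.4.10 is an assumed address).
    for name, acl in (("ordered", GUEST), ("shadowed", SHADOWED)):
        for dst, proto, port in (("192.168.254.5", "tcp", 445), ("93.184.216.34", "tcp", 443), ("93.184.216.34", "tcp", 22)):
            print(name, dst, proto, port, evaluate(acl, "192.168.4.10", dst, proto, port))
```

Applied with "ip access-group 105 in" on the guest VLAN's routed interface, the ACL only ever sees packets sourced from the guest side, so the source field can stay fixed at 192.168.4.0/24 and the denies of the internal ranges must come before any permit that covers "any"; once a broad permit matches, nothing below it is consulted.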
 
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.