Solved

Cisco Vlans

Posted on 2011-09-27
9
372 Views
Last Modified: 2012-06-27
Hi there,
I have recently put VLANS into our network. I have setup about 5 different VLANS and since I have added the Router into the network all of the VLANS can talk to each other. But I don't want this to happen.

I have my Server VLAN 5 which is 192.168.5.0
I have my Admin Vlan 20 which is 192.168.20.0
I have my Guest Vlan 15 which is 192.168.15.0

I would like my Admin to talk to the Server Vlan but I do not wish for the Guest Vlan to talk to the Servers. Could anyone tell me what commands I need to use to be able to stop this from happening?

Thanks for your help
0
Comment
Question by:dan4132
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +1
9 Comments
 
LVL 18

Accepted Solution

by:
Garry Glendown earned 250 total points
ID: 36708703
Two possible solutions - one is configuring ACLs on the different VLANs, the other is using VRFs to segregate the VLANs from each other ... first one is easier to configure I reckon, second more elegant and safer ...

For ACLs, add something like:

ip access-list extended GUEST_IN
  deny ip 192.168.15.0 0.0.0.255 192.168.5.0 0.0.0.255
  [add additional ranges you don't want to permit access to]
  permit ip 192.168.15.0 0.0.0.255 any

int vlan 15
  ip access-group GUEST_IN in

Open in new window

0
 
LVL 3

Author Comment

by:dan4132
ID: 36708885
Hi Garry,
I thought ACL's might be the way to go.
I typed in all of the code you gave me but I can still ping the Servers from the Guest Machine.
Any ideas?

My IP Address is 192.168.15.0/24

I typed in exactly as you have above and when I type in the Command show access list its all there.

Thanks
0
 
LVL 17

Assisted Solution

by:rochey2009
rochey2009 earned 250 total points
ID: 36709485
Hi,

You also need to deny ICMP.

ip access-list extended GUEST_IN
  deny ip 192.168.15.0 0.0.0.255 192.168.5.0 0.0.0.255

  deny icmp 192.168.15.0 0.0.0.255 192.168.5.0 0.0.0.255

  [add additional ranges you don't want to permit access to]

  permit ip 192.168.15.0 0.0.0.255 any

0
Transaction Monitoring Vs. Real User Monitoring

Synthetic Transaction Monitoring Vs. Real User Monitoring: When To Use Each Approach? In this article, we will discuss two major monitoring approaches: Synthetic Transaction and Real User Monitoring.

 
LVL 3

Author Comment

by:dan4132
ID: 36709588
Hiya,
I tried the Deny ICMP and I can still ping from the Guest to the clients. I have copied the router config below. I have done it to .20.0 rather than .5.0

Router#show running-config
Building configuration...

Current configuration : 1531 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
enable secret 5 $1$mERr$enozEsWcnsc1Y5..Q4jiD/
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 ip access-group GUEST_IN in
 duplex auto
 speed auto
!
interface FastEthernet0/0.5
 encapsulation dot1Q 5
 ip address 192.168.5.1 255.255.255.0
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 192.168.5.3
!
interface FastEthernet0/0.15
 encapsulation dot1Q 15
 ip address 192.168.15.1 255.255.255.0
 ip helper-address 192.168.5.3
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip helper-address 192.168.5.3
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface FastEthernet0/1/0
 switchport mode access
 shutdown
!
interface FastEthernet0/1/1
 switchport mode access
 shutdown
!
interface FastEthernet0/1/2
 switchport mode access
 shutdown
!
interface FastEthernet0/1/3
 switchport mode access
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
router rip
!
ip classless
!
!
ip access-list extended GUEST_IN
 deny ip 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny icmp 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.15.0 0.0.0.255 any
!
no cdp run
!
!
!
!
!
line con 0
 password ***
 login
line vty 0 4
 password ***
 login
line vty 5 15
 password ***
 login
!
!
!
end
0
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 36709652
Do you see any counters at the end of the lines when you do the "show ip access-list"? What happens if you remove the last "permit" line (just out of curiosity - it should essentially block any incoming traffic on that VLAN interface)
0
 
LVL 3

Author Closing Comment

by:dan4132
ID: 36709689
Whoops.. I have just realised what I was doing wrong.. I was putting the Access Groups on the main interface instead of the the Sub interfaces!! This is now working. Thanks for your help guys!
0
 
LVL 17

Expert Comment

by:MAG03
ID: 36709698
deny IP denies all traffic there is no need to specifically deny ICMP here.

for starters the ACL should be applied inbound under interface FastEthernet0/0.15, change that and then test and let us know.
0
 
LVL 17

Expert Comment

by:MAG03
ID: 36709703
doh was too slow in putting in my comment.
0
 
LVL 17

Expert Comment

by:rochey2009
ID: 36710770
sorry, my comment was incorrect.
0

Featured Post

Transaction Monitoring Vs. Real User Monitoring

Synthetic Transaction Monitoring Vs. Real User Monitoring: When To Use Each Approach? In this article, we will discuss two major monitoring approaches: Synthetic Transaction and Real User Monitoring.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question