Solved

Cisco Vlans

Posted on 2011-09-27
358 Views
Last Modified: 2012-06-27
Hi there,
I have recently put VLANs into our network. I have set up about 5 different VLANs, and since I added the router to the network all of the VLANs can talk to each other. But I don't want this to happen.

I have my Server VLAN 5, which is 192.168.5.0
I have my Admin VLAN 20, which is 192.168.20.0
I have my Guest VLAN 15, which is 192.168.15.0

I would like my Admin VLAN to talk to the Server VLAN, but I do not wish for the Guest VLAN to talk to the servers. Could anyone tell me what commands I need to use to stop this from happening?

Thanks for your help
Question by:dan4132
9 Comments
 
LVL 17

Accepted Solution

by:
Garry-G earned 250 total points
ID: 36708703
Two possible solutions - one is configuring ACLs on the different VLANs, the other is using VRFs to segregate the VLANs from each other ... first one is easier to configure I reckon, second more elegant and safer ...

For ACLs, add something like:

ip access-list extended GUEST_IN
  deny ip 192.168.15.0 0.0.0.255 192.168.5.0 0.0.0.255
  [add additional ranges you don't want to permit access to]
  permit ip 192.168.15.0 0.0.0.255 any

int vlan 15
  ip access-group GUEST_IN in


0
 
LVL 3

Author Comment

by:dan4132
ID: 36708885
Hi Garry,
I thought ACLs might be the way to go.
I typed in all of the code you gave me, but I can still ping the servers from the guest machine.
Any ideas?

My IP Address is 192.168.15.0/24

I typed it in exactly as you have above, and when I type in the command "show access-list" it's all there.

Thanks
0
 
LVL 17

Assisted Solution

by:rochey2009
rochey2009 earned 250 total points
ID: 36709485
Hi,

You also need to deny ICMP.

ip access-list extended GUEST_IN
  deny ip 192.168.15.0 0.0.0.255 192.168.5.0 0.0.0.255
  deny icmp 192.168.15.0 0.0.0.255 192.168.5.0 0.0.0.255
  [add additional ranges you don't want to permit access to]
  permit ip 192.168.15.0 0.0.0.255 any

0
 
LVL 3

Author Comment

by:dan4132
ID: 36709588
Hiya,
I tried the deny ICMP and I can still ping from the Guest VLAN to the clients. I have copied the router config below. I have done it to .20.0 rather than .5.0.

Router#show running-config
Building configuration...

Current configuration : 1531 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
enable secret 5 $1$mERr$enozEsWcnsc1Y5..Q4jiD/
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 ip access-group GUEST_IN in
 duplex auto
 speed auto
!
interface FastEthernet0/0.5
 encapsulation dot1Q 5
 ip address 192.168.5.1 255.255.255.0
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 192.168.5.3
!
interface FastEthernet0/0.15
 encapsulation dot1Q 15
 ip address 192.168.15.1 255.255.255.0
 ip helper-address 192.168.5.3
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip helper-address 192.168.5.3
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface FastEthernet0/1/0
 switchport mode access
 shutdown
!
interface FastEthernet0/1/1
 switchport mode access
 shutdown
!
interface FastEthernet0/1/2
 switchport mode access
 shutdown
!
interface FastEthernet0/1/3
 switchport mode access
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
router rip
!
ip classless
!
!
ip access-list extended GUEST_IN
 deny ip 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny icmp 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.15.0 0.0.0.255 any
!
no cdp run
!
!
!
!
!
line con 0
 password ***
 login
line vty 0 4
 password ***
 login
line vty 5 15
 password ***
 login
!
!
!
end
0
 
LVL 17

Expert Comment

by:Garry-G
ID: 36709652
Do you see any counters at the end of the lines when you do "show ip access-list"? What happens if you remove the last "permit" line? (Just out of curiosity; it should essentially block any incoming traffic on that VLAN interface.)
0
 
LVL 3

Author Closing Comment

by:dan4132
ID: 36709689
Whoops... I have just realised what I was doing wrong. I was putting the access groups on the main interface instead of the sub-interfaces! This is now working. Thanks for your help, guys!
0
 
LVL 17

Expert Comment

by:MAG03
ID: 36709698
"deny ip" denies all IP traffic; there is no need to specifically deny ICMP here.

For starters, the ACL should be applied inbound under interface FastEthernet0/0.15. Change that, then test and let us know.
0
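Added example (not code from the thread): a small Python model of how IOS evaluates an extended ACL, run against the guest-VLAN list discussed above. It shows the three points the answers turn on: first match wins, anything unmatched hits the implicit deny at the end, and "deny ip" already covers ICMP because "ip" matches every protocol. The two "permit udp" lines are an assumption added here, not part of the accepted answer: the posted config relays DHCP from the guest subinterface to 192.168.5.3 (ip helper-address), a DHCPDISCOVER is sourced from 0.0.0.0 and so is not matched by "permit ip 192.168.15.0 0.0.0.255 any", and a lease renewal is unicast to a server inside the denied 192.168.5.0 range, so both need an explicit permit placed before the deny. All sample packets and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed guest-subinterface ACL.  The two "permit udp" lines are an
# assumption (DHCP relay to 192.168.5.3 in the posted config); the rest is the
# deny/permit logic from the thread.  No ICMP line: "deny ip" covers ICMP.
GUEST_IN = """
permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
permit udp 192.168.15.0 0.0.0.255 eq bootpc host 192.168.5.3 eq bootps
deny ip 192.168.15.0 0.0.0.255 192.168.5.0 0.0.0.255
deny ip 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip 192.168.15.0 0.0.0.255 any
"""
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

@dataclass
class Ace:
    action: str
    proto: str
    src: tuple            # (address, wildcard) as 32-bit ints
    sport: Optional[int]  # None = any port
    dst: tuple
    dport: Optional[int]
    hits: int = 0         # the "(N matches)" counter in "show ip access-lists"

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _parse_addr(tok, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tok[i]."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2

def _parse_port(tok, i):
    """Parse an optional 'eq <name|number>' qualifier."""
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i

def parse_acl(text):
    """Build the ordered list of entries from IOS-style ACL lines."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok and tok[0] in ("permit", "deny"):
            src, i = _parse_addr(tok, 2)
            sport, i = _parse_port(tok, i)
            dst, i = _parse_addr(tok, i)
            dport, i = _parse_port(tok, i)
            aces.append(Ace(tok[0], tok[1], src, sport, dst, dport))
    return aces

def _addr_match(rule, ip):
    """Wildcard-mask compare: a set bit in the wildcard means 'don't care'."""
    net, wc = rule
    care = ~wc & 0xFFFFFFFF
    return _ip(ip) & care == net & care

def _ace_match(ace, p):
    if ace.proto != "ip" and ace.proto != p.proto:   # "ip" matches every protocol
        return False
    if not (_addr_match(ace.src, p.src) and _addr_match(ace.dst, p.dst)):
        return False
    if ace.sport is not None and ace.sport != p.sport:
        return False
    return ace.dport is None or ace.dport == p.dport

def evaluate(aces, p):
    """First matching entry decides; anything unmatched hits the implicit deny."""
    for ace in aces:
        if _ace_match(ace, p):
            ace.hits += 1
            return ace.action
    return "deny"

def demo():
    """Constructed sample packets through GUEST_IN; returns (verdicts, entries)."""
    acl = parse_acl(GUEST_IN)
    packets = {
        "guest ping server":     Packet("icmp", "192.168.15.50", "192.168.5.10"),
        "guest ssh to admin":    Packet("tcp", "192.168.15.50", "192.168.20.7", 51000, 22),
        "guest web to internet": Packet("tcp", "192.168.15.50", "203.0.113.9", 51001, 80),
        "guest dhcp discover":   Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67),
        "guest dhcp renew":      Packet("udp", "192.168.15.50", "192.168.5.3", 68, 67),
        "spoofed source":        Packet("tcp", "10.9.9.9", "203.0.113.9", 4000, 80),
    }
    return {n: evaluate(acl, p) for n, p in packets.items()}, acl
```

On the router itself the list goes under the dot1Q subinterface, `interface FastEthernet0/0.15` with `ip access-group GUEST_IN in`, not under the parent FastEthernet0/0, which has no IP address and never sees the tagged traffic; that is exactly what the author found. `show ip access-lists GUEST_IN` then prints the per-entry match counters that the model's `hits` field stands in for, which is the quickest way to tell whether packets are reaching the list at all. The ACL is stateless and inbound only, so it decides what guest hosts may send; it says nothing about sessions the server VLAN opens towards the guests.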
 
LVL 17

Expert Comment

by:MAG03
ID: 36709703
doh was too slow in putting in my comment.
0
 
LVL 17

Expert Comment

by:rochey2009
ID: 36710770
Sorry, my comment was incorrect.
0