Solved

Cisco Vlans

Posted on 2011-09-27
9
Medium Priority
375 Views
Last Modified: 2012-06-27
Hi there,
I have recently put VLANS into our network. I have setup about 5 different VLANS and since I have added the Router into the network all of the VLANS can talk to each other. But I don't want this to happen.

I have my Server VLAN 5 which is 192.168.5.0
I have my Admin Vlan 20 which is 192.168.20.0
I have my Guest Vlan 15 which is 192.168.15.0

I would like my Admin to talk to the Server Vlan but I do not wish for the Guest Vlan to talk to the Servers. Could anyone tell me what commands I need to use to be able to stop this from happening?

Thanks for your help
0
Question by:dan4132
9 Comments
 
LVL 18

Accepted Solution

by:
Garry Glendown earned 1000 total points
ID: 36708703
Two possible solutions - one is configuring ACLs on the different VLANs, the other is using VRFs to segregate the VLANs from each other ... first one is easier to configure I reckon, second more elegant and safer ...

For ACLs, add something like:

ip access-list extended GUEST_IN
  deny ip 192.168.15.0 0.0.0.255 192.168.5.0 0.0.0.255
  [add additional ranges you don't want to permit access to]
  permit ip 192.168.15.0 0.0.0.255 any

int vlan 15
  ip access-group GUEST_IN in

0
 
LVL 3

Author Comment

by:dan4132
ID: 36708885
Hi Garry,
I thought ACLs might be the way to go.
I typed in all of the code you gave me but I can still ping the Servers from the Guest Machine.
Any ideas?

My IP Address is 192.168.15.0/24

I typed in exactly as you have above and when I type in the Command show access list its all there.

Thanks
0
 
LVL 17

Assisted Solution

by:rochey2009
rochey2009 earned 1000 total points
ID: 36709485
Hi,

You also need to deny ICMP.

ip access-list extended GUEST_IN
  deny ip 192.168.15.0 0.0.0.255 192.168.5.0 0.0.0.255
  deny icmp 192.168.15.0 0.0.0.255 192.168.5.0 0.0.0.255
  [add additional ranges you don't want to permit access to]
  permit ip 192.168.15.0 0.0.0.255 any

0
 
LVL 3

Author Comment

by:dan4132
ID: 36709588
Hiya,
I tried the Deny ICMP and I can still ping from the Guest to the clients. I have copied the router config below. I have done it to .20.0 rather than .5.0

Router#show running-config
Building configuration...

Current configuration : 1531 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
enable secret 5 $1$mERr$enozEsWcnsc1Y5..Q4jiD/
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 ip access-group GUEST_IN in
 duplex auto
 speed auto
!
interface FastEthernet0/0.5
 encapsulation dot1Q 5
 ip address 192.168.5.1 255.255.255.0
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 192.168.5.3
!
interface FastEthernet0/0.15
 encapsulation dot1Q 15
 ip address 192.168.15.1 255.255.255.0
 ip helper-address 192.168.5.3
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip helper-address 192.168.5.3
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface FastEthernet0/1/0
 switchport mode access
 shutdown
!
interface FastEthernet0/1/1
 switchport mode access
 shutdown
!
interface FastEthernet0/1/2
 switchport mode access
 shutdown
!
interface FastEthernet0/1/3
 switchport mode access
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
router rip
!
ip classless
!
!
ip access-list extended GUEST_IN
 deny ip 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny icmp 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.15.0 0.0.0.255 any
!
no cdp run
!
!
!
!
!
line con 0
 password ***
 login
line vty 0 4
 password ***
 login
line vty 5 15
 password ***
 login
!
!
!
end
0
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 36709652
Do you see any counters at the end of the lines when you do the "show ip access-list"? What happens if you remove the last "permit" line (just out of curiosity - it should essentially block any incoming traffic on that VLAN interface)
0
 
LVL 3

Author Closing Comment

by:dan4132
ID: 36709689
Whoops.. I have just realised what I was doing wrong.. I was putting the Access Groups on the main interface instead of the Sub interfaces!! This is now working. Thanks for your help guys!
0
 
LVL 17

Expert Comment

by:MAG03
ID: 36709698
deny ip denies all traffic; there is no need to specifically deny ICMP here.

For starters, the ACL should be applied inbound under interface FastEthernet0/0.15. Change that, then test and let us know.
0
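Added example (not code from the thread or from Cisco): a small Python model of the two points the answers make. It parses the GUEST_IN entries above into an IOS-style extended ACL with wildcard-mask matching, first-match semantics and the implicit trailing deny, which shows why a `deny ip` entry already covers ICMP. It then models a router whose inbound ACL is consulted on the L3 interface a tagged frame lands on, reproducing the symptom in the thread: with the ACL on the parent FastEthernet0/0 the VLAN 15 traffic is never filtered, with it on FastEthernet0/0.15 it is. The router dictionaries, the host addresses and the ingress model are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: the GUEST_IN ACL from the thread, in IOS syntax.
GUEST_IN_TEXT = """
ip access-list extended GUEST_IN
 deny ip 192.168.15.0 0.0.0.255 192.168.5.0 0.0.0.255
 permit ip 192.168.15.0 0.0.0.255 any
"""


@dataclass
class Ace:
    action: str        # "permit" or "deny"
    proto: str         # "ip", "icmp", "tcp", "udp"
    src: tuple         # (network as int, wildcard mask as int)
    dst: tuple


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return (0, 0xFFFFFFFF)
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens.pop(0))), 0)
    addr = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    return (addr, wildcard)


def parse_acl(text):
    """Parse an 'ip access-list extended NAME' block into (name, [Ace])."""
    name, aces = None, []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[:3] == ["ip", "access-list", "extended"]:
            name = tokens[3]
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        aces.append(Ace(action, proto, src, dst))
    return name, aces


def _match(spec, addr):
    """Wildcard match: bits set in the wildcard are 'don't care' bits."""
    net, wildcard = spec
    mask = 0xFFFFFFFF ^ wildcard
    return (int(ipaddress.IPv4Address(addr)) & mask) == (net & mask)


def evaluate(aces, src, dst, proto):
    """First matching entry wins; IOS appends an implicit 'deny ip any any'.
    Returns (action, index) with index None for the implicit deny."""
    for i, ace in enumerate(aces):
        if ace.proto not in ("ip", proto):   # 'ip' entries match every protocol
            continue
        if _match(ace.src, src) and _match(ace.dst, dst):
            return ace.action, i
    return "deny", None


ACL_NAME, GUEST_IN = parse_acl(GUEST_IN_TEXT)

# Constructed router models: dot1Q subinterfaces are the L3 interfaces; the
# parent FastEthernet0/0 has no IP address, exactly as in the posted config.
# Wrong placement (the thread's original config): ACL on the parent.
WRONG_ROUTER = {
    "FastEthernet0/0": {"acl_in": GUEST_IN},
    "FastEthernet0/0.5": {"vlan": 5},
    "FastEthernet0/0.15": {"vlan": 15},
    "FastEthernet0/0.20": {"vlan": 20},
}
# Fixed placement (the closing comment): ACL inbound on the VLAN 15 subinterface.
FIXED_ROUTER = {
    "FastEthernet0/0": {},
    "FastEthernet0/0.5": {"vlan": 5},
    "FastEthernet0/0.15": {"vlan": 15, "acl_in": GUEST_IN},
    "FastEthernet0/0.20": {"vlan": 20},
}


def ingress_decision(router, vlan_tag, src, dst, proto):
    """Model: a tagged frame is handled by the subinterface for its VLAN, and
    only that interface's inbound ACL is consulted (assumed model)."""
    for intf in router.values():
        if intf.get("vlan") == vlan_tag:
            acl = intf.get("acl_in")
            return "permit" if acl is None else evaluate(acl, src, dst, proto)[0]
    return "drop"   # no subinterface for that tag


if __name__ == "__main__":
    print(ACL_NAME, evaluate(GUEST_IN, "192.168.15.10", "192.168.5.3", "icmp"))
    print("wrong:", ingress_decision(WRONG_ROUTER, 15, "192.168.15.10", "192.168.5.3", "icmp"))
    print("fixed:", ingress_decision(FIXED_ROUTER, 15, "192.168.15.10", "192.168.5.3", "icmp"))
```

The parent-interface case returns "permit" not because an entry permitted the packet but because the ACL was never consulted, which is why `show ip access-list` showed no counters incrementing in the thread.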
 
LVL 17

Expert Comment

by:MAG03
ID: 36709703
Doh, was too slow in putting in my comment.
0
 
LVL 17

Expert Comment

by:rochey2009
ID: 36710770
Sorry, my comment was incorrect.
0