Solved

Cisco Vlans

Posted on 2011-09-27
Last Modified: 2012-06-27
Hi there,
I have recently put VLANS into our network. I have setup about 5 different VLANS and since I have added the Router into the network all of the VLANS can talk to each other. But I don't want this to happen.

I have my Server VLAN 5 which is 192.168.5.0
I have my Admin Vlan 20 which is 192.168.20.0
I have my Guest Vlan 15 which is 192.168.15.0

I would like my Admin to talk to the Server Vlan but I do not wish for the Guest Vlan to talk to the Servers. Could anyone tell me what commands I need to use to be able to stop this from happening?

Thanks for your help
Question by:dan4132
 
LVL 17

Accepted Solution

by:
Garry-G earned 250 total points
ID: 36708703
Two possible solutions - one is configuring ACLs on the different VLANs, the other is using VRFs to segregate the VLANs from each other ... first one is easier to configure I reckon, second more elegant and safer ...

For ACLs, add something like:

ip access-list extended GUEST_IN
  deny ip 192.168.15.0 0.0.0.255 192.168.5.0 0.0.0.255
  [add additional ranges you don't want to permit access to]
  permit ip 192.168.15.0 0.0.0.255 any

int vlan 15
  ip access-group GUEST_IN in

 
LVL 3

Author Comment

by:dan4132
ID: 36708885
Hi Garry,
I thought ACLs might be the way to go.
I typed in all of the code you gave me but I can still ping the Servers from the Guest Machine.
Any ideas?

My IP Address is 192.168.15.0/24

I typed in exactly as you have above, and when I type in the command show access-list it's all there.

Thanks
 
LVL 17

Assisted Solution

by:rochey2009
rochey2009 earned 250 total points
ID: 36709485
Hi,

You also need to deny ICMP.

ip access-list extended GUEST_IN
  deny ip 192.168.15.0 0.0.0.255 192.168.5.0 0.0.0.255
  deny icmp 192.168.15.0 0.0.0.255 192.168.5.0 0.0.0.255
  [add additional ranges you don't want to permit access to]
  permit ip 192.168.15.0 0.0.0.255 any

 
LVL 3

Author Comment

by:dan4132
ID: 36709588
Hiya,
I tried the Deny ICMP and I can still ping from the Guest to the clients. I have copied the router config below. I have done it to .20.0 rather than .5.0

Router#show running-config
Building configuration...

Current configuration : 1531 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
enable secret 5 $1$mERr$enozEsWcnsc1Y5..Q4jiD/
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 ip access-group GUEST_IN in
 duplex auto
 speed auto
!
interface FastEthernet0/0.5
 encapsulation dot1Q 5
 ip address 192.168.5.1 255.255.255.0
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 192.168.5.3
!
interface FastEthernet0/0.15
 encapsulation dot1Q 15
 ip address 192.168.15.1 255.255.255.0
 ip helper-address 192.168.5.3
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip helper-address 192.168.5.3
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface FastEthernet0/1/0
 switchport mode access
 shutdown
!
interface FastEthernet0/1/1
 switchport mode access
 shutdown
!
interface FastEthernet0/1/2
 switchport mode access
 shutdown
!
interface FastEthernet0/1/3
 switchport mode access
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
router rip
!
ip classless
!
!
ip access-list extended GUEST_IN
 deny ip 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny icmp 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.15.0 0.0.0.255 any
!
no cdp run
!
!
!
!
!
line con 0
 password ***
 login
line vty 0 4
 password ***
 login
line vty 5 15
 password ***
 login
!
!
!
end

 
LVL 17

Expert Comment

by:Garry-G
ID: 36709652
Do you see any counters at the end of the lines when you do the "show ip access-list"? What happens if you remove the last "permit" line (just out of curiosity - it should essentially block any incoming traffic on that VLAN interface)?
 
LVL 3

Author Closing Comment

by:dan4132
ID: 36709689
Whoops.. I have just realised what I was doing wrong.. I was putting the Access Groups on the main interface instead of the Sub interfaces!! This is now working. Thanks for your help guys!
 
LVL 17

Expert Comment

by:MAG03
ID: 36709698
deny ip denies all traffic; there is no need to specifically deny ICMP here.

For starters, the ACL should be applied inbound under interface FastEthernet0/0.15; change that, then test and let us know.
 
LVL 17

Expert Comment

by:MAG03
ID: 36709703
Doh, was too slow in putting in my comment.
 
LVL 17

Expert Comment

by:rochey2009
ID: 36710770
Sorry, my comment was incorrect.
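As an added example (not a configuration posted in the thread), this is the corrected layout the closing comment and MAG03's reply describe: the ACL taken off the physical interface and applied inbound on the guest sub-interface, with a single deny ip per protected VLAN and the DHCP permit that the posted ip helper-address setup needs. It assumes the addressing and interface names from the posted running-config.

```cisco
! Added example, not from the thread. Assumes the addressing in the question:
! VLAN 5 = servers (192.168.5.0/24), VLAN 15 = guest, VLAN 20 = admin.
!
ip access-list extended GUEST_IN
 ! DHCP discovers arrive with source 0.0.0.0, so they would fall through to
 ! the implicit deny at the end of the list; the helper on the guest
 ! sub-interface relays them to 192.168.5.3, which the deny ip below covers.
 ! Permitting bootpc -> bootps first keeps guest DHCP (and renewals) working.
 permit udp any eq bootpc any eq bootps
 ! "deny ip" already matches ICMP, TCP and UDP; no separate icmp entry needed.
 deny ip 192.168.15.0 0.0.0.255 192.168.5.0 0.0.0.255
 deny ip 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.15.0 0.0.0.255 any
!
! The physical interface has no IP address, so an access-group applied here
! never sees the routed inter-VLAN traffic. Remove it from FastEthernet0/0
! and apply it on the dot1Q sub-interface for the guest VLAN instead.
interface FastEthernet0/0
 no ip address
 no ip access-group GUEST_IN in
!
interface FastEthernet0/0.15
 encapsulation dot1Q 15
 ip address 192.168.15.1 255.255.255.0
 ip helper-address 192.168.5.3
 ip access-group GUEST_IN in
!
! FastEthernet0/0.20 (admin) is left unfiltered so it can still reach VLAN 5.
```

After a guest host pings a server, `show ip access-lists GUEST_IN` should show the match counter on the first deny ip line increasing, which is the check Garry-G's comment asks for.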
