Solved

Cisco Vlans

Posted on 2011-09-27
9
365 Views
Last Modified: 2012-06-27
Hi there,
I have recently put VLANS into our network. I have setup about 5 different VLANS and since I have added the Router into the network all of the VLANS can talk to each other. But I don't want this to happen.

I have my Server VLAN 5 which is 192.168.5.0
I have my Admin Vlan 20 which is 192.168.20.0
I have my Guest Vlan 15 which is 192.168.15.0

I would like my Admin to talk to the Server Vlan but I do not wish for the Guest Vlan to talk to the Servers. Could anyone tell me what commands I need to use to be able to stop this from happening?

Thanks for your help
0
Comment
Question by:dan4132
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +1
9 Comments
 
LVL 18

Accepted Solution

by:
Garry Glendown earned 250 total points
ID: 36708703
Two possible solutions - one is configuring ACLs on the different VLANs, the other is using VRFs to segregate the VLANs from each other ... first one is easier to configure I reckon, second more elegant and safer ...

For ACLs, add something like:

ip access-list extended GUEST_IN
  deny ip 192.168.15.0 0.0.0.255 192.168.5.0 0.0.0.255
  [add additional ranges you don't want to permit access to]
  permit ip 192.168.15.0 0.0.0.255 any

int vlan 15
  ip access-group GUEST_IN in

Open in new window

0
 
LVL 3

Author Comment

by:dan4132
ID: 36708885
Hi Garry,
I thought ACL's might be the way to go.
I typed in all of the code you gave me but I can still ping the Servers from the Guest Machine.
Any ideas?

My IP Address is 192.168.15.0/24

I typed in exactly as you have above and when I type in the Command show access list its all there.

Thanks
0
 
LVL 17

Assisted Solution

by:rochey2009
rochey2009 earned 250 total points
ID: 36709485
Hi,

You also need to deny ICMP.

ip access-list extended GUEST_IN
  deny ip 192.168.15.0 0.0.0.255 192.168.5.0 0.0.0.255

  deny icmp 192.168.15.0 0.0.0.255 192.168.5.0 0.0.0.255

  [add additional ranges you don't want to permit access to]

  permit ip 192.168.15.0 0.0.0.255 any

0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 3

Author Comment

by:dan4132
ID: 36709588
Hiya,
I tried the Deny ICMP and I can still ping from the Guest to the clients. I have copied the router config below. I have done it to .20.0 rather than .5.0

Router#show running-config
Building configuration...

Current configuration : 1531 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
enable secret 5 $1$mERr$enozEsWcnsc1Y5..Q4jiD/
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 ip access-group GUEST_IN in
 duplex auto
 speed auto
!
interface FastEthernet0/0.5
 encapsulation dot1Q 5
 ip address 192.168.5.1 255.255.255.0
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 192.168.5.3
!
interface FastEthernet0/0.15
 encapsulation dot1Q 15
 ip address 192.168.15.1 255.255.255.0
 ip helper-address 192.168.5.3
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip helper-address 192.168.5.3
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface FastEthernet0/1/0
 switchport mode access
 shutdown
!
interface FastEthernet0/1/1
 switchport mode access
 shutdown
!
interface FastEthernet0/1/2
 switchport mode access
 shutdown
!
interface FastEthernet0/1/3
 switchport mode access
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
router rip
!
ip classless
!
!
ip access-list extended GUEST_IN
 deny ip 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny icmp 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.15.0 0.0.0.255 any
!
no cdp run
!
!
!
!
!
line con 0
 password ***
 login
line vty 0 4
 password ***
 login
line vty 5 15
 password ***
 login
!
!
!
end
0
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 36709652
Do you see any counters at the end of the lines when you do the "show ip access-list"? What happens if you remove the last "permit" line (just out of curiosity - it should essentially block any incoming traffic on that VLAN interface)
0
 
LVL 3

Author Closing Comment

by:dan4132
ID: 36709689
Whoops.. I have just realised what I was doing wrong.. I was putting the Access Groups on the main interface instead of the the Sub interfaces!! This is now working. Thanks for your help guys!
0
 
LVL 17

Expert Comment

by:MAG03
ID: 36709698
deny IP denies all traffic there is no need to specifically deny ICMP here.

for starters the ACL should be applied inbound under interface FastEthernet0/0.15, change that and then test and let us know.
0
 
LVL 17

Expert Comment

by:MAG03
ID: 36709703
doh was too slow in putting in my comment.
0
 
LVL 17

Expert Comment

by:rochey2009
ID: 36710770
sorry, my comment was incorrect.
0

Featured Post

Portable, direct connect server access

The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have seen some questions on problems with SSH/telnet access to Cisco routers that may occur despite the fact that from a PC connected to your LAN, Internet connectivity is in place and users can access Internet sites without any issues.  There are…
I eventually solved a perplexing problem setting up telnet for a new switch.  I installed a new Cisco WS-03560X-24P switch connected to an existing Cisco 4506 running a WS-X4013-10GE Sup II-Plus. After configuring vlans and trunking,  I could no…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question