BluJ
asked on
Block public wifi subnet/VLAN from private network... Cisco 3750
Hi,
I have a network setup as such
Vlan 80 - Public WiFi // 192.168.15.0/24
Vlan 60 - Company WiFi // 192.168.11.0/24
Vlan 40 - Phones // 192.168.1.0/24
Vlan 30 - Private internal machines // 192.168.10.0/24
Vlan 20 - servers 10.1.2.0/24
Vlan 10 - more servers 10.1.1.0/24
I want to deny the Public WiFi from everything except the DNS server on Vlan 30 and the DHCP server on Vlan 30 and getting out to the internet.
I have written an ACL that I believe accomplishes this:
! Allow access to DHCP
access-list 115 permit udp any eq bootpc any eq bootps
! Allow access to DNS
access-list 115 permit udp any host 192.168.10.237 eq domain
! Allow access to the default gateway
access-list 115 permit ip 192.168.15.0 0.0.0.255 host 192.168.15.254
! Deny all other subnets
access-list 115 deny ip 192.168.15.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 115 deny ip 192.168.15.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 115 deny ip 192.168.15.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 115 deny ip 192.168.15.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 115 deny ip 192.168.15.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 115 deny ip 192.168.15.0 0.0.0.255 10.1.2.0 0.0.0.255
! Permit everything else
access-list 115 permit ip any any
! Apply inbound on the public WiFi SVI
interface vlan 80
 ip access-group 115 in
I believe this accomplishes what I want to do; is this accurate? I have read up on VACLs but I don't feel comfortable with them yet.
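To check an ACL like this without a lab switch, it helps to replay it the way IOS does: top-down, first match wins, implicit deny at the end. The evaluator below is an added example, not part of the question and not a Cisco tool; it understands only the subset of extended-ACL syntax the post uses (any, host, address plus wildcard, and "eq" ports) and runs a set of constructed packets through the posted list. The client and destination addresses (192.168.15.20, 192.168.10.50, 10.1.1.5, 203.0.113.10, 192.168.20.9) are made up for the test.

```python
import ipaddress

# Copy of the ACL from the question, used here only as input to the simulation.
ACL_115 = """
! Allow DHCP, DNS and the gateway, deny the internal subnets, permit the rest
access-list 115 permit udp any eq bootpc any eq bootps
access-list 115 permit udp any host 192.168.10.237 eq domain
access-list 115 permit ip 192.168.15.0 0.0.0.255 host 192.168.15.254
access-list 115 deny ip 192.168.15.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 115 deny ip 192.168.15.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 115 deny ip 192.168.15.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 115 deny ip 192.168.15.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 115 deny ip 192.168.15.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 115 deny ip 192.168.15.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 115 permit ip any any
"""

# Well-known port names used by IOS in the post (subset only).
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens, i):
    """Parse one address spec (any | host A | A WILDCARD) at tokens[i].
    Returns ((network_int, wildcard_int), next_index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2


def _parse_port(tokens, i):
    """Parse an optional 'eq PORT' qualifier. Returns (port_or_None, next_index)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_acl(text):
    """Turn 'access-list N action proto src [eq p] dst [eq p]' lines into rules."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue  # skip '!' comments and blank lines
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        rules.append((action, proto, src, sport, dst, dport))
    return rules


def _addr_match(spec, addr):
    # Cisco wildcard: a 1 bit means "don't care", so compare only the 0 bits.
    net, wc = spec
    return ((addr ^ net) & ~wc & 0xFFFFFFFF) == 0


def evaluate(rules, proto, src, sport, dst, dport):
    """Action of the first matching rule, else 'deny' (implicit deny at end of ACL)."""
    s, d = _ip(src), _ip(dst)
    for action, rproto, rsrc, rsport, rdst, rdport in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if not _addr_match(rsrc, s) or not _addr_match(rdst, d):
            continue
        if rsport is not None and rsport != sport:
            continue
        if rdport is not None and rdport != dport:
            continue
        return action
    return "deny"


def check_public_wifi_policy(rules):
    """Run constructed packets from a public-WiFi client through the ACL."""
    packets = {  # name: (proto, src, sport, dst, dport); all addresses constructed
        "dhcp discover":      ("udp",  "0.0.0.0",       68,    "255.255.255.255", 67),
        "dns udp to server":  ("udp",  "192.168.15.20", 51000, "192.168.10.237",  53),
        "dns tcp to server":  ("tcp",  "192.168.15.20", 51001, "192.168.10.237",  53),
        "ping gateway":       ("icmp", "192.168.15.20", None,  "192.168.15.254",  None),
        "smb to internal pc": ("tcp",  "192.168.15.20", 51002, "192.168.10.50",   445),
        "ssh to server vlan": ("tcp",  "192.168.15.20", 51003, "10.1.1.5",        22),
        "https to internet":  ("tcp",  "192.168.15.20", 51004, "203.0.113.10",    443),
        "unlisted rfc1918":   ("tcp",  "192.168.15.20", 51005, "192.168.20.9",    80),
    }
    return {name: evaluate(rules, *pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, action in check_public_wifi_policy(parse_acl(ACL_115)).items():
        print(f"{name:20s} -> {action}")
```

Three things the replay makes visible. The listed subnets are denied and DNS, DHCP, the gateway and the internet are permitted, so the list does what the question asks. DNS to the server is permitted over UDP only, so a resolver that retries over TCP (truncated responses) will be blocked by the later deny for 192.168.10.0/24. And because the list ends in permit ip any any, any internal range that is not explicitly denied (the constructed 192.168.20.0/24 here) stays reachable from the public WiFi; the deny lines have to be kept in step with every internal subnet, whereas an explicit-permit list with the implicit deny at the end would fail closed.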
ASKER CERTIFIED SOLUTION
VACLs can be confusing, and honestly I don't use them much at all. I have played around with them from time to time, to keep them fresh in mind. However, I mostly just go for the old faithful IP ACL.
ASKER
confirmation on an ACL question.
ASKER
I need/want to get a different DHCP/DNS for this situation; however, I sort of inherited this network and need to accomplish this quickly. I am rusty as hell on ACLs. I had to dig deep to think about everything I needed to allow/deny for this to work. The VACLs are a bit confusing.