Cisco Access Control List

Hi Experts,

Hope somebody could help out here. I'm banging my head trying to sort a simple issue!

Basically we have multiple VLANs set up on our router:

interface FastEthernet0/1.101
 desc ** Management LAN **
 encapsulation dot1Q 101 native
 ip address 10.1.1.1 255.255.255.0
 ip helper-address 10.1.1.101
 ip helper-address 10.1.1.102
 ip virtual-reassembly in
!
interface FastEthernet0/1.102
 desc **  Voice LAN **
 encapsulation dot1Q 102
 ip address 10.1.2.1 255.255.255.0
 ip helper-address 10.1.2.20
 ip helper-address 10.1.2.21
 ip virtual-reassembly in
 service-policy input DROP_TRAFFIC
 service-policy output DROP_TRAFFIC
!
interface FastEthernet0/1.103
 desc ** CCTV and T&A LAN **
 encapsulation dot1Q 103
 ip address 10.1.3.1 255.255.255.0
 ip virtual-reassembly in
 service-policy input DROP_TRAFFIC
 service-policy output DROP_TRAFFIC
!
interface FastEthernet0/1.104
 desc ** Wireless LAN **
 encapsulation dot1Q 104
 ip address 10.1.4.1 255.255.255.0
 ip helper-address 10.1.1.101
 ip helper-address 10.1.1.102
 ip virtual-reassembly in
 service-policy input DROP_TRAFFIC
 service-policy output DROP_TRAFFIC
!
interface FastEthernet0/1.110
 desc ** Clients LAN **
 encapsulation dot1Q 110
 ip address 10.1.110.1 255.255.255.0
 ip helper-address 10.1.1.101
 ip helper-address 10.1.1.102
 ip virtual-reassembly in
 service-policy input DROP_TRAFFIC
 service-policy output DROP_TRAFFIC

interface FastEthernet0/1.190
 desc ** Internet Only LAN **
 encapsulation dot1Q 190
 ip address 10.1.190.1 255.255.255.0
 ip virtual-reassembly in

interface FastEthernet0/1.191
 desc ** Internet Only LAN **
 encapsulation dot1Q 191
 ip address 10.1.191.1 255.255.255.0
 ip virtual-reassembly in

I have set up a DHCP scope on the router to serve the Internet Only LAN, 10.1.191.0.

What I would like to do is add an ACL which blocks 10.1.191.0 from accessing any of the other VLANs, but allow traffic out of our Internet router on 10.1.1.4.

Could anybody possibly help or point me in the right direction?

Cheers
TME
Asked by: TrustGroup-UAE
 
Joey Yung (Senior Network Engineer) commented:
As this VLAN is for internet access only, I would prefer to block all private address subnets instead, as you then don't need to update the ACL when you add internal subnets in future.

access-list 100 deny ip any 10.0.0.0 0.255.255.255 log
access-list 100 deny ip any 172.16.0.0 0.15.255.255 log
access-list 100 deny ip any 192.168.0.0 0.0.255.255 any log
access-list 100 permit ip any any
int f0/1.191
 ip access-group 101 in
 
Matt commented:
What VLANs do you have defined on your internal network?

In general for ACL:

deny specific subnets
permit ip any any
 
Jagrenet commented:
Another potential option is to use a "route-map" or Policy Based Routing in order to leverage ACLs and control the behaviour of the traffic.
 
Don Johnston (Instructor) commented:
This oughta do it:

access-list 101 deny ip any 10.1.1.0 0.0.0.255
access-list 101 deny ip any 10.1.2.0 0.0.1.255
access-list 101 deny ip any 10.1.4.0 0.0.0.255
access-list 101 deny ip any 10.1.110.0 0.0.0.255
access-list 101 deny ip any 10.1.190.0 0.0.0.255
access-list 101 permit ip any any
int f0/1.191
 ip access-group 101 in

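To see what the lists proposed in this thread actually do to packets entering f0/1.191, here is an added example (my own code, not from any poster) that evaluates Cisco wildcard-mask ACL rules against sample flows. ACL_101 is Don Johnston's list as posted; ACL_RFC1918 is a constructed RFC 1918 version of Joey Yung's approach; the source 10.1.191.50 and the destination addresses in the assertions are constructed sample values.

```python
import ipaddress
# Added example, not from the thread: evaluates "access-list N permit|deny ip
# SRC DST [log]" rules with Cisco wildcard masks against sample packets.

def _wild_match(operand, addr):
    # A 1 bit in a wildcard mask means "don't care", so 10.1.2.0 0.0.1.255
    # covers both 10.1.2.0/24 (Voice) and 10.1.3.0/24 (CCTV) in one line.
    if operand == "any":
        return True
    base, wildcard = operand.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def parse_acl(lines):
    """Turn each 'access-list <n> <action> ip <src> <dst> [log]' line into (action, src, dst)."""
    rules = []
    for line in lines:
        tok = line.split()
        if tok[-1] == "log":
            tok = tok[:-1]
        action, ops = tok[2], tok[4:]
        src, ops = ("any", ops[1:]) if ops[0] == "any" else (" ".join(ops[:2]), ops[2:])
        dst = "any" if ops[0] == "any" else " ".join(ops[:2])
        rules.append((action, src, dst))
    return rules

def evaluate(rules, src, dst):
    """First matching rule wins; anything unmatched hits the implicit deny."""
    for action, s, d in rules:
        if _wild_match(s, src) and _wild_match(d, dst):
            return action
    return "deny"

# ACL 101 exactly as Don Johnston posted it (applied inbound on f0/1.191)
ACL_101 = parse_acl([
    "access-list 101 deny ip any 10.1.1.0 0.0.0.255",
    "access-list 101 deny ip any 10.1.2.0 0.0.1.255",
    "access-list 101 deny ip any 10.1.4.0 0.0.0.255",
    "access-list 101 deny ip any 10.1.110.0 0.0.0.255",
    "access-list 101 deny ip any 10.1.190.0 0.0.0.255",
    "access-list 101 permit ip any any",
])
# Constructed RFC 1918 version of Joey Yung's approach, numbered to match 'ip access-group 101 in'
ACL_RFC1918 = parse_acl([
    "access-list 101 deny ip any 10.0.0.0 0.255.255.255 log",
    "access-list 101 deny ip any 172.16.0.0 0.15.255.255 log",
    "access-list 101 deny ip any 192.168.0.0 0.0.255.255 log",
    "access-list 101 permit ip any any",
])
```

Both lists also deny packets addressed to 10.1.1.4 itself; traffic routed toward the Internet carries the public destination address, not the next-hop address, so it is still permitted.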
 
JustInCase commented:
access-list 100 deny ip any 10.0.0.0 0.255.255.255 log
access-list 100 deny ip any 172.16.0.0 0.15.255.255 log
access-list 100 deny ip any 192.168.0.0 0.0.255.255 any log
access-list 100 permit ip any any
int f0/1.191
 ip access-group 101 in
With this nothing is blocked: the ACL is 100 and the ACL applied to the interface is 101
(those two need to match)
:)
 
Joey Yung (Senior Network Engineer) commented:
haha mistake