?
Solved

Cisco Access Control List

Posted on 2015-01-20
6
Medium Priority
?
383 Views
Last Modified: 2015-01-23
Hi Experts,

Hope somebody could help out here. I'm banging my head trying to sort a simple issue!

Basically we have multiple VLAN's Setup on out Router:-

interface FastEthernet0/1.101
 desc ** Management LAN **
 encapsulation dot1Q 101 native
 ip address 10.1.1.1 255.255.255.0
 ip helper-address 10.1.1.101
 ip helper-address 10.1.1.102
 ip virtual-reassembly in
!
interface FastEthernet0/1.102
 desc **  Voice LAN **
 encapsulation dot1Q 102
 ip address 10.1.2.1 255.255.255.0
 ip helper-address 10.1.2.20
 ip helper-address 10.1.2.21
 ip virtual-reassembly in
 service-policy input DROP_TRAFFIC
 service-policy output DROP_TRAFFIC
!
interface FastEthernet0/1.103
 desc ** CCTV and T&A LAN **
 encapsulation dot1Q 103
 ip address 10.1.3.1 255.255.255.0
 ip virtual-reassembly in
 service-policy input DROP_TRAFFIC
 service-policy output DROP_TRAFFIC
!
interface FastEthernet0/1.104
 desc ** Wireless LAN **
 encapsulation dot1Q 104
 ip address 10.1.4.1 255.255.255.0
 ip helper-address 10.1.1.101
 ip helper-address 10.1.1.102
 ip virtual-reassembly in
 service-policy input DROP_TRAFFIC
 service-policy output DROP_TRAFFIC
!
interface FastEthernet0/1.110
 desc ** Clients LAN **
 encapsulation dot1Q 110
 ip address 10.1.110.1 255.255.255.0
 ip helper-address 10.1.1.101
 ip helper-address 10.1.1.102
 ip virtual-reassembly in
 service-policy input DROP_TRAFFIC
 service-policy output DROP_TRAFFIC

interface FastEthernet0/1.190
 desc ** Internet Only LAN **
 encapsulation dot1Q 190
 ip address 10.1.190.1 255.255.255.0
 ip virtual-reassembly in

interface FastEthernet0/1.191
 desc ** Internet Only LAN **
 encapsulation dot1Q 191
 ip address 10.1.191.1 255.255.255.0
 ip virtual-reassembly in

I have setup a DHCP Scope on the Router to serve the Internet Only LAN - 10.1.191.0

What I would like to do is add a ACL which blocks 10.1.191.0 from accessing any of the other VLAN's, but allow traffic out of our Internet Router on 10.1.1.4.

Could anybody possibly Help or point me in the right direction?

Cheers
TME
0
Comment
Question by:TrustGroup-UAE
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 6

Assisted Solution

by:Matt
Matt earned 400 total points
ID: 40559849
What VLAN's do you have defined on your internal network?

In general for ACL:

deny specific subnets
permit ip any any
0
 

Assisted Solution

by:Jagrenet
Jagrenet earned 400 total points
ID: 40560512
Another potential option is to use "route-map" or "Policy Based Routing" in order to leverage ACL's and to control the behavior of the traffic.
0
 
LVL 50

Assisted Solution

by:Don Johnston
Don Johnston earned 400 total points
ID: 40561073
This oughta do it:

access-list 101 deny ip any 10.1.1.0 0.0.0.255
access-list 101 deny ip any 10.1.2.0 0.0.1.255
access-list 101 deny ip any 10.1.4.0 0.0.0.255
access-list 101 deny ip any 10.1.110.0 0.0.0.255
access-list 101 deny ip any 10.1.190.0 0.0.0.255
access-list 101 permit ip any any
int f0/1.191
 ip access-group 101 in

Open in new window

0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 5

Accepted Solution

by:
Joey Yung earned 400 total points
ID: 40561167
As this VLAN is for internet access only, I would prefer to block all private address subnet to instead, as you no need to update the ACL when you have additional internal subnet in future.

access-list 100 deny ip any 10.0.0.0 0.255.255.255 log
access-list 100 deny ip any 172.16.0.0 0.15.255.255 log
access-list 100 deny ip any 192.168.0.0 0.0.255.255 any log
access-list 100 permit ip any any
int f0/1.191
 ip access-group 101 in
0
 
LVL 30

Assisted Solution

by:Predrag
Predrag earned 400 total points
ID: 40561784
access-list 100 deny ip any 10.0.0.0 0.255.255.255 log
access-list 100 deny ip any 172.16.0.0 0.15.255.255 log
access-list 100 deny ip any 192.168.0.0 0.0.255.255 any log
access-list 100 permit ip any any
int f0/1.191
 ip access-group 101 in
with this nothing is blocked - ACL is 100 and ACL applied  to interface is 101
(those 2 need to match)
:)
0
 
LVL 5

Expert Comment

by:Joey Yung
ID: 40562084
haha mistake
0

Featured Post

Limited time offer using promo code EXPERTS30

Designed with a wealth of functionality and convenience, ATEN's new Thunderbolt™ 2 Sharing Switch takes your Thunderbolt setup to the next level. Now through September 15, 2017, Experts Exchange members get 30% off the US7220 on the ATEN USA eShop using promo code EXPERTS30.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hello , This is a short article on how would you go about enabling traceoptions on a Juniper router . Traceoptions are similar to Cisco debug commands but these traceoptions are implemented in Juniper networks router . The following demonstr…
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question