Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Cisco Access Control List

Posted on 2015-01-20
6
Medium Priority
?
389 Views
Last Modified: 2015-01-23
Hi Experts,

Hope somebody could help out here. I'm banging my head trying to sort a simple issue!

Basically we have multiple VLAN's Setup on out Router:-

interface FastEthernet0/1.101
 desc ** Management LAN **
 encapsulation dot1Q 101 native
 ip address 10.1.1.1 255.255.255.0
 ip helper-address 10.1.1.101
 ip helper-address 10.1.1.102
 ip virtual-reassembly in
!
interface FastEthernet0/1.102
 desc **  Voice LAN **
 encapsulation dot1Q 102
 ip address 10.1.2.1 255.255.255.0
 ip helper-address 10.1.2.20
 ip helper-address 10.1.2.21
 ip virtual-reassembly in
 service-policy input DROP_TRAFFIC
 service-policy output DROP_TRAFFIC
!
interface FastEthernet0/1.103
 desc ** CCTV and T&A LAN **
 encapsulation dot1Q 103
 ip address 10.1.3.1 255.255.255.0
 ip virtual-reassembly in
 service-policy input DROP_TRAFFIC
 service-policy output DROP_TRAFFIC
!
interface FastEthernet0/1.104
 desc ** Wireless LAN **
 encapsulation dot1Q 104
 ip address 10.1.4.1 255.255.255.0
 ip helper-address 10.1.1.101
 ip helper-address 10.1.1.102
 ip virtual-reassembly in
 service-policy input DROP_TRAFFIC
 service-policy output DROP_TRAFFIC
!
interface FastEthernet0/1.110
 desc ** Clients LAN **
 encapsulation dot1Q 110
 ip address 10.1.110.1 255.255.255.0
 ip helper-address 10.1.1.101
 ip helper-address 10.1.1.102
 ip virtual-reassembly in
 service-policy input DROP_TRAFFIC
 service-policy output DROP_TRAFFIC

interface FastEthernet0/1.190
 desc ** Internet Only LAN **
 encapsulation dot1Q 190
 ip address 10.1.190.1 255.255.255.0
 ip virtual-reassembly in

interface FastEthernet0/1.191
 desc ** Internet Only LAN **
 encapsulation dot1Q 191
 ip address 10.1.191.1 255.255.255.0
 ip virtual-reassembly in

I have setup a DHCP Scope on the Router to serve the Internet Only LAN - 10.1.191.0

What I would like to do is add a ACL which blocks 10.1.191.0 from accessing any of the other VLAN's, but allow traffic out of our Internet Router on 10.1.1.4.

Could anybody possibly Help or point me in the right direction?

Cheers
TME
0
Comment
Question by:TrustGroup-UAE
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 6

Assisted Solution

by:Matt
Matt earned 400 total points
ID: 40559849
What VLAN's do you have defined on your internal network?

In general for ACL:

deny specific subnets
permit ip any any
0
 

Assisted Solution

by:Jagrenet
Jagrenet earned 400 total points
ID: 40560512
Another potential option is to use "route-map" or "Policy Based Routing" in order to leverage ACL's and to control the behavior of the traffic.
0
 
LVL 50

Assisted Solution

by:Don Johnston
Don Johnston earned 400 total points
ID: 40561073
This oughta do it:

access-list 101 deny ip any 10.1.1.0 0.0.0.255
access-list 101 deny ip any 10.1.2.0 0.0.1.255
access-list 101 deny ip any 10.1.4.0 0.0.0.255
access-list 101 deny ip any 10.1.110.0 0.0.0.255
access-list 101 deny ip any 10.1.190.0 0.0.0.255
access-list 101 permit ip any any
int f0/1.191
 ip access-group 101 in

Open in new window

0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 5

Accepted Solution

by:
Joey Yung earned 400 total points
ID: 40561167
As this VLAN is for internet access only, I would prefer to block all private address subnet to instead, as you no need to update the ACL when you have additional internal subnet in future.

access-list 100 deny ip any 10.0.0.0 0.255.255.255 log
access-list 100 deny ip any 172.16.0.0 0.15.255.255 log
access-list 100 deny ip any 192.168.0.0 0.0.255.255 any log
access-list 100 permit ip any any
int f0/1.191
 ip access-group 101 in
0
 
LVL 31

Assisted Solution

by:Predrag
Predrag earned 400 total points
ID: 40561784
access-list 100 deny ip any 10.0.0.0 0.255.255.255 log
access-list 100 deny ip any 172.16.0.0 0.15.255.255 log
access-list 100 deny ip any 192.168.0.0 0.0.255.255 any log
access-list 100 permit ip any any
int f0/1.191
 ip access-group 101 in
with this nothing is blocked - ACL is 100 and ACL applied  to interface is 101
(those 2 need to match)
:)
0
 
LVL 5

Expert Comment

by:Joey Yung
ID: 40562084
haha mistake
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I eventually solved a perplexing problem setting up telnet for a new switch.  I installed a new Cisco WS-03560X-24P switch connected to an existing Cisco 4506 running a WS-X4013-10GE Sup II-Plus. After configuring vlans and trunking,  I could no…
In the world of WAN, QoS is a pretty important topic for most, if not all, networks. Some WAN technologies have QoS mechanisms built in, but others, such as some L2 WAN's, don't have QoS control in the provider cloud.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question