Solved

Cisco Access Control List

Posted on 2015-01-20
Last Modified: 2015-01-23
Hi Experts,

Hope somebody could help out here. I'm banging my head trying to sort a simple issue!

Basically we have multiple VLANs set up on our Router:-

interface FastEthernet0/1.101
 desc ** Management LAN **
 encapsulation dot1Q 101 native
 ip address 10.1.1.1 255.255.255.0
 ip helper-address 10.1.1.101
 ip helper-address 10.1.1.102
 ip virtual-reassembly in
!
interface FastEthernet0/1.102
 desc **  Voice LAN **
 encapsulation dot1Q 102
 ip address 10.1.2.1 255.255.255.0
 ip helper-address 10.1.2.20
 ip helper-address 10.1.2.21
 ip virtual-reassembly in
 service-policy input DROP_TRAFFIC
 service-policy output DROP_TRAFFIC
!
interface FastEthernet0/1.103
 desc ** CCTV and T&A LAN **
 encapsulation dot1Q 103
 ip address 10.1.3.1 255.255.255.0
 ip virtual-reassembly in
 service-policy input DROP_TRAFFIC
 service-policy output DROP_TRAFFIC
!
interface FastEthernet0/1.104
 desc ** Wireless LAN **
 encapsulation dot1Q 104
 ip address 10.1.4.1 255.255.255.0
 ip helper-address 10.1.1.101
 ip helper-address 10.1.1.102
 ip virtual-reassembly in
 service-policy input DROP_TRAFFIC
 service-policy output DROP_TRAFFIC
!
interface FastEthernet0/1.110
 desc ** Clients LAN **
 encapsulation dot1Q 110
 ip address 10.1.110.1 255.255.255.0
 ip helper-address 10.1.1.101
 ip helper-address 10.1.1.102
 ip virtual-reassembly in
 service-policy input DROP_TRAFFIC
 service-policy output DROP_TRAFFIC
!
interface FastEthernet0/1.190
 desc ** Internet Only LAN **
 encapsulation dot1Q 190
 ip address 10.1.190.1 255.255.255.0
 ip virtual-reassembly in
!
interface FastEthernet0/1.191
 desc ** Internet Only LAN **
 encapsulation dot1Q 191
 ip address 10.1.191.1 255.255.255.0
 ip virtual-reassembly in

I have set up a DHCP Scope on the Router to serve the Internet Only LAN - 10.1.191.0

What I would like to do is add an ACL which blocks 10.1.191.0 from accessing any of the other VLANs, but allow traffic out of our Internet Router on 10.1.1.4.

Could anybody possibly Help or point me in the right direction?

Cheers
TME
Question by:TrustGroup-UAE
6 Comments
 
LVL 6

Assisted Solution

by:Matt
Matt earned 100 total points
ID: 40559849
What VLANs do you have defined on your internal network?

In general for ACL:

deny specific subnets
permit ip any any
 

Assisted Solution

by:Jagrenet
Jagrenet earned 100 total points
ID: 40560512
Another potential option is to use "route-map" or "Policy Based Routing" in order to leverage ACLs and to control the behavior of the traffic.
 
LVL 50

Assisted Solution

by:Don Johnston
Don Johnston earned 100 total points
ID: 40561073
This oughta do it:

access-list 101 deny ip any 10.1.1.0 0.0.0.255
access-list 101 deny ip any 10.1.2.0 0.0.1.255
access-list 101 deny ip any 10.1.4.0 0.0.0.255
access-list 101 deny ip any 10.1.110.0 0.0.0.255
access-list 101 deny ip any 10.1.190.0 0.0.0.255
access-list 101 permit ip any any
int f0/1.191
 ip access-group 101 in

 
LVL 5

Accepted Solution

by:Joey Yung
Joey Yung earned 100 total points
ID: 40561167
As this VLAN is for internet access only, I would prefer to block all private address subnets instead, as you would not need to update the ACL when you add additional internal subnets in future.

access-list 100 deny ip any 10.0.0.0 0.255.255.255 log
access-list 100 deny ip any 172.16.0.0 0.15.255.255 log
access-list 100 deny ip any 192.168.0.0 0.0.255.255 log
access-list 100 permit ip any any
int f0/1.191
 ip access-group 101 in
 
LVL 30

Assisted Solution

by:Predrag
Predrag earned 100 total points
ID: 40561784
access-list 100 deny ip any 10.0.0.0 0.255.255.255 log
access-list 100 deny ip any 172.16.0.0 0.15.255.255 log
access-list 100 deny ip any 192.168.0.0 0.0.255.255 log
access-list 100 permit ip any any
int f0/1.191
 ip access-group 101 in
With this nothing is blocked - the ACL is 100 and the ACL applied to the interface is 101
(those 2 need to match)
:)
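An added example (my own, not code from the thread or from Cisco): a small Python model of IOS wildcard-mask ACL matching that runs the accepted answer's RFC 1918 list against constructed packets entering f0/1.191, and shows why the 100-vs-101 mismatch Predrag points out leaves everything permitted; the 0.0.1.255 summary wildcard from Don Johnston's answer is exercised in the same model. The host 10.1.191.50 and the destination 203.0.113.5 are constructed values; that an applied-but-undefined ACL permits all traffic is documented IOS behaviour.

```python
import ipaddress

# Constructed model of IOS numbered-ACL matching (example code, not Cisco's);
# a wildcard mask is an inverted netmask, so a 1 bit means "don't care".
def wildcard_match(addr, base, wildcard):
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))  # bits that must match
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care
def _take_addr(tokens):
    """Consume one IOS address spec: 'any' or 'A WILDCARD'; return (spec, remaining tokens)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]
def parse_acl(config):
    """Return {acl_number: [(action, (src, src_wc), (dst, dst_wc)), ...]} in config order."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            continue                    # only 'access-list N deny|permit ip ...' lines
        src, rest = _take_addr(t[4:])
        dst, _ = _take_addr(rest)       # a trailing 'log' keyword does not affect matching
        acls.setdefault(int(t[1]), []).append((t[2], src, dst))
    return acls
def evaluate(acls, acl_number, src, dst):
    """First matching entry wins and a defined ACL ends in an implicit deny; an ACL number
    that is applied but never defined permits everything (the 100-vs-101 mix-up in the thread)."""
    entries = acls.get(acl_number)
    if entries is None:
        return "permit"
    for action, (sa, sw), (da, dw) in entries:
        if wildcard_match(src, sa, sw) and wildcard_match(dst, da, dw):
            return action
    return "deny"

# The accepted answer's RFC 1918 ACL (with the stray 'any' removed), as constructed input.
RFC1918_ACL = """\
access-list 100 deny ip any 10.0.0.0 0.255.255.255 log
access-list 100 deny ip any 172.16.0.0 0.15.255.255 log
access-list 100 deny ip any 192.168.0.0 0.0.255.255 log
access-list 100 permit ip any any
"""
def check_internet_only_vlan(applied_acl):
    """Verdicts for packets entering f0/1.191 from a constructed host 10.1.191.50. Internet-bound
    packets are still forwarded via next hop 10.1.1.4; only packets addressed to 10.1.1.4 itself
    (or to the gateway 10.1.191.1) match the 10/8 deny."""
    acls = parse_acl(RFC1918_ACL)
    return {
        "to_mgmt_lan": evaluate(acls, applied_acl, "10.1.191.50", "10.1.1.10"),
        "to_internet": evaluate(acls, applied_acl, "10.1.191.50", "203.0.113.5"),
        "to_internet_router": evaluate(acls, applied_acl, "10.1.191.50", "10.1.1.4"),
    }
```

Calling check_internet_only_vlan(100) gives deny/permit/deny for the three packets, while check_internet_only_vlan(101) returns permit for all three because no ACL 101 exists.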
 
LVL 5

Expert Comment

by:Joey Yung
ID: 40562084
haha mistake
