Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Cisco Access Control List

Posted on 2015-01-20
6
Medium Priority
?
398 Views
Last Modified: 2015-01-23
Hi Experts,

Hope somebody could help out here. I'm banging my head trying to sort a simple issue!

Basically we have multiple VLAN's Setup on out Router:-

interface FastEthernet0/1.101
 desc ** Management LAN **
 encapsulation dot1Q 101 native
 ip address 10.1.1.1 255.255.255.0
 ip helper-address 10.1.1.101
 ip helper-address 10.1.1.102
 ip virtual-reassembly in
!
interface FastEthernet0/1.102
 desc **  Voice LAN **
 encapsulation dot1Q 102
 ip address 10.1.2.1 255.255.255.0
 ip helper-address 10.1.2.20
 ip helper-address 10.1.2.21
 ip virtual-reassembly in
 service-policy input DROP_TRAFFIC
 service-policy output DROP_TRAFFIC
!
interface FastEthernet0/1.103
 desc ** CCTV and T&A LAN **
 encapsulation dot1Q 103
 ip address 10.1.3.1 255.255.255.0
 ip virtual-reassembly in
 service-policy input DROP_TRAFFIC
 service-policy output DROP_TRAFFIC
!
interface FastEthernet0/1.104
 desc ** Wireless LAN **
 encapsulation dot1Q 104
 ip address 10.1.4.1 255.255.255.0
 ip helper-address 10.1.1.101
 ip helper-address 10.1.1.102
 ip virtual-reassembly in
 service-policy input DROP_TRAFFIC
 service-policy output DROP_TRAFFIC
!
interface FastEthernet0/1.110
 desc ** Clients LAN **
 encapsulation dot1Q 110
 ip address 10.1.110.1 255.255.255.0
 ip helper-address 10.1.1.101
 ip helper-address 10.1.1.102
 ip virtual-reassembly in
 service-policy input DROP_TRAFFIC
 service-policy output DROP_TRAFFIC

interface FastEthernet0/1.190
 desc ** Internet Only LAN **
 encapsulation dot1Q 190
 ip address 10.1.190.1 255.255.255.0
 ip virtual-reassembly in

interface FastEthernet0/1.191
 desc ** Internet Only LAN **
 encapsulation dot1Q 191
 ip address 10.1.191.1 255.255.255.0
 ip virtual-reassembly in

I have setup a DHCP Scope on the Router to serve the Internet Only LAN - 10.1.191.0

What I would like to do is add a ACL which blocks 10.1.191.0 from accessing any of the other VLAN's, but allow traffic out of our Internet Router on 10.1.1.4.

Could anybody possibly Help or point me in the right direction?

Cheers
TME
0
Comment
Question by:TrustGroup-UAE
6 Comments
 
LVL 6

Assisted Solution

by:Matt
Matt earned 400 total points
ID: 40559849
What VLAN's do you have defined on your internal network?

In general for ACL:

deny specific subnets
permit ip any any
0
 

Assisted Solution

by:Jagrenet
Jagrenet earned 400 total points
ID: 40560512
Another potential option is to use "route-map" or "Policy Based Routing" in order to leverage ACL's and to control the behavior of the traffic.
0
 
LVL 50

Assisted Solution

by:Don Johnston
Don Johnston earned 400 total points
ID: 40561073
This oughta do it:

access-list 101 deny ip any 10.1.1.0 0.0.0.255
access-list 101 deny ip any 10.1.2.0 0.0.1.255
access-list 101 deny ip any 10.1.4.0 0.0.0.255
access-list 101 deny ip any 10.1.110.0 0.0.0.255
access-list 101 deny ip any 10.1.190.0 0.0.0.255
access-list 101 permit ip any any
int f0/1.191
 ip access-group 101 in

Open in new window

0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
LVL 5

Accepted Solution

by:
Joey Yung earned 400 total points
ID: 40561167
As this VLAN is for internet access only, I would prefer to block all private address subnet to instead, as you no need to update the ACL when you have additional internal subnet in future.

access-list 100 deny ip any 10.0.0.0 0.255.255.255 log
access-list 100 deny ip any 172.16.0.0 0.15.255.255 log
access-list 100 deny ip any 192.168.0.0 0.0.255.255 any log
access-list 100 permit ip any any
int f0/1.191
 ip access-group 101 in
0
 
LVL 32

Assisted Solution

by:Predrag
Predrag earned 400 total points
ID: 40561784
access-list 100 deny ip any 10.0.0.0 0.255.255.255 log
access-list 100 deny ip any 172.16.0.0 0.15.255.255 log
access-list 100 deny ip any 192.168.0.0 0.0.255.255 any log
access-list 100 permit ip any any
int f0/1.191
 ip access-group 101 in
with this nothing is blocked - ACL is 100 and ACL applied  to interface is 101
(those 2 need to match)
:)
0
 
LVL 5

Expert Comment

by:Joey Yung
ID: 40562084
haha mistake
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hello , This is a short article on how would you go about enabling traceoptions on a Juniper router . Traceoptions are similar to Cisco debug commands but these traceoptions are implemented in Juniper networks router . The following demonstr…
Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

577 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question