Need help with Access Lists...

I have 4 VLAN's running router on a stick on my Network...

VLAN 1 network is 10.10.10.0
VLAN 2 network is 10.10.20.0
VLAN 3 network is 10.10.30.0
VLAN 4 network is 10.10.40.0
VLAN 99 network is 10.10.99.0

I want VLAN 1 and 2 to be able to intercommunicate, ping and IP but NOT beable to access in ANY (includes pinging, IP, everything / no access) way VLAN 3, and 99... and shouldn't beable to PING VLAN 4...

VLAN 3, 4, and 99 should beable to all intercommunicate with each other AND should be able to communicate to VLAN's 1 and 2 as well...

Is this possible?

If so how?

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

Chris_

It's all possible with access lists. Why don't you have a go first with the help of some docs and then post your config up if you are having problems. It's always best to give it a go.

CompUBug

Chris_ wrote: »

It's all possible with access lists. Why don't you have a go first with the help of some docs and then post your config up if you are having problems. It's always best to give it a go.

I found some of my problem already, I was applying the access-group to the wrong direction of the interface...

Okay here's whats going on

Router wrote:

interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip address 10.10.10.1 255.255.255.0
ip helper-address 10.10.40.10
!
interface FastEthernet0/0.20
encapsulation dot1Q 20
ip address 10.10.20.1 255.255.255.0
ip helper-address 10.10.40.20
!
interface FastEthernet0/0.30
encapsulation dot1Q 30
ip address 10.10.30.1 255.255.255.0
ip helper-address 10.10.40.30
!
interface FastEthernet0/0.40
encapsulation dot1Q 40
ip address 10.10.40.1 255.255.255.0
!
interface FastEthernet0/0.99
encapsulation dot1Q 99 native
ip address 10.10.99.1 255.255.255.248
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown

And this is the way I configured my Access Lists for VLAN 10

Router Access List Config wrote:

Router(config)#access 110 permit ip 10.10.30.0 0.0.0.255 10.10.10.0 0.0.0.255 <<Allow users from VLAN 30 to access VLAN 10
Router(config)#access 110 deny ip 10.10.10.0 0.0.0.255 10.10.30.0 0.0.0.255 <<Deny users from VLAN 10 to access VLAN 30
Router(config)#access 110 permit ip 10.10.99.0 0.0.0.255 10.10.10.0 0.0.0.255 <<Allow users from VLAN 99 to access VLAN 10
Router(config)#access 110 deny ip 10.10.10.0 0.0.0.255 10.10.99.0 0.0.0.255 <<Deny users from VLAN 10 to access VLAN 99
Router(config)#access 110 permit ip any any <<Allow users from VLAN 10 to access the rest of the VLANs
Router(config)#int fa0/0.10
Router(config-subif)#ip access-group 110 in

The problem with this is...although users from VLAN 10 can't reach VLAN 30 and 99, users from VLAN 30 and 99 ALSO can't reach VLAN 10... is there a way to make a one way channel so to speak?

tomaifauchai

You're mixing up things now, if you apply an access list to the IN direction, you can't block vlan 30 or vlan 99 from entering subinterface 10, because it's considered OUT

You can just control vlan 10 users by applying a IN acl and this is the way to go with extended ones.

This is good

Router(config)#access 110 deny ip 10.10.10.0 0.0.0.255 10.10.30.0 0.0.0.255 <<Deny users from VLAN 10 to access VLAN 30
Router(config)#access 110 deny ip 10.10.10.0 0.0.0.255 10.10.99.0 0.0.0.255 <<Deny users from VLAN 10 to access VLAN 99
Router(config)#access 110 permit ip any any <<Allow users from VLAN 10 to access the rest of the VLANs
Router(config)#int fa0/0.10
Router(config-subif)#ip access-group 110 in

You have to create an ACL 130 and apply it under fa0/0.30 interface IN and an ACL 199 under fa0/0.99 IN

CompUBug

tomaifauchai wrote: »

You're mixing up things now, if you apply an access list to the IN direction, you can't block vlan 30 or vlan 99 from entering subinterface 10, because it's considered OUT

You can just control vlan 10 users by applying a IN acl and this is the way to go with extended ones.

This is good
Router(config)#access 110 deny ip 10.10.10.0 0.0.0.255 10.10.30.0 0.0.0.255 <<Deny users from VLAN 10 to access VLAN 30
Router(config)#access 110 deny ip 10.10.10.0 0.0.0.255 10.10.99.0 0.0.0.255 <<Deny users from VLAN 10 to access VLAN 99
Router(config)#access 110 permit ip any any <<Allow users from VLAN 10 to access the rest of the VLANs
Router(config)#int fa0/0.10
Router(config-subif)#ip access-group 110 in

You have to create an ACL 130 and apply it under fa0/0.30 interface IN and an ACL 199 under fa0/0.99 IN

So ACL 130..
access 130 permit ip 10.10.30.0 0.0.0.255 10.10.10.0 0.0.0.255

and likewise for 199???

Im very confused here.

tomaifauchai

Actually, you don't have to create an ACL only to permit a network, because by default it is permitted !
You just have to create an ACL to deny something, and you add an implicit permit at the end.

(Depend on the case, but this apply to your case)

Chris_

Unless I'm mis-understanding your requirements then something like this should achieve it.

ip access-list extended VLAN10
10 deny ip 10.10.10.0 0.0.0.255 10.10.30.0 0.0.0.255
20 deny ip 10.10.10.0 0.0.0.255 10.10.99.0 0.0.0.255
30 deny icmp 10.10.20.0 0.0.0.255 10.1.40.0 0.0.0.255 echo
40 permit ip any any
<<<<applied INbound to the fa0/0.10 interface>>>>>>>>>>>

ip access-list extended VLAN20
10 deny ip 10.10.20.0 0.0.0.255 10.10.30.0 0.0.0.255
20 deny ip 10.10.20.0 0.0.0.255 10.10.99.0 0.0.0.255
30 deny icmp 10.10.20.0 0.0.0.255 10.10.40.0 0.0.0.255 echo
40 permit ip any any
<<<<applied INbound to the fa0/0.20 interface>>>>>>>>>>>

Chris_

scrap that!!!!!!
just noticed you said you wanted vlans 1 and 2 to be denied from talking to 3,4,and 99 >>possible with the access lists above

Vlans 3,4 and 99 to be able to talk to each other >> this is default

but at the end said you wanted 3,4 and 99 to be able to communicate with 1 and 2. this isn't possible as vlans 1 and 2 won't be able to reply to 3,4 and 99 due to the access list we've applied.

This is probably where you need to use access-lists to a more granular level to block and permit by traffic type i.e. port number or defined protocol. this would allow/block the flows of traffic between specific applications across these vlans, instead of complete ip blocking.

Also if traffic was initiated by vlan 3,4 or 99 to vlans 1 & 2 you could maybe play with the 'established' keyword to allow these sessions - but this won't work with UDP or ICMP.

can someone tell me if i'm completely off the mark here!