Setting up CBAC for an Internet Connected Cisco Lab
01-25-2019 07:28 AM - edited 02-21-2020 08:42 AM
Hi All,
I want to set up CBAC as the basis for firewall rules / filtering on a home lab. A high-level description of the setup is as follows (diagram attached):
- ISP Router / Modem (SpeedTouch 780) supplied by the ISP and flashed with their firmware / image, so locked down to "normal user" mode (i.e. basic changes only). Has a LAN-side switch with a static IP of 192.168.1.254/24, which is the Gateway of Last Resort for the 2811 Router.
- Cisco 2811 Router:
  - Fa0/0 (192.168.1.200/24) is connected to the LAN-side switch of the ISP Router / Modem
  - Gi0/0/0 (no IP address at port level) is split into several sub-interfaces, one for each VLAN on the private network, each of which has an IP address used as the Default Gateway for devices on its respective VLAN
  - Provides DHCP to each of the VLANs
  - NATs each of the VLANs to the IP address of Fa0/0 so that the ISP Router / Modem can pass Internet-destined traffic onwards; this is necessary because static routes back to the VLANs are not possible, as the ISP Router / Modem is locked down (many thanks to @Jon Marshall for all his help with that!)
Question 1: If I want to apply CBAC in this situation, my assumption is that I would create the first ACL inbound on Fa0/0 of the 2811 to block incoming traffic, and then ACLs inbound on each of the VLAN sub-interfaces on Gi0/0/0 (e.g. Gi0/0/0.10 in) to control and check traffic coming out of each of them that is destined for the Internet. Is my assumption correct? If so, then:
Question 2: Does this affect the inter-VLAN routing that is (presumably) happening on the 2811 Gi0/0/0 port between each of the VLANs?
Many thanks in advance for all and any help!
Labels: NGFW Firewalls
01-25-2019 07:49 PM
Yes, you need an ACL on the outside interface with direction in to block incoming traffic, and you need the inspect out command to check outgoing connections and allow the reverse packets.
For sub-interfaces it's not mandatory to apply ACLs, but it is recommended. This isn't needed for inspecting Internet traffic but for securing connections from clients in general. It will affect inter-VLAN routing.
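As an added example (not the original poster's configuration and not taken from the reply above), here is a minimal IOS configuration that applies the layout the reply describes to the setup in the question: an inbound ACL plus an outbound inspect rule on Fa0/0, and an inbound ACL on each VLAN sub-interface. The interface names, the 192.168.1.200/24 address, the 192.168.1.254 default route and the NAT overload to Fa0/0 come from the question; the VLAN IDs (10 and 20), the 10.0.10.0/24 and 10.0.20.0/24 subnets, the use of the ISP router as DNS forwarder, and all ACL, pool and inspect names are assumptions.

```cisco
! Added example, not the original poster's configuration. VLAN IDs 10/20,
! the 10.0.10.0/24 and 10.0.20.0/24 subnets, the DNS forwarder address and
! all ACL/pool/inspect names are assumptions; Fa0/0, 192.168.1.200/24 and
! the 192.168.1.254 default route follow the question.
!
! 1. Inspection rule. Each outbound session that matches is tracked, and its
!    return packets are let back in through the inbound ACL on Fa0/0.
ip inspect name LAB-INSPECT tcp
ip inspect name LAB-INSPECT udp
ip inspect name LAB-INSPECT icmp
ip inspect name LAB-INSPECT ftp
!
! 2. Outside interface: the inbound ACL blocks everything CBAC has not
!    opened; the inspect rule is applied in the OUT direction (Question 1).
interface FastEthernet0/0
 description Outside - LAN-side switch of the ISP router/modem
 ip address 192.168.1.200 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE-IN in
 ip inspect LAB-INSPECT out
!
ip access-list extended OUTSIDE-IN
 remark Return traffic is added dynamically by CBAC; only the ICMP errors
 remark needed for path MTU discovery and traceroute are permitted statically
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
!
! 3. Inside sub-interfaces, one per VLAN. An inbound ACL here is evaluated
!    for every packet from that VLAN, including packets routed to another
!    VLAN, which is why it affects inter-VLAN routing (Question 2).
interface GigabitEthernet0/0/0
 no ip address
!
interface GigabitEthernet0/0/0.10
 description VLAN 10 - trusted clients (assumed)
 encapsulation dot1Q 10
 ip address 10.0.10.1 255.255.255.0
 ip nat inside
 ip access-group VLAN10-IN in
!
interface GigabitEthernet0/0/0.20
 description VLAN 20 - lab / untrusted (assumed)
 encapsulation dot1Q 20
 ip address 10.0.20.1 255.255.255.0
 ip nat inside
 ip access-group VLAN20-IN in
!
ip access-list extended VLAN10-IN
 remark Trusted VLAN: may reach VLAN 20 and the Internet
 permit udp any eq bootpc any eq bootps
 permit ip 10.0.10.0 0.0.0.255 any
!
ip access-list extended VLAN20-IN
 remark DHCP DISCOVER arrives from 0.0.0.0, so it needs its own line
 permit udp any eq bootpc any eq bootps
 remark DNS to the ISP router is allowed before the deny for its subnet
 permit udp 10.0.20.0 0.0.0.255 host 192.168.1.254 eq domain
 permit tcp 10.0.20.0 0.0.0.255 host 192.168.1.254 eq domain
 remark Keep the lab VLAN away from the trusted VLAN and the ISP router's LAN
 deny   ip 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255 log
 deny   ip 10.0.20.0 0.0.0.255 192.168.1.0 0.0.0.255 log
 permit ip 10.0.20.0 0.0.0.255 any
!
! 4. DHCP for each VLAN, served by the router as in the question. The ISP
!    router is assumed to forward DNS.
ip dhcp excluded-address 10.0.10.1
ip dhcp excluded-address 10.0.20.1
ip dhcp pool VLAN10
 network 10.0.10.0 255.255.255.0
 default-router 10.0.10.1
 dns-server 192.168.1.254
ip dhcp pool VLAN20
 network 10.0.20.0 255.255.255.0
 default-router 10.0.20.1
 dns-server 192.168.1.254
!
! 5. NAT overload of both VLANs to the Fa0/0 address, plus the default route.
ip access-list standard NAT-INSIDE
 permit 10.0.10.0 0.0.0.255
 permit 10.0.20.0 0.0.0.255
ip nat inside source list NAT-INSIDE interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.254
```

Two points worth checking once this is in place. First, traffic between VLAN 10 and VLAN 20 is routed between the two sub-interfaces and never crosses Fa0/0, so neither OUTSIDE-IN nor the inspect rule sees it; the only thing that touches it is the inbound ACL on the sub-interface the packet arrives on, which is why VLAN20-IN states the inter-VLAN policy explicitly instead of relying on CBAC. Second, CBAC by default does not track sessions the router itself originates (pings or NTP from the 2811, for instance), so their replies will hit the final deny in OUTSIDE-IN; either accept that, add static permits, or add the router-traffic keyword to the inspect lines (ip inspect name LAB-INSPECT icmp router-traffic). Verify with show ip inspect sessions while a client is browsing, and show ip access-lists to see the hit counters on the deny lines.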
