Setting up CBAC for an Internet Connected Cisco Lab

Hi All,


I want to setup CBAC as my basis for firewall rules / filtering on a home lab. High level description of the setup is as follows (diagram attached):


  • ISP Router / Modem (SpeedTouch 780) supplied by the ISP and flashed with their firmware / image, so locked down to "normal user" mode (i.e. basic changes only). Has a LAN-side switch with a static IP of /24, which is the Gateway of Last Resort for the 2811 Router
  • Cisco 2811 Router:
    • Fa0/0 ( /24) is connected to LAN Side switch of the ISP Router Modem
    • Gi0/0/0 (no IP address at port level) is split into several sub-interfaces, 1 for each VLAN on the private network, each of which have an IP address used as the Default Gateway for devices on its respective VLAN
    • Provides DHCP to each of the VLANs
    • NATs each of the VLANs to the IP address of Fa0/0 so that the ISP Router Modem can pass internet-destined traffic onwards - necessary because static routes back to the VLANs are not possible as the ISP Router Modem is locked down (many thanks to @Jon Marshall for all his help with that!)


Question 1: If I want to apply CBAC in this situation, my assumption is that I would create the first ACL inbound on Fa0/0 of the 2811 to block incoming traffic, and then ACLs on each of the VLAN sub-interfaces on Gi0/0/0 (e.g. Gi0/0/0.10 in) to control and check traffic coming out of each of them that is destined for the internet. Is my assumption correct? If so, then:


Question 2: Does this affect the inter-VLAN routing that is (presumably) happening on the 2811 Gi0/0/0 port between each of the VLANs?



Many thanks in advance for all and any help!

Mohammed al Baqari
VIP Advisor


Yes, you need an ACL on the outside interface in the inbound direction to block incoming traffic, and you need the inspect command in the outbound direction to check outgoing connections and allow the reverse packets.

For sub-interfaces it's not mandatory to apply ACLs, but it is recommended. This isn't needed for inspecting internet traffic but for securing connections from clients in general. It will affect inter-VLAN routing.
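The following IOS configuration is an added example of the design described in the question and confirmed in the answer above; it is not taken from the original thread or from the poster's router. The interface names match the question (Fa0/0 outside, Gi0/0/0.10 for VLAN 10); the inspection rule name LAB-FW, the ACL names, the VLAN 10 subnet 192.168.10.0/24 and the use of a second VLAN 20 subnet 192.168.20.0/24 are assumptions made for illustration. Only the CBAC and ACL pieces are shown; the existing NAT and DHCP configuration is assumed to stay as it is.

```cisco
! Added example configuration (assumed names and subnets, not from the original thread).
!
! 1. Define what CBAC inspects. Return traffic for sessions opened from inside
!    through Fa0/0 gets a temporary entry inserted ahead of the OUTSIDE-IN ACL.
!    The router-traffic keyword (12.3(14)T and later) also inspects sessions the
!    2811 itself opens, e.g. NTP or ping from the router; without it their replies
!    are dropped by OUTSIDE-IN.
ip inspect name LAB-FW tcp router-traffic
ip inspect name LAB-FW udp router-traffic
ip inspect name LAB-FW icmp router-traffic
ip inspect name LAB-FW http
ip inspect name LAB-FW ftp
!
! 2. Outside interface: block everything inbound that CBAC has not opened.
!    The explicit deny with log makes unsolicited inbound hits visible.
ip access-list extended OUTSIDE-IN
 remark CBAC dynamic entries are inserted above this line at runtime
 deny   ip any any log
!
interface FastEthernet0/0
 description Outside - LAN-side switch of ISP modem
 ip access-group OUTSIDE-IN in
 ip inspect LAB-FW out
 ip nat outside
!
! 3. Inside sub-interfaces: optional but recommended (see the answer above).
!    An inbound ACL here sees every packet the VLAN sends, including packets to
!    other VLANs and to the router itself, so it is where inter-VLAN policy and
!    DHCP to the router must be allowed explicitly.
ip access-list extended VLAN10-IN
 remark DHCP from clients to the router (DHCP server on the 2811)
 permit udp any eq bootpc any eq bootps
 remark Assumed policy: VLAN 10 may not reach VLAN 20
 deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 log
 remark Everything else (internet via Fa0/0, other VLANs) is allowed
 permit ip 192.168.10.0 0.0.0.255 any
 deny   ip any any log
!
interface GigabitEthernet0/0/0.10
 description VLAN 10 clients - gateway 192.168.10.1/24 (assumed)
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip access-group VLAN10-IN in
 ip nat inside
```

Two points to check after applying this: `show ip inspect sessions` should list an entry for each connection a client opens to the internet, and `show ip access-lists OUTSIDE-IN` should show a hit count climbing on the deny line only for unsolicited traffic from the modem side. Inter-VLAN traffic never crosses Fa0/0, so the outside ACL and inspect rule leave it untouched; only the sub-interface ACLs (the deny line for 192.168.20.0/24 in the example) change inter-VLAN behaviour, which is the effect the answer refers to.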
