08-15-2006 01:44 PM - edited 03-03-2019 04:31 AM
I have the following Networks:
192.168.1.0/24 - int vlan 10
192.168.2.0/24 - int vlan 20
192.168.3.0/24 - int vlan 30
192.168.4.0/24 - int vlan 40
My DHCP Server is on the 192.168.2.0/24 Network - IP 192.168.2.10
My Firewall is on 192.168.1.0/24 network - IP 192.168.1.1
I need to make sure that 192.168.4.0/24 Network is able to get an IP from the DHCP Server and can access the internet through the firewall but have no communication with the other networks and vice-versa.
I'm trying to secure 192.168.4.0/24 as much as possible.
Can someone tell me the exact configuration for the ACLs to put on my router?
08-15-2006 01:55 PM
Hi,
The following configuration would achieve what you are looking to do.
int vlan 40
ip helper-address 192.168.2.10
ip policy route-map cisco
route-map cisco permit 10
match ip address 150
route-map cisco permit 20
match ip address 160
set ip next-hop 192.168.1.1
route-map cisco deny 30
access-list 150 permit udp any any eq 67
access-list 150 permit udp any any eq 68
access-list 160 permit tcp any any eq www
Hope that helps!
Regards,
Sundar
08-15-2006 02:02 PM
Hi,
Just noticed in your post you wanted to block other networks from accessing this subnet as well.
Configure the following to get that done.
int vlan 40
ip access-group 170 out
access-list 170 permit tcp any eq www any
My assumption is based on the fact that the Internet traffic is just web traffic. If there's any other traffic, like SMTP, POP3 etc., that goes to the Internet then add ACL statements to that effect.
Regards,
Sundar
08-16-2006 06:02 AM
I will try and see how it works
09-26-2006 08:12 PM
Hi Sundar,
I have a similar problem. I just want to allow vlan 75 access to the internet and to get an IP address from the DHCP server; all other traffic will be blocked.
My network topology is: all switches are connected to two 5509 core switches, which are using HSRP.
When I apply those filters, the PC in vlan 75 still allows all traffic. What step have I missed? Please help.
------------------------------------------------------------------
core1_rs#sh run int vlan 75
Building configuration...
Current configuration:
!
interface Vlan75
ip address 10.7.75.2 255.255.255.0
ip helper-address 10.7.11.58
no ip redirects
no ip unreachables
no ip directed-broadcast
no ip route-cache cef
ip policy route-map mtg_room
mls rp vtp-domain APP
mls rp ip
standby priority 110
standby preempt
standby ip 10.7.75.1
end
------------------------------------------------------------------
core1_rs#sh route-map mtg_room
route-map mtg_room, permit, sequence 10
Match clauses:
ip address (access-lists): 150
Set clauses:
Policy routing matches: 11 packets, 5102 bytes
route-map mtg_room, permit, sequence 20
Match clauses:
ip address (access-lists): 160
Set clauses:
ip next-hop 10.7.11.43
Policy routing matches: 8 packets, 496 bytes
route-map mtg_room, deny, sequence 30
Match clauses:
Set clauses:
Policy routing matches: 0 packets, 0 bytes
core1_rs#
------------------------------------------------------------------
core1_rs#sh access-lists 150
Extended IP access list 150
permit udp any any eq bootps (7 matches)
permit udp any any eq bootpc
core1_rs#sh access-lists 160
Extended IP access list 160
permit tcp any any eq www (8 matches)
core1_rs#
===========================================================================
===========================================================================
core2_rs#sh run int vlan 75
Building configuration...
Current configuration:
!
interface Vlan75
ip address 10.7.75.3 255.255.255.0
ip helper-address 10.7.11.58
no ip redirects
no ip unreachables
no ip directed-broadcast
no ip route-cache cef
ip policy route-map mtg_room
mls rp vtp-domain APP
mls rp ip
standby ip 10.7.75.1
end
------------------------------------------------------------------
core2_rs#sh route-map mtg_room
route-map mtg_room, permit, sequence 10
Match clauses:
ip address (access-lists): 150
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map mtg_room, permit, sequence 20
Match clauses:
ip address (access-lists): 160
Set clauses:
ip next-hop 10.7.11.43
Policy routing matches: 0 packets, 0 bytes
route-map mtg_room, deny, sequence 30
Match clauses:
Set clauses:
Policy routing matches: 0 packets, 0 bytes
core2_rs#
------------------------------------------------------------------
core2_rs#sh access-list 150
Extended IP access list 150
permit udp any any eq bootps (1 match)
permit udp any any eq bootpc (1 match)
core2_rs#sh access-list 160
Extended IP access list 160
permit tcp any any eq www
core2_rs#
------------------------------------------------------------------
Regards,
Samuel
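The route-map and ACLs posted by Sundar, and the same construction on Samuel's core switches, can be checked against IOS evaluation rules without a lab. The Python below is an editor's added model and is not part of the thread or of any Cisco code: it implements first-match extended-ACL evaluation with the implicit deny, and the policy-routing rule that a route-map "deny" entry (or no match at all) sends the packet back to the normal routing table rather than dropping it, which is why a final "deny 30" entry does not stop vlan-to-vlan traffic. The sample packets, the internet address 203.0.113.10 and the host addresses inside the VLANs are constructed; the "interface Null0" route-map is an assumed hardened variant used for comparison, not something anyone posted.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

@dataclass(frozen=True)
class Ace:
    """One line of an IOS extended ACL (only the keywords used in the thread)."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str                     # "any" or a CIDR such as "192.168.4.0/24"
    dst: str
    sport: Optional[int] = None  # 'eq' on the source port
    dport: Optional[int] = None  # 'eq' on the destination port

def _in_net(addr: str, spec: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def acl_result(acl: list, pkt: Packet) -> str:
    """First-match evaluation, with the implicit 'deny' at the end of every IOS ACL."""
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if not (_in_net(pkt.src, ace.src) and _in_net(pkt.dst, ace.dst)):
            continue
        if ace.sport is not None and ace.sport != pkt.sport:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"

def pbr_disposition(route_map: list, pkt: Packet) -> str:
    """IOS policy-routing semantics for 'ip policy route-map' on an interface.
    route_map is a list of (action, match_acl_or_None, set_clause_or_None).
    A 'permit' entry whose match ACL permits the packet applies its set clause
    (an entry with no match clause matches everything).  A 'deny' entry, or no
    matching entry at all, hands the packet to the normal routing table: a PBR
    'deny' does NOT drop.  Only 'set interface Null0' discards the packet."""
    for action, acl, set_clause in route_map:
        if acl is not None and acl_result(acl, pkt) != "permit":
            continue
        if action == "deny" or set_clause is None:
            return "routed-normally"
        return "dropped" if set_clause == "interface Null0" else set_clause
    return "routed-normally"

# ACLs exactly as posted (bootps = 67, bootpc = 68, www = 80).
ACL_150 = [Ace("permit", "udp", "any", "any", dport=67),
           Ace("permit", "udp", "any", "any", dport=68)]
ACL_160 = [Ace("permit", "tcp", "any", "any", dport=80)]
ACL_170 = [Ace("permit", "tcp", "any", "any", sport=80)]   # applied 'out' on int vlan 40

# route-map cisco as posted: deny 30 only returns to normal routing.
ROUTE_MAP_POSTED = [
    ("permit", ACL_150, None),
    ("permit", ACL_160, "next-hop 192.168.1.1"),
    ("deny",   None,    None),
]
# Assumed hardened variant (not from the thread): catch-all entry that discards.
ROUTE_MAP_NULL0 = [
    ("permit", ACL_150, None),
    ("permit", ACL_160, "next-hop 192.168.1.1"),
    ("permit", None,    "interface Null0"),
]

# Constructed packets arriving on int vlan 40 from the 192.168.4.0/24 hosts.
SAMPLES = {
    "dhcp-discover":   Packet("udp",  "0.0.0.0",      "255.255.255.255", 68, 67),
    "web-to-internet": Packet("tcp",  "192.168.4.50", "203.0.113.10", 40000, 80),
    "smb-to-vlan30":   Packet("tcp",  "192.168.4.50", "192.168.3.20", 40001, 445),
    "ping-to-vlan20":  Packet("icmp", "192.168.4.50", "192.168.2.10"),
}

def evaluate(route_map: list) -> dict:
    """Disposition of every sample packet under the given route-map."""
    return {name: pbr_disposition(route_map, p) for name, p in SAMPLES.items()}

def inbound_to_vlan40() -> dict:
    """What ACL 170 ('out' on vlan 40) does to traffic heading into vlan 40."""
    return {
        "web-reply":       acl_result(ACL_170, Packet("tcp", "203.0.113.10", "192.168.4.50", 80, 40000)),
        "smb-from-vlan30": acl_result(ACL_170, Packet("tcp", "192.168.3.20", "192.168.4.50", 445, 40002)),
    }

if __name__ == "__main__":
    for label, rm in (("posted", ROUTE_MAP_POSTED), ("Null0 variant", ROUTE_MAP_NULL0)):
        print(label, evaluate(rm))
    print("into vlan 40", inbound_to_vlan40())
```

Running it shows the symptom Samuel reports: under the posted route-map the SMB and ICMP packets to the other VLANs come back as "routed-normally", because the deny entry only exempts them from policy routing, while the counters on sequences 10 and 20 climb for DHCP and web traffic just as in his "sh route-map" output. In the Null0 variant the same two packets are dropped. The outbound ACL 170 only admits packets whose source port is 80, so a web reply is permitted and an SMB connection from vlan 30 is denied; any other return traffic the VLAN needs (for example DNS) would have to be added in the same way Sundar describes for SMTP and POP3.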