ACL BLOCKING

Ikebrooks
Level 1

Hello guys, I'm new here. I want to create an ACL that will block traffic access across the entire network.

E.g., any device on Network A cannot reach (ping, traceroute, etc.) any device on Network B, and vice versa. Every network should be independent. This is a sample of my current network config. Thank you.

interface g0/0
ip address dhcp
description ISP_Interface
ip nat outside
no cdp enable
no shutdown

interface g0/1
description MASTER SUB_INTF
no shutdown

interface g0/1.172
encapsulation dot1q 172
ip address 172.16.9.1 255.255.255.0
description PRODUCTION SERVERS
ip nat inside

interface g0/1.110
encapsulation dot1q 110
ip address 192.168.10.1 255.255.255.0
description ALL DEVICES
ip nat inside

interface g0/1.320
encapsulation dot1q 320
ip address 192.168.20.1 255.255.255.0
description VOIP NETWORK
ip nat inside

interface g0/1.316
encapsulation dot1q 316
ip address 192.168.16.1 255.255.255.0
description CAMS NETWORK
ip nat inside

interface g0/1.321
encapsulation dot1q 321
ip address 192.168.21.1 255.255.255.0
description DESKTOP NETWORK
ip nat inside

interface g0/1.1720
encapsulation dot1q 1720
ip address 172.20.20.1 255.255.254.0
description WIRELESS NETWORK
ip nat inside

interface g0/1.10
encapsulation dot1q 10
ip address 10.10.10.1 255.255.255.0
description GUEST WIRELESS NETWORK
ip nat inside

interface g0/1.377
encapsulation dot1q 377
ip address 192.168.77.1 255.255.255.0
description ACCESS CONTROLS NETWORK
ip nat inside

interface g0/1.313
encapsulation dot1q 313
ip address 192.168.13.1 255.255.255.0
description LAPTOP NETWORK
ip nat inside

interface g0/1.311
encapsulation dot1q 311
ip address 192.168.11.1 255.255.255.0
description REMOTE PANELS ACCESS NETWORK
ip nat inside

interface g0/1.100
encapsulation dot1q 100
ip address 192.168.100.1 255.255.255.0
description MGMT NETWORK
ip nat inside
exit


ip dhcp pool Production-Servers
network 172.16.9.0 255.255.255.0
default-router 172.16.9.1
dns-server 8.8.8.8 172.16.9.1

ip dhcp pool Everything-Included
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 8.8.8.8 192.168.10.1

ip dhcp pool VOIP-NETWORK
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 8.8.8.8 192.168.20.1

ip dhcp pool CAMS-NETWORK
network 192.168.16.0 255.255.255.0
default-router 192.168.16.1
dns-server 8.8.8.8 192.168.16.1

ip dhcp pool DESKTOP-NETWORK
network 192.168.21.0 255.255.255.0
default-router 192.168.21.1
dns-server 8.8.8.8 192.168.21.1

ip dhcp pool WIRELESS-NETWORK
network 172.20.20.0 255.255.254.0
default-router 172.20.20.1
dns-server 8.8.8.8 172.20.20.1

ip dhcp pool GUEST-WIRELESS-NETWORK
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 8.8.8.8 10.10.10.1

ip dhcp pool ACCESS-CONTROLS-NETWORK
network 192.168.77.0 255.255.255.0
default-router 192.168.77.1
dns-server 8.8.8.8 192.168.77.1

ip dhcp pool LAPTOP-NETWORK
network 192.168.13.0 255.255.255.0
default-router 192.168.13.1
dns-server 8.8.8.8 192.168.13.1

ip dhcp pool REMOTE-PANELS-ACCESS-NETWORK
network 192.168.11.0 255.255.255.0
default-router 192.168.11.1
dns-server 8.8.8.8 192.168.11.1
exit

ip dhcp excluded-address 172.16.9.1 172.16.9.100
ip dhcp excluded-address 192.168.10.1
ip dhcp excluded-address 192.168.20.1
ip dhcp excluded-address 192.168.16.1
ip dhcp excluded-address 192.168.21.1
ip dhcp excluded-address 172.20.20.1
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.77.1
ip dhcp excluded-address 192.168.13.1
ip dhcp excluded-address 192.168.11.1


ip route 0.0.0.0 0.0.0.0 192.168.163.2
ip name-server 8.8.8.8 8.8.4.4 1.1.1.1
ip domain-lookup
access-list 1 permit any
ip nat inside source list 1 interface g0/0 overload

access-list 100 deny ip any 172.16.9.0 0.0.0.255
access-list 100 deny ip any 192.168.10.0 0.0.0.255
access-list 100 deny ip any 192.168.20.0 0.0.0.255
access-list 100 deny ip any 192.168.16.0 0.0.0.255
access-list 100 deny ip any 192.168.21.0 0.0.0.255
access-list 100 deny ip any 172.20.20.0 0.0.1.255
access-list 100 deny ip any 10.10.10.0 0.0.0.255
access-list 100 deny ip any 192.168.77.0 0.0.0.255
access-list 100 deny ip any 192.168.13.0 0.0.0.255
access-list 100 deny ip any 192.168.11.0 0.0.0.255
access-list 101 permit tcp host 192.168.13.250 any eq 313
access-list 101 deny ip any any
ip access-list extended BLOCK_10.10.10.0
deny ip 10.10.10.0 0.0.0.255 any
permit ip any any

interface g0/1.172
ip access-group 100 in

interface g0/1.110
ip access-group 100 in

interface g0/1.320
ip access-group 100 in

interface g0/1.316
ip access-group 100 in

interface g0/1.321
ip access-group 100 in

interface g0/1.1720
ip access-group 100 in

interface g0/1.10
ip access-group 100 in
ip access-group BLOCK_10.10.10.0 in

interface g0/1.377
ip access-group 100 in

interface g0/1.313
ip access-group 100 in

interface g0/1.311
ip access-group 100 in

2 Replies

I don't believe you can apply multiple ACLs in the same direction as is shown on interface g0/1.10 above. Cisco IOS routers are stateless devices, and using ACLs on them wouldn't be scalable at all; a better way would be to use the zone-based firewall feature, which allows some sort of stateful inspection. However, if using ACLs is your only option, then I would recommend creating a separate ACL for each interface and specifying the source as the subnet connected to the interface, because otherwise you might end up in a scenario where the ACL won't match the traffic passing through. For example, if you apply ACL 100 on interface g0/1.313, that won't match the traffic destined to the other subnets. Also, please keep in mind that ACLs have an implicit deny at the very end, which means that after denying the interesting traffic you need to allow the other traffic passing through; otherwise you will end up in a scenario where no traffic is allowed to pass through at all.
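To make the per-interface approach from the reply above concrete, here is what one such ACL looks like for the 313 laptop VLAN. This is an added example written for this page, not configuration from the original post or the reply: the ACL name LAPTOP-NET-IN is invented, the destination subnets are the ones on the posted subinterfaces (with the 192.168.100.0/24 MGMT network added, since the question asks for every network to be independent), and the source is pinned to the subnet that actually enters on g0/1.313 so the ACL can never match anything else.

```cisco
! Added example, not part of the original post. ACL name LAPTOP-NET-IN is invented.
! Inbound on g0/1.313 only packets sourced from 192.168.13.0/24 can legitimately
! arrive, so the source is fixed; anything else hits the implicit deny at the end,
! which also drops spoofed sources for free.
ip access-list extended LAPTOP-NET-IN
 remark -- DHCP discover/request carries source 0.0.0.0, so allow it explicitly
 remark -- in case this platform does not exempt DHCP from the inbound ACL
 permit udp any eq bootpc any eq bootps
 remark -- every other internal VLAN is unreachable (covers ping, traceroute, everything)
 deny   ip 192.168.13.0 0.0.0.255 172.16.9.0 0.0.0.255
 deny   ip 192.168.13.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny   ip 192.168.13.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny   ip 192.168.13.0 0.0.0.255 192.168.16.0 0.0.0.255
 deny   ip 192.168.13.0 0.0.0.255 192.168.21.0 0.0.0.255
 deny   ip 192.168.13.0 0.0.0.255 172.20.20.0 0.0.1.255
 deny   ip 192.168.13.0 0.0.0.255 10.10.10.0 0.0.0.255
 deny   ip 192.168.13.0 0.0.0.255 192.168.77.0 0.0.0.255
 deny   ip 192.168.13.0 0.0.0.255 192.168.11.0 0.0.0.255
 deny   ip 192.168.13.0 0.0.0.255 192.168.100.0 0.0.0.255
 remark -- whatever is left (own gateway 192.168.13.1 for DNS, Internet via NAT)
 remark -- is allowed; without this line the implicit deny would drop it all
 permit ip 192.168.13.0 0.0.0.255 any
!
interface GigabitEthernet0/1.313
 no ip access-group 100 in
 ip access-group LAPTOP-NET-IN in
```

The same pattern is repeated once per subinterface with the source changed to that VLAN's subnet and its own subnet dropped from the deny list, so eleven ACLs in total. To check that it is doing what you expect, `show ip access-lists LAPTOP-NET-IN` shows per-entry hit counters (ping a production server from a laptop and watch the matching deny line increment), and `show ip interface GigabitEthernet0/1.313` confirms which ACL is applied inbound. Note that the posted ACL 100 would have blocked Internet access as well, because nothing after its ten deny lines permits the remaining traffic.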


Hi

This is not a good way to accomplish network segregation. If your device supports VRF, this would be a classic solution. Create two VRFs, put network A in one VRF and network B in another VRF, and they will be segregated for good inside the same device. You don't need to worry about ACLs.
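As an added illustration of the VRF suggestion above (this is example configuration written for this page, not from the reply or the original post), here is the guest wireless VLAN moved into its own VRF while still reaching the Internet through the shared ISP interface. The VRF name GUEST is invented; it assumes the platform supports `ip vrf`, VRF-aware NAT and the `global` keyword on `ip route vrf`, and it reuses the next hop 192.168.163.2 from the posted default route.

```cisco
! Added example, not part of the original thread. VRF name GUEST is invented.
! On newer IOS/IOS-XE releases "vrf definition GUEST" + "address-family ipv4"
! replaces "ip vrf GUEST"; the rest is unchanged.
ip vrf GUEST
 description Guest wireless, no route to any other VLAN
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ! Assigning the VRF clears the interface address, so it is re-entered after it
 ip vrf forwarding GUEST
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
! The DHCP pool must live in the same VRF as the interface it serves
ip dhcp pool GUEST-WIRELESS-NETWORK
 vrf GUEST
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 8.8.8.8
!
! The only route in the GUEST table is a default toward the global ISP interface.
! 192.168.x.x and 172.x.x.x are simply absent from this table, so no ACL is needed.
ip route vrf GUEST 0.0.0.0 0.0.0.0 GigabitEthernet0/0 192.168.163.2 global
!
! Overload NAT for the VRF onto the same outside interface as the global VLANs
ip nat inside source list 1 interface GigabitEthernet0/0 vrf GUEST overload
```

To check the isolation, `show ip route vrf GUEST` should list only the connected 10.10.10.0/24 and the default, and `ping vrf GUEST 192.168.13.1` (or any other internal gateway) should fail with no route, while `ping vrf GUEST 8.8.8.8` succeeds through the NAT. Each VLAN you want isolated gets its own VRF, pool, default route and NAT statement in the same way; the cost compared with ACLs is that any traffic you later do need between two VLANs has to be leaked or routed through a firewall explicitly.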