01-31-2017 09:14 AM - edited 03-05-2019 07:57 AM
Hello all;
Here is my configuration:
Building configuration...
Current configuration : 2421 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname NAME
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local
!
!
aaa session-id common
!
!
dot11 syslog
ip source-route
ip dhcp excluded-address 10.0.0.1 10.0.0.10
!
ip dhcp pool lan
import all
network 10.0.0.0 255.255.255.0
dns-server 8.8.8.8
default-router 10.0.0.254
lease infinite
!
!
ip cef
ip name-server 192.168.1.254
!
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
!
!
!
!
archive
log config
hidekeys
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
switchport access vlan 2
!
interface FastEthernet3
switchport access vlan 2
!
interface Virtual-Template1
ip unnumbered Vlan1
peer default ip address pool VPN
no keepalive
ppp encrypt mppe auto required
ppp authentication ms-chap-v2
!
interface Vlan1
description *** INTERFACE OUTSIDE ***
ip address 192.168.1.254 255.255.255.0
ip nat outside
ip virtual-reassembly
!
interface Vlan2
description *** Client Network ***
ip address 10.0.0.254 255.255.255.0
ip access-group 101 in
ip nat inside
ip virtual-reassembly
!
ip local pool VPN 192.168.1.50 192.168.1.60
ip default-gateway 192.168.1.1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1
no ip http server
no ip http secure-server
!
ip nat inside source list NET interface Vlan1 overload
!
ip access-list extended NET
permit ip 10.0.0.0 0.0.0.255 any
!
access-list 101 deny ip any 192.168.1.0 0.0.0.255
access-list 101 deny tcp any 192.168.1.0 0.0.0.255
access-list 101 deny udp any 192.168.1.0 0.0.0.255
access-list 101 permit ip any any
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password 7 XXXXXXXXXXXXXXXXXX
transport input ssh
transport output all
!
scheduler max-task-time 5000
end
Now I want to deny IP traffic between any hosts in VLAN 2, except the range 10.0.0.1 to 10.0.0.10. Can you help me?
Best regards
01-31-2017 09:19 AM
Hi
I think you could use private VLANs to complete that.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_52_se/configuration/guide/3560scg/swpvlan.html
01-31-2017 09:32 AM
Does this work on any switch or just L3 ones? I tried it on some 2960s I have here and none of them has this functionality.
01-31-2017 10:33 AM
Hi
I recommend checking the Cisco compatibility tool (http://cfn.cloudapps.cisco.com/ITDIT/CFN/jsp/index.jsp) against your IOS; also, please see the following link:
http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6000-series-switches/10601-90.html
:-)
02-07-2017 03:48 AM
Hello;
Thanks a lot for your answer. My router is an old Cisco 877, with c870-advsecurityk9-mz.124-24.T8. I can't have private VLANs in this IOS version; can I deny traffic with access lists?
Best regards;
02-07-2017 04:37 AM
Hello,
I am not sure if your 877 supports VLAN access lists. Try the config below (in this example, host 10.0.0.11 cannot talk to anyone, the rest can). If this works, we can add all the other hosts as well, with some address summarization:
877(config)#access-list 101 permit ip host 10.0.0.11 any
877(config)#vlan access-map DENY_RANGE 10
877(config-access-map)#match ip address 101
877(config-access-map)#action drop
877(config-access-map)#vlan access-map DENY_RANGE 20
877(config-access-map)#action forward
877(config)#vlan filter DENY_RANGE vlan-list 2
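To show what the access-map approach looks like once it is extended from one host to the whole range the question asks about, here is an added Python model (my own example, not code from the thread or from Cisco IOS). It builds the match ACL with wildcard-mask summarization, renders it in IOS syntax, and checks it against every host pair in 10.0.0.0/24. It assumes the VACL semantics described in the answer above (traffic that hits a `permit` entry in the match ACL takes the `action drop` clause; everything else falls through to `action forward`) and two policy details the thread leaves open: hosts 10.0.0.1 to 10.0.0.10 may talk to anyone in the VLAN, and the gateway 10.0.0.254 stays reachable from every host. It numbers the match ACL 102 rather than 101, because the running configuration posted above already applies `access-list 101` inbound on Vlan2, and that ACL ends in `permit ip any any`, which an access-map matching it would turn into "drop everything". A VACL is the right tool here because traffic switched between two hosts in the same VLAN never crosses the SVI, so the existing `ip access-group 101 in` on Vlan2 cannot see it. Whether the 877 image named in the thread actually supports `vlan access-map` is not confirmed on the page.

```python
import ipaddress

# Values taken from the running configuration posted in the thread.
VLAN_NET = ipaddress.IPv4Network("10.0.0.0/24")        # interface Vlan2
GATEWAY = ipaddress.IPv4Address("10.0.0.254")          # Vlan2 address / DHCP default-router
EXEMPT_FIRST = ipaddress.IPv4Address("10.0.0.1")       # ip dhcp excluded-address range
EXEMPT_LAST = ipaddress.IPv4Address("10.0.0.10")
ANY = ipaddress.IPv4Network("0.0.0.0/0")


def summarize(first, last):
    """Minimal CIDR blocks covering an inclusive IPv4 range.

    IOS access lists describe a block as network + wildcard mask (1 bit = don't care);
    a CIDR block's hostmask is exactly that wildcard, so this is the 'address
    summarization' needed to cover many hosts with few entries.
    """
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


def to_ios(net):
    """Render a network in IOS access-list address syntax."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    if net.prefixlen == 0:
        return "any"
    return f"{net.network_address} {net.hostmask}"


def build_match_acl():
    """Match ACL for the access-map as (action, source block, destination block).

    In a VACL, 'permit' selects traffic for the drop clause and 'deny' excludes it
    from the match, so the first entry spares traffic to the gateway (assumption)
    and the rest select every non-exempt host talking to something inside the VLAN.
    """
    acl = [("deny", ANY, ipaddress.IPv4Network(f"{GATEWAY}/32"))]
    for block in summarize(EXEMPT_LAST + 1, GATEWAY - 1):   # 10.0.0.11 .. 10.0.0.253
        acl.append(("permit", block, VLAN_NET))
    return acl


def render_acl(acl, number=102):   # 102 because 101 is already applied on Vlan2
    return [f"access-list {number} {action} ip {to_ios(s)} {to_ios(d)}"
            for action, s, d in acl]


def acl_lookup(acl, src, dst):
    """First-match lookup with the implicit deny at the end of every IOS ACL."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, s_net, d_net in acl:
        if src in s_net and dst in d_net:
            return action
    return "deny"


def vacl_action(acl, src, dst):
    """Sequence 10: match ACL -> action drop; sequence 20: no match -> action forward."""
    return "drop" if acl_lookup(acl, src, dst) == "permit" else "forward"


def intended_action(src, dst):
    """The policy from the question plus the two assumptions stated in the lead-in."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    exempt = EXEMPT_FIRST <= s <= EXEMPT_LAST
    return "forward" if exempt or s == GATEWAY or d == GATEWAY else "drop"


def verify_policy(acl):
    """Exhaustively compare ACL behaviour with the intended policy over all VLAN host pairs."""
    hosts = [str(h) for h in VLAN_NET.hosts()]
    return all(vacl_action(acl, s, d) == intended_action(s, d)
               for s in hosts for d in hosts)


if __name__ == "__main__":
    acl = build_match_acl()
    print("\n".join(render_acl(acl)))
    print("vlan access-map DENY_RANGE 10 / match ip address 102 / action drop")
    print("vlan access-map DENY_RANGE 20 / action forward")
    print("vlan filter DENY_RANGE vlan-list 2")
    print("policy verified:", verify_policy(acl))
```

Running it prints the twelve access-list lines (one `deny` for the gateway and eleven summarized `permit` blocks covering 10.0.0.11 through 10.0.0.253) followed by the access-map lines from the answer, and `verify_policy` confirms that the rendered ACL matches the intended policy for every source/destination pair in the VLAN before anything is typed into the router.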