01-18-2011 10:54 PM - edited 03-04-2019 11:07 AM
Hi all,
We installed a Cisco router in a school with two VLANs (VLAN 1 & VLAN 2). VLAN 1 is for teachers and admin, and VLAN 2 is for students.
We want VLAN 2 not to be able to access any device in VLAN 1, but VLAN 1 should be able to access all devices in VLAN 1 & 2.
VLAN 1 192.168.11.0/24
VLAN 2 192.168.12.0/24
I am using VLAN interfaces.
I know we have to use some access lists, but if I apply
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 100 deny ip 192.168.12.0 0.0.0.255 192.168.10.0 0.0.0.255
with this access list the two subnets cannot access each other.
Can someone tell me how these access lists should look?
01-19-2011 12:31 AM
This should work for you.
access-list 100 deny ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 100 permit ip 192.168.12.0 0.0.0.255 any
interface vlan 2
 ip access-group 100 in
01-19-2011 12:56 AM
Hi,
access-list 100 deny ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255
When applied to the VLAN 2 interface inbound, it will also deny return traffic from VLAN 2 to VLAN 1 and so disrupt VLAN 1 to VLAN 2 communication.
I think what he wants to do is impossible with this setup. I think the only way to do this is to use a separate switch and a trunk to the router
to do router-on-a-stick, and then use ZBF or CBAC on the subinterfaces.
Regards.
Alain.
01-19-2011 02:19 AM
Well, that is correct, I am afraid. He could, though, use the established keyword, but just for TCP sessions. Otherwise your solution with CBAC or ZBF is the best.
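The established-keyword approach described in this reply, written out as an added example (not configuration from any poster in this thread). It assumes the OP's addressing (VLAN 1 = 192.168.11.0/24, VLAN 2 = 192.168.12.0/24), that the ACL is applied inbound on the student SVI, and that the router is also the DHCP server for VLAN 2; the ACL name STUDENTS-IN is chosen here.

```cisco
! Added example: inbound filter on the student SVI (Vlan2).
! Order matters: the first matching line wins, and there is an implicit
! "deny ip any any" at the end of every IOS ACL.
ip access-list extended STUDENTS-IN
 ! DHCP clients send from 0.0.0.0 to 255.255.255.255, so a source-based
 ! permit never matches them; allow them explicitly (assumes the router
 ! itself hands out VLAN 2 addresses).
 permit udp any eq bootpc any eq bootps
 ! Replies to TCP sessions that a VLAN 1 host opened: "established"
 ! matches only segments with ACK or RST set, i.e. not a new SYN.
 permit tcp 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255 established
 ! Everything else students send toward VLAN 1 is dropped.
 deny   ip  192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255
 ! Students may still reach the Internet (and anything not in VLAN 1).
 permit ip  192.168.12.0 0.0.0.255 any
!
interface Vlan2
 ip access-group STUDENTS-IN in
```

After applying it, generate some traffic and check that the counters move on the lines you expect with `show access-lists STUDENTS-IN`. The caveat from the reply above is visible in the ACL itself: only TCP has the `established` shortcut, so a ping or a UDP request from a teacher's PC to a student machine gets its reply dropped by the `deny ip` line. If that matters, the stateful options (CBAC or ZBF) are the answer rather than adding more permit lines.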
01-19-2011 08:51 PM
Hi all,
Thanks for your time, but I have a Cisco 861 router; it doesn't support subinterfaces, so I think it's impossible. The solution I am thinking of is that I will allow some required TCP/UDP ports in the access list.
By the way, what is
"Else your solution with CBAC or ZBF is the best."
I never heard of that.
Thanks everybody for your time.
01-19-2011 11:37 PM
Hi,
"Else your solution with CBAC or ZBF is the best."
I never heard of that.
These are stateful firewalling implementations on Cisco routers; ZBF is the latest one.
Regards.
Alain.
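Since ZBF is named here but never shown, an added example (not configuration from any poster in this thread) of a zone-based firewall policy for the two VLAN interfaces. It assumes the OP's addressing, that the router's IOS image includes the zone-based firewall feature, and that the WAN port is FastEthernet4; the zone, class-map and policy-map names are chosen here.

```cisco
! Added example: zone-based firewall on the SVIs (no subinterfaces needed).
zone security TEACHERS
zone security STUDENTS
zone security INTERNET
!
! Match the traffic types to inspect statefully.
class-map type inspect match-any ALL-IP
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! "inspect" creates a session entry on the first packet and lets the
! return traffic back without any ACL on the reverse path.
policy-map type inspect ALLOW-AND-INSPECT
 class type inspect ALL-IP
  inspect
 class class-default
  drop
!
! Teachers may open sessions toward students; replies are allowed by state.
zone-pair security TEACHERS-TO-STUDENTS source TEACHERS destination STUDENTS
 service-policy type inspect ALLOW-AND-INSPECT
! Both VLANs may reach the Internet. Without a zone-pair, traffic between
! two zones is dropped, so students-to-Internet must be listed explicitly.
zone-pair security TEACHERS-TO-INTERNET source TEACHERS destination INTERNET
 service-policy type inspect ALLOW-AND-INSPECT
zone-pair security STUDENTS-TO-INTERNET source STUDENTS destination INTERNET
 service-policy type inspect ALLOW-AND-INSPECT
! Deliberately no zone-pair from STUDENTS to TEACHERS: student-initiated
! traffic toward VLAN 1 has no policy and is dropped by default.
!
interface Vlan1
 zone-member security TEACHERS
interface Vlan2
 zone-member security STUDENTS
interface FastEthernet4
 zone-member security INTERNET
```

Two things to check after committing this. First, `show policy-map type inspect zone-pair sessions` should list a session for a teacher-to-student connection and none in the other direction. Second, traffic between a zone member and the router itself (DHCP, the default gateway, SSH to the router) is unaffected, because the router's self zone is unrestricted unless you create a zone-pair for it; the one interface you do have to think about is the WAN port, which is why it is placed in its own zone above rather than left out of the firewall.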