Access List in Cisco 861 router

krishan.saran (Level 1)

Hi all,

We installed a Cisco router in a school with two VLANs (VLAN 1 and VLAN 2). VLAN 1 is for teachers and admin and VLAN 2 is for students.

We want VLAN 2 not to be able to access any device in VLAN 1, but VLAN 1 should be able to access all devices in VLAN 1 and 2.

VLAN 1     192.168.11.0/24

VLAN 2     192.168.12.0/24

I am using VLAN interfaces.

I know we have to use some access lists, but if I apply

access-list 100 permit ip 192.168.11.0 0.0.0.255 any

access-list 100 deny ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255

with this access list the two subnets cannot access each other.

Can someone tell me how these access lists should look?


5 Replies

tkatsiaounis (Level 1)

This should work for you.

access-list 100 deny ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255

access-list 100 permit ip 192.168.12.0 0.0.0.255 any

interface vlan 2

ip access-group 100 in

Hi,

access-list 100 deny ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255

When applied inbound on the VLAN 2 interface, it will also deny return traffic from VLAN 2 to VLAN 1 and so disrupt VLAN 1 to VLAN 2 communication.

I think what he wants to do is impossible with this setup. I think the only way to do this is to use a separate switch and trunk to the router to do router on a stick and then use ZBF or CBAC on the subinterfaces.

Regards.

Alain.

Don't forget to rate helpful posts.

Well, that is correct, I am afraid. He could, though, use the established keyword, but just for TCP sessions. Else your solution with CBAC or ZBF is the best.
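
As an added example, not from the original thread: the ACL from the first reply rewritten with the established keyword that the reply above suggests, applied inbound on VLAN 2. It addresses the return-traffic problem described two posts up for TCP only: segments from the student subnet with ACK or RST set (replies to sessions staff started) are permitted before the deny, while anything students initiate toward 192.168.11.0/24 is still dropped. The ACL name STUDENT-IN is my choice, and the DHCP line assumes the router is the DHCP server for VLAN 2 (a client with no address yet sends from 0.0.0.0, which the subnet-based permit does not match).

```cisco
! Added example, not from the thread. Stateless ACL using "established":
! staff-initiated TCP sessions get their replies back through VLAN 2 inbound,
! student-initiated traffic to the staff subnet is dropped.
ip access-list extended STUDENT-IN
 remark TCP segments with ACK or RST set: replies to sessions staff started
 permit tcp 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255 established
 remark Everything else from students to the staff subnet is blocked
 deny ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255
 remark DHCP from clients that have no address yet (assumes router is DHCP server)
 permit udp any eq bootpc any eq bootps
 remark Students may still reach the router itself and the Internet
 permit ip 192.168.12.0 0.0.0.255 any
!
interface Vlan2
 ip access-group STUDENT-IN in
```

Two caveats a practitioner should weigh before relying on this. First, established only tests the ACK/RST flag bits; it keeps no session state, so a student host can send crafted ACK-flagged segments (an nmap ACK scan, for instance) into the staff subnet. A real TCP stack will reset them, but it is still a probe channel, which is why the stateful options are the better answer. Second, only TCP is covered: ICMP echo-reply and UDP replies from students to staff are still dropped, so ping from staff to students will fail. Check hit counts with show ip access-lists STUDENT-IN and confirm the binding with show ip interface Vlan2.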

Hi all,

Thanks for your time, but I have a Cisco 861 router; it doesn't support subinterfaces, so I think it's impossible. The solution I am thinking of is that I will allow some required TCP/UDP ports in the access list.

By the way, what is

"Else your solution with CBAC or ZBF is the best."

I never heard of that.

Thanks everybody for your time.

Hi,

"Else your solution with CBAC or ZBF is the best."

I never heard of that.

These are stateful firewalling implementations on Cisco routers, ZBF is the latest one.

Regards.

Alain.

Don't forget to rate helpful posts.
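
As an added example, not from the original thread: a Zone-Based Firewall (ZBF) configuration for the two VLAN interfaces in the question. ZBF can be applied to SVIs directly, so no trunk or subinterfaces are needed for this part; it assumes the 861 runs an IOS image that includes the firewall feature set and that FastEthernet4 is the WAN uplink on this box. The zone, class-map, policy-map and zone-pair names are my choices.

```cisco
! Added example, not from the thread. ZBF on the SVIs:
! staff -> students and both VLANs -> Internet are inspected (stateful, so
! replies are matched against the session table); students -> staff has no
! zone-pair and is therefore dropped by default.
zone security STAFF
zone security STUDENTS
zone security OUTSIDE
!
! Generic L4 match; the inspect action tracks TCP, UDP and ICMP sessions
class-map type inspect match-any ANY-L4
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect INSPECT-ALL
 class type inspect ANY-L4
  inspect
 class class-default
  drop log
!
zone-pair security STAFF-TO-STUDENTS source STAFF destination STUDENTS
 service-policy type inspect INSPECT-ALL
zone-pair security STAFF-TO-OUTSIDE source STAFF destination OUTSIDE
 service-policy type inspect INSPECT-ALL
zone-pair security STUDENTS-TO-OUTSIDE source STUDENTS destination OUTSIDE
 service-policy type inspect INSPECT-ALL
! Deliberately no STUDENTS -> STAFF zone-pair: inter-zone default is drop
!
interface Vlan1
 zone-member security STAFF
interface Vlan2
 zone-member security STUDENTS
interface FastEthernet4
 description WAN uplink (assumed to be the Internet-facing port here)
 zone-member security OUTSIDE
```

Points to keep in mind: once an interface is a zone member it cannot exchange traffic with an interface that is in no zone, so the WAN port must be zoned too or student Internet access stops. Traffic to and from the router itself (DHCP, DNS, SSH to the SVI addresses) belongs to the built-in self zone and is permitted by default unless you add a zone-pair that involves self. Verify with show zone-pair security and watch live sessions with show policy-map type inspect zone-pair sessions; the drop log in class-default makes blocked student-to-staff attempts visible in the log.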