Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1444
Views
0
Helpful
5
Replies

Access List in Cisco 861 router

Go to solution
krishan.saran
Level 1
Level 1

‎01-18-2011 10:54 PM - edited ‎03-04-2019 11:07 AM

Hi ALL

we installed a cisco router in a school with two vlans (VLAN 1 & VLAN 2) VLAN 1 is for teachers and Admin and VLAN 2 is for students

we want so that VLAN 2 shouldn't be able to access any device in VLAN 1 but VLAN 1 should be able to access all devices in VLAN 1 & 2

VLAN 1     192.168.11.0/24

VLAN 2     192.168.12.0/24

i am using VLAN interfaces

i know we have to use some access lists but if i apply

access-list 100 permit ip 192.168.10.0 0.0.255 any

access-list 100 deny ip 192.168.12.0 0.0.0.255 192.168.10.0 0.0.0.255

with this access list two subnets can not access each other

Can some one tell me how these  access list should look likes ??????

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
tkatsiaounis
Level 1
Level 1
In response to cadet alain

‎01-19-2011 02:19 AM

Well that is correct i am afraid.  He could, though use the established keyword but just for TCP sessions. Else your solution with CBAC or ZBF is the best.

View solution in original post

0 Helpful

Go to solution
cadet alain
VIP Alumni
VIP Alumni
In response to krishan.saran

‎01-19-2011 11:37 PM

Hi,

"Else your solution with CBAC or ZBF is the best."

i never heared that

These are stateful firewalling implementations on Cisco routers, ZBF is the latest one.

Regards.

Alain.

Don't forget to rate helpful posts.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
tkatsiaounis
Level 1
Level 1

‎01-19-2011 12:31 AM

This should work for you.

access-list 100 deny ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255

access-list 100 permit ip 192.168.12.0 any

interface vlan 2

ip access-group 100 in

0 Helpful

Go to solution
cadet alain
VIP Alumni
VIP Alumni
In response to tkatsiaounis

‎01-19-2011 12:56 AM

Hi,

access-list 100 deny ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255

when applied to VLAN2 interface inbound it will also deny return traffic from VLAN2 to VLAN1 and so disrupt VLAN1 to VLAN2

communication.

I think what he wants to do is impossible with this setup. I think the only way to do this is to use a separate switch and trunk to the router

to do router on a stick and then use ZBF or CBAC on the subinterfaces.

Regards.

Alain.

Don't forget to rate helpful posts.
0 Helpful

Go to solution
tkatsiaounis
Level 1
Level 1
In response to cadet alain

‎01-19-2011 02:19 AM

Well that is correct i am afraid.  He could, though use the established keyword but just for TCP sessions. Else your solution with CBAC or ZBF is the best.

0 Helpful

Go to solution
krishan.saran
Level 1
Level 1
In response to tkatsiaounis

‎01-19-2011 08:51 PM

Hi all

thanks for your time, but i have cisco 861 router , it dosen't support subinterfaces, i think its impossibe, what the solution i am thing is that i will allow some TCP/UDP required ports in access list,

By the way what is

"Else your solution with CBAC or ZBF is the best."

i never heared that

Thanks Every body for your time

0 Helpful

Go to solution
cadet alain
VIP Alumni
VIP Alumni
In response to krishan.saran

‎01-19-2011 11:37 PM

Hi,

"Else your solution with CBAC or ZBF is the best."

i never heared that

These are stateful firewalling implementations on Cisco routers, ZBF is the latest one.

Regards.

Alain.

Don't forget to rate helpful posts.
0 Helpful
Customers Also Viewed These Support Documents