07-26-2011 03:38 AM - edited 03-04-2019 01:05 PM
I would like to implement access lists on traffic passing through the various VLANs. Below is my router configuration. Kindly assist.
RouterHQ#sh run
Building configuration...
Current configuration : 9666 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RouterHQ
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
!
!
ip domain name yourdomain.com
ip name-server 41.xxx.xxx.xxx
!
username dedan privilege 15 password 7 070B24484F07391245932
!
!
!
interface FastEthernet0/0
description Link To LAN
ip address 192.168.20.254 255.255.255.0 secondary
ip address 192.168.100.1 255.255.255.252 secondary
ip address 192.168.50.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.300
description Link To ISP
encapsulation dot1Q 300
ip address 192.168.168.2 255.255.255.252
no snmp trap link-status
!
interface FastEthernet0/1.1783
description Link To Internet
encapsulation dot1Q 1783
ip address 192.168.190.254 255.255.255.224 secondary
ip address 41.72.xxx.xxx 255.255.255.252
ip nat outside
rate-limit input 512000 8000 8000 conform-action transmit exceed-action drop
rate-limit output 512000 8000 8000 conform-action transmit exceed-action drop
no snmp trap link-status
!
interface FastEthernet0/1.1900
description Capital
encapsulation dot1Q 1900
ip address 172.16.30.89 255.255.255.252
no snmp trap link-status
!
interface FastEthernet0/1.1930
description Link to Ministry
encapsulation dot1Q 1930
ip address 172.16.30.73 255.255.255.248
ip nat inside
no snmp trap link-status
!
interface FastEthernet0/1.1989
description Link to Ukay
encapsulation dot1Q 1989
ip address 172.16.20.113 255.255.255.240 secondary
ip address 172.16.20.97 255.255.255.240 secondary
ip address 172.16.20.17 255.255.255.240 secondary
ip address 172.16.25.65 255.255.255.248 secondary
ip address 172.16.30.97 255.255.255.248
no snmp trap link-status
!
interface FastEthernet0/1.1991
encapsulation dot1Q 1991
ip address 172.16.30.65 255.255.255.248 secondary
ip address 172.16.30.57 255.255.255.248 secondary
ip address 172.16.30.1 255.255.255.248 secondary
ip address 172.16.30.41 255.255.255.248 secondary
ip address 172.16.20.209 255.255.255.240 secondary
ip address 172.16.30.33 255.255.255.248 secondary
ip address 172.16.30.81 255.255.255.248
no snmp trap link-status
!
interface FastEthernet0/1.3001
description Link to Western
encapsulation dot1Q 3001
ip address 172.16.20.161 255.255.255.240 secondary
ip address 172.16.20.129 255.255.255.240 secondary
ip address 172.16.30.9 255.255.255.248 secondary
ip address 172.16.20.177 255.255.255.240 secondary
ip address 172.16.30.17 255.255.255.248 secondary
ip address 172.16.20.145 255.255.255.240
no snmp trap link-status
!
interface FastEthernet0/1.3002
description coast
encapsulation dot1Q 3002
ip address 172.16.20.65 255.255.255.240 secondary
ip address 192.168.162.13 255.255.255.252 secondary
ip address 172.16.25.185 255.255.255.248 secondary
ip address 172.16.20.193 255.255.255.240 secondary
ip address 172.16.20.201 255.255.255.248 secondary
ip address 172.16.25.233 255.255.255.252 secondary
ip address 172.16.25.221 255.255.255.252 secondary
ip address 172.16.25.1 255.255.255.240 secondary
ip address 172.16.30.25 255.255.255.248 secondary
ip address 172.16.25.161 255.255.255.252
ip nat inside
no snmp trap link-status
!
ip classless
ip route 0.0.0.0 0.0.0.0 41.72.xxx.xxx
!
ip http server
ip http access-class 23
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 50 interface FastEthernet0/1.1783 overload
ip nat inside source static tcp 192.168.20.230 25 41.72.xxx.xxx 25 extendable
ip nat inside source static tcp 192.168.20.230 80 41.72.xxx.xxx 80 extendable
ip nat inside source static tcp 192.168.20.230 110 41.72.xxx.xxx 110 extendable
ip nat inside source static tcp 192.168.20.230 443 41.72.xxx.xxx 443 extendable
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 50 permit 192.168.50.0 0.0.0.255
access-list 50 permit 192.168.20.0 0.0.0.255
access-list 50 permit 192.168.100.0 0.0.0.255
snmp-server chassis-id 189377483875
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps config
!
control-plane
!
!
line con 0
login local
line aux 0
line vty 0 4
privilege level 15
login local
transport preferred telnet
transport input telnet
line vty 5 15
privilege level 15
login local
transport input telnet
!
end
07-26-2011 03:46 AM
Hi Dedan,
Please tell us which access you want to filter, say like....
Vlan Capital (172.16.30.0/30) should not access Vlan Ministry (172.16.30.0/29), but Vlan Ministry should be able to access Vlan Capital.
Please rate the helpful posts.
Regards,
Naidu.
07-26-2011 04:10 AM
Hi Latchum,
Indeed, yes, as you have said: Vlan Capital should not access Vlan Ministry, or Vlan Capital should only access Vlan Ministry ports 80, 110, 25.
07-26-2011 04:22 AM
Hi Dedan,
OK, this can be done by configuring the rules below in router config mode and applying them to the specific VLAN interfaces...
Vlan Capital should not access Vlan Ministry
ip access-list extended Capital_access
! extended ACL entries need a protocol keyword; "ip" matches all IP traffic
deny ip 172.16.30.0 0.0.0.3 172.16.30.0 0.0.0.7
permit ip any any
Vlan Capital should only access Vlan Ministry ports 80, 110, 25
ip access-list extended Capital_access
permit tcp 172.16.30.0 0.0.0.3 172.16.30.0 0.0.0.7 eq 80
permit tcp 172.16.30.0 0.0.0.3 172.16.30.0 0.0.0.7 eq 110
permit tcp 172.16.30.0 0.0.0.3 172.16.30.0 0.0.0.7 eq 25
! everything else from Capital is dropped (an ACL also ends in an implicit deny)
deny ip any any
ip access-list extended Ministry_access
deny ip 172.16.30.0 0.0.0.7 172.16.30.0 0.0.0.3
permit ip any any
interface FastEthernet0/1.1900
description Capital
encapsulation dot1Q 1900
ip address 172.16.30.89 255.255.255.252
no snmp trap link-status
ip access-group Capital_access in
!
interface FastEthernet0/1.1930
description Link to Ministry
encapsulation dot1Q 1930
ip address 172.16.30.73 255.255.255.248
ip nat inside
no snmp trap link-status
ip access-group Ministry_access in
Please rate the helpful posts.
Regards,
Naidu.
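To see how the router walks these entries, here is a small Python evaluator of IOS extended-ACL semantics (wildcard-mask matching, first match wins, implicit deny at the end), added as an illustration and not part of Naidu's reply or of Cisco's software. It models the ports-only `Capital_access` variant applied inbound on Fa0/1.1900; the address ranges are taken from the Fa0/1.1900 (172.16.30.88/30) and Fa0/1.1930 (172.16.30.72/29) subnets in the posted running-config, the packets are constructed samples, and the `established` entry is an assumption added to show why a stateless inbound filter ending in `deny ip any any` otherwise drops Capital's replies to sessions that Ministry opened, as well as all of Capital's traffic to the rest of the network.

```python
"""Toy evaluator for how IOS walks an extended ACL: first match wins, then implicit deny."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple
Net = Tuple[str, str]                        # (base address, IOS wildcard mask)
ANY: Net = ("0.0.0.0", "255.255.255.255")    # the 'any' keyword
CAPITAL: Net = ("172.16.30.88", "0.0.0.3")   # Fa0/1.1900 subnet from the running-config
MINISTRY: Net = ("172.16.30.72", "0.0.0.7")  # Fa0/1.1930 subnet from the running-config

def wildcard_match(addr: str, net: Net) -> bool:
    """IOS wildcard semantics: a 1 bit in the mask means 'do not care' about that bit."""
    a, base, wild = (int(ipaddress.IPv4Address(x)) for x in (addr, *net))
    return (a & ~wild) == (base & ~wild)

@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: Net
    dst: Net
    dst_port: Optional[int] = None
    established: bool = False    # TCP only: match segments with ACK or RST set

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None
    ack: bool = False            # True for a reply segment of an existing session

def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """Return the action of the first matching entry, or 'deny' for the implicit deny."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, e.src) and wildcard_match(pkt.dst, e.dst)):
            continue
        if e.dst_port is not None and e.dst_port != pkt.dst_port:
            continue
        if e.established and not pkt.ack:
            continue
        return e.action
    return "deny"

# Ports-only Capital_access from the reply, as applied inbound on Fa0/1.1900.
CAPITAL_ACCESS = [Entry("permit", "tcp", CAPITAL, MINISTRY, p) for p in (80, 110, 25)]
CAPITAL_ACCESS.append(Entry("deny", "ip", ANY, ANY))
# Assumed variant: an 'established' line before the deny lets Capital answer Ministry-opened sessions.
CAPITAL_ACCESS_EST = CAPITAL_ACCESS[:-1] + [
    Entry("permit", "tcp", CAPITAL, MINISTRY, established=True), CAPITAL_ACCESS[-1]]
```

Note that the deny at the end also stops a Capital host reaching 192.168.20.230 or any other subnet behind this router, so the ports-only variant isolates Capital completely unless further permits are added above it.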