05-28-2015 12:10 PM - last edited on 04-06-2023 10:52 PM by Translator
I have multiple subinterfaces on a router. One of the subinterfaces will be for guest access to the internet. I want to allow these users access to the internet but block them from our internal resources on other subinterfaces as well as corporate resources across the mpls/bgp network. Is this the best way to accomplish this? The path to the internet is across the mpls circuit.
interface GigabitEthernet0/0
description LAN
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.10
description DATA
encapsulation dot1Q 10
ip address 10.10.100.1 255.255.255.0
ip wccp redirect exclude in
!
interface GigabitEthernet0/0.20
description VOICE
encapsulation dot1Q 20
ip address 172.16.100.1 255.255.255.0
ip wccp 61 redirect in
!
interface GigabitEthernet0/0.30
description GUEST
encapsulation dot1Q 30
ip address 192.168.1.1 255.255.255.0
ip access-group 199 in
!
interface s0/0/0:0
description ATT MPLS
ip address 68.2.4.8 255.255.255.248
ip flow ingress
ip flow egress
!
access-list 199 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 199 deny ip 192.168.1.0 0.0.0.255 172.0.0.0 0.31.255.255
access-list 199 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 199 permit ip 192.168.1.0 0.0.0.255 any
!
Notice access-list 199 is applied inbound on interface g0/0.30.
05-28-2015 02:31 PM
I also use these private networks quite often in ACLs. For that, one of my first copy/pastes to a new router is the following object-group:
object-group network RFC1918
 10.0.0.0 255.0.0.0
 172.16.0.0 255.240.0.0
 192.168.0.0 255.255.0.0
This object-group can then be used in the ACLs:
ip access-list extended XXX
 deny ip any object-group RFC1918
 permit ip YOUR-NETWORK any
Effectively it's the same as your ACL. For the "deny" I would use the source of "any" as it also prevents spoofed addresses.
05-28-2015 01:02 PM
Are you really using all the internal private ranges?
Regardless, yes, your ACL will work, except that your 172.x.x.x entry is wrong, i.e. it should be "172.16.0.0 0.15.255.255".
Jon
05-29-2015 11:34 AM
Thank you for the correction Jon. While we do not use all of the private ranges, we use a bunch. Wouldn't want to have to come fix this acl if we ever added something new later. Easier to cover the whole range now I think.
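To make the wildcard correction and the object-group variant checkable rather than eyeballed, here is an added example (not from anyone in this thread) that converts IOS address/wildcard pairs to prefixes and evaluates the three ACL variants first-match against constructed guest traffic. It shows that the posted wildcard 0.31.255.255 yields 172.0.0.0/11, which also blocks public 172.0.0.0 through 172.15.255.255, while the corrected 0.15.255.255 yields exactly 172.16.0.0/12.

```python
import ipaddress

# Added example, not from the thread: models access-list 199 as posted, with Jon's
# correction, and in the accepted answer's object-group form, then compares them.

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS address/wildcard pair into a prefix. IOS accepts discontiguous
    wildcards too; this helper rejects them since they are not a single prefix."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"discontiguous wildcard {wildcard}")
    return ipaddress.IPv4Network((addr, 32 - wc.bit_length()), strict=False)

def acl_action(acl, src: str, dst: str) -> str:
    """First-match evaluation, as IOS does, with the implicit deny at the end."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return "deny"

ANY = ipaddress.IPv4Network("0.0.0.0/0")
GUEST = wildcard_to_network("192.168.1.0", "0.0.0.255")

# access-list 199 as posted (second entry uses wildcard 0.31.255.255)
ACL_POSTED = [
    ("deny", GUEST, wildcard_to_network("10.0.0.0", "0.255.255.255")),
    ("deny", GUEST, wildcard_to_network("172.0.0.0", "0.31.255.255")),
    ("deny", GUEST, wildcard_to_network("192.168.0.0", "0.0.255.255")),
    ("permit", GUEST, ANY),
]
# Same ACL with Jon's correction: 172.16.0.0 0.15.255.255
ACL_CORRECTED = list(ACL_POSTED)
ACL_CORRECTED[1] = ("deny", GUEST, wildcard_to_network("172.16.0.0", "0.15.255.255"))

# The accepted answer's form: deny any -> object-group RFC1918, then permit guest
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ACL_OBJECT_GROUP = [("deny", ANY, n) for n in RFC1918] + [("permit", GUEST, ANY)]

if __name__ == "__main__":
    print(wildcard_to_network("172.0.0.0", "0.31.255.255"))  # 172.0.0.0/11
    guest = "192.168.1.50"  # constructed guest host
    # 172.8.1.1 is public space: blocked by the posted ACL, permitted by the other two
    for dst in ("10.10.100.5", "172.16.100.1", "172.8.1.1", "8.8.8.8"):
        print(dst, acl_action(ACL_POSTED, guest, dst),
              acl_action(ACL_CORRECTED, guest, dst),
              acl_action(ACL_OBJECT_GROUP, guest, dst))
```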