ACL allowing internet but blocking rfc addresses

leepippins
Level 1

I have multiple subinterfaces on a router. One of the subinterfaces will be for guest access to the internet. I want to allow these users access to the internet but block them from our internal resources on other subinterfaces as well as corporate resources across the mpls/bgp network. Is this the best way to accomplish this? The path to the internet is across the mpls circuit.


interface GigabitEthernet0/0
 description LAN
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.10
 description DATA
 encapsulation dot1Q 10
 ip address 10.10.100.1 255.255.255.0
 ip wccp redirect exclude in
!
interface GigabitEthernet0/0.20
 description VOICE
 encapsulation dot1Q 20
 ip address 172.16.100.1 255.255.255.0
 ip wccp 61 redirect in
!
interface GigabitEthernet0/0.30
 description GUEST
 encapsulation dot1Q 30
 ip address 192.168.1.1 255.255.255.0
 ip access-group 199 in
!
interface s0/0/0:0
 description ATT MPLS
 ip address 68.2.4.8 255.255.255.248
 ip flow ingress
 ip flow egress
!
access-list 199 deny   ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 199 deny   ip 192.168.1.0 0.0.0.255 172.0.0.0 0.31.255.255
access-list 199 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 199 permit ip 192.168.1.0 0.0.0.255 any
!


Notice access-list 199 is applied inbound on interface g0/0.30.

Accepted Solution

I also use these private networks quite often in ACLs. For that, one of my first copy/pastes to a new router is the following object-group:

object-group network RFC1918
 10.0.0.0 255.0.0.0
 172.16.0.0 255.240.0.0
 192.168.0.0 255.255.0.0

This object-group can then be used in the ACLs:

ip access-list extended XXX
 deny   ip any object-group RFC1918
 permit ip YOUR-NETWORK any

Effectively it's the same as your ACL. For the "deny" I would use the source of "any" as it also prevents spoofed addresses.


3 Replies

Jon Marshall
Hall of Fame

Are you really using all the internal private ranges?

Regardless, yes, your ACL will work, except your 172.x.x.x entry is wrong, i.e. it should be "172.16.0.0 0.15.255.255".

Jon
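To see what the wildcard correction above actually changes, here is an added Python example (not part of the thread) that models Cisco wildcard matching and first-match ACL evaluation, then runs the access-list 199 as posted and the corrected version against a few constructed guest-host and destination addresses:

```python
import ipaddress

# Constructed example: evaluate Cisco-style wildcard ACLs offline.
# Entry format: (action, src_base, src_wildcard, dst_base, dst_wildcard).

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard: a 0 bit must match, a 1 bit is 'don't care'."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)

def wildcard_range(base, wildcard):
    """First and last address covered by a base/wildcard pair."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    lo = _to_int(base) & care
    hi = lo | _to_int(wildcard)
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(hi))

def evaluate(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")      # the keyword "any"
GUEST = ("192.168.1.0", "0.0.0.255")      # the guest subinterface network

# access-list 199 as posted: the 172 entry uses wildcard 0.31.255.255.
ACL_AS_POSTED = [
    ("deny",   *GUEST, "10.0.0.0",    "0.255.255.255"),
    ("deny",   *GUEST, "172.0.0.0",   "0.31.255.255"),
    ("deny",   *GUEST, "192.168.0.0", "0.0.255.255"),
    ("permit", *GUEST, *ANY),
]
# Same list with the RFC 1918 entry corrected to 172.16.0.0/12.
ACL_CORRECTED = [
    ("deny",   *GUEST, "10.0.0.0",    "0.255.255.255"),
    ("deny",   *GUEST, "172.16.0.0",  "0.15.255.255"),
    ("deny",   *GUEST, "192.168.0.0", "0.0.255.255"),
    ("permit", *GUEST, *ANY),
]

if __name__ == "__main__":
    print("posted 172 entry covers", wildcard_range("172.0.0.0", "0.31.255.255"))
    print("correct 172 entry covers", wildcard_range("172.16.0.0", "0.15.255.255"))
    for dst in ("10.10.100.5", "172.16.100.5", "172.5.1.1", "8.8.8.8"):
        print(dst, evaluate(ACL_AS_POSTED, "192.168.1.50", dst),
              evaluate(ACL_CORRECTED, "192.168.1.50", dst))
```

The posted entry covers 172.0.0.0 through 172.31.255.255, so it also denies public addresses in 172.0.0.0 to 172.15.255.255; the corrected entry covers exactly 172.16.0.0/12. A packet with a non-guest (spoofed) source falls through both lists to the implicit deny.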

Thank you for the correction Jon. While we do not use all of the private ranges, we use a bunch. Wouldn't want to have to come fix this acl if we ever added something new later. Easier to cover the whole range now I think.
