05-28-2015 12:10 PM - last edited on 04-06-2023 10:52 PM by Translator
I have multiple subinterfaces on a router. One of the subinterfaces will be for guest access to the internet. I want to allow these users access to the internet but block them from our internal resources on other subinterfaces as well as corporate resources across the mpls/bgp network. Is this the best way to accomplish this? The path to the internet is across the mpls circuit.
interface GigabitEthernet0/0
 description LAN
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.10
 description DATA
 encapsulation dot1Q 10
 ip address 10.10.100.1 255.255.255.0
 ip wccp redirect exclude in
!
interface GigabitEthernet0/0.20
 description VOICE
 encapsulation dot1Q 20
 ip address 172.16.100.1 255.255.255.0
 ip wccp 61 redirect in
!
interface GigabitEthernet0/0.30
 description GUEST
 encapsulation dot1Q 30
 ip address 192.168.1.1 255.255.255.0
 ip access-group 199 in
!
interface s0/0/0:0
 description ATT MPLS
 ip address 68.2.4.8 255.255.255.248
 ip flow ingress
 ip flow egress
!
access-list 199 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 199 deny ip 192.168.1.0 0.0.0.255 172.0.0.0 0.31.255.255
access-list 199 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 199 permit ip 192.168.1.0 0.0.0.255 any
!
Notice access-list 199 applied inbound interface g0/0.30.
05-28-2015 02:31 PM
I also use these private networks quite often in ACLs. For that, one of my first copy/pastes to a new router is the following object-group:
object-group network RFC1918
 10.0.0.0 255.0.0.0
 172.16.0.0 255.240.0.0
 192.168.0.0 255.255.0.0
This object-group can then be used in the ACLs:
ip access-list extended XXX
 deny ip any object-group RFC1918
 permit ip YOUR-NETWORK any
Effectively it's the same as your ACL. For the "deny" I would use the source of "any" as it also prevents spoofed addresses.
05-28-2015 01:02 PM
Are you really using all the internal private ranges?
Regardless, yes, your ACL will work, except your 172.x.x.x entry is wrong, i.e. it should be "172.16.0.0 0.15.255.255".
Jon
05-29-2015 11:34 AM
Thank you for the correction Jon. While we do not use all of the private ranges, we use a bunch. Wouldn't want to have to come fix this acl if we ever added something new later. Easier to cover the whole range now I think.