I would like to setup an ACL to only allow, Internet,DHCP,DNS. No inter vlan routing. Would the following work?
This will be on a pair of 7k's
Thanks for your Help!
ip access-list Internet_Only
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
permit ip any 172.31.x.x (GateWay)
permit tcp any any eq www
permit tcp any any eq 443
permit UDP 172.31.220.200 any eq 67
permit UDP 172.31.220.200 any eq 68
permit UDP 172.31.2.95 any any eq domain
permit UDP 172.31.2.95 eq domain any
permit TCP 172.31.2.95 any any eq domain
permit TCP 172.31.2.95 eq domain any
deny ip any any log
It depends where you're planning to apply this ACL and what your internal subnets and vlans are if it will have the desired results. It looks like your internal subnets are all the private address spaces, so just for example purposes let's say your network looks like this:
Vlan 10 - 10.0.0.0/8
vlan 20 - 172.16.0.0/12
vlan 30 - 192.168.0.0/16.
ACL's are sequential, once a packet matches a line of the ACL it follows that action and does not check any other lines. If you applied that ACL to, let's say, the switches uplink port (firewall or internet access port) your first 6 lines of the ACL block all traffic for the 3 subnets so your DHCP and DNS traffic gets dropped too. You want to make sure you put the more specific rules on top (before the "deny ip any").
For inter vlan routing, you have to use vlan access-maps and filters. Those can be a little tricky and they don't filter by port or protocol, they only filter by IP address, also they are direction specific, you can't apply one "in" or "out" like you do on a port ACL, you just apply it and if a packet matches the access map and is trying to enter or exit the vlan, it is dropped.
May need a little more info on where you're trying to control and your network layout to build both a PACL and VACL but I hope that gives you a little more insight on both topics
The unwanted IP address space is much larger than the RFC 1918 addresses you have included in your ACL. f you are really fastidious about not letting in undesirable traffic consult such sites as The Bogon Reference - Team Cymru for lists of bogons to be denied. (It is of course not the only site but it is the easiest for me to remember)
Also the easiest way to prevent inter-VLAN routing might be to put each VLAN in its own VRF and leak the global route to the global routing table. Then you have independent control over what each VLAN is able to access.