09-21-2012 11:02 AM - edited 03-04-2019 05:38 PM
I have a 2821 router w/ SLM 2024 switches. Native VLAN(default vlan) is my private network and VLAN 100 is my guest network. The following shows my interface config...
interface GigabitEthernet0/1
description $ES_LAN$$ETH-LAN$
ip address 10.1.0.2 255.255.0.0
ip flow ingress
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 100
ip address 10.3.1.254 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly
!
ip default-gateway xx.xxx.xxx.xxx
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
Default route is defined...
ip route 0.0.0.0 0.0.0.0 xx.xxx.xxx.xxx
Access list are as follows...
access-list 175 deny ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 175 permit ip 10.1.0.0 0.0.255.255 any
access-list 175 deny ip 10.3.1.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 175 permit ip 10.3.1.0 0.0.0.255 any
I would like to continue to have access to the guest VLAN from the private VLAN in order to allow management of access points etc.
I want to allow the guest network internet access but block it from accessing my private network.
Not sure how to go about this. I've tried changing this acl (removing the 10.3.1.0 entries) and creating another acl for those entries and applying that to the VLAN 100 sub interface...so far no luck.
Thanks in advance for the help!
09-21-2012 11:23 AM
Hello Chris,
I would apply inbound to gig0/1.1 the following access-list made of only two statements.
int gi0/1.1
ip access-group 175 in
access-list 175 deny ip 10.3.1.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 175 permit ip 10.3.1.0 0.0.0.255 any
>> I would like to continue to have access to the guest VLAN from the private VLAN in order to allow management of access points
With the ACL above applied inbound to gi0/1.1 you can manage the access-points from the router.
That is, you telnet to the router and then you can telnet to the access point.
I know this is a tradeoff, but in this way you keep the guest vlan separated from your internal network and this is a good move for security.
If you need a web based interface to the access-points you can use the following ACL
access-list 175 permit ip 10.3.1.0 0.0.0.255 host 10.1.1.X
access-list 175 deny ip 10.3.1.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 175 permit ip 10.3.1.0 0.0.0.255 any
where host 10.1.1.X is a management station in your internal network that is the only host that can be reached from the guest subnet. This allows you to access the web interface on the access points, to poll them via SNMP, to ping them and so on.
You could also write the equivalent lines like
access-list 175 permit icmp 10.3.1.0 0.0.0.255 host 10.1.1.X
access-list 175 permit udp 10.3.1.0 0.0.0.255 host 10.1.1.X
access-list 175 permit tcp 10.3.1.0 0.0.0.255 eq 80 host 10.1.1.X
access-list 175 deny ip 10.3.1.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 175 permit ip 10.3.1.0 0.0.0.255 any
Note: I have assumed web access on the default TCP port 80 and left the UDP ports unspecified in the second statement.
Hope to help
Giuseppe
09-21-2012 11:59 AM
Hi Giuseppe,
Thanks for the quick reply...I did neglect to post the acl for my s2s vpn...
ip access-list extended S2S-VPN-TRAFFIC
permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
then
access-list 175 deny ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 175 permit ip 10.1.0.0 0.0.255.255 any <<<
I have NAT running to provide remote access to devices on both the private and guest networks for management/monitoring purposes.
From that standpoint should I leave the lines above and create another acl for the 10.3.1.0 network and apply inbound to gig0/1.1? Also with this config would NAT be affected on either network by making this change?
Thanks,
Chris
09-21-2012 12:19 PM
Hello Chris,
>> From that standpoint should I leave the lines above and create another acl for the 10.3.1.0 network and apply inbound to gig0/1.1?
I would go this way, as you cannot express all your needs in a single ACL. The ACL to be applied on gi0/1.1 will likely require additional statements than the ones I have suggested, but dividing the problem into manageable smaller parts is a good strategy.
>> Also with this config would NAT be affected on either network by making this change?
As long as both the internal network and the guest network are on the same side (ip nat inside), no NAT is triggered for communication between them, so this change shouldn't influence the NAT configuration.
Hope to help
Giuseppe
09-21-2012 01:37 PM
Thank you sir for your help...here is my acl which is working beautifully.
access-list 175 deny ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 175 permit ip 10.1.0.0 0.0.255.255 any
access-list 175 permit ip 10.3.1.0 0.0.0.255 any
access-list 176 permit ip 10.3.1.0 0.0.0.255 host 10.1.99.99
access-list 176 deny ip 10.3.1.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 176 permit ip 10.3.1.0 0.0.0.255 any
I applied acl 176 to int gi0/1.1 and had to add the 3rd line to acl 175 to allow internet access out for the 10.3.1.0 network.
The first entry on acl 176 is the machine I use for management.
Thanks again...you are a life saver!
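Added example (not from the thread and not Cisco's code): a small Python evaluator for the wildcard-mask ACL syntax used above. It parses the final ACL 176 and walks constructed flows through first-match evaluation and the implicit deny; running it shows that guest traffic to anything outside 10.1.0.0/16, including the VPN-side 10.2.0.0/16, falls through to the final permit. Ports are ignored, and the sample flow addresses are constructed.

```python
import ipaddress

# Constructed input: ACL 176 as posted in the thread, applied inbound on gi0/1.1.
ACL_176 = """
access-list 176 permit ip 10.3.1.0 0.0.0.255 host 10.1.99.99
access-list 176 deny ip 10.3.1.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 176 permit ip 10.3.1.0 0.0.0.255 any
"""

def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_operand(tokens, i):
    # any | host A.B.C.D | A.B.C.D WILDCARD -> ((base, wildcard), next index).
    # A 1 bit in a Cisco wildcard mask means "don't care" (the inverse of a netmask).
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (ip_int(tokens[i + 1]), 0), i + 2
    return (ip_int(tokens[i]), ip_int(tokens[i + 1])), i + 2

def parse_acl(text, number):
    """Entries of numbered ACL `number` in configuration order: (action, proto, src, dst)."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) >= 5 and t[:2] == ["access-list", str(number)]:
            src, i = parse_operand(t, 4)
            dst, _ = parse_operand(t, i)
            entries.append((t[2], t[3], src, dst))
    return entries

def matches(operand, addr):
    base, wildcard = operand
    care = ~wildcard & 0xFFFFFFFF  # bits that must be equal
    return (ip_int(addr) & care) == (base & care)

def evaluate(entries, proto, src, dst):
    # First match wins. Returns (action, 1-based entry number); entry 0 is the
    # implicit "deny any" that terminates every Cisco ACL. Ports are ignored here.
    for n, (action, p, s, d) in enumerate(entries, 1):
        if p in ("ip", proto) and matches(s, src) and matches(d, dst):
            return action, n
    return "deny", 0

if __name__ == "__main__":
    # Constructed flows from a guest client: management host, router LAN address,
    # an internet host (TEST-NET-3), the VPN-side 10.2.0.0/16; then a non-guest source.
    for flow in [("tcp", "10.3.1.50", "10.1.99.99"), ("tcp", "10.3.1.50", "10.1.0.2"),
                 ("udp", "10.3.1.50", "203.0.113.10"), ("tcp", "10.3.1.50", "10.2.5.5"),
                 ("tcp", "192.168.1.1", "10.1.0.2")]:
        print(flow, "->", evaluate(parse_acl(ACL_176, 176), *flow))
```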