Solved: Allow VLAN on sub interface internet access but block traffic to native VLAN

Chris Bailey · ‎09-21-2012

I have a 2821 router w/ SLM 2024 switches. Native VLAN(default vlan) is my private network and VLAN 100 is my guest network. The following shows my interface config...

interface GigabitEthernet0/1

description $ES_LAN$$ETH-LAN$

ip address 10.1.0.2 255.255.0.0

ip flow ingress

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

interface GigabitEthernet0/1.1

encapsulation dot1Q 100

ip address 10.3.1.254 255.255.255.0

ip flow ingress

ip nat inside

ip virtual-reassembly

!

ip default-gateway xx.xxx.xxx.xxx

ip forward-protocol nd

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

Default route is defined...

ip route 0.0.0.0 0.0.0.0 xx.xxx.xxx.xxx

Access list are as follows...

access-list 175 deny ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255

access-list 175 permit ip 10.1.0.0 0.0.255.255 any

access-list 175 deny ip 10.3.1.0 0.0.0.255 10.1.0.0 0.0.255.255

access-list 175 permit ip 10.3.1.0 0.0.0.255 any

I would like to continue to have access to the guest VLAN from the private VLAN in order to allow management of access points etc.

I want to allow the guest newtork internet access but block it from accessing my private network.

Not sure how to go about this. I've tried changing this acl (removing the 10.3.1.0 entries) and creating another acl for those entries and applying that to the VLAN 100 sub interface...so far no luck.

Thanks in advance for the help!

Giuseppe Larosa · ‎09-21-2012

Hello Chris,

>> From that standpoint should I leave the lines above and create another acl for the 10.3.1.0 network and apply inbound to gig0/1.1?

I would go this way, as you cannot in a single ACL express all your needs. The ACL to be applied on gi0/1.1 will likely require additional statements then the ones I have suggested, but dividing the problem in manageable smaller parts is a good strategy.

>> Also with this config would NAT be effected on either network by making this change?

Until both internal network and guest network are on the same side (ip nat inside) there is no NAT triggered in communication between them so you shouldn't influence the NAT configuration with this change.

Hope to help

Giuseppe

View solution in original post

Giuseppe Larosa · ‎09-21-2012

Hello Chris,

I would apply inbound to gig0/1.1 the following access-list made of only two statements.

int gi0/1.1

ip access-group 175 in

access-list 175 deny ip 10.3.1.0 0.0.0.255 10.1.0.0 0.0.255.255

access-list 175 permit ip 10.3.1.0 0.0.0.255 any

>> I would like to continue to have access to the guest VLAN from the private VLAN in order to allow management of access points

With the ACL above applied inbound to gi0/1.1 you can manage the access-points from the router.

That is you telnet to the router and then you can telnet to the access point.

I know this is a tradeoff, but in this way you keep the guest vlan separated from your internal network and this is a good move for security.

If you need a web based interface to the access-points you can use the following ACL

access-list 175 permit ip 10.3.1.0 0.0.0.255 host 10.1.1.X

access-list 175 deny ip 10.3.1.0 0.0.0.255 10.1.0.0 0.0.255.255

access-list 175 permit ip 10.3.1.0 0.0.0.255 any

where host 10.1.1.X is a management station in your internal network that is the only host that can be reached from guest subnet. This allows you to access web interface on access-points to poll them via SNMP, to ping them and so on.

You can eventually write the lines equivalent to this like

access-list 175 permit icmp 10.3.1.0 0.0.0.255 host 10.1.1.X

access-list 175 permit udp 10.3.1.0 0.0.0.255 host 10.1.1.X

access-list 175 permit tcp 10.3.1.0 0.0.0.255 eq 80 host 10.1.1.X

access-list 175 deny ip 10.3.1.0 0.0.0.255 10.1.0.0 0.0.255.255

access-list 175 permit ip 10.3.1.0 0.0.0.255 any

note: I have supposed web access on default TCP port 80 and left unspecified the UDP ports on the second statement.

Hope to help

Giuseppe

Chris Bailey · ‎09-21-2012

Hi Giuseppe,

Thanks for the quick reply...I did neglect to post the acl for my s2s vpn...

ip access-list extended S2S-VPN-TRAFFIC

permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255

then

access-list 175 deny ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255

access-list 175 permit ip 10.1.0.0 0.0.255.255 any <<<

I have NAT running to provide remote access to devices on both the private and guest networks for management/monitoring purposes.

From that standpoint should I leave the lines above and create another acl for the 10.3.1.0 network and apply inbound to gig0/1.1? Also with this config would NAT be effected on either network by making this change?

Thanks,

Chris

Giuseppe Larosa · ‎09-21-2012

Hello Chris,

>> From that standpoint should I leave the lines above and create another acl for the 10.3.1.0 network and apply inbound to gig0/1.1?

I would go this way, as you cannot in a single ACL express all your needs. The ACL to be applied on gi0/1.1 will likely require additional statements then the ones I have suggested, but dividing the problem in manageable smaller parts is a good strategy.

>> Also with this config would NAT be effected on either network by making this change?

Until both internal network and guest network are on the same side (ip nat inside) there is no NAT triggered in communication between them so you shouldn't influence the NAT configuration with this change.

Hope to help

Giuseppe

Chris Bailey · ‎09-21-2012

Thank you sir for your help...here is my acl which is working beautifully.

access-list 175 deny ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255

access-list 175 permit ip 10.1.0.0 0.0.255.255 any

access-list 175 permit ip 10.3.1.0 0.0.0.255 any

access-list 176 permit ip 10.3.1.0 0.0.0.255 host 10.1.99.99

access-list 176 deny ip 10.3.1.0 0.0.0.255 10.1.0.0 0.0.255.255

access-list 176 permit ip 10.3.1.0 0.0.0.255 any

I applied acl 176 to int gi0/1.1 and had to add the 3rd line to acl 175 to allow internet access out for the 10.3.1.0 network.

The first entry on acl 176 is the machine I use for management.

Thanks again...you are a life saver!