06-11-2021 08:25 AM
I have the following subnets below. I want to let traffic from the green subnet go everywhere, but the blue subnet (DMZ) should not be able to get into the green network. How do I prevent the blue network from getting into the green network? What should I do on my router?
06-11-2021 08:38 AM
Simply do extended ACLs on the router; technically, the real-world solution would be a firewall, but for the CCNA exam cert, an ACL is OK.
Regards, ML
**Please Rate All Helpful Responses **
06-11-2021 08:46 AM
Hello
You can negate access (TCP) with a routed access list; as for UDP, that is connectionless, so you would have to either allow or deny specific UDP traffic both ways.
Example:
ip access-list extended blue-access
 permit tcp 192.168.127.0 0.0.0.255 any established
 deny tcp 192.168.127.0 0.0.0.255 any
 permit ip any any
!
int vlan x
 ! green L3 interface
 ip access-group blue-access out
06-11-2021 11:32 AM
How can I change the access list order? Like, how can I move the permit any any rule to the bottom?
06-11-2021 01:07 PM - edited 06-11-2021 02:03 PM
The old way was to copy into Notepad and edit there, then copy and paste the ACL back into the router. Using no access-list x will delete all lines/entries in ACL x on the router. A new option, called Named mode, came out in order to edit the ACL on the device itself.
First of all, only if you see sequence numbers in front of the ACL statements when you do show ip access-list. IOS adds sequence numbers to ACLs since version 12.2 I think, or 12.4. Then you can use a Named ACL, which starts with ip access-list, not access-list.
In any case, you must get into Named mode to see the no option or sequence numbers to edit the ACL (see example below).
Example:
Router(config)#ip access-list extended 100
Router(config-ext-nacl)#?
<1-2147483647> Sequence Number
default Set a command to its defaults
deny Specify packets to reject
exit Exit from access-list configuration mode
no Negate a command or set its defaults
permit Specify packets to forward
remark Access list entry comment
Router(config-ext-nacl)#
Regards, ML
**Please Rate All Helpful Responses **
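To make the first-match and established behaviour of the blue-access ACL concrete, and to show what moving permit ip any any to the bottom actually changes, here is an added Python model of a named extended ACL with sequence numbers (written for this thread, not code from the posters or from Cisco). The packet dictionary format, the sequence numbers 10/20/30, and 192.168.127.0/24 as the blue side are assumptions.

```python
import ipaddress
from dataclasses import dataclass
@dataclass
class Ace:
    seq: int
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" (ip matches any protocol)
    src: str               # "network wildcard" pair, or "any"
    established: bool = False

def src_matches(addr, spec):
    """IOS wildcard match: a 1 bit in the wildcard mask means 'don't care'."""
    if spec == "any":
        return True
    net, wild = (int(ipaddress.IPv4Address(x)) for x in spec.split())
    return (int(ipaddress.IPv4Address(addr)) ^ net) & ~wild & 0xFFFFFFFF == 0

def ace_matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt["proto"]:
        return False
    # 'established' only matches TCP segments with ACK or RST set, i.e. replies to a
    # session the other side opened; a fresh SYN coming from the blue side never matches.
    if ace.established and not (pkt.get("ack") or pkt.get("rst")):
        return False
    return src_matches(pkt["src"], ace.src)

def evaluate(acl, pkt):
    """First match wins, in sequence order; anything unmatched hits the implicit deny."""
    return next((a.action for a in sorted(acl, key=lambda a: a.seq) if ace_matches(a, pkt)), "deny")

def delete_seq(acl, seq):   # named-mode "no <seq>": drop one entry, the rest of the ACL stays
    acl[:] = [a for a in acl if a.seq != seq]

def resequence(acl, start=10, step=10):   # "ip access-list resequence <name> <start> <step>"
    for i, ace in enumerate(sorted(acl, key=lambda a: a.seq)):
        ace.seq = start + i * step

BLUE = "192.168.127.0 0.0.0.255"   # assumed: the DMZ/blue subnet used in the answer above
def misordered_acl():   # constructed: 'permit ip any any' typed before the deny, so the deny is dead
    return [Ace(10, "permit", "tcp", BLUE, established=True),
            Ace(20, "permit", "ip", "any"),
            Ace(30, "deny", "tcp", BLUE)]

def fix_order(acl):
    """Move 'permit ip any any' to the bottom the way you would in named-ACL mode."""
    delete_seq(acl, 20)                         # Router(config-ext-nacl)# no 20
    acl.append(Ace(40, "permit", "ip", "any"))  # Router(config-ext-nacl)# 40 permit ip any any
    resequence(acl)                             # Router(config)# ip access-list resequence blue-access 10 10
    return acl
```

Running evaluate() on a blue-sourced SYN before and after fix_order() shows why the deny must sit above the permit ip any any, and the UDP case shows the caveat from the earlier answer: UDP from blue still passes this ACL.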
06-12-2021 12:22 AM - edited 06-12-2021 12:22 AM
Thank you. That helps :))
Could you take a look at my other question? I think you will be able to answer that too. You will find it in my profile.