
Restricting traffic from one interface to another in a router.

Sam17
Level 1

Hello,

 

I would like to quickly ask if anyone knows of a way to prevent traffic going from one interface to another. This is in Packet Tracer; my objective is to create a guest Wi-Fi area without the ability to access the workspace through one of the two routers. Below you will see the layout and an illustration of the general idea. I know I have to use an ACL but I'm not entirely sure how to do this.

 

The IP of the workspace Subnet is 192.168.3.0

The IP going between the two routers is 192.168.5.0 with the 2nd router having the IP 192.168.5.253 and the building 2 router .3.254.

The black arrow shows the way I wish the guest Wi-Fi traffic to be restricted to, with the red cross showing where it should be unable to access.

 

image.png

 

Thanks in advance

2 Replies

Giuseppe Larosa
Hall of Fame

Hello,

You need to use an extended IP ACL, which allows you to specify source and destination addresses.

 

Example:

access-list 111 remark ACL for Guest traffic.

! note: I suppose that 192.168.11.0/24 is your guest subnet

access-list 111 deny ip 192.168.11.0 0.0.0.255 192.168.3.0 0.0.0.255

access-list 111 permit ip 192.168.11.0 0.0.0.255 any

 

The deny statement needs to be first (order is very important in an ACL) and denies access to the workplace subnet.

On the C2811 right FE you can apply:

 

interface type x/y

ip access-group 111 in

 

Hope to help

Giuseppe
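
To check the point about entry order in the reply above, here is an added example (not code from the thread or from Cisco) that models IOS first-match evaluation of the posted ACL, including wildcard masks and the implicit deny at the end of every ACL. The host addresses and the reversed ACL are constructed for illustration, and 192.168.11.0/24 is the guest subnet assumed in the reply.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS wildcard match: bits set to 1 in the wildcard are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_spec(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines, keeping their order."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            continue  # skips remarks, '!' comments and blank lines
        if t[3] != "ip":
            raise ValueError("only 'ip' entries are handled: " + line)
        src, rest = parse_spec(t[4:])
        dst, _ = parse_spec(rest)
        rules.append((t[2], src, dst))
    return rules

def evaluate(rules, src, dst):
    """First matching entry decides; if nothing matches, the implicit deny applies."""
    for action, s, d in rules:
        if wildcard_match(src, *s) and wildcard_match(dst, *d):
            return action
    return "deny"

ACL_AS_POSTED = """\
access-list 111 remark ACL for Guest traffic.
access-list 111 deny ip 192.168.11.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 111 permit ip 192.168.11.0 0.0.0.255 any
"""
# Constructed counter-example: the same two entries with the permit first.
ACL_REVERSED = """\
access-list 111 permit ip 192.168.11.0 0.0.0.255 any
access-list 111 deny ip 192.168.11.0 0.0.0.255 192.168.3.0 0.0.0.255
"""
```

With the entries reversed, the broad permit matches guest-to-workspace packets before the deny is ever reached, so the restriction silently stops working.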

 

Thanks, I'll give it a go and see if it works.
