router-on-a-stick allow access only to certain networks

kapydan88
Level 4

Hello everybody.

 

On one of the sites, we use router-on-a-stick technology. On this site, we decided to add one new network and allow access for PCs from this network only to the same network and one other. Is the correct solution to do this using an ACL and access-group in/out on this subinterface?

 

Extended IP access list 154
10 permit ip 192.168.26.0 0.0.0.255 192.168.26.0 0.0.0.255
20 permit ip 192.168.26.0 0.0.0.255 192.168.19.0 0.0.0.255
30 deny ip any any

ISR_4331#sh ip int br
Interface IP-Address OK? Method Status Protocol
...
Gi0/0/1.119 192.168.119.1 YES NVRAM up up
Gi0/0/1.121 192.168.121.1 YES NVRAM up up
Gi0/0/1.127 192.168.127.1 YES NVRAM up up
Gi0/0/1.514 192.168.26.1 YES manual up up
...
ISR_4331#sh run int Gi0/0/1.514
Building configuration...
!
interface GigabitEthernet0/0/1.514
description test_system
encapsulation dot1Q 514
ip address 192.168.26.1 255.255.255.0
ip access-group 154 in
ip access-group 154 out
end


10 Replies

Richard Burts
Hall of Fame

You do not want that access list applied both in and out. Remove the line that configures it for out. Both entries in the acl specify 192.168.26.0 as the source. It is hard to imagine what traffic would be sent out that interface with this source address. I am puzzled at the acl entry that uses 192.168.26.0 as both source and destination. That suggests that some device in 192.168.26.0 is going to send a packet to the router to reach some other device that is in the same subnet.

 

The access list allows 192.168.26.0 to communicate with 192.168.19.0 and not with anything else. If that is what you are attempting to achieve then this should do it.

HTH

Rick

So, in this particular case, when we need to allow traffic only within this subnet itself (192.168.26.0/24) and one another network (192.168.19.0/24), the acl must be configured as follows

 

Extended IP access list 154
10 permit ip 192.168.26.0 0.0.0.255 192.168.19.0 0.0.0.255
20 deny ip any any

 

interface GigabitEthernet0/0/1.514
description test_system
encapsulation dot1Q 514
ip address 192.168.26.1 255.255.255.0
ip access-group 154 in
end

Hello

A routed access-list would be applicable for this. However, you wouldn't need to specify an ACL entry for L2 traffic, only L3, and you don't need to add a deny any any at the end of the ACL, as there is an implicit deny for traffic by default, unless you wish to log the traffic that is being denied.

no ip access-list extended 154
ip access-list extended 154
permit ip any 192.168.19.0 0.0.0.255
permit ip 192.168.19.0 0.0.0.255 any
deny ip any any log  <---optional


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
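The evaluator below is an added example written for this page; it is not code from any of the posts above or from Cisco. It models how IOS walks an extended IP access list top to bottom, matching addresses against wildcard masks and ending in the implicit deny Paul mentions, and runs the lists posted in this thread through that model. The function and constant names (parse_acl, evaluate, check_flow, ACL_ORIGINAL and friends) and the host addresses 192.168.26.10, 192.168.19.5 and 10.9.8.7 are assumptions made for the example. It shows Rick's point that applying list 154 both in and out on Gi0/0/1.514 drops the replies coming back from 192.168.19.0/24, because every ACE names 192.168.26.0 as the source, and that traffic between two hosts inside 192.168.26.0/24 never reaches the router, so ACE 10 can never match. It also shows where Rick's and Paul's lists differ: with "permit ip any 192.168.19.0 0.0.0.255" a packet arriving on the subinterface with a source address outside 192.168.26.0/24 is still permitted, whereas the source-specific form denies it.

```python
"""Model of how Cisco IOS evaluates an extended IP access list (added example)."""
import ipaddress
from dataclasses import dataclass

# The ACLs as they appear in the thread (copied from the posts above).
ACL_ORIGINAL = """
Extended IP access list 154
10 permit ip 192.168.26.0 0.0.0.255 192.168.26.0 0.0.0.255
20 permit ip 192.168.26.0 0.0.0.255 192.168.19.0 0.0.0.255
30 deny ip any any
"""

ACL_RICK = """
Extended IP access list 154
10 permit ip 192.168.26.0 0.0.0.255 192.168.19.0 0.0.0.255
20 deny ip any any
"""

ACL_PAUL = """
ip access-list extended 154
permit ip any 192.168.19.0 0.0.0.255
permit ip 192.168.19.0 0.0.0.255 any
"""

ACL_DENY_ALL = """
ip access-list extended 154
deny ip any any
"""


@dataclass(frozen=True)
class Ace:
    action: str      # "permit" or "deny"
    src_net: int
    src_wild: int    # wildcard mask: a 1 bit means "don't care"
    dst_net: int
    dst_wild: int


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _endpoint(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at tokens[i]; return (net, wildcard, next)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def parse_acl(text):
    """Parse 'show access-lists' or running-config style ACEs; only 'ip' ACEs are modelled."""
    acl = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens and tokens[0].isdigit():      # optional sequence number
            tokens = tokens[1:]
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue                             # header lines such as 'ip access-list extended 154'
        if tokens[1] != "ip":
            raise ValueError(f"only 'ip' ACEs are modelled: {line}")
        src_net, src_wild, i = _endpoint(tokens, 2)
        dst_net, dst_wild, _ = _endpoint(tokens, i)   # trailing tokens such as 'log' are ignored
        acl.append(Ace(tokens[0], src_net, src_wild, dst_net, dst_wild))
    return acl


def _matches(addr, net, wild):
    # Compare only the bits the wildcard mask does not mark as "don't care".
    return (addr & ~wild) == (net & ~wild)


def evaluate(acl, src, dst):
    """First matching ACE wins; an ACL with no match ends in IOS's implicit deny."""
    s, d = _ip(src), _ip(dst)
    for ace in acl:
        if _matches(s, ace.src_net, ace.src_wild) and _matches(d, ace.dst_net, ace.dst_wild):
            return ace.action
    return "deny"


def check_flow(acl_in, acl_out, client, server, subnet="192.168.26.0/24"):
    """Round trip through the subinterface for 'subnet' (hypothetical helper).

    The request enters the router through the subinterface (source = client) and
    is checked by acl_in; the reply leaves through it (source = server) and is
    checked by acl_out. None means no ACL in that direction. Two hosts inside
    the subnet never reach the router, so no ACL is consulted at all.
    """
    net = ipaddress.ip_network(subnet)
    if ipaddress.IPv4Address(client) in net and ipaddress.IPv4Address(server) in net:
        return "switched", "switched"
    request = evaluate(acl_in, client, server) if acl_in is not None else "permit"
    reply = evaluate(acl_out, server, client) if acl_out is not None else "permit"
    return request, reply


if __name__ == "__main__":
    original = parse_acl(ACL_ORIGINAL)
    print("154 in and out:", check_flow(original, original, "192.168.26.10", "192.168.19.5"))
    print("154 in only:   ", check_flow(original, None, "192.168.26.10", "192.168.19.5"))
    print("same VLAN:     ", check_flow(original, None, "192.168.26.10", "192.168.26.20"))
    print("spoofed source, Paul's list:", evaluate(parse_acl(ACL_PAUL), "10.9.8.7", "192.168.19.5"))
    print("spoofed source, Rick's list:", evaluate(parse_acl(ACL_RICK), "10.9.8.7", "192.168.19.5"))
```

Run it directly to print the verdicts for each scenario. The model covers plain "ip" ACEs and routed traffic only: it does not know about ports, the "established" keyword, or anything that would let a reply be distinguished from a new connection, which is exactly why a source-only list applied outbound blocks the return path.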

What should the ACL look like if traffic is allowed only inside the network itself, 192.168.26.0/24? In other words, none of the PCs on this network should have access to other networks.

You ask an interesting question about what to do if the network can only communicate with itself. And it prompts me to ask a question to clarify one aspect of your environment. We have been focusing on communication between networks in your organization. We have not addressed any possible communication to outside of your network (access to Internet). Would devices in the 192.168.26.0 need access to outside? Or is it truly just to communicate with each other?

 

If it is just to communicate with each other then I think you do not need the router subinterface. Just configure the vlan and access ports on the switch. That would allow them to communicate with each other and no one else. (The possible exception to this would be if they need access to something like a DHCP server)

 

I believe that the access list and interface configurations you posted would be appropriate if you want 192.168.26.0 to communicate with 192.168.19.0 and with no one else.

HTH

Rick

I considered the option of creating a simple vlan in the first place (without subinterface on the router). But it had to be discarded, because the task sounds like "create vlan 514 with gateway 192.168.26.1/24. PCs in this network must be able to communicate with each other and with the 192.168.19.0/24 network." The 192.168.19.0/24 network is located on another physical site and contains several ftp servers where information should be uploaded.

Either:

ip access-list extended 154
deny ip any any !since you have no other ACEs, you need to be explicit

or

no interface GigabitEthernet0/0/1.514

BTW, is the "other" network supposed to be .19. or .119.?

ip access-list extended 154
deny ip any any - I'm not sure that in this case hosts will be able to communicate with each other inside their own VLAN.

 

 

no interface GigabitEthernet0/0/1.514 - unfortunately, I can't do this, because according to the task conditions the network must have its own gateway 192.168.26.1/24.

 

Thanks for the update. As for your points:

- devices within the same subnet (within the same vlan) can always communicate with each other. There is no possibility for the router to prevent communication between devices in the same subnet/same vlan. A router can only control communication of devices in the subnet with devices in other subnets.

- you asked about the possibility of devices communicating only within the same subnet (same vlan). Removing the router subinterface is a valid way to implement that. If you have other requirements that there be a gateway configured then this option would not work for you. But when we suggested this we did not know of additional requirements.

HTH

Rick

"no interface GigabitEthernet0/0/1.514 - unfortunately, I can't do this, because according to the task conditions the network must have its own gateway 192.168.26.1/24"

Okay, although if you block all IP communication, having it doesn't accomplish much.