06-27-2020 09:19 AM
Hello everybody.
On one of our sites we use router-on-a-stick. On this site we decided to add one new network and allow PCs from this network access only to the same network and one other network. Is the correct solution to do this using an ACL with access-group in/out on this subinterface?
Extended IP access list 154
10 permit ip 192.168.26.0 0.0.0.255 192.168.26.0 0.0.0.255
20 permit ip 192.168.26.0 0.0.0.255 192.168.19.0 0.0.0.255
30 deny ip any any
ISR_4331#sh ip int br
Interface IP-Address OK? Method Status Protocol
...
Gi0/0/1.119 192.168.119.1 YES NVRAM up up
Gi0/0/1.121 192.168.121.1 YES NVRAM up up
Gi0/0/1.127 192.168.127.1 YES NVRAM up up
Gi0/0/1.514 192.168.26.1 YES manual up up
...
ISR_4331#sh run int Gi0/0/1.514
Building configuration...
!
interface GigabitEthernet0/0/1.514
description test_system
encapsulation dot1Q 514
ip address 192.168.26.1 255.255.255.0
ip access-group 154 in
ip access-group 154 out
end
06-27-2020 09:34 AM
You do not want that access list applied both in and out. Remove the line that configures it for out. Both entries in the acl specify 192.168.26.0 as the source. It is hard to imagine what traffic would be sent out that interface with this source address. I am puzzled at the acl entry that uses 192.168.26.0 as both source and destination. That suggests that some device in 192.168.26.0 is going to send a packet to the router to reach some other device that is in the same subnet.
The access list allows 192.168.26.0 to communicate with 192.168.19.0 and not with anything else. If that is what you are attempting to achieve then this should do it.
06-27-2020 10:22 AM
So, in this particular case, when we need to allow traffic only within this subnet itself (192.168.26.0/24) and one other network (192.168.19.0/24), the ACL must be configured as follows:
Extended IP access list 154
10 permit ip 192.168.26.0 0.0.0.255 192.168.19.0 0.0.0.255
20 deny ip any any
interface GigabitEthernet0/0/1.514
description test_system
encapsulation dot1Q 514
ip address 192.168.26.1 255.255.255.0
ip access-group 154 in
end
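The two points made above (the 09:34 AM reply that the ACL should not be applied both in and out, and the corrected inbound-only configuration in this post) are easiest to see by walking packets through the subinterface. The following Python model is an added illustration written for this page, not Cisco code and not something from the thread: it implements IOS wildcard-mask matching, first-match evaluation with the implicit deny, and a simplified forwarding path in which an inbound ACL is checked on the ingress interface and an outbound ACL on the egress interface. Traffic between two hosts in the same subnet never reaches the router (it is switched inside VLAN 514), so it returns "switched" without consulting any ACL. The interface table is constructed from the `sh ip int br` output in the question; the `WAN` interface for 192.168.19.0/24 is an assumption, since the thread only says that network sits on another physical site. Port-level matching, the `established` keyword and router-originated traffic are deliberately left out.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Ace:
    """One access-control entry: 'permit'/'deny', source spec, destination spec.
    A spec is either 'any' or '<network> <wildcard>' as typed in IOS."""
    action: str
    src: str
    dst: str


def wildcard_match(addr: str, spec: str) -> bool:
    """IOS wildcard-mask semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    if spec == "any":
        return True
    network, wildcard = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits the ACE actually compares
    return (a & care) == (n & care)


def evaluate(acl: List[Ace], src: str, dst: str) -> str:
    """First matching ACE wins; an ACL always ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if wildcard_match(src, ace.src) and wildcard_match(dst, ace.dst):
            return ace.action
    return "deny"


# Constructed topology: connected subnets from the question's 'sh ip int br'.
# 'WAN' for 192.168.19.0/24 is an assumption (the remote site's network).
CONNECTED = {
    "Gi0/0/1.119": ipaddress.ip_network("192.168.119.0/24"),
    "Gi0/0/1.121": ipaddress.ip_network("192.168.121.0/24"),
    "Gi0/0/1.127": ipaddress.ip_network("192.168.127.0/24"),
    "Gi0/0/1.514": ipaddress.ip_network("192.168.26.0/24"),
    "WAN": ipaddress.ip_network("192.168.19.0/24"),
}


def interface_for(addr: str) -> str:
    ip = ipaddress.IPv4Address(addr)
    for name, net in CONNECTED.items():
        if ip in net:
            return name
    raise ValueError(f"no route to {addr}")


def forward(src: str, dst: str, bindings: Dict[str, Dict[str, List[Ace]]]) -> str:
    """Simplified IOS forwarding: same-subnet traffic is switched at layer 2 and never
    hits the router; otherwise check the ingress 'in' ACL, then the egress 'out' ACL."""
    in_if = interface_for(src)
    out_if = interface_for(dst)
    if in_if == out_if:
        return "switched"                       # intra-VLAN, router not involved
    acl_in: Optional[List[Ace]] = bindings.get(in_if, {}).get("in")
    if acl_in is not None and evaluate(acl_in, src, dst) == "deny":
        return f"denied in on {in_if}"
    acl_out: Optional[List[Ace]] = bindings.get(out_if, {}).get("out")
    if acl_out is not None and evaluate(acl_out, src, dst) == "deny":
        return f"denied out on {out_if}"
    return f"forwarded {in_if} -> {out_if}"


# The corrected ACL 154: only 192.168.26.0/24 -> 192.168.19.0/24, implicit deny after it.
ACL_154 = [Ace("permit", "192.168.26.0 0.0.0.255", "192.168.19.0 0.0.0.255")]

IN_ONLY = {"Gi0/0/1.514": {"in": ACL_154}}                  # the corrected config
IN_AND_OUT = {"Gi0/0/1.514": {"in": ACL_154, "out": ACL_154}}  # the original config


if __name__ == "__main__":
    for label, bindings in (("in only", IN_ONLY), ("in and out", IN_AND_OUT)):
        print(f"--- access-group 154 applied {label} ---")
        print("26.10 -> 26.20  :", forward("192.168.26.10", "192.168.26.20", bindings))
        print("26.10 -> 19.5   :", forward("192.168.26.10", "192.168.19.5", bindings))
        print("19.5  -> 26.10  :", forward("192.168.19.5", "192.168.26.10", bindings))
        print("26.10 -> 121.7  :", forward("192.168.26.10", "192.168.121.7", bindings))
```

With the ACL applied inbound only, the upload from 192.168.26.0/24 to the FTP network is forwarded, traffic to any other subnet is dropped by the implicit deny, and the replies from 192.168.19.0/24 come back through the subinterface in the outbound direction, where nothing filters them. With the same ACL also applied outbound, every reply has source 192.168.19.x, matches no ACE, and is dropped, which is exactly why the earlier reply says to remove the `out` line. Note that an extended ACL is stateless: the inbound ACL on Gi0/0/1.514 says nothing about which side may initiate a session, so if only 192.168.26.0/24 should be able to open connections toward the FTP servers, that has to be enforced elsewhere (for example on the 192.168.19.0/24 side).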
06-27-2020 10:08 AM
Hello
A routed access list would be applicable for this. However, you don't need to specify an ACL entry for L2 traffic, only L3, and you don't need to add a deny any any at the end of the ACL, as there is an implicit deny by default, unless you wish to log the traffic that is being denied.
no ip access-list extended 154
ip access-list extended 154
permit ip any 192.168.19.0 0.0.0.255
permit ip 192.168.19.0 0.0.0.255 any
deny ip any any log <---optional
06-27-2020 11:25 AM
What should the ACL look like if traffic is allowed only inside the network itself (192.168.26.0/24)? In other words, none of the PCs on this network should have access to other networks.
06-27-2020 12:16 PM
You ask an interesting question about what to do if the network can only communicate with itself. And it prompts me to ask a question to clarify one aspect of your environment. We have been focusing on communication between networks in your organization. We have not addressed any possible communication to outside of your network (access to Internet). Would devices in the 192.168.26.0 need access to outside? Or is it truly just to communicate with each other?
If it is just to communicate with each other then I think you do not need the router subinterface. Just configure the vlan and access ports on the switch. That would allow them to communicate with each other and no one else. (The possible exception to this would be if they need access to something like a DHCP server)
I believe that the access list and interface configurations you posted would be appropriate if you want 192.168.26.0 to communicate with 192.168.19.0 and with no one else.
06-27-2020 01:47 PM
I considered the option of creating a simple VLAN in the first place (without a subinterface on the router). But it had to be discarded, because the task reads: "create vlan 514 with gateway 192.168.26.1/24. PCs in this network must be able to communicate with each other and with the 192.168.19.0/24 network." The 192.168.19.0/24 network is located on another physical site and contains several FTP servers to which information should be uploaded.
06-27-2020 12:33 PM
06-27-2020 01:51 PM
ip access-list extended 154
deny ip any any - I'm not sure that in this case hosts will be able to communicate with each other inside their own VLAN
no interface GigabitEthernet0/0/1.514 - unfortunately, I can't do this, because according to the task conditions the network must have its own gateway 192.168.26.1/24
06-27-2020 02:16 PM
Thanks for the update. As for your points:
- devices within the same subnet (within the same vlan) can always communicate with each other. There is no possibility for the router to prevent communication between devices in the same subnet/same vlan. A router can only control communication of devices in the subnet with devices in other subnets.
- you asked about the possibility of devices communicating only within the same subnet (same vlan). Removing the router subinterface is a valid way to implement that. If you have other requirements that there be a gateway configured then this option would not work for you. But when we suggested this we did not know of additional requirements.
06-27-2020 03:14 PM