3750v2 to 3750v2 Trunk, block network access

Michael Durham
Level 4

I have two 3750v2 switches connected via a trunk. On one switch I have my home network with several networks on it. On the other switch, my neighbor has his network on it. When his Internet connection goes down, he needs to go out my switch and my Internet. This all works fine now. But, from his switch he can ping my server and workstation. I am only allowing his vlan to pass over the trunk, or so I thought.


My Switch Config:

!
interface FastEthernet2/0/46
description WHITE - Connects to Sommer's house port fa3/0/48 (192.168.0.254) Alt 1 Internet Access Source
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport trunk allowed vlan 1,2,69,200
switchport mode trunk
switchport nonegotiate
!


Neighbor's Switch Config:

!
interface FastEthernet3/0/48
description WHITE - Connection to Durham's Garage port fa2/0/46 (192.168.69.3)
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport trunk allowed vlan 1,2,69,200
switchport mode trunk
switchport nonegotiate
spanning-tree portfast
!

I need an acl to allow them to surf the Internet via my Internet connection but not my servers and workstations.

My 2851 router has a sub-interface for the neighbor's network. Its IP is 192.168.0.253 and their switch is 192.168.0.253.

My servers are on IP 192.168.50.x and my workstations are on IP 192.168.69.x


Thanks in advance.

Michael


Hello,


the below access list should do it. Apply it inbound to the subinterface where your neighbor's IP address is configured:


access-list 100 deny ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 100 deny ip 192.168.0.0 0.0.0.255 192.168.69.0 0.0.0.255
access-list 100 permit ip any any


interface FastEthernet0/0.x
ip access-group 100 in

Almost there.

I want to give them access to my color laser printer when they need it, and when I apply the access list it blocks me from logging into the switch at their home. I tried the following but I am still blocked when applied. I ONLY want to be able to telnet to the switch. The neighbor does not know Cisco at all.


access-list 150 remark "Block Sommer's access to our server, workstations, and Dish Network but not the Color Laser printer
access-list 150 permit 23 192.168.0.0 0.0.0.255 192.168.69.0 0.0.0.255
access-list 150 permit ip 192.168.0.0 0.0.0.255 host 192.168.69.100
access-list 150 deny ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 150 deny ip 192.168.0.0 0.0.0.255 192.168.69.0 0.0.0.255
access-list 150 deny ip 192.168.0.0 0.0.0.255 192.168.70.0 0.0.0.255
access-list 150 deny ip 192.168.0.0 0.0.0.255 192.168.125.0 0.0.0.255
access-list 150 permit ip any any
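The access lists in both replies are stateless packet filters, evaluated top-down on the router subinterface with an implicit deny at the end, so a telnet session Michael opens from 192.168.69.x only works if the replies coming back from the neighbor's side are permitted on the way in. Two details decide that: IOS reads the word after permit/deny as an IP protocol (name or number), so `permit 23` matches IP protocol 23, not TCP port 23; and the replies carry TCP source port 23, not destination port 23. The Python below is an added example, not from this thread or from Cisco. It models extended-ACL matching, runs access-list 150 as posted against a few constructed packets, then runs an assumed fix that replaces the first line with `permit tcp 192.168.0.0 0.0.0.255 eq telnet 192.168.69.0 0.0.0.255`. The host addresses and the Internet destination are made up for illustration; the neighbor's switch address 192.168.0.254 is taken from the port description in the first post.

```python
"""Model of IOS numbered extended-ACL evaluation (first match wins, implicit
deny). Added example for the thread above; the 'fixed' list and the sample
packets are this example's assumptions, not a tested Cisco configuration."""
import ipaddress

# Keywords understood by this model (a small subset of IOS)
PROTO_NUMBERS = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1}
PORT_NUMBERS = {"telnet": 23, "www": 80, "domain": 53}


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tok, i):
    """Parse one address spec: 'any' | 'host A' | 'A WILDCARD'.
    Returns ((base, mask), next_index); mask bits set must match."""
    if tok[i] == "any":
        return (0, 0), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0xFFFFFFFF), i + 2
    mask = 0xFFFFFFFF ^ _ip(tok[i + 1])        # wildcard 1-bits are don't-care
    return (_ip(tok[i]) & mask, mask), i + 2


def _parse_port(tok, i):
    """Parse an optional 'eq PORT' qualifier (only 'eq' is modelled)."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (PORT_NUMBERS[p] if p in PORT_NUMBERS else int(p)), i + 2
    return None, i


def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [established]'."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        action, proto = tok[2], tok[3]
        # IOS takes a bare number here as an IP protocol number, not a port:
        # 'permit 23 ...' is protocol 23, which is not TCP (protocol 6).
        proto_no = PROTO_NUMBERS[proto] if proto in PROTO_NUMBERS else int(proto)
        src, i = _parse_addr(tok, 4)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        rules.append((action, proto_no, src, sport, dst, dport, "established" in tok[i:]))
    return rules


def _addr_match(spec, addr):
    base, mask = spec
    return (addr & mask) == base


def evaluate(rules, pkt):
    """Return 'permit' or 'deny' for one packet; unmatched packets are denied."""
    for action, proto, src, sport, dst, dport, est in rules:
        if proto is not None and pkt["proto"] != proto:
            continue
        if not _addr_match(src, _ip(pkt["src"])) or not _addr_match(dst, _ip(pkt["dst"])):
            continue
        if sport is not None and pkt.get("sport") != sport:
            continue
        if dport is not None and pkt.get("dport") != dport:
            continue
        if est and not pkt.get("ack", False):  # 'established' wants ACK/RST set
            continue
        return action
    return "deny"


# access-list 150 as posted in the thread (the remark line is skipped)
POSTED_ACL = """
access-list 150 permit 23 192.168.0.0 0.0.0.255 192.168.69.0 0.0.0.255
access-list 150 permit ip 192.168.0.0 0.0.0.255 host 192.168.69.100
access-list 150 deny ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 150 deny ip 192.168.0.0 0.0.0.255 192.168.69.0 0.0.0.255
access-list 150 deny ip 192.168.0.0 0.0.0.255 192.168.70.0 0.0.0.255
access-list 150 deny ip 192.168.0.0 0.0.0.255 192.168.125.0 0.0.0.255
access-list 150 permit ip any any
"""

# Assumed fix (this example's suggestion): replies to a telnet session opened
# from 192.168.69.x arrive inbound with TCP *source* port 23, so match that.
FIXED_ACL = POSTED_ACL.replace(
    "permit 23 192.168.0.0 0.0.0.255 192.168.69.0 0.0.0.255",
    "permit tcp 192.168.0.0 0.0.0.255 eq telnet 192.168.69.0 0.0.0.255")

# Constructed packets, all as seen inbound on the neighbor's subinterface.
# 192.168.0.254 is the neighbor switch per the port description; the rest are made up.
PACKETS = {
    "neighbor to file server": dict(src="192.168.0.10", dst="192.168.50.5", proto=6, sport=40001, dport=445),
    "neighbor to printer": dict(src="192.168.0.10", dst="192.168.69.100", proto=6, sport=40002, dport=9100),
    "neighbor to internet": dict(src="192.168.0.10", dst="203.0.113.10", proto=6, sport=40003, dport=80),
    "telnet reply from switch": dict(src="192.168.0.254", dst="192.168.69.3", proto=6, sport=23, dport=50000, ack=True),
    "neighbor telnets inward": dict(src="192.168.0.10", dst="192.168.69.3", proto=6, sport=40004, dport=23),
}


def decisions(acl_text):
    """Map each sample packet name to the verdict the given ACL text gives it."""
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, acl in (("posted", POSTED_ACL), ("fixed", FIXED_ACL)):
        print(label)
        for name, verdict in decisions(acl).items():
            print(f"  {verdict:6} {name}")
```

Running it shows the posted list denying the telnet reply (rule 1 never matches, so rule 4 catches it) while the fixed list permits it and still denies neighbor-initiated connections to the servers and workstations, including an inbound telnet to 192.168.69.3. The source-port permit is coarse because the router keeps no session state for a plain extended ACL; narrowing the line to `host` entries for the two switches, or using a reflexive ACL so that only replies to sessions opened from the inside are accepted, would tighten it.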

