Beginner Access control Lists

101pch382
Level 1

I have a 6509 with a router module installed. On this router I have multiple vlan interfaces one for each subnet. I am adding a new subnet which I want to isolate except for outbound Internet access and specified functions between the subnets.

The subnets are 10.1.2.0/24 (which is the gateway to the Internet), 10.1.3.0/24 and 10.1.4.0/24, and I want to add 10.1.5.0/24.

All of these have an interface on the router with 1 as the last octet. I have written the following access lists:

access-list 101 deny ip 10.1.5.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 101 deny ip 10.1.5.0 0.0.0.255 10.1.3.0 0.0.0.255
access-list 101 deny ip 10.1.5.0 0.0.0.255 10.1.4.0 0.0.0.255
access-list 101 permit ip any any

! a port match such as "eq telnet" is only accepted on a tcp (or udp) entry, not on "ip"
access-list 102 permit tcp 10.1.2.0 0.0.0.255 10.1.5.0 0.0.0.255 eq telnet

Will these access lists do what I need, and which should be applied outbound and which should be applied inbound?

Thanks

1 Reply

Giuseppe Larosa
Hall of Fame

Hello Ron,

I would suggest you use only one ACL.

First, the permitted communication between local subnets:

access-list 105 permit tcp 10.1.5.0 0.0.0.255 eq telnet 10.1.2.0 0.0.0.255
! note the position of the TCP port: you want telnet access to devices in 10.1.5.0/24 from 10.1.2.0/24
! then you deny all other internal communication
access-list 105 deny ip 10.1.5.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 105 deny ip 10.1.5.0 0.0.0.255 10.1.3.0 0.0.0.255
access-list 105 deny ip 10.1.5.0 0.0.0.255 10.1.4.0 0.0.0.255
! then you permit internet access
access-list 105 permit ip 10.1.5.0 0.0.0.255 any
! in this way you also have anti-spoofing: you don't allow a source not in 10.1.5.0/24 to go out

I would apply this ACL inbound on the VLAN SVI with IP address 10.1.5.1/24.

Let's suppose it is VLAN 10:

int vlan 10
 ip access-group 105 in

Hope to help

Giuseppe
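As an added illustration (this is not part of the thread, and not Cisco's code), the script below is a small evaluator for numbered IOS extended ACL syntax. It parses Giuseppe's ACL 105 and Ron's ACL 101 exactly as written above, then runs a few constructed packets through both in the position Giuseppe recommends (inbound on the 10.1.5.1 SVI), using first-match-wins semantics and the implicit "deny ip any any" at the end of every IOS ACL. The packets, the port-name table, and the addresses 198.51.100.7 (an Internet host) and 192.0.2.9 (a spoofed source) are assumptions; only contiguous wildcard masks and the "eq" port operator are modelled, which is all the entries on this page use.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed port-name table; IOS resolves many more keywords than this.
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    proto: str   # "ip" matches every protocol
    src_net: ipaddress.IPv4Network
    sport: Optional[int]
    dst_net: ipaddress.IPv4Network
    dport: Optional[int]


def _network(tok: List[str], i: int):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at tok[i]."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    # An IOS wildcard mask is the bitwise inverse of the subnet mask
    # (assumed contiguous here, as in every entry on this page).
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tok[i + 1])))
    return ipaddress.IPv4Network(f"{tok[i]}/{netmask}", strict=False), i + 2


def _port(tok: List[str], i: int):
    """Consume an optional 'eq <port>' at tok[i]."""
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' lines; '!' starts a comment."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "access-list":
            tok = tok[2:]  # drop 'access-list <number>'
        action, proto = tok[0], tok[1]
        src, i = _network(tok, 2)
        sport, i = _port(tok, i)
        dst, i = _network(tok, i)
        dport, i = _port(tok, i)
        aces.append(Ace(action, proto, src, sport, dst, dport))
    return aces


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.IPv4Address(pkt.src) not in ace.src_net:
        return False
    if ipaddress.IPv4Address(pkt.dst) not in ace.dst_net:
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(aces: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; IOS ends every ACL with an implicit 'deny ip any any'."""
    for ace in aces:
        if matches(ace, pkt):
            return ace.action
    return "deny"


# ACL 105 as given in the reply above.
ACL_105 = parse_acl("""
access-list 105 permit tcp 10.1.5.0 0.0.0.255 eq telnet 10.1.2.0 0.0.0.255
access-list 105 deny ip 10.1.5.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 105 deny ip 10.1.5.0 0.0.0.255 10.1.3.0 0.0.0.255
access-list 105 deny ip 10.1.5.0 0.0.0.255 10.1.4.0 0.0.0.255
access-list 105 permit ip 10.1.5.0 0.0.0.255 any
""")

# ACL 101 from the question, evaluated in the same inbound position for comparison.
ACL_101 = parse_acl("""
access-list 101 deny ip 10.1.5.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 101 deny ip 10.1.5.0 0.0.0.255 10.1.3.0 0.0.0.255
access-list 101 deny ip 10.1.5.0 0.0.0.255 10.1.4.0 0.0.0.255
access-list 101 permit ip any any
""")

# Constructed traffic as seen inbound on the 10.1.5.0/24 SVI.
SAMPLE_PACKETS = [
    ("telnet reply to 10.1.2.0/24", Packet("tcp", "10.1.5.10", "10.1.2.20", 23, 40000)),
    ("web to 10.1.3.0/24",          Packet("tcp", "10.1.5.10", "10.1.3.5", 51000, 80)),
    ("https to the Internet",       Packet("tcp", "10.1.5.10", "198.51.100.7", 51000, 443)),
    ("spoofed source to Internet",  Packet("tcp", "192.0.2.9", "198.51.100.7", 51000, 443)),
]


def decisions(pkt: Packet) -> dict:
    return {"101": evaluate(ACL_101, pkt), "105": evaluate(ACL_105, pkt)}


if __name__ == "__main__":
    for label, pkt in SAMPLE_PACKETS:
        d = decisions(pkt)
        print(f"{label:30} ACL 101: {d['101']:6} ACL 105: {d['105']}")
```

Running it prints one row per packet. The last row is the anti-spoofing point from the reply: ACL 101 ends in "permit ip any any", so a packet with a source outside 10.1.5.0/24 is let out, while ACL 105 only permits 10.1.5.0/24 sources and the implicit deny catches everything else. The first row shows why the position of "eq telnet" matters: inbound on the 10.1.5.1 SVI the router sees the telnet server's replies (source port 23), which ACL 105 permits before the deny entries and ACL 101, lacking such an entry, drops. The evaluator is stateless, like a plain IOS ACL, so it models only the one direction on the one interface.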
