HELP? Can't get an IP on my guest VLAN... Setting up my router

drew411nyc
Level 1

Hi Everyone,

Can anyone help please??

I have 3 vlans setup (VLAN 10 - Management, VLAN 20 - Internal, VLAN 30 - Guests) on my 891 Router to do DHCP and NAT...

After configuring my access lists to prevent the guest VLAN 30 from accessing anything on VLAN 10 and VLAN 20, I issued the command "ip access-group Restrict_GUESTS in" on the guest interface VLAN 30, and now any ports configured for VLAN 30 are not receiving an IP address.

I attached a config of my router... Is there something wrong with my config?  The only issue is with this VLAN 30, tested other VLANS and works fine on getting an IP address.

Thanks in advance!

15 Replies

Reza Sharifi
Hall of Fame

Hi,

When you apply an access-list inbound

"ip access-group Restrict_GUESTS in"

This will block access for hosts in that VLAN (30).

Try applying the access-list outbound to VLAN 10 and 20, so VLAN 30 will not be able to access them.

HTH

I'm sorry for the newbie question... but do you know what the exact command would be, or what I would need to enter?

I am a beginner in this...

Hi Drew,

You could try changing the ACL as below.

Remove your existing ACL with

no ip access-list extended Restrict_GUESTS

and create a new one as below

conf terminal

ip access-list extended Restrict_GUESTS

deny  ip 192.168.20.0 0.0.0.255 192.168.10.30 0.0.0.255

deny  ip 192.168.10.0 0.0.0.255 192.168.10.30 0.0.0.255

permit ip any any

Hope that helps

Regards

Najaf

Please rate when applicable or helpful !!!

Try this on VLAN 10 and 20, inbound:

access-list 100 deny ip 172.16.30.0 0.0.0.255 172.16.10.0 0.0.0.255

access-list 100 permit ip any any

interface vlan 10

ip access-group 110 in

access-list 100 deny ip 172.16.30.0 0.0.0.255 172.16.20.0 0.0.0.255

access-list 100 permit ip any any

interface vlan 20

ip access-group 110 in

HTH

Hi Reza,

It looks like you have got the wrong ACL number applied with access-group :-) Your ACL number is 100, but the access-group ACL number you have mentioned is 110.

Regards

Najaf

Hi Najaf,

Thanks for pointing this out. My typo.

Drew,

It should be

interface vlan 20

ip access-group 100 in

interface vlan 10

ip access-group 100 in

HTH

Thanks for your help guys!! Didn't work completely...

I am able to receive an IP on each of the VLANs, but from the guest VLAN 30 I am still able to ping devices in VLAN 10 and VLAN 20. I wanted to set it up so that from VLAN 30 I have no access to VLAN 10 and 20.

This is what I have for the ACLs in my config:

ip access-list extended NAT_ACL

deny   ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255

deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255

deny   ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255

deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255

deny   ip 192.168.20.0 0.0.0.255 192.168.20.0 0.0.0.255

deny   ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255

deny   ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255

deny   ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255

deny   ip 192.168.30.0 0.0.0.255 192.168.30.0 0.0.0.255

permit ip 192.168.10.0 0.0.0.255 any

permit ip 192.168.20.0 0.0.0.255 any

permit ip 192.168.30.0 0.0.0.255 any

deny   ip any any

ip access-list extended Restrict_GUESTS

deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255

deny   ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255

permit ip any any

!

route-map NAT_MAP permit 10

match ip address NAT_ACL

!

access-list 100 deny   ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255

access-list 100 permit ip any any

access-list 100 deny   ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255

Sorry,

Small correction in my ACL. The destination should have been 192.168.30.0 0.0.0.255, as below. Please correct it.
ip access-list extended Restrict_GUESTS
deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
Permit ip any any

Also, which interface have you applied the ACL to?

Could you share entire config?

Regards
Najaf



I am still able to ping the other VLANs 10 & 20 from VLAN 30 (Guest)...

Attached my config...

Access-lists are read from top to bottom. In the config you are denying the VLAN 30 IPs to VLAN 10 with the first line, but the second permits everything else. Try taking it out with a "no access-list 100" and adding this:

access-list 100 deny   ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255

access-list 100 deny   ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255

access-list 100 permit ip any any

HTH

Nate

Unfortunately, I am still able to ping VLAN 10 and 20

192.168.10.X or 192.168.20.X


HI Drew,

This should stop it.

ip access-list extended Restrict_GUESTS

deny   ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255

deny   ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255

deny   icmp 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255

deny   icmp 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255

permit ip any any

Also take the access-group off VLAN 20 and 10.

Only this should be there:

interface Vlan30

description ****GUESTS****

ip address 192.168.30.1 255.255.255.0

ip access-group Restrict_GUESTS in

Hope that helps

Regards

Najaf

Please rate when applicable or helpful !!!

Sorry... I am still able to ping the other VLANs from the guest VLAN...

Appreciate everyone's help!!

Attached is the copy of the new config...

It's working now... I changed up the ACL to:

ip access-list extended Restrict_GUESTS

deny   ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255

deny   ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255

deny   icmp 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255

deny   icmp 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255

permit ip any any

Now, would this be good to use? I know it's working, but I wanted to double-check with you guys just in case...
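To see why the earlier suggestions did nothing and the final ACL works, here is an added example (not code from the thread or from Cisco): a small Python simulator of how IOS walks an extended ACL, first match wins, with the implicit "deny ip any any" at the end. The two ACL bodies are copied from the posts above (Najaf's version with the guest subnet as destination, and the version drew411nyc reports as working); the sample packets, the guest address 192.168.30.50 and the internet address 203.0.113.10 are constructed for illustration. It also flags entries that can never match because an earlier, broader entry always catches the packet first.

```python
"""Simulate Cisco IOS extended-ACL evaluation with the ACLs from this thread.

Added example, not code from the thread or from Cisco: top-to-bottom first
match with an implicit 'deny ip any any' at the end, plus a check for entries
an earlier entry always shadows. Only protocol, source and destination are
modelled (no ports, no state, no router-originated traffic).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol; "icmp"/"tcp"/"udp" only that one
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (IOS wildcard) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    addr = int(ipaddress.ip_address(tokens[i]))
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    if (wildcard + 1) & wildcard:
        raise ValueError(f"non-contiguous wildcard {tokens[i + 1]} not supported here")
    prefixlen = 32 - wildcard.bit_length()           # 0.0.0.255 -> /24
    network = ipaddress.ip_address(addr & ~wildcard & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{network}/{prefixlen}"), i + 2


def parse_acl(text):
    """Parse 'permit|deny <proto> <src> <dst>' lines; the 'ip access-list' header is skipped."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].lower() not in ("permit", "deny"):
            continue
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)
        entries.append(Entry(tokens[0].lower(), tokens[1].lower(), src, dst))
    return entries


def evaluate(acl, proto, src, dst):
    """First-match lookup. Returns (action, entry index); index None means the implicit deny hit."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, e in enumerate(acl):
        if e.proto in ("ip", proto) and s in e.src and d in e.dst:
            return e.action, idx
    return "deny", None


def shadowed_entries(acl):
    """Indices of entries that an earlier, equal-or-broader entry always matches first."""
    return [j for j, later in enumerate(acl)
            if any(earlier.proto in ("ip", later.proto)
                   and later.src.subnet_of(earlier.src)
                   and later.dst.subnet_of(earlier.dst)
                   for earlier in acl[:j])]


# Najaf's version: internal subnets as source, guest subnet as destination.
# Inbound on Vlan30 every packet is sourced from 192.168.30.x, so neither deny matches.
RESTRICT_GUESTS_DST30 = """
ip access-list extended Restrict_GUESTS
 deny   ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
 deny   ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
 permit ip any any
"""

# The version drew411nyc reports as working, applied inbound on Vlan30.
RESTRICT_GUESTS_FINAL = """
ip access-list extended Restrict_GUESTS
 deny   ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny   ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny   icmp 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny   icmp 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip any any
"""

DST30_ACL = parse_acl(RESTRICT_GUESTS_DST30)
FINAL_ACL = parse_acl(RESTRICT_GUESTS_FINAL)

# Constructed sample packets as seen inbound on Vlan30: (label, proto, src, dst).
GUEST = "192.168.30.50"
PACKETS = [
    ("guest pings management host",    "icmp", GUEST,     "192.168.10.10"),
    ("guest connects to internal host", "tcp",  GUEST,     "192.168.20.5"),
    ("guest DHCP discover",             "udp",  "0.0.0.0", "255.255.255.255"),
    ("guest to the internet",           "tcp",  GUEST,     "203.0.113.10"),
]

# What the OP asked for: VLAN 10/20 unreachable, DHCP and internet still working.
EXPECTED = {
    "guest pings management host": "deny",
    "guest connects to internal host": "deny",
    "guest DHCP discover": "permit",
    "guest to the internet": "permit",
}


def verdicts(acl):
    return {label: evaluate(acl, proto, src, dst)[0] for label, proto, src, dst in PACKETS}


def guest_isolated(acl):
    """True when the ACL gives exactly the verdicts the guest VLAN needs."""
    return verdicts(acl) == EXPECTED


if __name__ == "__main__":
    for name, acl in (("destination-30 version", DST30_ACL), ("final version", FINAL_ACL)):
        print(f"{name}: isolated={guest_isolated(acl)} shadowed={shadowed_entries(acl)}")
        for label, proto, src, dst in PACKETS:
            print(f"  {label:34s} -> {evaluate(acl, proto, src, dst)}")
```

Two things the simulation makes visible. First, direction: an ACL applied "in" on the Vlan30 SVI only ever sees packets sourced from 192.168.30.0/24, so deny lines with the guest subnet as the destination never match there, and for the same reason deny lines for 192.168.30.0/24 as source applied "in" on Vlan10 or Vlan20 never see guest traffic either, which is why the access-list 100 attempts did not stop the pings. Second, the two "deny icmp" lines in the working ACL are shadowed by the "deny ip" lines above them (ip covers icmp), so they are harmless but redundant. The final "permit ip any any" is what lets the DHCP discover (0.0.0.0 to 255.255.255.255) through; it also lets guests reach anything not in 192.168.10.0/24 or 192.168.20.0/24, including the router's own 192.168.30.1, which the guests need for DHCP and as their gateway.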
