06-20-2013 05:53 PM - edited 03-07-2019 02:00 PM
Hi Everyone,
Can anyone help please??
I have 3 vlans setup (VLAN 10 - Management, VLAN 20 - Internal, VLAN 30 - Guests) on my 891 Router to do DHCP and NAT...
After configuring my access lists to prevent the guest VLAN 30 from accessing anything on VLAN 10 and VLAN 20, I issued a command on the guest interface VLAN30, "ip access-group Restrict_GUESTS in", and now any ports configured to be in VLAN 30 are not receiving an IP address.
I attached a config of my router... Is there something wrong with my config? The only issue is with this VLAN 30; I tested the other VLANs and they get an IP address fine.
Thanks in advance!
06-20-2013 06:25 PM
Hi,
When you apply an access-list inbound
"ip access-group Restrict_GUESTS in"
This will block access for hosts in that VLAN (30).
Try applying the access-list outbound to VLAN 10 and 20, so VLAN 30 will not be able to access them.
HTH
06-20-2013 06:28 PM
I'm sorry for the newbie question... But do you know what the exact command would be, or what I would need to enter?
I am a beginner in this...
06-20-2013 06:49 PM
Hi Drew,
You could try changing the ACL as below.
Remove your existing ACL with
no ip access-list extended Restrict_GUESTS
and create a new one as below
conf terminal
ip access-list extended Restrict_GUESTS
deny ip 192.168.20.0 0.0.0.255 192.168.10.30 0.0.0.255
deny ip 192.168.10.0 0.0.0.255 192.168.10.30 0.0.0.255
permit ip any any
Hope that helps
Regards
Najaf
Please rate when applicable or helpful !!!
06-20-2013 06:54 PM
Try this on VLAN 10 and 20, inbound:
access-list 100 deny ip 172.16.30.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 100 permit ip any any
interface vlan 10
ip access-group 110 in
access-list 100 deny ip 172.16.30.0 0.0.0.255 172.16.20.0 0.0.0.255
access-list 100 permit ip any any
interface vlan 20
ip access-group 110 in
HTH
06-20-2013 06:56 PM
Hi Reza,
It looks like you have got the wrong ACL number applied with access-group :-) Your ACL number is 100 and the access-group ACL number you have mentioned is 110.
Regards
Najaf
06-20-2013 07:17 PM
Hi Najaf,
Thanks for pointing this out. My typo.
Drew,
It should be
interface vlan 20
ip access-group 100 in
interface vlan 10
ip access-group 100 in
HTH
06-20-2013 08:31 PM
Thanks for your help guys!! Didn't work completely...
I am able to receive an IP from each of the VLANs, but from the guest VLAN 30 I am still able to ping devices in VLAN 10 and VLAN 20. I wanted to set it up so that from VLAN 30 I have no access to VLAN 10 and 20.
This is what I have for the ACLs in my config:
ip access-list extended NAT_ACL
deny ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255
deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
deny ip 192.168.20.0 0.0.0.255 192.168.20.0 0.0.0.255
deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
deny ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
deny ip 192.168.30.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 any
permit ip 192.168.20.0 0.0.0.255 any
permit ip 192.168.30.0 0.0.0.255 any
deny ip any any
ip access-list extended Restrict_GUESTS
deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
deny ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip any any
!
route-map NAT_MAP permit 10
match ip address NAT_ACL
!
access-list 100 deny ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 permit ip any any
access-list 100 deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
06-20-2013 08:40 PM
Sorry,
Small correction in my ACL. The destination should have been 192.168.30.0 0.0.0.255 as below. Please correct it.
ip access-list extended Restrict_GUESTS
deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip any any
Also which interface you have applied the ACL?
Could you share entire config?
Regards
Najaf
06-20-2013 08:57 PM
06-20-2013 09:06 PM
Access-lists are read from top to bottom. In the config you are denying the VLAN 30 IPs to VLAN 10 with the first line, but the second line permits everything else. Try taking it out with a "no access-list 100" and adding this:
access-list 100 deny ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 permit ip any any
HTH
Nate
06-20-2013 09:11 PM
Unfortunately, I am still able to ping VLAN 10 and 20
192.168.10.X or 192.168.20.X
06-20-2013 09:14 PM
Hi Drew,
This should stop it.
ip access-list extended Restrict_GUESTS
deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
deny icmp 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
deny icmp 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip any any
Also take off the access-group from VLAN 20 and 10.
Only this should be there:
interface Vlan30
description ****GUESTS****
ip address 192.168.30.1 255.255.255.0
ip access-group Restrict_GUESTS in
Hope that helps
Regards
Najaf
Please rate when applicable or helpful !!!
06-20-2013 09:28 PM
06-20-2013 09:39 PM
It's working now... I changed up the ACL to:
ip access-list extended Restrict_GUESTS
deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
deny ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
deny icmp 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
deny icmp 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip any any
Now, would this be good to use? I know it's working but wanted to double-check with you guys just in case...
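To make visible why both the order and the direction of these entries matter (Nate's point about `access-list 100` being read top to bottom, and the difference between the earlier draft of Restrict_GUESTS with VLAN 10/20 as source and the final one with VLAN 30 as source), here is an added example that is not from the thread and not Cisco code: a small Python model of IOS extended ACL evaluation, limited to what the thread uses (permit/deny, protocol, source and destination with wildcard masks, first match wins, implicit deny at the end; no port or `established` matching). The ACL text is copied from the posts above; the host addresses 192.168.30.50, 192.168.10.10, 192.168.20.10 and 203.0.113.7 are made up for the example.

```python
import ipaddress
from dataclasses import dataclass


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match exactly, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass(frozen=True)
class Ace:
    """One access control entry: action, protocol, source/destination with wildcards."""
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches every protocol; otherwise "icmp", "tcp", "udp", ...
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def parse_ace(line: str) -> Ace:
    """Parse a named-ACL line or a numbered 'access-list N ...' line (no port matching)."""
    tok = line.split()
    if tok[0] == "access-list":   # numbered form: drop 'access-list <number>'
        tok = tok[2:]
    action, proto, rest = tok[0].lower(), tok[1].lower(), tok[2:]

    def take(parts):
        if parts[0] == "any":
            return "0.0.0.0", "255.255.255.255", parts[1:]
        if parts[0] == "host":
            return parts[1], "0.0.0.0", parts[2:]
        return parts[0], parts[1], parts[2:]

    src, src_wc, rest = take(rest)
    dst, dst_wc, _ = take(rest)
    return Ace(action, proto, src, src_wc, dst, dst_wc)


def evaluate(acl, proto: str, src: str, dst: str) -> str:
    """First matching entry wins; every ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"


def build(lines):
    return [parse_ace(line) for line in lines]


# access-list 100 as posted in the thread: the permit sits above the second deny.
ACL100_AS_POSTED = build([
    "access-list 100 deny ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255",
    "access-list 100 permit ip any any",
    "access-list 100 deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255",
])

# The same entries with both denies above the permit (Nate's ordering).
ACL100_REORDERED = build([
    "access-list 100 deny ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255",
    "access-list 100 deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255",
    "access-list 100 permit ip any any",
])

# Earlier draft of Restrict_GUESTS: VLAN 10/20 as source, VLAN 30 as destination.
RESTRICT_GUESTS_SWAPPED = build([
    "deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255",
    "deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255",
    "permit ip any any",
])

# Final working Restrict_GUESTS: guest subnet as source.
RESTRICT_GUESTS_FINAL = build([
    "deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255",
    "deny ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255",
    "deny icmp 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255",
    "deny icmp 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255",
    "permit ip any any",
])

# Constructed flows as seen by an ACL applied *inbound* on Vlan30: every packet entering
# the router there carries a guest source (or 0.0.0.0 for a DHCP DISCOVER).
# 192.168.30.50, 192.168.10.10, 192.168.20.10 and 203.0.113.7 are made-up hosts.
GUEST_FLOWS = {
    "guest->mgmt": ("icmp", "192.168.30.50", "192.168.10.10"),
    "guest->internal": ("icmp", "192.168.30.50", "192.168.20.10"),
    "guest->internet": ("tcp", "192.168.30.50", "203.0.113.7"),
    "guest->gateway": ("icmp", "192.168.30.50", "192.168.30.1"),
    "dhcp-discover": ("udp", "0.0.0.0", "255.255.255.255"),
}


def check_flows(acl):
    """Verdict for each constructed guest flow under the given ACL."""
    return {name: evaluate(acl, *flow) for name, flow in GUEST_FLOWS.items()}


if __name__ == "__main__":
    print("swapped:", check_flows(RESTRICT_GUESTS_SWAPPED))
    print("final:  ", check_flows(RESTRICT_GUESTS_FINAL))
```

Two things the model shows. The final ACL works because it sits inbound on Vlan30, where every packet carries a guest source, so the `deny ip 192.168.30.0 ...` lines match; the earlier draft with 192.168.10.0/192.168.20.0 as source matches nothing in that direction and ends up permitting everything. The same direction issue affected `access-list 100`: applied inbound on Vlan10 and Vlan20 it only sees packets sourced from those VLANs, so a deny on a 192.168.30.0 source could not match there regardless of ordering, which is why reordering alone did not help. Two smaller points: `deny ip` already covers ICMP, so the `deny icmp` lines in the final ACL are redundant but harmless, and guests keep access to the router's own Vlan30 address (192.168.30.1), which they need as their default gateway.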