Help with access lists, separate traffic

firstascent
Level 1
Hello all,

I've been working on this for a while now and have tried different configurations but cannot figure out what I'm missing.

It's pretty simple, I think...

I have (1) 1841 router and (1) 2960 24 port switch. Ports 1-12 are on VLAN1 and ports 13-24 are on VLAN5

VLAN1 is on 192.168.1.0 subnet and VLAN5 is on 192.168.10.0 subnet

All I would like to do is keep them separated. I don't want one to see the other and vice versa.

Right now anything on VLAN5 can't ping VLAN1 but... VLAN1 can ping VLAN5. So I'm close, I think, but not quite there yet.

Below is the config from the router. Please let me know if any of you see something obvious or have any ideas I could try.

Thanks!

Building configuration...

Current configuration : 5204 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname lucee

!

boot-start-marker

boot system flash:c1841-advsecurityk9-mz.124-25c.bin

boot-end-marker

!

enable secret 5 $1$ZfZj$Pa/Fh8QWAWCx.eYdkYwsC/

!

aaa new-model

!

!

aaa authentication login userauthen local

aaa authorization network groupauthor local

!

aaa session-id common

no ip cef

!

!

ip auth-proxy max-nodata-conns 10

ip admission max-nodata-conns 10

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.1.1 192.168.1.9

ip dhcp excluded-address 192.168.1.31 192.168.1.254

!

ip dhcp pool gresham

   network 192.168.1.0 255.255.255.0

   dns-server 64.100.100.100 64.100.100.00

   default-router 192.168.1.1

   lease 2

!

!

no ip domain lookup

!

!

crypto pki trustpoint TP-self-signed-3233092784

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3233092784

revocation-check none

rsakeypair TP-self-signed-3233092784

!

!

crypto pki certificate chain TP-self-signed-3233092784

certificate self-signed 01

  3082023D 308201A6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

  D466549E 1EA208B3 829B1915 499E00EE 502BD8A5 A7252C6A C99321AD A2D31E90

  A56DE969 BBD5184F 25FFEC8A 01E68C33 7C3B3682 EAAD3318 65E19EF5 20FBD087 45

  quit

username nameHere password 7 0476

username nameHere privilege 15 password 7 0029

username nameHere privilege 15 password 7 050C

!

!

!

!

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

crypto isakmp nat keepalive 20

!

crypto isakmp client configuration group groupNameHere

key xxxxx

pool vpnpool

acl 102

crypto isakmp profile ISAKMPprof

   match identity group groupNameHere

   client authentication list userauthen

   isakmp authorization list groupauthor

   client configuration address respond

   virtual-template 3

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto ipsec profile IPSecprof

set transform-set ESP-3DES-SHA

set isakmp-profile ISAKMPprof

!

!

!

!

interface FastEthernet0/0

no ip address

ip virtual-reassembly

duplex auto

speed auto

no keepalive

!

interface FastEthernet0/0.1

encapsulation dot1Q 1 native

ip address 192.168.1.1 255.255.255.0 secondary

ip address 00.0.000.00 255.255.255.224

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

!

interface FastEthernet0/0.5

encapsulation dot1Q 5

ip address 192.168.10.1 255.255.255.0

ip virtual-reassembly

ip tcp adjust-mss 1452

!

interface FastEthernet0/1

no ip address

ip virtual-reassembly

shutdown

duplex auto

speed auto

no keepalive

!

interface Serial0/0/0

no ip address

encapsulation frame-relay IETF

no ip mroute-cache

service-module t1 timeslots 1-24

service-module t1 fdl both

frame-relay lmi-type ansi

!

interface Serial0/0/0.1 point-to-point

frame-relay interface-dlci 16 ppp Virtual-Template1

!

interface Virtual-Template1

ip address negotiated

ip nat outside

ip virtual-reassembly

ip tcp adjust-mss 1452

ppp chap hostname 558

ppp chap password 7 115A4C

ppp ipcp dns request

ppp ipcp route default

ppp ipcp address accept

!

interface Virtual-Template3 type tunnel

ip unnumbered FastEthernet0/0.1

tunnel mode ipsec ipv4

tunnel protection ipsec profile IPSecprof

!

ip local pool vpnpool 172.16.1.1 172.16.1.10

ip forward-protocol nd

!

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 600 life 86400 requests 10000

ip nat pool nat 00.0.000.00 00.0.000.00 netmask 255.255.255.224

ip nat inside source list 105 pool nat overload

!

access-list 102 permit ip 192.168.10.0 0.0.0.255 any

access-list 102 permit ip 192.168.1.0 0.0.0.255 any

access-list 105 deny   ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255

access-list 105 deny   ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.255.255

access-list 105 permit ip 192.168.1.0 0.0.0.255 any

!

!

control-plane

!

!

line con 0

line aux 0

line vty 0 4

password 7 12340

logging synchronous

transport input telnet ssh

!

scheduler allocate 20000 1000

end

Accepted Solutions

I'll assume you're using the server address 192.168.1.1 (Fa0/0.1)

You will need to allow DHCP requests (UDP 68) to the DHCP server.

Add this to your 111 ACL

Start from scratch(-ish)

no access-list 111  deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255

access-list 111 permit udp any host 192.168.1.1 eq bootps

no access-list 111 permit ip 192.168.1.0 0.0.0.255 any

access-list 111  deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255

access-list 111 permit ip 192.168.1.0 0.0.0.255 any

I did it this way so that the order of the access list is maintained.  After all the hubbub, it will look like this:

access-list 111 permit udp any host 192.168.1.1 eq bootps  <----Allow DHCP requests to 192.168.1.1

access-list 111  deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255

access-list 111 permit ip 192.168.1.0 0.0.0.255 any

Corrected for your convenience

22 Replies

Hi Jaime,

Did you already try it via ACL and add them to the VLAN interfaces? It could work, I think...

example:

access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.255.255

access-list 112 deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.255.255

regards,

Sebastian

On the switch? I haven't tried it on the switch yet, if that is what you are referring to.

If you meant the router, I've tried it on the router as you can see at the end of my config, but it doesn't look like what you posted so I could try that.

Let me know if you meant the router or the switch.

Thank You.

Sorry I mean on the router

To apply it to the interface I just use

ip access-group 111 in

correct?

I tried applying one to fa0/0.5 and then I couldn't ping 192.168.10.100, which is good. I took it off and then I could ping it again.

But, then I applied 112 instead of 111 to the same interface and it did the same thing.

Why would it do that? I think we/you are on the right track because I haven't gotten it to do that yet until now which is good.

If you use just "in", which is enough I would say, I would prefer 111 on Fa0/0.5 and 112 on Fa0/0.1.

The ACL is source / destination and "in" = destination. OK?

Using 112 on Fa0/0.5 gives the same result because I made a mistake. Try this, please:

access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255

access-list 112 deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255

my last post was:

access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.255.255

access-list 112 deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.255.255

Sorry for that.

Please don't forget to rate if it is solved.

regards

sebastian

Thanks,

I updated it to

access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255

access-list 112 deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255

however, 111 and 112 both still worked on fa0/0.5

When I applied 112 to fa0/0.1 then I lost access to everything and had to restart the router.

Yep, sorry, I forgot: at the end of every ACL there is an implicit deny any. Maybe you need to add a permit...

Sent from my Windows Phone

Vlan 1 - 192.168.1.1 255.255.255.0

Vlan 5 - 192.168.10.1 255.255.255.0

Separate traffic via ACL

access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255

access-list 111 permit ip 192.168.1.0 0.0.0.255 any

access-list 112  deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 112 permit ip 192.168.10.0 0.0.0.255 any

interface Fa0/0.1

ip access-group 111 in

int Fa0/0.5

ip access-group 112 in

That should do it.

Note: You seem to have two ranges on Fa0/0.1 (looks like you masked the primary ip).  I would've added the primary to the ACL config, but I don't know what it is so I excluded it.  But for practicality, it looks like this as is:

access-list 111 deny ip 0.0.0.0 0.0.0.31 192.168.10.0 0.0.0.255  <-----Replace 0.0.0.0 0.0.0.31 with your fa0/0.1 primary range

access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255

access-list 111 permit ip 192.168.1.0 0.0.0.255 any

access-list 112  deny ip 192.168.10.0 0.0.0.255 0.0.0.0 0.0.0.31  <-----Replace 0.0.0.0 0.0.0.31 with your fa0/0.1 primary range

access-list 112  deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 112 permit ip 192.168.10.0 0.0.0.255 any

That seems to be working for now with adding the 'permit'.

Can you explain the ACL a little for me? I thought I understood it, but now I'm a little confused.

When I look at it, ACL 111 for example, it looks like we are denying AND permitting 192.168.1.0 0.0.0.255?

An ACL works from top down.  Once it finds a match, it stops processing right there and either permits or denies traffic depending on the matching rule.  In this case traffic from one vlan to the other hits the first line of the ACL and sees a deny because there is a match in source and destination address.  It stops right there, so the ACL never processes that traffic past the first line.  If either vlan was going somewhere other than the opposite vlan, it would not match the first line, and would be permitted by the second line.

Make sense?

Please rate helpful posts.

Thanks, yes, that makes sense. On ACL 111 it is saying:

do not allow traffic from 192.168.1.0 to go to 192.168.10.0

do allow traffic from 192.168.1.0 to anywhere else

because the first portion is the "source" and the second portion is the "destination",

correct? I think I'm understanding it more now.

So when applying the ACL to the interface, what would happen if I changed it to "out" instead of "in"? I'm a little unclear on that part.

You are correct.

Think of an interface as 'facing' the ip address space that it serves.

Fa0/0.1 --------is facing-------- LAN

when applying an ACL inbound, the LAN goes to the interface, but from the interface's perspective the traffic is filtered as it is coming in.

Fa0/0.1  <-----sees/filters traffic coming in from---------  LAN

when applying an ACL outbound, from the interface's perspective the traffic is filtered as it goes out from the interface to the LAN

Fa0/0.1 --------sees/filters traffic going out to -------->  LAN

Make sense?

Please rate helpful posts.

I wasn't sure if I should start a new post, but this is related to all the above I have been doing.

As you can see from the config, I have DHCP set up on the router. Except now, with the applied ACLs, DHCP isn't working.

Is there something I need to add for DHCP as well? I just have an access point connected to VLAN 1 on the switch, which is going to Fa0/0.1.

So there may be something I need to add to ACL 111?

What is your DHCP server address?
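The ACL behaviour discussed across this thread, as an added example that is not part of the original posts and not Cisco code: a small Python model of how IOS walks a numbered extended ACL top-down with first match and an implicit deny at the end (Sebastian's note about the lockout and Antonio's top-down explanation), how an "in" ACL on the ingress sub-interface and an "out" ACL on the egress one filter the same flow (the in/out exchange), and what the DHCP permit line in the accepted answer does and does not match. The packets, ACL 113 (Sebastian's deny-only list as it was first applied) and ACL 114 are constructed for the demo; the interface layout and ACLs 111/112 are the thread's.

```python
"""Cisco IOS extended-ACL evaluation modelled in Python (added example, not
code from the thread or from Cisco). Covers only the syntax the thread uses:
numbered extended lists, protocols ip/udp/tcp/icmp, 'any', 'host A.B.C.D',
'A.B.C.D WILDCARD', 'eq <port>', and the implicit 'deny ip any any' at the end.
ACLs 113 and 114 below are constructed for the demo, not taken from the thread."""
import ipaddress
from collections import namedtuple

ACE = namedtuple("ACE", "action proto src sport dst dport")
NAMED_PORTS = {"bootps": 67, "bootpc": 68}      # IOS port keywords used here
# Sub-interfaces from the thread; anything else goes to the WAN via the default route.
SUBNETS = {"Fa0/0.1": ipaddress.ip_network("192.168.1.0/24"),
           "Fa0/0.5": ipaddress.ip_network("192.168.10.0/24")}
ROUTER_ADDRS = {"192.168.1.1", "192.168.10.1", "255.255.255.255"}


def _addr(tokens):
    """Consume one address spec; return (network_int, wildcard_int)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))


def _eq(tokens):
    """Consume an optional 'eq <port>'; return the port number or None."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        tok = tokens.pop(0)
        return NAMED_PORTS.get(tok) or int(tok)
    return None


def parse_acls(config_lines):
    """Group 'access-list N action proto src [eq p] dst [eq p]' lines by N, in order."""
    acls = {}
    for line in config_lines:
        toks = line.split()
        if len(toks) < 4 or toks[0] != "access-list":
            continue
        num, action, proto, rest = toks[1], toks[2], toks[3], toks[4:]
        src = _addr(rest)
        sport = _eq(rest)
        dst = _addr(rest)
        dport = _eq(rest)
        acls.setdefault(num, []).append(ACE(action, proto, src, sport, dst, dport))
    return acls


def _match_addr(ip, spec):
    net, wild = spec
    care = ~wild & 0xFFFFFFFF                    # wildcard bit 1 means "don't care"
    return (int(ipaddress.IPv4Address(ip)) & care) == (net & care)


def evaluate(aces, pkt):
    """Top-down, first match wins; returns (verdict, 1-based line or None).
    None means the packet fell through to the implicit 'deny ip any any'."""
    for n, ace in enumerate(aces, 1):
        if ace.proto != "ip" and ace.proto != pkt["proto"]:
            continue
        if not (_match_addr(pkt["src"], ace.src) and _match_addr(pkt["dst"], ace.dst)):
            continue
        if ace.sport is not None and ace.sport != pkt.get("sport"):
            continue
        if ace.dport is not None and ace.dport != pkt.get("dport"):
            continue
        return ace.action, n
    return "deny", None


def egress_for(dst):
    for ifname, net in SUBNETS.items():
        if ipaddress.IPv4Address(dst) in net:
            return ifname
    return "Virtual-Template1"                   # default route to the WAN


def router_verdict(acls, bindings, ingress, pkt):
    """'in' ACL on the ingress sub-interface, then 'out' ACL on the egress one.
    bindings: {ifname: {"in": acl_number, "out": acl_number}}."""
    steps = [(ingress, "in")]
    if pkt["dst"] not in ROUTER_ADDRS:           # traffic to the router itself is not forwarded
        steps.append((egress_for(pkt["dst"]), "out"))
    for ifname, direction in steps:
        num = bindings.get(ifname, {}).get(direction)
        if num is None:
            continue
        verdict, line = evaluate(acls[num], pkt)
        if verdict == "deny":
            return "deny", ifname, direction, line
    return "permit", None, None, None


THREAD_ACLS = parse_acls("""
access-list 111 permit udp any host 192.168.1.1 eq bootps
access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
access-list 112 deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 112 permit ip 192.168.10.0 0.0.0.255 any
access-list 113 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 114 permit udp any any eq bootps
access-list 114 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 114 permit ip 192.168.1.0 0.0.0.255 any
""".splitlines())


def demo():
    """Constructed packets; returns the verdicts the thread talks about."""
    bind = {"Fa0/0.1": {"in": "111"}, "Fa0/0.5": {"in": "112"}}
    v1_v5 = {"proto": "icmp", "src": "192.168.1.50", "dst": "192.168.10.100"}
    v5_v1 = {"proto": "icmp", "src": "192.168.10.100", "dst": "192.168.1.50"}
    v1_wan = {"proto": "tcp", "src": "192.168.1.50", "dst": "203.0.113.9", "dport": 443}
    v5_wan = {"proto": "tcp", "src": "192.168.10.100", "dst": "203.0.113.9", "dport": 443}
    discover = {"proto": "udp", "src": "0.0.0.0", "dst": "255.255.255.255", "sport": 68, "dport": 67}
    renew = {"proto": "udp", "src": "192.168.1.50", "dst": "192.168.1.1", "sport": 68, "dport": 67}
    return {
        "vlan1->vlan5": router_verdict(THREAD_ACLS, bind, "Fa0/0.1", v1_v5),
        "vlan5->vlan1": router_verdict(THREAD_ACLS, bind, "Fa0/0.5", v5_v1),
        "vlan1->wan": router_verdict(THREAD_ACLS, bind, "Fa0/0.1", v1_wan),
        # 112 applied 'out' on Fa0/0.1 stops the same flow from the other side
        "112_out_fa001": router_verdict(THREAD_ACLS, {"Fa0/0.1": {"out": "112"}}, "Fa0/0.5", v5_v1),
        # 111 applied 'in' on Fa0/0.5: nothing matches, so VLAN5 loses everything, WAN included
        "111_in_fa005": router_verdict(THREAD_ACLS, {"Fa0/0.5": {"in": "111"}}, "Fa0/0.5", v5_wan),
        # a deny-only list ends in the implicit deny: the lockout seen in the thread
        "deny_only_wan": evaluate(THREAD_ACLS["113"], v1_wan),
        # a DHCP renewal is unicast to the server and matches line 1 of 111 ...
        "renew_111": evaluate(THREAD_ACLS["111"], renew),
        # ... but a first DISCOVER is broadcast from 0.0.0.0 and matches nothing in 111
        "discover_111": evaluate(THREAD_ACLS["111"], discover),
        "discover_114": evaluate(THREAD_ACLS["114"], discover),
    }
```

Two things the model makes visible that the thread only hints at. First, ACL 111 applied inbound on Fa0/0.5 blocks the ping for a different reason than 112 does: no line matches a 192.168.10.x source, so the implicit deny drops everything from VLAN5, internet included, which is why both lists looked the same in that test. Second, a client without a lease sends DHCPDISCOVER from 0.0.0.0 to 255.255.255.255 (UDP 68 to 67), which "host 192.168.1.1" never matches; only renewals, which are unicast to the server, pass that line. A line such as "permit udp any any eq bootps" ahead of the deny covers both cases. On the router, "show access-lists 111" shows per-line hit counters, so booting a client and watching the bootps line count up is the quickest check that the permit actually fires.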
