05-10-2012 10:03 PM - edited 03-07-2019 06:38 AM
I currently have VLANs set up on my Cisco 881 router and I'm needing help setting up the access list permissions for the VLANs. What I cannot seem to get correct is that for the management VLAN (103) I want that VLAN to have full access to all the other VLANs. Then the other VLANs need to be separated out on their own so that they do not have access to any other VLAN. All I seem to manage to do is either block myself out from all the VLANs on the network, or they still have access even after I have made access lists and applied them. Please help me with what I need to do. Thanks!
Here are the important parts of this config:
ip source-route
!
!
ip dhcp excluded-address 10.10.10.1 10.10.10.20
ip dhcp excluded-address 10.10.20.1 10.10.20.20
ip dhcp excluded-address 10.10.30.1 10.10.30.50
ip dhcp excluded-address 10.10.40.1 10.10.40.20
ip dhcp excluded-address 10.10.60.1 10.10.60.20
ip dhcp excluded-address 10.10.70.1 10.10.70.20
ip dhcp excluded-address 10.10.50.1 10.10.50.30
!
ip dhcp pool shared
import all
network 10.10.20.0 255.255.255.0
default-router 10.10.20.1 255.255.255.0
dns-server 8.8.8.8
lease 0 2
!
ip dhcp pool remax-bcspm
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 8.8.8.8
lease 0 2
!
ip dhcp pool mgmt
import all
network 10.10.30.0 255.255.255.0
default-router 10.10.30.1
dns-server 8.8.8.8
lease 0 2
!
ip dhcp pool VoIP
network 10.10.40.0 255.255.255.0
option 66 ascii "http://10.10.40.10:5000/provisioning/$ma.xml"
default-router 10.10.40.1
dns-server 8.8.8.8
!
ip dhcp pool security
import all
network 10.10.50.0 255.255.255.0
default-router 10.10.50.1
dns-server 8.8.8.8
lease 0 2
!
ip dhcp pool guest
import all
network 10.10.60.0 255.255.255.0
default-router 10.10.60.1
dns-server 8.8.8.8
lease 0 2
!
ip dhcp pool agents
import all
network 10.10.70.0 255.255.255.0
default-router 10.10.70.1
dns-server 8.8.8.8
lease 0 2
!
!
ip cef
ip domain name remaxselect.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn FTX160284FR
!
!
archive
path tftp:10.10.50.5
username administrator privilege 15 secret 5 $1$QgsE$hC8uXXdg76nLX/miwjtz3/
!
!
!
!
!
!
!
!
!
interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
switchport mode trunk
!
!
interface FastEthernet4
ip address 4.31.0.222 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
no ip address
ip tcp adjust-mss 1452
!
!
interface Vlan101
ip dhcp client hostname remax-bcspm
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
interface Vlan102
ip dhcp client hostname shared
ip address 10.10.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
interface Vlan103
ip dhcp client hostname mgmt
ip address 10.10.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
interface Vlan104
ip dhcp client hostname VoIP
ip address 10.10.40.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
interface Vlan105
ip dhcp client hostname security
ip address 10.10.50.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
interface Vlan106
ip dhcp client hostname guest
ip address 10.10.60.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
interface Vlan107
ip dhcp client hostname agents
ip address 10.10.70.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
no ip nat service sip udp port 5060
ip nat pool VoIP-NAT 10.10.40.10 10.10.40.10 netmask 255.255.255.0 type rotary
ip nat pool security-NAT 10.10.50.5 10.10.50.5 netmask 255.255.255.0 type rotary
ip nat inside source list nat-2-internet interface FastEthernet4 overload
ip nat inside destination list 100 pool VoIP-NAT
ip nat inside destination list 101 pool security-NAT
ip route 0.0.0.0 0.0.0.0 (##.##.##.##)
!
ip access-list extended deny-all
deny ip any any
ip access-list extended nat-2-internet
permit ip 10.10.10.0 0.0.0.255 any
permit ip 10.10.20.0 0.0.0.255 any
permit ip 10.10.30.0 0.0.0.255 any
permit ip 10.10.40.0 0.0.0.255 any
permit ip 10.10.50.0 0.0.0.255 any
permit ip 10.10.60.0 0.0.0.255 any
permit ip 10.10.70.0 0.0.0.255 any
!
access-list 100 permit udp any any range 9000 10010
access-list 100 permit udp any any eq 5000
access-list 100 permit tcp any any eq 5000
access-list 100 permit tcp any any range 5060 5090
access-list 100 permit udp any any range 5060 5090
access-list 101 permit tcp any any eq 3454
access-list 101 permit udp any any eq 3454
access-list 101 permit udp any any eq 8080
access-list 101 permit tcp any any eq 8080
access-list 110 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
access-list 120 deny ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
!
!
!
!
!
control-plane
!
!
banner exec ^C
Hello World, Have A Lot of Fun!
^C
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end
05-11-2012 12:05 AM
You could use something like the configuration I have pasted below. Each ACL number matches the VLAN number you would apply it to. The ACL denies access to every other VLAN you have, and then permits all other access (e.g. out to the Internet). You shouldn't need to apply any ACL to your management VLAN if you don't want it restricted.
access-list 101 deny ip any 10.10.20.0 0.0.0.255
access-list 101 deny ip any 10.10.30.0 0.0.0.255
access-list 101 deny ip any 10.10.40.0 0.0.0.255
access-list 101 deny ip any 10.10.50.0 0.0.0.255
access-list 101 deny ip any 10.10.60.0 0.0.0.255
access-list 101 deny ip any 10.10.70.0 0.0.0.255
access-list 101 permit ip any any
!
access-list 102 deny ip any 10.10.10.0 0.0.0.255
access-list 102 deny ip any 10.10.30.0 0.0.0.255
access-list 102 deny ip any 10.10.40.0 0.0.0.255
access-list 102 deny ip any 10.10.50.0 0.0.0.255
access-list 102 deny ip any 10.10.60.0 0.0.0.255
access-list 102 deny ip any 10.10.70.0 0.0.0.255
access-list 102 permit ip any any
You would then apply the relevant ACL to the relevant SVI (VLAN interface) in an inbound direction, e.g.:
interface Vlan101
 ip access-group 101 in
!
interface Vlan102
 ip access-group 102 in
You need to also remember that ACLs use wildcard/inverse masks, not subnet masks. The easiest way to calculate this is to subtract each subnet mask octet from 255. For example, if you wanted to create an ACL to match traffic from 192.168.0.0/255.255.255.128 then your ACL would read access-list 100 permit ip 192.168.0.0 0.0.0.127.
Hope that helps.
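Added example (not code from either post): a Python script that generates the per-VLAN isolation ACL shown in the answer for every user VLAN in the question, computes the wildcard masks by the 255-minus-octet rule, and walks a packet through the ACL first-match style. It adds, as an assumption of its own, a "permit tcp any <mgmt subnet> established" entry ahead of the denies so that TCP replies to sessions opened from the management VLAN are not dropped by the deny line; the VLAN/subnet table is taken from the question's SVIs.

```python
import ipaddress

# Constructed from the question's SVIs: VLAN number -> subnet (103 is management).
VLAN_SUBNETS = {101: "10.10.10.0/24", 102: "10.10.20.0/24", 103: "10.10.30.0/24",
                104: "10.10.40.0/24", 105: "10.10.50.0/24", 106: "10.10.60.0/24",
                107: "10.10.70.0/24"}
MGMT_VLAN = 103

def wildcard_from_mask(mask):
    """Inverse (wildcard) mask as the answer describes it: 255 minus each octet."""
    return ".".join(str(255 - int(octet)) for octet in mask.split("."))

def isolation_entries(vlan, subnets=VLAN_SUBNETS, mgmt=MGMT_VLAN):
    """Ordered entries (action, proto, dst_network, established) for one user VLAN.
    Assumption added here: a 'tcp ... established' permit for the management subnet
    goes first, so replies to TCP sessions opened from management survive the deny
    that follows (UDP/ICMP replies would still need stateful inspection)."""
    entries = [("permit", "tcp", ipaddress.ip_network(subnets[mgmt]), True)]
    for other, cidr in subnets.items():
        if other != vlan:  # deny every VLAN except the one the ACL is applied to
            entries.append(("deny", "ip", ipaddress.ip_network(cidr), False))
    entries.append(("permit", "ip", None, False))  # everything else, e.g. Internet
    return entries

def render(vlan, entries):
    """Emit numbered-ACL lines plus the inbound SVI binding."""
    out = []
    for action, proto, net, est in entries:
        dst = "any" if net is None else f"{net.network_address} {wildcard_from_mask(str(net.netmask))}"
        out.append(f"access-list {vlan} {action} {proto} any {dst}" + (" established" if est else ""))
    return out + ["!", f"interface Vlan{vlan}", f" ip access-group {vlan} in"]

def evaluate(entries, dst_ip, proto="ip", ack_set=False):
    """First-match walk the way IOS processes an ACL, with the implicit deny at the end.
    'established' entries match only TCP segments with ACK/RST set, i.e. replies."""
    dst = ipaddress.ip_address(dst_ip)
    for action, eproto, net, est in entries:
        if eproto != "ip" and eproto != proto:
            continue
        if est and not ack_set:
            continue
        if net is None or dst in net:
            return action
    return "deny"

if __name__ == "__main__":
    for vlan in VLAN_SUBNETS:
        if vlan != MGMT_VLAN:
            print("\n".join(render(vlan, isolation_entries(vlan))) + "\n")
```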