07-03-2011 02:58 AM - edited 03-07-2019 01:04 AM
Hello.
Thanks to the people in this forum, I was able to get inter-vlan routing working.
Now, I have a different issue.
I have 3 VLANs now, but I need to prevent VLAN2 from accessing servers on VLAN1, but still be able to get to the internet.
The problem is that VLAN1 also contains the default gateway. When I tried to create an access list, it shuts off all connections from VLAN2 to the internet in addition to the other VLANs.
What should I do? If I could even just block specific IP addresses on the other VLANs, that would be sufficient. [I can't move the servers to another VLAN at this point] (Sample config below of what I tried to do. This is a router config, and 3 Catalyst 2960 switches are connected on ports 2,3, and 4)
.............
interface FastEthernet0
no ip address
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
no cdp enable
!
interface FastEthernet2
switchport mode trunk
!
interface FastEthernet3
switchport mode trunk
!
interface FastEthernet4
switchport mode trunk
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
no cdp enable
!
interface FastEthernet9
no cdp enable
!
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Dot11Radio1
no ip address
shutdown
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
!
interface Virtual-Template100 type tunnel
ip unnumbered Dialer1
ip virtual-reassembly
tunnel mode ipsec ipv4
tunnel protection ipsec profile DYNAMIC-IPSEC-PROFILE
!
interface Vlan1
description VLAN for Internal Systems
ip address 10.10.33.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1414
!
interface Vlan2
description VLAN for Security
ip address 10.10.34.1 255.255.255.0
ip nat inside
ip access-group 170 out
ip virtual-reassembly
ip tcp adjust-mss 1414
!
interface Vlan3
description VLAN for Wireless
ip address 10.10.35.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1414
!
interface Dialer1
description Connected to WAN
mtu 1454
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip route-cache cef
no ip route-cache
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp chap refuse
ppp pap sent-username xxxxxxxxxxxxxxxxxxxx
!
ip local pool xxxxxxxx-REMOTE-VPN-POOL 10.10.100.0 10.10.100.254
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
!
!
no ip http server
no ip http secure-server
ip nat inside source list 150 interface Dialer1 overload
ip nat inside source list 170 interface Dialer1 overload
ip nat inside source list 180 interface Dialer1 overload
!
ip access-list extended VPN-SPLIT-TUNNELS
remark ACL for VPN client split tunnel networks
permit ip 10.10.33.0 0.0.0.255 any
!
access-list 140 permit tcp host xxx.xxx.xxx.xxx any eq 22
access-list 140 permit tcp host xxx.xxx.xxx.xxx any eq 22
access-list 150 permit ip 10.10.33.0 0.0.0.255 any
access-list 150 deny ip 10.10.33.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 150 permit ip 10.10.33.0 0.0.0.255 10.10.34.0 0.0.0.255
access-list 160 permit ip 10.10.33.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 170 deny ip 10.10.34.0 0.0.0.255 10.10.33.0 0.0.0.255
access-list 170 deny ip 10.10.34.0 0.0.0.255 10.10.35.0 0.0.0.255
access-list 170 permit ip 10.10.34.0 0.0.0.255 any
07-03-2011 03:22 AM
Hi,
Do you want to block VLAN2 from accessing VLAN1? If so, just try this.
!
ip access-list extended Deny-VL2-To-VL1
deny ip 10.10.34.0 0.0.0.255 10.10.33.0 0.0.0.255
permit ip any any
!
interface vlan 2
no ip access-group 170 out
ip access-group Deny-VL2-To-VL1 in
!
HTH,
Toshi
07-03-2011 04:31 AM
Thank you for the reply. I will try it.
Will this still allow me to have internet access? The router/default gateway for the network is on VLAN1 (10.10.33.1). All internet traffic is going through this router.
Also, I forgot to mention that the 3 switches have IP addresses of 10.10.33.2, 10.10.33.3, and 10.10.10.34.
07-03-2011 04:33 AM
Hi,
That ACL is used to block VLAN2 from accessing VLAN1. Anything else would be fine.
HTH,
Toshi
07-03-2011 04:47 AM
Hi
Do you want vlan2 to manage those 3 IP addresses?
Toshi
Sent from Cisco Technical Support iPhone App
07-03-2011 09:41 PM
Thanks.
It worked.
But when I tried to take out the other access list from the config (access-list 170) it all stopped working. Weird.
Anyway, I'm happy. I can get internet access, and access to VLAN1 is blocked.
Thanks again.
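The configuration below is an added worked example, not from any of the posts above, that applies the fix from this thread to the original config with two things made explicit: the filter ACL goes inbound on Vlan2 (the original ACL 170 was applied outbound, where packets leaving the router toward VLAN2 carry a 10.10.34.x destination rather than source, so no line matched and the implicit deny dropped all return traffic), and NAT gets its own ACL because ACL 170 was referenced both by "ip access-group" and by "ip nat inside source list", which is why removing it also stopped translation for VLAN2. The addresses are the ones in the original post; keeping VLAN2 away from the wireless VLAN (10.10.35.0/24) is carried over from ACL 170 as an assumption.

```cisco
! Added example: filter ACL kept separate from the NAT source list.
! Addresses are those from the posted config.
!
! Named ACL applied INBOUND on Vlan2: packets entering the router from
! VLAN2 hosts have a 10.10.34.x source, so the deny lines actually match.
ip access-list extended VL2-FILTER
 remark Block VLAN2 (security) from the servers and switches on VLAN1
 deny   ip 10.10.34.0 0.0.0.255 10.10.33.0 0.0.0.255
 remark Assumption: also keep VLAN2 isolated from the wireless VLAN, as ACL 170 did
 deny   ip 10.10.34.0 0.0.0.255 10.10.35.0 0.0.0.255
 remark Everything else (internet via Dialer1) is allowed; without this line
 remark the implicit deny at the end of the ACL would cut VLAN2 off completely
 permit ip 10.10.34.0 0.0.0.255 any
!
! NAT policy ACL: only decides which sources are translated on Dialer1.
! A separate ACL lets the filter be edited or removed without silently
! turning off NAT for VLAN2 (ACL 170 was doing both jobs).
ip access-list extended VL2-NAT
 permit ip 10.10.34.0 0.0.0.255 any
!
interface Vlan2
 description VLAN for Security
 ip address 10.10.34.1 255.255.255.0
 ip nat inside
 no ip access-group 170 out
 ip access-group VL2-FILTER in
!
! Swap the NAT statement over to the dedicated ACL before retiring ACL 170.
no ip nat inside source list 170 interface Dialer1 overload
ip nat inside source list VL2-NAT interface Dialer1 overload
```

After applying this, "show access-lists VL2-FILTER" shows per-line match counters: the deny lines should increment when a VLAN2 host tries to reach VLAN1, while the permit line counts the internet-bound traffic, which confirms the ACL is matching in the intended direction.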