Need help with VLANs and Access Lists

Kevin Cummins
Level 1

Hello.

Thanks to the people in this forum, I was able to get inter-vlan routing working.

Now, I have a different issue.

I have 3 VLANs now, but I need to prevent VLAN2 from accessing servers on VLAN1, but still be able to get to the internet.

The problem is that VLAN1 also contains the default gateway. When I tried to create an access list, it shuts off all connections from VLAN2 to the internet in addition to the other VLANs.

What should I do? If I could even just block specific IP addresses on the other VLANs, that would be sufficient. [I can't move the servers to another VLAN at this point] (Sample config below of what I tried to do. This is a router config, and 3 Catalyst 2960 switches are connected on ports 2,3, and 4)

.............

interface FastEthernet0
 no ip address
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 no cdp enable
!
interface FastEthernet2
 switchport mode trunk
!
interface FastEthernet3
 switchport mode trunk
!
interface FastEthernet4
 switchport mode trunk
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
 no cdp enable
!
interface FastEthernet9
 no cdp enable
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio1
 no ip address
 shutdown
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
!
interface Virtual-Template100 type tunnel
 ip unnumbered Dialer1
 ip virtual-reassembly
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile DYNAMIC-IPSEC-PROFILE
!
interface Vlan1
 description VLAN for Internal Systems
 ip address 10.10.33.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1414
!
interface Vlan2
 description VLAN for Security
 ip address 10.10.34.1 255.255.255.0
 ip nat inside
 ip access-group 170 out
 ip virtual-reassembly
 ip tcp adjust-mss 1414
!
interface Vlan3
 description VLAN for Wireless
 ip address 10.10.35.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1414
!
interface Dialer1
 description Connected to WAN
 mtu 1454
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp chap refuse
 ppp pap sent-username xxxxxxxxxxxxxxxxxxxx
!
ip local pool xxxxxxxx-REMOTE-VPN-POOL 10.10.100.0 10.10.100.254
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
!
!
no ip http server
no ip http secure-server
ip nat inside source list 150 interface Dialer1 overload
ip nat inside source list 170 interface Dialer1 overload
ip nat inside source list 180 interface Dialer1 overload
!
ip access-list extended VPN-SPLIT-TUNNELS
 remark ACL for VPN client split tunnel networks
 permit ip 10.10.33.0 0.0.0.255 any
!
access-list 140 permit tcp host xxx.xxx.xxx.xxx any eq 22
access-list 140 permit tcp host xxx.xxx.xxx.xxx any eq 22
access-list 150 permit ip 10.10.33.0 0.0.0.255 any
access-list 150 deny   ip 10.10.33.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 150 permit ip 10.10.33.0 0.0.0.255 10.10.34.0 0.0.0.255
access-list 160 permit ip 10.10.33.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 170 deny   ip 10.10.34.0 0.0.0.255 10.10.33.0 0.0.0.255
access-list 170 deny   ip 10.10.34.0 0.0.0.255 10.10.35.0 0.0.0.255
access-list 170 permit ip 10.10.34.0 0.0.0.255 any


5 Replies

Hi,

Do you want to block VLAN2 from accessing VLAN1? If so, just try this.

!
ip access-list extended Deny-VL2-To-VL1
 deny ip 10.10.34.0 0.0.0.255 10.10.33.0 0.0.0.255
 permit ip any any
!
interface vlan 2
 no ip access-group 170 out
 ip access-group Deny-VL2-To-VL1 in
!

HTH,

Toshi

Thank you for the reply. I will try it.

Will this still allow me to have internet access? The router/default gateway for the network is on VLAN1 (10.10.33.1). All internet traffic is going through this router.......

Also, I forgot to mention that the 3 switches have ip addresses of 10.10.33.2, 10.10.33.3, and 10.10.10.34.

Hi,

   That ACL is used to block VLAN2 from accessing VLAN1. Anything else would be fine.

HTH,

Toshi

Hi

Do you want vlan2 to manage those 3 IP addresses?

Toshi


Thanks.

It worked.

But when I tried to take out the other access list from the config (access-list 170) it all stopped working. Weird.

Anyway, I'm happy. I can get internet access, and access to VLAN1 is blocked.

Thanks again.
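Why moving the filter from "out" to "in" on interface Vlan2 fixed internet access, and what the accepted ACL does and does not block, follows from how the router applies an access-group to packets: an ACL applied "out" on Vlan2 inspects packets the router forwards toward VLAN2 hosts, whose source address is the Internet or VLAN1 peer, while "in" inspects packets arriving from VLAN2 hosts. The following simulation is an added example, not code from the thread or from Cisco; it parses the two ACLs quoted above with a small IOS-syntax parser (protocol "ip" only), applies first-match-wins evaluation with the implicit trailing deny, and checks each flow a VLAN2 client might start. The host addresses (10.10.34.50, 10.10.33.10, 10.10.35.20 and the RFC 5737 documentation address 203.0.113.10) are constructed for illustration; only 10.10.33.1 comes from the thread.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr, wildcard):
    """IOS wildcard masks are inverted subnet masks: 0.0.0.255 -> /24, 0.0.0.0 -> /32."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def parse_endpoint(tokens):
    """Consume one source/destination spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(text):
    """Parse '[access-list N] {permit|deny} ip <src> <dst>' lines (protocol 'ip' only,
    which is all the ACLs in this thread use). Order is preserved: first match wins."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[0] == "access-list":      # numbered-ACL syntax: drop 'access-list N'
            tokens = tokens[2:]
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACE: {line!r}")
        src, rest = parse_endpoint(rest)
        dst, rest = parse_endpoint(rest)
        aces.append(Ace(action, src, dst))
    return aces


def evaluate(acl, src, dst):
    """First matching ACE decides; a packet that matches nothing hits the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


def session_allowed(acl, direction, vlan2_host, remote):
    """Does a flow started by a VLAN2 host survive this ACL on interface Vlan2?
    'in'  filters packets arriving from VLAN2 hosts (src = VLAN2 host, dst = remote).
    'out' filters packets the router forwards toward VLAN2 hosts, i.e. the return
    traffic (src = remote, dst = VLAN2 host), so the ACE sources describe the remote side."""
    if direction == "in":
        return evaluate(acl, vlan2_host, remote) == "permit"
    if direction == "out":
        return evaluate(acl, remote, vlan2_host) == "permit"
    raise ValueError(f"direction must be 'in' or 'out', got {direction!r}")


# ACLs quoted from the thread: the original access-list 170 and the accepted answer's ACL.
ACL_170 = parse_acl("""
access-list 170 deny   ip 10.10.34.0 0.0.0.255 10.10.33.0 0.0.0.255
access-list 170 deny   ip 10.10.34.0 0.0.0.255 10.10.35.0 0.0.0.255
access-list 170 permit ip 10.10.34.0 0.0.0.255 any
""")
DENY_VL2_TO_VL1 = parse_acl("""
deny ip 10.10.34.0 0.0.0.255 10.10.33.0 0.0.0.255
permit ip any any
""")

# Constructed hosts (assumptions): a VLAN2 client, a VLAN1 server, a VLAN3 client and an
# Internet host from the RFC 5737 range. 10.10.33.1 is the router's VLAN1 address from the post.
VLAN2_HOST, VLAN1_SERVER, VLAN3_HOST = "10.10.34.50", "10.10.33.10", "10.10.35.20"
ROUTER_VLAN1, INTERNET_HOST = "10.10.33.1", "203.0.113.10"


def report():
    """Compare the original placement (ACL 170 'out') with ACL 170 'in' and the accepted answer."""
    targets = {"vlan1 server": VLAN1_SERVER, "router vlan1 addr": ROUTER_VLAN1,
               "vlan3 host": VLAN3_HOST, "internet": INTERNET_HOST}
    return {
        "acl 170 out": {n: session_allowed(ACL_170, "out", VLAN2_HOST, t) for n, t in targets.items()},
        "acl 170 in": {n: session_allowed(ACL_170, "in", VLAN2_HOST, t) for n, t in targets.items()},
        "Deny-VL2-To-VL1 in": {n: session_allowed(DENY_VL2_TO_VL1, "in", VLAN2_HOST, t)
                               for n, t in targets.items()},
    }


if __name__ == "__main__":
    for placement, results in report().items():
        print(placement, results)
```

With ACL 170 applied "out", every return packet toward VLAN2 has a non-10.10.34.x source, matches none of the three ACEs and falls through to the implicit deny, so all VLAN2 sessions die, Internet included, which is exactly the symptom in the original post; the same ACL applied "in" would have worked. The accepted ACL applied "in" permits Internet and VLAN3 traffic (unlike ACL 170, it no longer blocks VLAN3) but also denies VLAN2 hosts from reaching 10.10.33.1 and the switches' 10.10.33.x management addresses, which is what Toshi's follow-up question about managing those three addresses is getting at; VLAN2 hosts still forward through their own gateway 10.10.34.1, so the route to the Internet is unaffected. Note also that access-list 170 is referenced by `ip nat inside source list 170 interface Dialer1 overload` in the posted config, and list 150 only matches 10.10.33.0/24 sources (list 180 is not shown), so deleting access-list 170 removes the only visible NAT rule for VLAN2 sources; keep the ACL, or point that NAT statement at a list that still permits 10.10.34.0/24, before removing it.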
