Non Intervlan Routing & Security

Cody Hay
Level 1

Needing some help looking at this the correct way. I have a network with 5 VLANs: Management 1, Voice 10, Employee 20, Guest 30, and WLAN Authentication 100. With this network I'm looking to implement a "Router on a Stick" type configuration. On the router, Management 1, Employee 20, and Guest 30 are the only VLANs that will have access to Internet resources. The voice VLAN is only for digital phones connecting to the PBX on a T1 analog trunk, and the WLAN Authentication VLAN is an ingress to the wireless controller for an HTML authentication, then NAT'd to the Guest VLAN. Now the issue I'm having is how to secure all these VLANs so they have no communication between each other but still provide Internet access to the 3 VLANs that need it through a single global IP.

Then with ACLs, what if someone in the Guest VLAN statics their IP to a subnet in the Employee network? Am I correct in saying that an access list would allow the cross-VLAN communication due to the ACL allowing that subnet? Assume a PC is connected to a switch port that puts a guest VLAN tag on the packet, which then gets trunked to the router with the guest VLAN tag: does the router look at that tag, or does it only apply filtering by IP against the ACL?

For sample configuration sake:

VLAN 1: 10.1.1.0/24
VLAN 10: 10.1.10.0/24
VLAN 20: 10.1.20.0/24
VLAN 30: 10.1.30.0/24
VLAN 100: 10.1.100.0/24
Gateway: 10.1.1.1

I have yet to try anything in a lab environment. Still waiting on all the equipment to get in so I can try.

Thanks!



Cody Hay
Level 1

Sample Diagram

Cody,

Then with ACLs, what if someone in the Guest vlan statics their IP to a subnet in the Employee network? Am I correct in saying that an access list would allow the cross VLAN communication due to the acl allowing that subnet?

If you're doing router-on-a-stick, that means that you're going to create the subinterfaces on the router to allow for the routing of those vlans. The switches on the other hand will have the vlans configured and ports will be added to individual vlans generally. Suppose you have a port configured for vlan 30. If you have the concern that a guest connected to that port will be able to change their subnet to match the vlan 20 subnet, you don't have to worry. If they did, the router would drop the traffic because it would see the tag for vlan 30, but it would see the subnet for vlan 20.

As far as your acls, you can keep your users from talking to each other with inbound acls. Something very simple would be like:

VLAN 1: 10.1.1.0/24
VLAN 10: 10.1.10.0/24
VLAN 20: 10.1.20.0/24
VLAN 30: 10.1.30.0/24
VLAN 100: 10.1.100.0/24

! extended ACL entries need the protocol keyword (ip) before the source
access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.10.0 0.0.0.255
access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.20.0 0.0.0.255
access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.30.0 0.0.0.255
access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.100.0 0.0.0.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
int
 ip access-group 101 in

access-list 110 deny ip 10.1.10.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 110 deny ip 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255
access-list 110 deny ip 10.1.10.0 0.0.0.255 10.1.30.0 0.0.0.255
access-list 110 deny ip 10.1.10.0 0.0.0.255 10.1.100.0 0.0.0.255
access-list 110 permit ip 10.1.10.0 0.0.0.255 any
int
 ip access-group 110 in

etc....

A better way, although more complicated, is to use zone-based firewalls. Here's a link explaining this. You would need an image that supported it:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml

HTH,
John

*** Please rate all useful posts ***


Thanks John, exactly what I needed.

So would you still use the next hop as:

ip route 0.0.0.0 0.0.0.0 x.x.x.x

and all the VLANs will route in and out OK?

Yes, you'll only need to have the single default route out if you only have a single outbound link.

HTH,
John

*** Please rate all useful posts ***


Alright John, last question: what would be the benefit of having a block of global IPs, since a connection only routes out a single interface?

The main benefit for a block of addresses is that you can have an address for different services. For example, if you have a web server, ftp server, and a mail server. Let's say you have addresses 8.8.8.1 - 8.8.8.14 that are usable. You can have your web server mapped to 8.8.8.5, ftp server mapped to 8.8.8.6 and mail server at 8.8.8.14. Your default route is used for when the router doesn't know how to get to a destination. If your user, who has their default gateway set to your router's lan interface, wants to go to a destination of 5.5.5.5, your router is going to do a lookup in its routing table. If it doesn't find that route, it will use its default gateway. This is where your "ip route 0.0.0.0" statement comes in.

You can also nat out as different global addresses as well. Let's say that you wanted to assign 8.8.8.2 and 8.8.8.3 to be used by your users. Users on the 192.168.2.0/24 subnet can be natted out as 8.8.8.2 and the users at 192.168.3.0/24 can be natted out as 8.8.8.3. So, there are a few things you can do with global addresses.

HTH,
John

*** Please rate all useful posts ***


Correct me if I'm wrong, but am I looking at these ACLs correctly? It looks backwards from your previous reply.

Cisco Version 12.4

access-list 101 deny ip

so the command to deny VLANs 10, 20, 30, and 100 would be:

access-list 101 deny ip 10.1.10.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 deny ip 10.1.20.0 0.0.0.255 10.1.1.0 0.0.0.255
etc.
access-list 101 permit ip any 10.1.1.0 0.0.0.255

and then apply it inbound on VLAN 1

The acl that you posted would be better for an outbound direction. Generally when you create an acl, you would apply it inbound if it's coming from that subnet. For example, if you have 10.1.1.1 on the router and you want to deny 10.1.1.0/24 from going anywhere, you would deny 10.1.1.0, as a source, inbound on that interface. If you wanted to use the same interface and block outbound, you'd create an acl blocking from some source to a destination on the interface.

For example, if you have a host of 10.1.1.50 you want to block to 10.1.20.0/24, you can do it two ways:

access-list 101 deny ip host 10.1.1.50 10.1.20.0 0.0.0.255
access-list 101 permit ip any any
int vlan 1
 ip access-group 101 in

This would block 10.1.1.50 from getting to 10.1.20.0/24. It would also have the effect of blocking 10.1.20.0 from getting to 10.1.1.50 (theoretically) because the return traffic would be denied.

Another way to block the same host would be:

access-list 101 deny ip 10.1.20.0 0.0.0.255 host 10.1.1.50
access-list 101 permit ip any any
int vlan 1
 ip access-group 101 out

This would block 10.1.20.0/24 from getting to 10.1.1.50.

The acl you posted, and the direction it's placed in, doesn't look correct. From first glance, it would never match on the first two lines and always match on the last line which would, in effect, still block traffic since you're only allowing traffic coming from anything to 10.1.1.0/24. You also want to block as close to the source as you can. I always use inbound acls, but there are some that use outbound acls as well.

HTH,
John

*** Please rate all useful posts ***


So which is better?

Do you block outbound traffic, since it's the closest to the source?

So to block traffic coming from VLAN 1 and destined for VLAN 10:

access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.10.0 0.0.0.255
! source: VLAN 1 subnet, destination: VLAN 10 subnet
int vlan 1
 ip access-group 101 out

---or---

block traffic coming in to VLAN 1 from VLAN 10:

access-list 101 deny ip 10.1.10.0 0.0.0.255 10.1.1.0 0.0.0.255
! source: VLAN 10 subnet, destination: VLAN 1 subnet
int vlan 1
 ip access-group 101 in

Or am I just looking at this all wrong, thinking that the source is VLAN 10, 20, 30, 100 and the destination is VLAN 1, and blocking the traffic once it gets to VLAN 1?

Actually, you have the correct acls, but the direction would be reversed on the two. In your first example "deny ip 10.1.1.0" while coming from vlan 1 would be in the "in" direction because the hosts sending to vlan 10 are in vlan 1, so their gateway would be 10.1.1.1 (assuming). Then you're blocking 10.1.1.x from getting to vlan 10 in the "in" direction.

The second example would be correct if it was in the "out" direction, or if you applied this acl on vlan 10 in the "in" direction.

As far as which one is better, I always do mine in the "in" direction although there are times where you might want to use out direction. I've seen some on here only use the out direction, so it's really a preference.

Here's another example:

access-list 101 deny ip host 10.1.1.50 host 10.1.10.50
access-list 101 permit ip any any

The above access list blocks traffic from 10.1.1.50 getting to 10.1.10.50. But there are two locations that this would work: on vlan 1 in the "in" direction OR vlan 10 in the "out" direction:

int vlan 1
 ip address 10.1.1.1 255.255.255.0
 ip access-group 101 in

int vlan 10
 ip address 10.1.10.1 255.255.255.0
 ip access-group 101 out

On vlan 10, I'm blocking traffic from host 10.1.1.50 getting to the host 10.1.10.50.

On vlan 1, I'm doing the same thing, but I do it from the perspective of the vlan closest to the source.

HTH,
John

*** Please rate all useful posts ***

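As an added example (not from this thread or from Cisco), the Python model below evaluates the ACLs posted above the way a router-on-a-stick does: the packet is bound to the subinterface of the 802.1Q tag it arrived with, the inbound ACL is checked there, the packet is routed by destination, and the outbound ACL is checked on the egress subinterface. It covers both the per-VLAN isolation ACLs from John's first reply (including a guest that statics an Employee-subnet address) and the "in on vlan 1" versus "out on vlan 10" placement from his last one; the host addresses and ACL numbers other than 101 and 110 are constructed.

```python
import ipaddress

SUBIFS = {1: "10.1.1.0/24", 10: "10.1.10.0/24", 20: "10.1.20.0/24",  # constructed: the
          30: "10.1.30.0/24", 100: "10.1.100.0/24"}                 # thread's five subnets

def _matcher(tok, i):
    """Turn 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at tok[i] into a predicate."""
    if tok[i] == "any":
        return (lambda ip: True), i + 1
    if tok[i] == "host":
        h = int(ipaddress.IPv4Address(tok[i + 1]))
        return (lambda ip: ip == h), i + 2
    base, wild = (int(ipaddress.IPv4Address(t)) for t in tok[i:i + 2])
    care = 0xFFFFFFFF ^ wild  # a 1 bit in the wildcard mask means "don't care"
    return (lambda ip: (ip & care) == (base & care)), i + 2

def parse_ace(line):
    """Parse one entry written as in the thread: 'access-list N {permit|deny} ip SRC DST'."""
    tok = line.split()
    assert tok[0] == "access-list" and tok[3] == "ip", line
    src, i = _matcher(tok, 4)
    dst, _ = _matcher(tok, i)
    return tok[2], src, dst

def acl_lookup(acl, src, dst):
    """First match top-down; traffic matching no entry hits the implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    return next((act for act, sm, dm in acl if sm(s) and dm(d)), "deny")

def forward(router, in_vlan, src, dst):
    """Inbound ACL on the subinterface of the arriving tag (whatever the source IP
    claims), then route by destination, then outbound ACL on the egress subinterface."""
    if acl_lookup(router.get((in_vlan, "in"), PERMIT_ALL), src, dst) == "deny":
        return "denied in on vlan %d" % in_vlan
    out = next((v for v, n in SUBIFS.items()
                if ipaddress.ip_address(dst) in ipaddress.ip_network(n)), "wan")
    if acl_lookup(router.get((out, "out"), PERMIT_ALL), src, dst) == "deny":
        return "denied out on vlan %s" % out
    return "forwarded to %s" % out

def isolation_acl(vlan):
    """John's pattern for one VLAN: deny the other four subnets, then permit the rest."""
    wc = lambda v: SUBIFS[v].replace("/24", " 0.0.0.255")
    lines = ["access-list %d deny ip %s %s" % (100 + vlan, wc(vlan), wc(v))
             for v in SUBIFS if v != vlan]
    lines.append("access-list %d permit ip %s any" % (100 + vlan, wc(vlan)))
    return [parse_ace(l) for l in lines]

PERMIT_ALL = [parse_ace("access-list 101 permit ip any any")]
HOST_ACL = [parse_ace("access-list 101 deny ip host 10.1.1.50 host 10.1.10.50")] + PERMIT_ALL
ISOLATED = {(v, "in"): isolation_acl(v) for v in SUBIFS}  # John's first reply, every VLAN
IN_ON_VLAN1 = {(1, "in"): HOST_ACL}      # John's last reply: same filter, two placements
OUT_ON_VLAN10 = {(10, "out"): HOST_ACL}
```

Because each inbound ACL only permits its own subnet as the source, a guest on the VLAN 30 subinterface using a 10.1.20.x address matches no entry and falls to the implicit deny, which is the behaviour the thread relies on.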

John, your information has been invaluable. Greatly appreciate you taking the time to answer these questions!

Hopefully all the equipment comes in this week so I can test this all out.

Thanks again!

No problem! If you have any other questions, we'll be here to help out....

Thanks!
John

HTH, John *** Please rate all useful posts ***