12-01-2013 04:25 AM - edited 03-07-2019 04:51 PM
In my network I am using Cisco 2921 with 3 GBit interfaces.
G0/0 goes to the internet
G0/1 goes to my squid proxy
G0/2 connects to SG300- 24 port managed GBit switch.
I am using wccp for my caching mechanism.
The switch has 24 ports and I have created VLANs 2-24. Port 1 is the trunk port, connecting to G0/2 of the router, and the remaining 23 ports are in separate VLANs:
Port2-Vlan2-172.16.2.0/24, Port3-Vlan3-172.16.3.0/24 etc.
I have created subinterfaces (G0/2.2, G0/2.3 etc.) for the various VLANs, using router on a stick.
What I need is that devices on Vlan1:
Should be able to access internet
Should be able to access Proxy on G0/1 (192.168.1.0/24)
Should NOT be able to access other vlans
I can go ahead and create ACLs, but I think that will be very difficult to manage, and sometimes I would need to "join" 2 vlans temporarily.
What is the best option for me?
Thanks !
12-01-2013 05:12 AM
Hi Akshay,
You can use PBR:
Here is the example.
https://supportforums.cisco.com/thread/2128202
or you will need an ACL to prevent vlan 10.10 from talking to vlan 10.20 and vice versa. For example:
access-list 10 deny 10.20.0.0 0.0.255.255
access-list 10 permit any
access-list 20 deny 10.10.0.0 0.0.255.255
access-list 20 permit any
interface vlan 10
ip access-group 10 out >> will prevent any traffic from 10.20.0.0
interface vlan 20
ip access-group 20 out >> will prevent any traffic from 10.10.0.0
Regards
Don't forget to rate helpful posts.
12-01-2013 05:17 AM
Hi Sandeep
VRF seems to be another way of doing the same. Can you please let me know the config.
In each VRF routing table it should have:
1. Default route to internet
2. route to G0/1
Can you please help me.
12-01-2013 05:45 AM
Akshay
Can you clarify exactly what you want. You say -
What I need is that devices on Vlan1:
Should be able to access internet
Should be able to access Proxy on G0/1 (192.168.1.0/24)
Should NOT be able to access other vlans
but you don't have any devices in vlan 1 according to your description of how you have allocated the ports.
Note also that using VRFs will not make your config any simpler, because you would need to exchange routes between VRFs, and I don't think it would be that much easier to manage.
Jon
12-01-2013 06:37 AM
Please read it as:
What I need is that devices on Vlan2:
Should be able to access internet
Should be able to access Proxy on G0/1 (192.168.1.0/24)
Should NOT be able to access other vlans
You are saying that it won't make the config easier; can you please let me know what is the best option for me?
Also, please post an example of VRF for my scenario.
12-01-2013 06:51 AM
Akshay
If it is just vlan 2 then the simplest solution is -
access-list 101 deny ip 172.16.2.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 101 permit ip any any
the above is the shortest acl and it's important to understand what it is doing -
1) it blocks all traffic from vlan 2 to any 172.16.x.0 network. You could have individual lines for each vlan subnet but 172.16.0.0 255.255.0.0 covers all those networks ie. it covers -
172.16.0.0 -> 172.16.255.0
you can narrow it down if you want with -
172.16.0.0 0.0.31.255 which covers networks 172.16.0.0 -> 172.16.31.0.
If you need vlan 2 to be able to access vlan 4, for example, but not any others, you would need to rewrite the acl.
2) the second line allows all other traffic from vlan 2 to any other destination which includes 192.168.1.0/24 and the internet.
then you need to apply the acl -
int gi0/2.2
encapsulation dot1q 2
ip address x.x.x.x y.y.y.y
ip access-group 101 in
The above is by far the simplest solution. Using VRFs would require a lot more config. If you still want to use VRFs do a search on Cisco site where there are lots of config examples. Bear in mind you would need to configure VRFs and then additionally start exchanging routes between VRFs.
Jon
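To check what the wildcard-mask ACLs in Jon's and Sandeep's posts actually match before applying them, here is a small evaluator of Cisco ACL semantics (first match wins, wildcard bit 1 = don't care, implicit deny at the end). It is an added example, not code from the thread; the ACL entries and the host addresses used are constructed from the subnets mentioned above.

```python
import ipaddress
from typing import List, Tuple

Entry = Tuple[str, str, str, str, str]  # action, src, src-wildcard, dst, dst-wildcard

# Constructed model of the accepted answer's access-list 101.
ACL_101: List[Entry] = [
    ("deny",   "172.16.2.0", "0.0.0.255",       "172.16.0.0", "0.0.255.255"),
    ("permit", "0.0.0.0",    "255.255.255.255", "0.0.0.0",    "255.255.255.255"),  # any any
]

# Jon's variant for "vlan 2 may reach vlan 4 but nothing else": the permit
# has to sit above the deny, because IOS stops at the first matching line.
ACL_101_VLAN4: List[Entry] = [
    ("permit", "172.16.2.0", "0.0.0.255", "172.16.4.0", "0.0.0.255"),
] + ACL_101


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard: a 0 bit in the mask must match the base, a 1 bit is ignored."""
    care = 0xFFFFFFFF ^ _ip(wildcard)
    return (_ip(addr) & care) == (_ip(base) & care)


def wildcard_range(base: str, wildcard: str) -> Tuple[str, str]:
    """First and last address covered by base/wildcard (e.g. 172.16.0.0 0.0.31.255)."""
    w = _ip(wildcard)
    lo = _ip(base) & (0xFFFFFFFF ^ w)
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(lo | w))


def evaluate(acl: List[Entry], src: str, dst: str) -> str:
    """Walk the ACL top-down; the first matching entry decides the packet."""
    for action, sbase, swild, dbase, dwild in acl:
        if wildcard_match(src, sbase, swild) and wildcard_match(dst, dbase, dwild):
            return action
    return "deny"  # implicit deny that ends every Cisco ACL


if __name__ == "__main__":
    for dst in ("172.16.3.10", "192.168.1.5", "203.0.113.9"):
        print(f"vlan2 host -> {dst}: {evaluate(ACL_101, '172.16.2.10', dst)}")
    # Without the 'permit ip any any' line the implicit deny blocks everything.
    print("deny-only ACL, to proxy:", evaluate(ACL_101[:1], "172.16.2.10", "192.168.1.5"))
```

Running `evaluate` on just the deny line shows why the `permit ip any any` is not optional: without it the subinterface drops the proxy and internet traffic too.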
12-01-2013 07:11 AM
Agreed.
Thanks a lot.