Solved: use acl to limit traffic between vlans

dannan lin · ‎11-19-2011

hi:

i am back with another question.

above is the scenario,

the IP addresses of 4 PCs were assigned by DHCP.

and each PC represent a vlan .

question :

how to block all incoming traffic to 192.168.99.0/24 except from 192.168.1.0/24 .

ip dhcp excluded-address 192.168.1.1 192.168.1.10

ip dhcp excluded-address 192.168.2.1 182.168.2.10

ip dhcp excluded-address 192.168.3.1 192.168.3.10

ip dhcp excluded-address 192.168.99.1 192.168.99.10

!

ip dhcp pool managment

network 192.168.1.0 255.255.255.0

default-router 192.168.1.1

ip dhcp pool finance

network 192.168.99.0 255.255.255.0

default-router 192.168.99.1

ip dhcp pool sales

network 192.168.3.0 255.255.255.0

default-router 192.168.3.1

ip dhcp pool customer_exp

network 192.168.2.0 255.255.255.0

default-router 192.168.2.1

interface FastEthernet0/0

no ip address

duplex auto

speed auto

!

interface FastEthernet0/0.1

encapsulation dot1Q 10

ip address 192.168.1.1 255.255.255.0

!

interface FastEthernet0/0.2

encapsulation dot1Q 20

ip address 192.168.2.1 255.255.255.0

!

interface FastEthernet0/0.3

encapsulation dot1Q 30

ip address 192.168.3.1 255.255.255.0

!

interface FastEthernet0/0.10

encapsulation dot1Q 99

ip address 192.168.99.1 255.255.255.0

ip access-group 1 in

!

interface FastEthernet1/0

ip address 192.168.4.1 255.255.255.0

duplex auto

speed auto

router eigrp 10

network 0.0.0.0

auto-summary

!

ip classless

!

access-list 1 permit host 192.168.1.0 // i think here i permited traffic of 192.168.1.0

the above configuration is missing something, because if i applied it, the 192.168.99.0 network rejected all kind of traffic including DHCP.

I think use standard ACL is enough but i am not so sure. i also tried to use extended ACL but it did not work as well.

please help.

thanks in advance

dannan

manju.cisco · ‎11-21-2011

Hi Dannan,

You stand on the router and you see packets coming to you from the 99.0 network(source), so you have to apply acl to check the packets coming to you, so you have to apply as "in" to check the incoming packets.

View solution in original post

Latchum Naidu · ‎11-21-2011

Hi Dannan,

my question is why i must put "in" here instead of "out"
The above ip access-group "in" or "out" both will do different job.

The difference in applying an ACL in or out is like this....

When you apply an ACL "in", the router examines all traffic it RECEIVES on the interface against the ACL.

When you apply an ACL "out" on an interface the router examines any traffic attempting to leave that interface against the ACL.

Hope I clear you...

Please rate the helpfull posts.
Regards,
Naidu.

View solution in original post

Reza Sharifi · ‎11-19-2011

Try this and test again:

access-list 111 permit ip 192.168.1.0 0.0.0.255 192.168.99.0 0.0.0.255

access-list 111 deny ip any any

interface FastEthernet0/0.10

encapsulation dot1Q 99

ip address 192.168.99.1 255.255.255.0

ip access-group 111 in

HTH

dannan lin · ‎11-19-2011

thanks Reza,

but it did not work

access-list 111 permit ip 192.168.1.0 0.0.0.255 192.168.99.0 0.0.0.255

access-list 111 deny ip any any

it rejected DHCP service as well.

any thoughts???

Reza Sharifi · ‎11-19-2011

how about first deny all the other subnets

access-list 111 deny ip 192.168.2.0 0.0.0.255 192.168.99.0 0.0.0.255

access-list 111 deny ip 192.168.3.0 0.0.0.255 192.168.99.0 0.0.0.255

access-list 111 deny ip 192.168.5.0 0.0.0.255 192.168.99.0 0.0.0.255

access-list 111 deny ip 192.168.12.0 0.0.0.255 192.168.99.0 0.0.0.255

then permit all

access-list 111 permit ip any any

dannan lin · ‎11-19-2011

ummm, i didn't deny all sunbets but

i did one

access-list 111 deny ip 192.168.2.0 0.0.0.255 192.168.99.0 0.0.0.255

and permited all

this time dhcp worked but 192.168.2.0 networkt can still ping 192.168.99.0 network.

dannan lin · ‎11-19-2011

i figured out

if i use

access-list 101 permit udp any any eq bootps

i can keep the dhcp running

but i still don't know how to deny other pc access to 192.168.99.0 network .

i used

access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.99.0 0.0.0.255

but it blocked all access to 192.168.99.0 which is not i wanted.

manju.cisco · ‎11-19-2011

dannan lin wrote:

i figured out

if i use

access-list 101 permit udp any any eq bootps

i can keep the dhcp running

but i still don't know how to deny other pc access to 192.168.99.0 network .

i used

access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.99.0 0.0.0.255

but it blocked all access to 192.168.99.0 which is not i wanted.

For this, you should try this

access-list 101 permit ip 192.168.99.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 101 permit udp any eq bootpc any

Message was edited by: Manjunath Shivanna

manju.cisco · ‎11-19-2011

Hi,

dannan lin wrote:

ummm, i didn't deny all sunbets but

i did one

access-list 111 deny ip 192.168.2.0 0.0.0.255 192.168.99.0 0.0.0.255

and permited all

this time dhcp worked but 192.168.2.0 networkt can still ping 192.168.99.0 network.

It should be the other way,

try

access-list 111 deny ip 192.168.99.0 0.0.0.255 192.168.2.0 0.0.0.255

and permit all

Message was edited by: Manjunath Shivanna

Corrected the ip subnet, sorry for typo.

dannan lin · ‎11-19-2011

thank you manju,

but i got another stupid question to ask .

as you suggested

i put

Extended IP access list 101

permit ip 192.168.99.0 0.0.0.255 192.168.1.0 0.0.0.255 (3 match(es))

permit udp any eq bootpc any

permit ip 192.168.99.0 0.0.0.255 host 192.168.5.10 (13 match(es)) // i added extra statement to allow traffic to the server

and

interface FastEthernet0/0.10

encapsulation dot1Q 99

ip address 192.168.99.1 255.255.255.0

ip access-group 101 in // the "out" option didn't work

my question is why i must put "in" here instead of "out"

according to the statement

permit ip 192.168.99.0 0.0.0.255 192.168.1.0 0.0.0.255

192.168.99.0 is the source network and 192.168.1.0 is the destination network and we are configuring at int f0/0.10

which ip address is 192.168.99.1 .

from 192.168.99.0 to 192.168.1.0 looks like "out"relationship to me .

(192.168.99.0) -> (192.168.1.0)

???? i am a little confused here.

thanks to your help.

manju.cisco · ‎11-21-2011

Hi Dannan,

You stand on the router and you see packets coming to you from the 99.0 network(source), so you have to apply acl to check the packets coming to you, so you have to apply as "in" to check the incoming packets.

Latchum Naidu · ‎11-21-2011

Hi Dannan,

my question is why i must put "in" here instead of "out"
The above ip access-group "in" or "out" both will do different job.

The difference in applying an ACL in or out is like this....

When you apply an ACL "in", the router examines all traffic it RECEIVES on the interface against the ACL.

When you apply an ACL "out" on an interface the router examines any traffic attempting to leave that interface against the ACL.

Hope I clear you...

Please rate the helpfull posts.
Regards,
Naidu.

dannan lin · ‎11-21-2011

thanks guys， you are internet heros.