01-31-2012 04:37 PM - edited 03-21-2019 05:16 AM
Hi,
UC540 (running patch 8.2 and cca 3.1)
default voice Vlan is 100 (172.16.1.x)
data Vlan 1 (192.168.1.x)
guest network Vlan200 (192.168.2.x) - will be accessed from wireless ap only
Right now, anyone connected to vlan200 can access devices on vlan100 (192.168.1.x) and gateway web access at 10.1.10.1. I'd like to make vlan200 "wan only" for the most part with no access to any other subnets or devices. I'm hoping I can do this with ACLs. I've experimented along the lines of creating an ACL with rules like "deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255" and similar and applied it to the interface (both in and out because I really don't know what I'm doing there) with no luck. Is this the best method? If so, what is the proper structure for the ACL? Any help would be much appreciated!
Oh one more thing, this UC was set up with a combination of CCA and CLI. I've made it mostly CCA compliant at this point, but the firewall remains CLI only, so this would have to be done there. Thanks!
Fletcher
Solved! Go to Solution.
01-31-2012 10:17 PM
You probably have it backwards and you have to apply the ACL as close to the source as possible. So apply the ACL on the VLAN interface the traffic is originating from. ACLs are almost always applied inbound. You will also need to modify your existing access list and add the statements below to it.
VLAN 200
access-list 150 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 deny ip 192.168.2.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 150 deny ip 192.168.2.0 0.0.0.255 10.1.10.0 0.0.0.3
access-list 150 permit ip any any
interface BVI200 or Interface Vlan200
ip access-group 150 in
Inbound means traffic is entering the interface. This traffic has not passed through the router yet.
Example: PC -----> Router interface
Outbound means traffic is leaving the interface. This traffic has entered the router through another interface and is exiting.
Example: Router --------> PC
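To see why the direction matters, here is an added example (not from the thread or from any Cisco tool) that models how a Cisco numbered ACL is evaluated: wildcard-mask matching, first match wins, and the implicit deny at the end. It parses the four lines from the answer above and checks guest-originated packets against them; the "backwards" ACL is my assumed reconstruction of the original poster's attempt (the deny line quoted in the question plus a permit any any), used only to show that such a rule never matches traffic entering Vlan200 from a guest host. All host addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

# ACL 150 as written in the answer above.
ACL_150 = """
access-list 150 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 deny ip 192.168.2.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 150 deny ip 192.168.2.0 0.0.0.255 10.1.10.0 0.0.0.3
access-list 150 permit ip any any
"""

# Assumed reconstruction of the original "backwards" attempt: the deny line
# from the question (data VLAN as source, guest VLAN as destination) plus a
# permit so that the implicit deny does not block everything.
ACL_BACKWARDS = """
access-list 151 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 151 permit ip any any
"""


@dataclass
class Ace:
    action: str      # "permit" or "deny"
    src: int
    src_wild: int    # Cisco wildcard: bit set to 1 means "don't care"
    dst: int
    dst_wild: int


def _ip_int(text):
    return int(ipaddress.IPv4Address(text))


def _parse_match(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _ip_int(tokens[i + 1]), 0, i + 2
    return _ip_int(tokens[i]), _ip_int(tokens[i + 1]), i + 2


def parse_acl(text):
    """Parse 'access-list <n> <permit|deny> ip <src> <dst>' lines into ACEs."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            raise ValueError(f"unsupported ACE: {line}")
        src, src_wild, i = _parse_match(t, 4)
        dst, dst_wild, _ = _parse_match(t, i)
        aces.append(Ace(t[2], src, src_wild, dst, dst_wild))
    return aces


def wildcard_match(addr, base, wild):
    # Only the bits where the wildcard is 0 have to agree with the base address.
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (base & care)


def evaluate(aces, src, dst):
    """Return (action, 1-based ACE number) for the first matching entry.

    No match means the implicit 'deny any any' at the end of every Cisco ACL,
    reported with entry number None."""
    s, d = _ip_int(src), _ip_int(dst)
    for n, a in enumerate(aces, 1):
        if wildcard_match(s, a.src, a.src_wild) and wildcard_match(d, a.dst, a.dst_wild):
            return a.action, n
    return "deny", None


# Constructed probe packets as they would enter Vlan200 (source is a guest host).
PROBES = {
    "guest_to_data": ("192.168.2.20", "192.168.1.10"),
    "guest_to_voice": ("192.168.2.20", "172.16.1.5"),
    "guest_to_gateway": ("192.168.2.20", "10.1.10.1"),
    "guest_to_internet": ("192.168.2.20", "203.0.113.7"),
}


def isolation_report(acl_text=ACL_150):
    """Map each probe to the action ACL 150 (or another ACL) takes on it."""
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, s, d)[0] for name, (s, d) in PROBES.items()}


if __name__ == "__main__":
    for acl_name, text in (("ACL 150 inbound on Vlan200", ACL_150),
                           ("backwards ACL inbound on Vlan200", ACL_BACKWARDS)):
        print(acl_name, isolation_report(text))
```

With ACL 150 applied inbound on the guest interface, the three internal destinations are denied and everything else is permitted, which is the "WAN only" behaviour asked for. The backwards rule permits every guest probe, because packets entering Vlan200 always carry a 192.168.2.x source and so never match a deny whose source is the data VLAN. Note also how the 0.0.0.3 wildcard on the third line covers only 10.1.10.0 through 10.1.10.3; a gateway address outside that /30 would fall through to the permit.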
02-01-2012 12:02 PM
Marcus,
Thanks for taking the time to answer my question! I applied the ACL to Vlan200 (conf t, int Vlan200) with no luck. However, looking in the show run I noticed none of the "VlanXXX" entries showed access-groups applied, whereas the "BVxxx" ones did. I applied the ACL to BV200 (conf t, int BV200) and success! No trace of the main Vlans on the guest_network. Thanks again.
Fletcher
02-01-2012 12:09 PM
Oh, I forgot to ask, is this proper behavior for the diff. interfaces? If so, why the seemingly duplicate interfaces with diff. names?
Not looking for a book, just a quick "because..." will do, thanks again!
Fletcher
02-01-2012 07:18 PM
That Vlan200 is probably bridged to that BVI200 interface. BVI = Bridged Virtual Interface is used when you want two interfaces to be on the same broadcast domain or appear to be on the same L2 domain.