restrict access between vlans

hopkintondrug
Level 1

Hi,

UC540 (running patch 8.2 and cca 3.1)

default voice Vlan is 100 (172.16.1.x)

data Vlan 1 (192.168.1.x)

guest network Vlan200 (192.168.2.x) - will be accessed from wireless ap only

Right now, anyone connected to vlan200 can access devices on vlan100 (192.168.1.x) and gateway web access at 10.1.10.1. I'd like to make vlan200 "wan only" for the most part, with no access to any other subnets or devices. I'm hoping I can do this with ACLs. I've experimented along the lines of creating an ACL with rules like "deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255" and similar and applied it to the interface (both in and out, because I really don't know what I'm doing there) with no luck. Is this the best method? If so, what is the proper structure for the ACL? Any help would be much appreciated!

Oh one more thing, this UC was set up with a combination of CCA and CLI.  I've made it mostly CCA compliant at this point, but the firewall remains CLI only, so this would have to be done there.  Thanks!

Fletcher

Accepted Solution

mcasimirc63
Level 4

You probably have it backwards: you have to apply the ACL as close to the source as possible. So apply the ACL on the VLAN interface the traffic is originating from. ACLs are almost always applied inbound. You will also need to modify your existing access list and add the statements below to it.

VLAN 200:

access-list 150 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 deny ip 192.168.2.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 150 deny ip 192.168.2.0 0.0.0.255 10.1.10.0 0.0.0.3
access-list 150 permit ip any any

interface BVI200 (or interface Vlan200)
 ip access-group 150 in

Inbound means traffic is entering the interface. This traffic has not passed through the router yet.

Example PC -----> Router interface

Outbound means traffic is leaving the interface. This traffic has entered the router through another interface and is exiting.

Example Router-------->PC


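As an added illustration that is not part of the thread, the following Python script models how an IOS-style numbered extended ACL evaluates packets (top-to-bottom, first match wins, implicit deny at the end, wildcard masks where a 0 bit must match) and runs the accepted answer's list against constructed guest-originated flows. It also runs the reversed list from the question (data subnet as the source) to show why it never matched when applied inbound on the guest interface. The simulator, the flow list and the internet test address (203.0.113.7, from the TEST-NET-3 documentation range) are my assumptions; only the subnets and the four access-list lines come from the thread.

```python
"""
Added example, not from the original post: a minimal simulator of Cisco
IOS-style extended ACL evaluation, used to check the guest-VLAN policy
before typing it into a live router.

Assumptions (mine): wildcard bits set to 0 must match, entries are tested
top to bottom, first match wins, and there is an implicit "deny any any"
after the last entry. Only 'ip' entries with 'any', 'host X' or 'X WILD'
address forms are modelled.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str      # "permit" or "deny"
    src: int         # source network as a 32-bit int
    src_wild: int    # source wildcard mask as a 32-bit int
    dst: int
    dst_wild: int


def _parse_addr(tokens, i):
    """Return (addr, wildcard, next_index) for 'any', 'host X' or 'X WILD'."""
    tok = tokens[i]
    if tok == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    return (int(ipaddress.IPv4Address(tok)),
            int(ipaddress.IPv4Address(tokens[i + 1])), i + 2)


def parse_acl(text):
    """Parse 'access-list <n> <permit|deny> ip <src> <dst>' lines into Aces."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        action = tokens[2]
        assert tokens[3] == "ip", "this example only models 'ip' entries"
        src, src_wild, i = _parse_addr(tokens, 4)
        dst, dst_wild, _ = _parse_addr(tokens, i)
        aces.append(Ace(action, src, src_wild, dst, dst_wild))
    return aces


def _matches(addr, base, wild):
    # A 0 bit in the wildcard means that bit of addr must equal base.
    return (addr & ~wild & 0xFFFFFFFF) == (base & ~wild & 0xFFFFFFFF)


def evaluate(aces, src_ip, dst_ip):
    """First-match evaluation, with the implicit deny at the end of the list."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for ace in aces:
        if _matches(s, ace.src, ace.src_wild) and _matches(d, ace.dst, ace.dst_wild):
            return ace.action
    return "deny"


# The list from the accepted answer, applied inbound on the guest interface.
GUEST_ACL = """
access-list 150 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 deny ip 192.168.2.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 150 deny ip 192.168.2.0 0.0.0.255 10.1.10.0 0.0.0.3
access-list 150 permit ip any any
"""

# The direction tried in the question: inbound on the guest interface it can
# never match a packet whose source is the guest subnet.
REVERSED_ACL = """
access-list 150 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 150 permit ip any any
"""


def guest_policy_results(acl_text):
    """Evaluate constructed guest-originated flows against an ACL applied 'in' on the guest VLAN."""
    aces = parse_acl(acl_text)
    flows = {  # constructed sample traffic; 203.0.113.7 stands in for a WAN host
        "guest->data": ("192.168.2.50", "192.168.1.10"),
        "guest->voice": ("192.168.2.50", "172.16.1.20"),
        "guest->gateway": ("192.168.2.50", "10.1.10.1"),
        "guest->internet": ("192.168.2.50", "203.0.113.7"),
    }
    return {name: evaluate(aces, s, d) for name, (s, d) in flows.items()}


if __name__ == "__main__":
    for label, acl in (("corrected", GUEST_ACL), ("reversed", REVERSED_ACL)):
        for name, verdict in guest_policy_results(acl).items():
            print(f"{label:9s} ACL  {name:16s} {verdict}")
```

Two things the simulation makes visible that are worth keeping in mind on the real box: the wildcard 0.0.0.3 on the third line covers 10.1.10.0 through 10.1.10.3, so it catches the 10.1.10.1 gateway address, and the closing "permit ip any any" means any subnet you add later is reachable from the guest VLAN until you add a matching deny line. The ACL is also stateless: because it drops every guest-sourced packet toward the data and voice subnets, it also drops the replies of any session a data or voice host opens toward a guest device, which is usually what you want for a guest network but is worth knowing before you troubleshoot it.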
4 Replies

Marcus,

Thanks for taking the time to answer my question! I applied the ACL to Vlan200 (conf t, int Vlan200) with no luck. However, looking in the show run I noticed none of the "VlanXXX" entries showed access-groups applied, whereas the "BVxxx" ones did. I applied the ACL to BV200 (conf t, int BV200) and success! No trace of the main VLANs on the guest_network. Thanks again.

Fletcher

Oh, I forgot to ask: is this proper behavior for the different interfaces? If so, why the seemingly duplicate interfaces with different names?

Not looking for a book, just a quick "because..." will do. Thanks again!

Fletcher

That Vlan200 is probably bridged to that BVI200 interface. BVI (Bridged Virtual Interface) is used when you want two interfaces to be on the same broadcast domain or to appear to be on the same L2 domain.