07-28-2008 06:58 PM - edited 03-06-2019 12:29 AM
I have VLAN 180 supporting the production network (DHCP and static IP). How do I block the whole DHCP scope from accessing the Internet?
Vlan 180 range: 10.14.80.1-10.14.95.254/255.255.240.0
DHCP range 10.14.84.1-10.14.89.254/255.255.240.0
Can someone advise whether the configuration below is correct or not?
access-list 111 deny tcp any 10.14.84.0 0.0.0.255 eq www
access-list 111 deny tcp any 10.14.85.0 0.0.0.255 eq www
access-list 111 deny tcp any 10.14.86.0 0.0.0.255 eq www
access-list 111 deny tcp any 10.14.87.0 0.0.0.255 eq www
access-list 111 deny tcp any 10.14.88.0 0.0.0.255 eq www
access-list 111 deny tcp any 10.14.89.0 0.0.0.255 eq www
Besides that, on which interface should I apply the command below?
ip access-group 111
07-28-2008 07:20 PM
If this is for a vlan, you might consider using a VACL (VLAN Access List). Basically you would deny traffic to the internet interface, but permit all other traffic.
HTH
07-28-2008 08:08 PM
Mate,
If you want to stop the DHCP scope address range from using port 80 (http) or 443 (https) you can use the below access list inbound on the inside interface.
access-list 111 deny tcp 10.14.84.0 0.0.3.255 any eq www
access-list 111 deny tcp 10.14.89.0 0.0.1.255 any eq www
access-list 111 deny tcp 10.14.84.0 0.0.3.255 any eq 443
access-list 111 deny tcp 10.14.89.0 0.0.1.255 any eq 443
access-list 111 permit ip any any
I think that is what you're after. Obviously where you put the access-list largely depends on where most of the traffic will originate.
Also, as mentioned above in the previous post, you can use vlan access lists which can cull traffic even before it hits the router!
Good luck!
07-28-2008 10:43 PM
Thanks for your advice. Why must I use that wildcard instead of 0.0.0.255? Any reason?
BTW, do you think the config below suits my environment better? Appreciate your help.
access-list 111 deny tcp 10.14.84.0 0.0.3.255 any eq www
access-list 111 deny tcp 10.14.88.0 0.0.3.255 any eq www
access-list 111 deny tcp 10.14.84.0 0.0.3.255 any eq 443
access-list 111 deny tcp 10.14.88.0 0.0.3.255 any eq 443
access-list 111 permit ip any any
07-28-2008 10:51 PM
You don't need to aggregate them if you don't want to. The individual entries using the 24-bit mask will do just as well.
The line "access-list 111 deny tcp 10.14.88.0 0.0.3.255 any eq www" will deny connection to the web for 10.14.88.0/24, 10.14.89.0/24, 10.14.90.0/24 and 10.14.91.0/24.
The DHCP scope you mentioned earlier is 10.14.84.1 up to 10.14.89.254. Therefore if you use the "access-list 111 deny tcp 10.14.88.0 0.0.3.255 any eq www", it will deny connection for the address ranges 10.14.90.0/24 and 10.14.91.0/24 (these two ranges are not in your DHCP pool, so I assume you want them to have connection to the Internet?).
07-28-2008 10:06 PM
Try to make it like this:
access-list 111 deny tcp 10.14.80.0 0.0.15.255 any eq www
Then apply it to the inside interface, the interface that is connected to your LAN:
ip access-group 111 in
You can apply it to your outside interface like the following, but it is not recommended because it will be CPU intensive.
On the outside interface:
ip access-group 111 out
Good luck.
Rate if helpful.
07-28-2008 10:50 PM
access-list 111 deny tcp 10.14.80.0 0.0.15.255 any eq www
IP range 10.14.80.1 to 10.14.95.254.
Will this block all Internet access?
07-28-2008 10:53 PM
Only to port 80; port 443 will still be accessible.
07-28-2008 10:55 PM
Correction, it will block access to anything on port 80, and the implicit deny at the end of the access-list will deny all other traffic.
That's why you need the permit ip any any statement afterwards.
Brad
07-29-2008 05:45 AM
OK, this access list
access-list 111 deny tcp 10.14.80.0 0.0.15.255 any eq www
will block HTTP.
Also, it's right that without the second statement with permit any it will block everything,
but I mentioned the ACL just for the idea of summarizing the addresses.
So for only web traffic:
access-list 111 deny tcp 10.14.80.0 0.0.15.255 any eq www
access-list 111 deny tcp 10.14.80.0 0.0.15.255 any eq 443
access-list 111 permit ip any any
Then apply it as I mentioned in the previous post.
Rate if helpful.
07-29-2008 08:58 AM
Lewis:
From a security standpoint, it is preferable to not use "permit ip any any" at the end of your interface ACLs. It is preferable to construct your interface ACLs to only allow traffic permitted by your security policy. Anything not permitted by your security policy should be denied with "deny ip any any log" at the end of your interface ACLs. You might want to transition to this methodology in future implementations.
Ideally you would prevent outbound connection initiation by applying the interface ACL on an internal interface, rather than blocking the return traffic with the interface ACL being applied to an external interface.
Your DHCP scope has been defined as: 10.14.84.1 - 10.14.89.254
The proper masking for this range would be:
10.14.84.0 0.0.3.255 (10.14.84.0 through 10.14.87.0)
10.14.88.0 0.0.1.255 (10.14.88.0 through 10.14.89.0)
Your initial post asked "How to block all the DHCP scope to access internet?", but your ACL specified the keyword "www". It is therefore not clear whether you are seeking to block all access to the Internet, or just HTTP access to the Internet for these hosts.
You've not indicated whether this router resides on your network edge, or elsewhere in your network topology. If these hosts require HTTP access to servers on your network, and the routes to those servers pass through this router, you might want to be careful of using the keyword "any" as the destination in your interface ACLs.
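The wildcard-coverage reasoning in the two replies above (which /24 blocks an entry like 10.14.88.0 0.0.3.255 actually matches, and whether the entries over- or under-cover the DHCP scope) can be checked mechanically. The following Python is an added example, not code from the thread; it parses the deny entries of a numbered IOS ACL, expands each source/wildcard pair, and compares the result with the scope's /24 blocks 10.14.84.0 through 10.14.89.255 (a wildcard entry cannot carve out the single .0 and .255 addresses at the pool edges, so the check is done at block granularity). The ACL texts are constructed from the proposals in the thread.

```python
import ipaddress
import re

# Constructed inputs in Cisco IOS numbered-ACL syntax, taken from the thread's proposals.
ACL_EXACT = """
access-list 111 deny tcp 10.14.84.0 0.0.3.255 any eq www
access-list 111 deny tcp 10.14.89.0 0.0.1.255 any eq www
access-list 111 permit ip any any
"""
ACL_OVERBLOCK = """
access-list 111 deny tcp 10.14.84.0 0.0.3.255 any eq www
access-list 111 deny tcp 10.14.88.0 0.0.3.255 any eq www
access-list 111 permit ip any any
"""
ACL_VLAN = "access-list 111 deny tcp 10.14.80.0 0.0.15.255 any eq www"

# Matches 'deny tcp <source> <wildcard> any eq <port>'; permit lines and other shapes are skipped.
ACE_RE = re.compile(r"^access-list\s+\d+\s+deny\s+tcp\s+(\S+)\s+(\S+)\s+any\s+eq\s+(\S+)$")

def deny_sources(acl_text):
    """Source networks matched by the deny entries, as ipaddress networks."""
    nets = []
    for line in acl_text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            net, wildcard, _port = m.groups()
            # ipaddress accepts a dotted hostmask (wildcard) in place of a prefix length.
            # strict=False zeroes the host bits as IOS does, so 10.14.89.0 0.0.1.255 is
            # matched as 10.14.88.0/23.
            nets.append(ipaddress.ip_network(f"{net}/{wildcard}", strict=False))
    return nets

def blocks(ints, prefix=24):
    """Summarize integer addresses into /24 blocks, the granularity the thread reasons in."""
    out = []
    for net in ipaddress.collapse_addresses(ipaddress.ip_address(i) for i in sorted(ints)):
        if net.prefixlen < prefix:
            out.extend(str(s) for s in net.subnets(new_prefix=prefix))
        else:
            out.append(str(net))
    return out

def coverage(acl_text, first, last):
    """Return (overblocked, unblocked): addresses the deny entries hit outside
    [first, last], and addresses inside that range which no deny entry hits."""
    denied = {int(a) for n in deny_sources(acl_text) for a in n}  # iteration includes .0 and .255
    scope = set(range(int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last)) + 1))
    return blocks(denied - scope), blocks(scope - denied)

if __name__ == "__main__":
    for name, acl in (("exact", ACL_EXACT), ("overblock", ACL_OVERBLOCK), ("vlan", ACL_VLAN)):
        extra, gaps = coverage(acl, "10.14.84.0", "10.14.89.255")
        print(f"{name}: blocked outside scope={extra} scope left unblocked={gaps}")
```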