Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Help with Access Lists

I currently have vlans setup on my cisco 881 router and I'm needing help setting up the access list permissions for the vlans. What I can not seem to get correct is that for the management vlan (103) I want that vlan to have full access to all the other vlans. Then the other vlans need to be seperated out on their own so that they do not have access to any other vlan. All I seem to manage to do is either block myself out from all the vlans on the network or set have access even after I have made access lists and applied. Please help me with what I need to do. Thanks!

Here is the important parts for this config:

ip source-route

!

!

ip dhcp excluded-address 10.10.10.1 10.10.10.20

ip dhcp excluded-address 10.10.20.1 10.10.20.20

ip dhcp excluded-address 10.10.30.1 10.10.30.50

ip dhcp excluded-address 10.10.40.1 10.10.40.20

ip dhcp excluded-address 10.10.60.1 10.10.60.20

ip dhcp excluded-address 10.10.70.1 10.10.70.20

ip dhcp excluded-address 10.10.50.1 10.10.50.30

!

ip dhcp pool shared

   import all

   network 10.10.20.0 255.255.255.0

   default-router 10.10.20.1 255.255.255.0

   dns-server 8.8.8.8

   lease 0 2

!

ip dhcp pool remax-bcspm

   import all

   network 10.10.10.0 255.255.255.0

   default-router 10.10.10.1

   dns-server 8.8.8.8

   lease 0 2

!

ip dhcp pool mgmt

   import all

   network 10.10.30.0 255.255.255.0

   default-router 10.10.30.1

   dns-server 8.8.8.8

   lease 0 2

!

ip dhcp pool VoIP

   network 10.10.40.0 255.255.255.0

   option 66 ascii "http://10.10.40.10:5000/provisioning/$ma.xml"

   default-router 10.10.40.1

   dns-server 8.8.8.8

!

ip dhcp pool security

   import all

   network 10.10.50.0 255.255.255.0

   default-router 10.10.50.1

   dns-server 8.8.8.8

   lease 0 2

!

ip dhcp pool guest

   import all

   network 10.10.60.0 255.255.255.0

   default-router 10.10.60.1

   dns-server 8.8.8.8

   lease 0 2

!

ip dhcp pool agents

   import all

   network 10.10.70.0 255.255.255.0

   default-router 10.10.70.1

   dns-server 8.8.8.8

   lease 0 2

!

!

ip cef

ip domain name remaxselect.com

ip name-server 8.8.8.8

ip name-server 8.8.4.4

no ipv6 cef

!

!

multilink bundle-name authenticated

license udi pid CISCO881-SEC-K9 sn FTX160284FR

!

!

archive

path tftp:10.10.50.5

username administrator privilege 15 secret 5 $1$QgsE$hC8uXXdg76nLX/miwjtz3/

!

!

!

!

!

!

!

!

!

interface FastEthernet0

!

!

interface FastEthernet1

!

!

interface FastEthernet2

!

!

interface FastEthernet3

switchport mode trunk

!

!

interface FastEthernet4

ip address 4.31.0.222 255.255.255.252

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

!

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$

no ip address

ip tcp adjust-mss 1452

!

!

interface Vlan101

ip dhcp client hostname remax-bcspm

ip address 10.10.10.1 255.255.255.0

ip nat inside

ip virtual-reassembly

!

!

interface Vlan102

ip dhcp client hostname shared

ip address 10.10.20.1 255.255.255.0

ip nat inside

ip virtual-reassembly

!

!

interface Vlan103

ip dhcp client hostname mgmt

ip address 10.10.30.1 255.255.255.0

ip nat inside

ip virtual-reassembly

!

!

interface Vlan104

ip dhcp client hostname VoIP

ip address 10.10.40.1 255.255.255.0

ip nat inside

ip virtual-reassembly

!

!

interface Vlan105

ip dhcp client hostname security

ip address 10.10.50.1 255.255.255.0

ip nat inside

ip virtual-reassembly

!

!

interface Vlan106

ip dhcp client hostname guest

ip address 10.10.60.1 255.255.255.0

ip nat inside

ip virtual-reassembly

!

!

interface Vlan107

ip dhcp client hostname agents

ip address 10.10.70.1 255.255.255.0

ip nat inside

ip virtual-reassembly

!

!

ip forward-protocol nd

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

!

ip dns server

no ip nat service sip udp port 5060

ip nat pool VoIP-NAT 10.10.40.10 10.10.40.10 netmask 255.255.255.0 type rotary

ip nat pool security-NAT 10.10.50.5 10.10.50.5 netmask 255.255.255.0 type rotary

ip nat inside source list nat-2-internet interface FastEthernet4 overload

ip nat inside destination list 100 pool VoIP-NAT

ip nat inside destination list 101 pool security-NAT

ip route 0.0.0.0 0.0.0.0 (##.##.##.##)

!

ip access-list extended deny-all

deny   ip any any

ip access-list extended nat-2-internet

permit ip 10.10.10.0 0.0.0.255 any

permit ip 10.10.20.0 0.0.0.255 any

permit ip 10.10.30.0 0.0.0.255 any

permit ip 10.10.40.0 0.0.0.255 any

permit ip 10.10.50.0 0.0.0.255 any

permit ip 10.10.60.0 0.0.0.255 any

permit ip 10.10.70.0 0.0.0.255 any

!

access-list 100 permit udp any any range 9000 10010

access-list 100 permit udp any any eq 5000

access-list 100 permit tcp any any eq 5000

access-list 100 permit tcp any any range 5060 5090

access-list 100 permit udp any any range 5060 5090

access-list 101 permit tcp any any eq 3454

access-list 101 permit udp any any eq 3454

access-list 101 permit udp any any eq 8080

access-list 101 permit tcp any any eq 8080

access-list 110 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0

access-list 120 deny   ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0

!

!

!

!

!

control-plane

!

!

banner exec ^C

Hello World, Have A Lot of Fun!

^C

!

line con 0

login local

no modem enable

line aux 0

line vty 0 4

access-class 23 in

privilege level 15

login local

transport input telnet ssh

!

scheduler max-task-time 5000

end

Everyone's tags (5)
1 REPLY

Help with Access Lists

You could use something like the configuration I have pasted below. Each ACL number matches the VLAN number you would apply it too. The ACL denies access to every other VLAN you have, and then permits all other access (e.g. out to the Internet). You shouldn't need to apply any ACL to your management VLAN if you don't want it restricted.

access-list 101 deny ip any 10.10.20.0 0.0.0.255

access-list 101 deny ip any 10.10.30.0 0.0.0.255

access-list 101 deny ip any 10.10.40.0 0.0.0.255

access-list 101 deny ip any 10.10.50.0 0.0.0.255

access-list 101 deny ip any 10.10.60.0 0.0.0.255

access-list 101 deny ip any 10.10.70.0 0.0.0.255

access-list 101 permit ip any any

!

access-list 102 deny ip any 10.10.10.0 0.0.0.255

access-list 102 deny ip any 10.10.30.0 0.0.0.255

access-list 102 deny ip any 10.10.40.0 0.0.0.255

access-list 102 deny ip any 10.10.50.0 0.0.0.255

access-list 102 deny ip any 10.10.60.0 0.0.0.255

access-list 102 deny ip any 10.10.70.0 0.0.0.255

access-list 102 permit ip any any

You would then apply the relevant ACL to the relevant SVI (VLAN interface) in an inbound direction, e.g;

interface Vlan101

access-group 101 in

!

interface Vlan102

access-group 102 in

You need to also remember that ACL's use wildcard/inverse masks, not subnet masks. The easiest way to calculate this is subtract the subnet mask bits from 255. For example, if you wanted to create an ACL to match traffic from 192.168.0.0/255.255.255.128 then your ACL would read access-list 100 permit ip 192.168.0.0 0.0.0.127.

Hope that helps.

2804
Views
0
Helpful
1
Replies