Cisco Support Community
ACL help for Expert

I have the following Networks:

192.168.1.0/24 - int vlan 10
192.168.2.0/24 - int vlan 20
192.168.3.0/24 - int vlan 30
192.168.4.0/24 - int vlan 40

My DHCP Server is on the 192.168.2.0/24 Network - IP 192.168.2.10

My Firewall is on 192.168.1.0/24 network - IP 192.168.1.1

I need to make sure that 192.168.4.0/24 Network is able to get an IP from the DHCP Server and can access the internet through the firewall but have no communication with the other networks and vice-versa.

I'm trying to secure 192.168.4.0/24 as much as possible.

Can someone tell me the exact configuration for the ACLs to put on my router?

4 REPLIES

Re: ACL help for Expert

Hi,

The following configuration would achieve what you are looking to do.

int vlan 40
 ip helper-address 192.168.2.10
 ip policy route-map cisco
!
route-map cisco permit 10
 match ip address 150
! no set clause: DHCP matched here is forwarded by normal routing (and relayed by the helper)
route-map cisco permit 20
 match ip address 160
 set ip next-hop 192.168.1.1
! a "deny" entry in a PBR route map only means "route normally", it does not drop,
! so the catch-all entry must be a permit that black-holes everything else
route-map cisco permit 30
 set interface Null0
!
access-list 150 permit udp any any eq 67
access-list 150 permit udp any any eq 68
access-list 160 permit tcp any any eq www

Hope that helps!

Regards,

Sundar

Re: ACL help for Expert

Hi,

Just noticed in your post you wanted to block other networks from accessing this subnet as well.

Configure the following to get that done.

int vlan 40
 ip access-group 170 out
!
! "established" limits this to replies (ACK or RST set); without it any host could
! reach the subnet simply by sending from source port 80
access-list 170 permit tcp any eq www any established

My assumption is based on the fact that the Internet traffic is just web traffic. If there's any other traffic, like SMTP, POP3 etc., that goes to the Internet then add ACL statements to that effect.

Regards,

Sundar
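The policy-routing approach works once the catch-all entry black-holes to Null0, but two properties of it are worth knowing before copying it: a "deny" entry in a PBR route map never drops a packet (it hands the packet to normal routing), and an outbound-only filter such as permit tcp any eq www any, taken without "established", admits any outside host that sources its packets from port 80. It also never permits DNS, so name resolution from the protected VLAN fails unless the resolver is added. A pair of plain ACLs is easier to audit and its hit counters show exactly what is being dropped. The following is an added example and not part of any post in the thread; the ACL names are my own, the addresses are the ones from the question, and it assumes the router's default route already points at the firewall 192.168.1.1 and that DNS is resolved through the firewall (if the DNS server sits on 192.168.1.0, 2.0 or 3.0, add a permit for it above the deny lines).

```cisco
! Added example, not from the original posts: stateless ACL pair for int vlan 40.
! ACL names VLAN40-IN / VLAN40-OUT are assumed; addresses are from the question.
! Assumes: default route -> 192.168.1.1, DNS reachable through the firewall.
!
! Direction 1: packets FROM 192.168.4.0/24 hosts, checked as they enter vlan 40.
ip access-list extended VLAN40-IN
 remark DHCP DISCOVER/REQUEST (0.0.0.0:68 -> 255.255.255.255:67) and unicast renewals
 permit udp any eq bootpc any eq bootps
 remark the protected VLAN must not reach the other internal subnets
 deny   ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255 log
 deny   ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255 log
 deny   ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255 log
 remark everything else is Internet-bound and follows the default route to 192.168.1.1
 permit ip 192.168.4.0 0.0.0.255 any
 remark implicit deny ip any any: also drops packets with spoofed, non-192.168.4.0/24 sources
!
! Direction 2: packets TOWARD 192.168.4.0/24 hosts, checked as they leave vlan 40.
ip access-list extended VLAN40-OUT
 remark relayed DHCP OFFER/ACK from the server; relay traffic is router-originated and
 remark typically not subject to an outbound ACL, so this line is a safety net
 permit udp host 192.168.2.10 eq bootps 192.168.4.0 0.0.0.255 eq bootpc
 remark the other internal subnets must not reach the protected VLAN
 deny   ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255 log
 deny   ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255 log
 deny   ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255 log
 remark Internet replies come back through the firewall with public source addresses
 permit ip any 192.168.4.0 0.0.0.255
!
interface Vlan40
 ip helper-address 192.168.2.10
 ip access-group VLAN40-IN in
 ip access-group VLAN40-OUT out
```

Check it from a host on VLAN 40: a DHCP lease and a web page through the firewall should work, while a ping to 192.168.2.10 should fail even though a unicast DHCP renewal to the same server succeeds, because the bootpc/bootps permit sits above the deny lines. "show ip access-lists VLAN40-IN" shows which line each packet hit; the "log" keyword sends denied packets to the process path, so remove it from busy links once the policy is verified. Both ACLs are stateless, so any management host that must reach VLAN 40 needs its own explicit permit above the deny lines.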


Re: ACL help for Expert

I will try and see how it works


Re: ACL help for Expert

Hi Sundar,

I have a similar problem. I just want to allow VLAN 75 access to the Internet and to get an IP address from the DHCP server; all other traffic should be blocked.

My network topology: all switches are connected to two 5509 core switches which are running HSRP.

When I apply those filters, all traffic from the PC in VLAN 75 is still allowed. What step did I miss? Please help.

------------------------------------------------------------------
core1_rs#sh run int vlan 75
Building configuration...

Current configuration:
!
interface Vlan75
 ip address 10.7.75.2 255.255.255.0
 ip helper-address 10.7.11.58
 no ip redirects
 no ip unreachables
 no ip directed-broadcast
 no ip route-cache cef
 ip policy route-map mtg_room
 mls rp vtp-domain APP
 mls rp ip
 standby priority 110
 standby preempt
 standby ip 10.7.75.1
end
------------------------------------------------------------------
core1_rs#sh route-map mtg_room
route-map mtg_room, permit, sequence 10
  Match clauses:
    ip address (access-lists): 150
  Set clauses:
  Policy routing matches: 11 packets, 5102 bytes
route-map mtg_room, permit, sequence 20
  Match clauses:
    ip address (access-lists): 160
  Set clauses:
    ip next-hop 10.7.11.43
  Policy routing matches: 8 packets, 496 bytes
route-map mtg_room, deny, sequence 30
  Match clauses:
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
core1_rs#
------------------------------------------------------------------
core1_rs#sh access-lists 150
Extended IP access list 150
    permit udp any any eq bootps (7 matches)
    permit udp any any eq bootpc
core1_rs#sh access-lists 160
Extended IP access list 160
    permit tcp any any eq www (8 matches)
core1_rs#

===========================================================================
core2_rs#sh run int vlan 75
Building configuration...

Current configuration:
!
interface Vlan75
 ip address 10.7.75.3 255.255.255.0
 ip helper-address 10.7.11.58
 no ip redirects
 no ip unreachables
 no ip directed-broadcast
 no ip route-cache cef
 ip policy route-map mtg_room
 mls rp vtp-domain APP
 mls rp ip
 standby ip 10.7.75.1
end
------------------------------------------------------------------
core2_rs#sh route-map mtg_room
route-map mtg_room, permit, sequence 10
  Match clauses:
    ip address (access-lists): 150
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map mtg_room, permit, sequence 20
  Match clauses:
    ip address (access-lists): 160
  Set clauses:
    ip next-hop 10.7.11.43
  Policy routing matches: 0 packets, 0 bytes
route-map mtg_room, deny, sequence 30
  Match clauses:
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
core2_rs#
------------------------------------------------------------------
core2_rs#sh access-list 150
Extended IP access list 150
    permit udp any any eq bootps (1 match)
    permit udp any any eq bootpc (1 match)
core2_rs#sh access-list 160
Extended IP access list 160
    permit tcp any any eq www
core2_rs#
------------------------------------------------------------------

Regards,

Samuel
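The counters in Samuel's output tell the story: sequences 10 and 20 are matching (11 and 8 packets on core1_rs, the HSRP active router with priority 110), so the route map is applied and working. Sequence 30, however, is a deny entry, and in policy routing a deny does not drop the packet; it means "do not policy-route this", so the packet is handed to the normal routing table and reaches every other subnet as before. The following is an added example, not part of any post in the thread, showing the change and how to verify it; sequence 15 and access-list 155 are my own additions (an assumption that the clients need DNS to browse), while 10.7.11.43 and 10.7.11.58 are the addresses from his output.

```cisco
! Added example, not from any post in the thread. Sequence 15 and ACL 155 are
! assumed additions; the other numbers and addresses are Samuel's.
!
! Sequence 30 is a DENY entry. In a PBR route map a deny never drops: it means
! "not policy-routed", so the packet falls through to normal routing, which is
! exactly why every non-web flow from VLAN 75 still works. Replace it with a
! PERMIT entry (no match clause = matches everything) that black-holes to Null0.
no route-map mtg_room deny 30
route-map mtg_room permit 30
 set interface Null0
!
! Assumption: clients need DNS to browse. Give it its own sequence with NO set
! clause so it is routed normally instead of being forced to the firewall
! next hop 10.7.11.43 (the same "permit without set" pattern sequence 10
! already uses for DHCP).
access-list 155 permit udp any any eq domain
route-map mtg_room permit 15
 match ip address 155
!
! Sequences 10 and 20 stay as Samuel has them:
!   10: match 150 (bootps/bootpc), no set clause -> normal routing, relayed by
!       ip helper-address 10.7.11.58
!   20: match 160 (www), set ip next-hop 10.7.11.43
!
! Repeat the same commands on core2_rs: with HSRP the active router for
! 10.7.75.1 forwards the traffic, and after a failover the standby router
! must enforce the same policy or the isolation silently disappears.
!
! Verify on the active router: sequence 30 should start counting, and the
! bootps/bootpc counters on 150 should keep growing when a client renews.
!   core1_rs# show standby brief
!   core1_rs# show route-map mtg_room
!   core1_rs# show access-lists 150
```

With this in place a PC in VLAN 75 can still lease an address and browse via 10.7.11.43, and "show route-map mtg_room" on the active core shows sequence 30 accumulating matches for everything it discards. Anything else the meeting-room clients legitimately need (the page does not say, for example, whether there is a proxy or an internal DNS server) must be matched by a sequence above 30, since after this change whatever reaches sequence 30 is dropped.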
