10-01-2005 11:03 AM - edited 03-03-2019 12:14 AM
We want to log all undesirable activity on our internal network, which has no connection to the outside "internet".
I thought about an ACL to permit only the address range 10.10.0.0, deny everything else, and log it:
access-list 2000 permit ip 10.10.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list 2000 permit ip 224.0.0.0 15.255.255.255 10.10.0.0 255.255.0.0
access-list 2000 deny ip any any log
And apply this ACL on each VLAN interface defined on our Catalyst 6500:
Router# sh run
int vlan 2
 ip address 10.10.2.1 255.255.254.0
 ip access-group 2000 in
 ip access-group 2000 out
int vlan 26
 ip address 10.10.26.1 255.255.255.0
 ip access-group 2000 in
 ip access-group 2000 out
An issue with this or any other ideas?
Thanks
10-01-2005 12:00 PM
Tayeb
I am not sure that I quite understand what you need to accomplish. I am especially not clear about the part where you talk about not connection to outside internet. If we understood more clearly we could give better advice.
The first issue that I see is that you have the incorrect masks in the access list. The mask you have is 255.255.0.0 which would be a subnet mask. If you want an access list which says the first 2 octets must be 10.10 and the last 2 octets can be anything the mask should be 0.0.255.255. This is the inverse mask used by access lists.
Also implementation of this access list will not allow any traffic to pass whose source is not within 10.10.0.0 and whose destination is not within 10.10.0.0. This will certainly prevent any internet traffic. I am not clear whether this is what you really want or not.
HTH
Rick
10-01-2005 12:56 PM
We have two physically separated networks. One has a connection to the outside world ("internet") and the other one hasn't; it is the production network.
On the production network (the one with no connection to the Internet) we use multiple VLANs: Vlan2: 10.10.1.0/24, Vlan3: 10.10.3/24, ..., Vlan 250: 10.10.250.0/24. We use the whole subnet 10.10.0.0/16.
We want to log all traffic that doesn't belong to 10.10.0.0.
Thanks
10-01-2005 01:25 PM
Tayeb
Log the traffic is one thing. Deny the traffic is something different. The access list that you propose will deny and log the traffic. If you just want to log the traffic for identification purposes but let the traffic go through then the last line of the access list should not be deny ip any any log but should be permit ip any any log.
HTH
Rick
10-01-2005 01:35 PM
Sorry, I wanted to log and deny the traffic that doesn't belong to 10.10.0.0/16. Thanks
10-02-2005 01:26 PM
Tayeb
If what you want to do is to deny and log then if you correct the masks in the access list and apply the access list in and out on each interface, then you will receive and transmit traffic only with source and destination addresses in 10.10.0.0/16. Any traffic with other addresses will be denied and logged.
HTH
Rick
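As an added illustration (not code from this thread or from Cisco) of the wildcard-mask point Rick makes about the ACL, and of his closing summary that the corrected list passes only 10.10.0.0/16 traffic, here is a small Python evaluator for the numbered extended ACL syntax used above. It models only source/destination matching with first-match and implicit-deny semantics (no protocol or port keywords), and the flows it checks are constructed sample addresses. It shows why the posted masks both block legitimate internal traffic and let some non-10.10 addresses through, while the inverse masks behave as intended.

```python
"""Wildcard-mask evaluator for Cisco-style numbered extended ACLs (added example)."""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def _parse_match(tokens):
    """Consume one address/wildcard pair ('any', 'host A', or 'A WILDCARD').
    Returns ((base_address, wildcard), remaining_tokens)."""
    if tokens[0] == "any":
        return (0, ALL_ONES), tokens[1:]
    if tokens[0] == "host":
        return (_to_int(tokens[1]), 0), tokens[2:]
    addr, wildcard = _to_int(tokens[0]), _to_int(tokens[1])
    # IOS stores the entry with the "don't care" bits (1s in the wildcard) cleared.
    return (addr & ~wildcard & ALL_ONES, wildcard), tokens[2:]


def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC WC DST WC [log]' lines."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0].lower() != "access-list":
            continue
        action = t[2]
        if t[3] != "ip":
            raise ValueError("only 'ip' entries are modelled: " + line)
        src, rest = _parse_match(t[4:])
        dst, rest = _parse_match(rest)
        entries.append({"action": action, "src": src, "dst": dst, "log": "log" in rest})
    return entries


def _matches(addr, entry):
    base, wildcard = entry
    # A 1 bit in the wildcard means "ignore this bit"; 0 means "must equal the base".
    return (addr & ~wildcard & ALL_ONES) == base


def evaluate(acl, src, dst):
    """First-match evaluation; the implicit deny at the end is not logged."""
    s, d = _to_int(src), _to_int(dst)
    for e in acl:
        if _matches(s, e["src"]) and _matches(d, e["dst"]):
            return e["action"], e["log"]
    return "deny", False


# The list exactly as posted (subnet masks used where wildcards belong).
POSTED_ACL = parse_acl("""
access-list 2000 permit ip 10.10.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list 2000 permit ip 224.0.0.0 15.255.255.255 10.10.0.0 255.255.0.0
access-list 2000 deny ip any any log
""")

# The same list with the inverse (wildcard) masks Rick describes.
CORRECTED_ACL = parse_acl("""
access-list 2000 permit ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255
access-list 2000 permit ip 224.0.0.0 15.255.255.255 10.10.0.0 0.0.255.255
access-list 2000 deny ip any any log
""")

# Constructed sample flows: host-to-host inside 10.10/16, an outside source, and
# two network addresses that happen to have zero low octets.
SAMPLE_FLOWS = [
    ("10.10.5.7", "10.10.26.9"),
    ("192.168.1.5", "10.10.2.1"),
    ("172.16.0.0", "192.168.0.0"),
]


def compare(flows=SAMPLE_FLOWS):
    """Return {flow: (posted_result, corrected_result)} for each sample flow."""
    return {f: (evaluate(POSTED_ACL, *f), evaluate(CORRECTED_ACL, *f)) for f in flows}


if __name__ == "__main__":
    for (src, dst), (posted, fixed) in compare().items():
        print(f"{src:>12} -> {dst:<12} posted={posted}  corrected={fixed}")
```

With the posted masks the first entry is normalised to 0.0.0.0 255.255.0.0, so it only ever matches addresses ending in .0.0; ordinary hosts such as 10.10.5.7 fall through to the deny/log line, while 172.16.0.0 talking to 192.168.0.0 is permitted. With 0.0.255.255 the entry matches any 10.10.x.x source and destination, and everything else is denied and logged, which is the behaviour the thread settles on.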