Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
371
Views
0
Helpful
5
Replies

LAN security

tmesbah
Level 1
Level 1

‎10-01-2005 11:03 AM - edited ‎03-03-2019 12:14 AM

We want to log all undesirable activities on our Internal network that has not connection to outside "internet"

I taught about ACL to permit only the address 10.10.0.0 and deny all other and log them

Access-list 2000 permit ip 10.10.0.0 255.255.0.0 10.10.0.0 255.255.0.0

Access-list 2000 permit ip 224.0.0.0 15.255.255.255 10.10.0.0 255.255.0.0

Access-list 2000 deny ip any any log

And apply this ACL in each vlan definied in our Catalyst 6500

Router# sh run

int vlan 2

10.10.2.1 255.255.254.0

access-group 2000 in

access-group 2000 in

int vlan 26

10.10.26.1 255.255.255.0

access-group 2000 in

access-group 2000 out

An issue with this or any other ideas?

Thanks

Labels:
0 Helpful
5 Replies 5

Richard Burts
Hall of Fame
Hall of Fame

‎10-01-2005 12:00 PM

Tayeb

I am not sure that I quite understand what you need to accomplish. I am especially not clear about the part where you talk about not connection to outside internet. If we understood more clearly we could give better advice.

The first issue that I see is that you have the incorrect masks in the access list. The mask you have is 255.255.0.0 which would be a subnet mask. If you want an access list which says the first 2 octets must be 10.10 and the last 2 octets can be anything the mask should be 0.0.255.255. This is the inverse mask used by access lists.

Also implementation of this access list will not allow any traffic to pass whose source is not within 10.10.0.0 and whose destination is not within 10.10.0.0. This will certainly prevent any internet traffic. I am not clear whether this is what you really want or not.

HTH

Rick

HTH

Rick
0 Helpful

tmesbah
Level 1
Level 1
In response to Richard Burts

‎10-01-2005 12:56 PM

We have two physically separated networks. One has connection to Outside world "internet" and another one one hasn't and it the production network.

The production network "one who has no connection to Internet". We use mutilple VLANs "Vlan2: 10.10.1.0/24

Vlan3 10.10.3/24, ...., Vlan 250:10.10.250.0/24" [We use all subnet 10.10.0.0/16.

We want to log all traffic that doesn't belong to 10.10.0.0.

Thanks

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to tmesbah

‎10-01-2005 01:25 PM

Tayeb

Log the traffic is one thing. Deny the traffic is something different. The access list that you propose will deny and log the traffic. If you just want to log the traffic for identification purposes but let the traffic go through then the last line of the access list should not be deny ip any any log but should be permit ip any any log.

HTH

Rick

HTH

Rick
0 Helpful

tmesbah
Level 1
Level 1
In response to Richard Burts

‎10-01-2005 01:35 PM

Sorry, I wanted to log and deny the traffic that doesn't belong to 10.10.0.0/16. Thanks

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to tmesbah

‎10-02-2005 01:26 PM

Tayeb

If what you want to do is to deny and log then if you correct the masks in the access list and apply the access list in and out on each interface, then you will receive and transmit traffic only with source and destination addresses in 10.10.0.0/16. Any traffic with other addresses will be denied and logged.

HTH

Rick

HTH

Rick
0 Helpful
Customers Also Viewed These Support Documents