Cisco Support Community

New Member

LAN security

We want to log all undesirable activity on our internal network, which has no connection to the outside (internet).

I thought about an ACL to permit only the address range 10.10.0.0, and to deny and log all others:

access-list 2000 permit ip 10.10.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list 2000 permit ip 224.0.0.0 15.255.255.255 10.10.0.0 255.255.0.0
access-list 2000 deny ip any any log

and apply this ACL to each VLAN defined on our Catalyst 6500:

Router# sh run
int vlan 2
 ip address 10.10.2.1 255.255.254.0
 ip access-group 2000 in
 ip access-group 2000 out
int vlan 26
 ip address 10.10.26.1 255.255.255.0
 ip access-group 2000 in
 ip access-group 2000 out

Is there an issue with this, or any other ideas?

Thanks

5 REPLIES
Hall of Fame Super Silver

Re: LAN security

Tayeb

I am not sure that I quite understand what you need to accomplish. I am especially not clear about the part where you talk about no connection to the outside internet. If we understood more clearly, we could give better advice.

The first issue that I see is that you have the incorrect masks in the access list. The mask you have is 255.255.0.0 which would be a subnet mask. If you want an access list which says the first 2 octets must be 10.10 and the last 2 octets can be anything the mask should be 0.0.255.255. This is the inverse mask used by access lists.

Also, implementing this access list will not allow any traffic to pass whose source is not within 10.10.0.0 and whose destination is not within 10.10.0.0. This will certainly prevent any internet traffic. I am not clear whether this is what you really want or not.

HTH

Rick

New Member

Re: LAN security

We have two physically separated networks. One has a connection to the outside world (internet); the other one has none, and it is the production network.

The production network (the one with no connection to the internet) uses multiple VLANs: Vlan2: 10.10.1.0/24, Vlan3: 10.10.3.0/24, ..., Vlan 250: 10.10.250.0/24. We use the whole 10.10.0.0/16 subnet.

We want to log all traffic that doesn't belong to 10.10.0.0.

Thanks

Hall of Fame Super Silver

Re: LAN security

Tayeb

Logging the traffic is one thing. Denying the traffic is something different. The access list that you propose will deny and log the traffic. If you just want to log the traffic for identification purposes but let the traffic go through, then the last line of the access list should not be deny ip any any log but should be permit ip any any log.

HTH

Rick

New Member

Re: LAN security

Sorry, I wanted to log and deny the traffic that doesn't belong to 10.10.0.0/16. Thanks

Hall of Fame Super Silver

Re: LAN security

Tayeb

If what you want to do is to deny and log, then if you correct the masks in the access list and apply the access list in and out on each interface, you will receive and transmit traffic only with source and destination addresses in 10.10.0.0/16. Any traffic with other addresses will be denied and logged.

HTH

Rick
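The wildcard-mask point in Rick's first reply and the deny-and-log design in his last reply, worked through as an added example (this is not code from the thread or from Cisco): a small Python evaluator for the access-list syntax used above. It assumes standard IOS wildcard semantics (a 1 bit in the mask means "don't care"), first-match-wins evaluation with an implicit unlogged deny at the end, and, in the corrected ACL, that the multicast line was meant to match 224.0.0.0/4 as a destination, since that is the direction multicast is delivered; the thread does not discuss that line, so treat it as an assumption. The sample flows are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Added example for this thread, not Cisco code. Handles only the syntax used
# in the posts:  access-list <n> permit|deny ip <src> <wild> <dst> <wild> [log]
# where an address/wildcard pair may also be written "any" or "host A.B.C.D".


def subnet_to_wildcard(mask: str) -> str:
    """Invert a subnet mask into the wildcard (inverse) mask IOS ACLs expect."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))


def matches(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard semantics: a 1 bit in the wildcard means that bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Entry:
    action: str  # "permit" or "deny"
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    log: bool


def parse_acl(text: str) -> list:
    """Parse access-list lines into entries, preserving order (order matters)."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0].lower() != "access-list" or tok[3] != "ip":
            continue
        rest = tok[4:]
        log = rest[-1] == "log"
        if log:
            rest = rest[:-1]
        pairs, i = [], 0
        while i < len(rest):
            if rest[i] == "any":
                pairs.append(("0.0.0.0", "255.255.255.255")); i += 1
            elif rest[i] == "host":
                pairs.append((rest[i + 1], "0.0.0.0")); i += 2
            else:
                pairs.append((rest[i], rest[i + 1])); i += 2
        (src, sw), (dst, dw) = pairs
        entries.append(Entry(tok[2], src, sw, dst, dw, log))
    return entries


def evaluate(acl: list, src: str, dst: str) -> tuple:
    """First matching entry wins; the implicit deny at the end is not logged."""
    for e in acl:
        if matches(src, e.src, e.src_wild) and matches(dst, e.dst, e.dst_wild):
            return e.action, e.log
    return "deny", False


# The ACL exactly as posted: subnet masks where wildcard masks are required.
POSTED_ACL = """
access-list 2000 permit ip 10.10.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list 2000 permit ip 224.0.0.0 15.255.255.255 10.10.0.0 255.255.0.0
access-list 2000 deny ip any any log
"""

# Masks corrected as Rick describes. Assumption: the multicast line is written
# with 224.0.0.0/4 as the destination, which is how multicast is delivered.
CORRECTED_ACL = """
access-list 2000 permit ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255
access-list 2000 permit ip 10.10.0.0 0.0.255.255 224.0.0.0 15.255.255.255
access-list 2000 deny ip any any log
"""

# Rick's log-only variant: identify off-range traffic without blocking it.
LOG_ONLY_ACL = CORRECTED_ACL.replace("deny ip any any log", "permit ip any any log")

# Constructed sample flows (src, dst): intra-site, multicast, and two rogue ones.
FLOWS = [
    ("10.10.2.50", "10.10.26.7"),
    ("10.10.5.9", "224.0.0.251"),
    ("192.168.1.20", "10.10.3.4"),
    ("192.168.0.0", "172.16.0.0"),
]


def report(acl_text: str) -> dict:
    """Map each sample flow to (action, logged) under the given ACL."""
    acl = parse_acl(acl_text)
    return {f: evaluate(acl, *f) for f in FLOWS}


if __name__ == "__main__":
    print("wildcard for subnet mask 255.255.0.0 is", subnet_to_wildcard("255.255.0.0"))
    for name, text in (("posted", POSTED_ACL), ("corrected", CORRECTED_ACL),
                       ("log-only", LOG_ONLY_ACL)):
        print(name)
        for flow, (action, logged) in report(text).items():
            print("  %-14s -> %-14s %s%s" % (flow[0], flow[1], action,
                                            " (log)" if logged else ""))
```

Running it shows why the mask matters: with 255.255.0.0 read as a wildcard, the first line only matches addresses whose last two octets are 0.0, so ordinary host-to-host traffic inside 10.10.0.0/16 falls through to the deny line, while a flow such as 192.168.0.0 to 172.16.0.0 is permitted. With 0.0.255.255 the intended behaviour appears: anything outside 10.10.0.0/16 is denied and logged, or, with the permit any any log variant, passed and logged. One platform caveat worth checking before deploying the deny-and-log line on every VLAN: on hardware-switched platforms such as the Catalyst 6500, packets hitting a logged ACE are sent to the CPU to produce the syslog message, so a noisy source can turn a logging rule into a CPU load problem; review the ACL logging rate-limit options available on your software release.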
