A 1751 router with a serial interface to the Internet and a single physical Ethernet interface with 15 subinterfaces attached to a switch trunk. The subinterfaces map to 15 separate VLANs on the switch, with 15 separate network segments for 14 separate companies and one VLAN for shared resources.
I need to apply access lists to restrict traffic and routing between the 14 separate corporate network segments (subinterfaces) but allow Internet traffic to and from the serial port to all of the subs. I also need to allow all 14 corporate segments (subinterfaces) to have access to the 15th, shared resource VLAN.
I'm a little twisted in knots with the ACLs at this point. Any advice at all regarding how to implement these access lists to restrict this inter-subinterface traffic, but allow the Internet traffic, would be GREATLY appreciated!
Should not be too difficult, although a little more info about the numbering plan would have been useful.
Let's assume VLANs 1-14 are addressed 192.168.1-14.x and are assigned to fa0/0.1 to fa0/0.14, and the shared VLAN is VLAN 15 with address 192.168.16.0.
access-list 100 deny ip any 192.168.0.0 0.0.15.255
access-list 100 permit ip any any
This access list has to be applied to each of the 14 subinterfaces (ip access-group 100 in) and will deny traffic from any IP to any IP address between 192.168.0.0 and 192.168.15.0, allowing any other traffic (including traffic for the Internet and the 192.168.16.0 shared resources VLAN).
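As an added illustration (not code from the thread), the following Python model applies IOS wildcard-mask matching to the two-line access-list 100 above, using the reply's assumed addressing (VLANs 1-14 as 192.168.1-14.0/24, shared VLAN as 192.168.16.0/24) and constructed sample hosts; it also shows why a shared VLAN numbered .15 would fall inside the 0.0.15.255 block and be denied.

```python
# Added example, not from the original thread: a minimal model of how
# IOS evaluates "access-list 100" when applied inbound on fa0/0.3.
# All host addresses below are constructed for illustration.
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: every bit that is 0 in the wildcard must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


# access-list 100 entries as (action, src_base, src_wc, dst_base, dst_wc);
# "any" is written as 0.0.0.0 255.255.255.255.
ACL_100 = [
    ("deny",   "0.0.0.0", "255.255.255.255", "192.168.0.0", "0.0.15.255"),
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0",     "255.255.255.255"),
]


def evaluate(acl, src: str, dst: str) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"  # implicit "deny ip any any" at the end of every ACL


def check_plan(acl, shared_host: str) -> dict:
    """What 'ip access-group 100 in' on fa0/0.3 does to three sample flows."""
    host = "192.168.3.10"  # constructed host in VLAN 3
    return {
        "to other vlan": evaluate(acl, host, "192.168.5.10"),
        "to shared vlan": evaluate(acl, host, shared_host),
        "to internet": evaluate(acl, host, "198.51.100.7"),
    }


if __name__ == "__main__":
    print(check_plan(ACL_100, "192.168.16.5"))
    # A shared VLAN numbered 192.168.15.0 sits inside 192.168.0.0 0.0.15.255
    # and would be denied, which is why the shared VLAN is numbered .16.
    print(evaluate(ACL_100, "192.168.3.10", "192.168.15.5"))
```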
This is right on, despite the fact that I omitted the numbering detail! The only difference between your assumptions and my plan is that I've currently numbered the 15th vlan as 10.1.15.0, but that can be easily changed to .16 to allow for the 0.0.15.255 mask.
On a completely different subject (if you don't mind =) ) with regards to NAT on this router. I've placed the ip nat outside command on the serial interface, and the ip nat inside commands on each of the Ethernet subinterfaces, and I've established a dynamic pool of registered addresses to pull from. Will that work as planned with the subinterfaces? Are there any oddities that I'll need to be aware of? Does the Ethernet interface itself need the ip nat inside command as well? Any other thoughts or pitfalls?
OK. I've applied the access lists with the standard list and the "out" application. Right now I only have a single laptop with me to test, so I'm only connected to a single subnet with this workstation. I am, however, still able to ping the other subinterfaces' IP addresses. For example, the subinterface IP address for my laptop's network is 10.1.3.1. From my laptop, I can ping 10.1.1.1, 10.1.5.1, any of the other IP addresses for the other subs. Is that still normal based on the access list I applied? Will it allow me to ping that address but nothing on the network behind it? Is something wrong? What are your thoughts?