09-20-2005 07:26 AM - edited 03-03-2019 12:06 AM
Have set up a VLAN on the MSFC. I've been asked to allow all the users on this VLAN access to the internet as well as some other internal servers.
internal network: 10.10.0.0
vlan number: 250
vlan ip: 10.10.57.x/24
This is what I have so far:
access-list 116 permit ip 10.10.1.0 255.255.255.0 any
(ip access-group 116 out applied to int vlan 250).
This does not work and any help is appreciated.
09-20-2005 07:56 AM
First we need to know from which network/vlan you are applying this access-list. If this acl is applied on a vlan that receives all traffic from 10.10.1.0 network, then you need to apply it inbound and not outbound.
Also, what is the server VLAN subnet?
09-20-2005 09:29 AM
Sorry... here is the other info:
internal network: 10.10.0.0/19 (vlan 1)
vlan 250 ip: 10.10.57.0/24
wanting to do the following:
allow all vlan 250 (10.10.57.x) machines access to the internet on vlan 1 (10.10.0.x/19)
allow all vlan 250 machines to access some servers on vlan 1
thanks for any info.
09-20-2005 05:19 PM
Terry
There are still some things about the topology of the network that we need to understand better.
If I understand correctly VLAN 250 is using addresses in 10.10.57.0/24. You want to allow these users access to the Internet. It is important to understand whether you have existing access lists in place somewhere in the network controlling Internet traffic, and if so where the lists are and how they are configured.
The simple case is that you do not have existing access lists in place. If this were to be true then you just add the new users to the network, make sure that they have a route to the Internet and they will have access.
If you have existing access lists in place it may be necessary to make changes to them to allow these new addresses to access the Internet. We will not know until you supply some additional information.
But I think there are also some comments about the access list that you describe. If you had configured access list 116 as outbound on VLAN 250 it would control traffic going through the MSFC and out interface VLAN 250. If your access list is:
access-list 116 permit ip 10.10.1.0 255.255.255.0 any
then it would look like only traffic from 10.10.1.0 would be allowed to go out to these new addresses. Except that you have the mask inverted. With the access list as coded, any address which had 0 in the fourth octet would be allowed.
So take that access list out and give us some more information about your network.
HTH
Rick
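To make the inverted-mask point above concrete, here is an added Python example (not from the thread) that reproduces IOS wildcard-mask matching and evaluates access-list 116 both as posted (255.255.255.0 used as the wildcard) and as presumably intended (0.0.0.255); the sample source addresses are constructed for the demonstration.

```python
import ipaddress

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS ACL match: a 1 bit in the wildcard mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF  # bits that must match
    return (a & care) == (n & care)

def subnet_mask_to_wildcard(mask: str) -> str:
    """Convert a subnet mask (255.255.255.0) to the wildcard IOS expects (0.0.0.255)."""
    m = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(m ^ 0xFFFFFFFF))

def acl_116_as_posted(src: str) -> bool:
    # access-list 116 permit ip 10.10.1.0 255.255.255.0 any  (subnet mask used as wildcard)
    return wildcard_match(src, "10.10.1.0", "255.255.255.0")

def acl_116_intended(src: str) -> bool:
    # access-list 116 permit ip 10.10.1.0 0.0.0.255 any  (what the poster meant)
    return wildcard_match(src, "10.10.1.0", subnet_mask_to_wildcard("255.255.255.0"))

# Constructed sample sources: a host in the intended subnet, hosts in VLAN 250,
# and an unrelated address whose fourth octet happens to be 0.
SAMPLES = ["10.10.1.5", "10.10.57.7", "10.10.57.0", "192.168.9.0"]

def compare(samples=SAMPLES) -> dict:
    """Map each source address to (permitted as posted, permitted as intended)."""
    return {s: (acl_116_as_posted(s), acl_116_intended(s)) for s in samples}

if __name__ == "__main__":
    for src, (posted, intended) in compare().items():
        print(f"{src:14} as posted: {posted!s:5}  intended: {intended}")
```

The posted line denies the very hosts it was meant to permit (10.10.1.5) while permitting any address ending in .0, which is the "0 in the fourth octet" behaviour Rick describes.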
09-21-2005 09:22 AM
Rick,
Thanks for your reply. Here is more info:
interface Vlan1
description *** Production Lan ***
ip address 10.10.5.230 255.255.224.0
ip access-group 115 in
ip access-group 115 out
no ip redirects
no ip unreachables
ip accounting output-packets
ip pim sparse-dense-mode
ip cgmp
no ip mroute-cache
ipx helper-address 31D2C00.ffff.ffff.ffff
ipx encapsulation ARPA
ipx network 31D0400
no ipx pad-process-switched-packets
standby 1 ip 10.10.7.73
standby 1 priority 150
standby 1 preempt
!
interface Vlan105
ip address 10.10.34.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-dense-mode
no ip route-cache cef
standby 5 ip 10.10.34.1
standby 5 priority 100
standby 5 preempt
!
interface Vlan250
description *** NT4.0 Workstations ***
ip address 10.10.57.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-dense-mode
no ip route-cache cef
ip cgmp
standby 4 ip 10.10.57.1
standby 4 priority 150
standby 4 preempt
!
interface Vlan350
description *** Edge Network ***
ip address 10.10.112.1 255.255.252.0
ip access-group 115 in
ip access-group 115 out
ip pim sparse-dense-mode
ip cgmp
ipx encapsulation ARPA
ipx network 31D7000
no ipx pad-process-switched-packets
!
interface Vlan450
description *** Staging ***
ip address 10.10.56.2 255.255.255.0
ip access-group 115 in
ip access-group 115 out
no ip redirects
no ip proxy-arp
ip pim sparse-dense-mode
standby 2 ip 10.10.56.1
standby 2 priority 150
standby 2 preempt
!
interface Vlan550
description **** LAB 197 *****
ip address 10.10.59.2 255.255.255.0
ip access-group 115 in
ip access-group 115 out
no ip redirects
no ip proxy-arp
standby 3 ip 10.10.59.1
standby 3 priority 150
standby 3 preempt
!
router eigrp 80
network 10.0.0.0
no auto-summary
eigrp log-neighbor-changes
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.112.5
ip route 10.10.0.0 255.255.252.0 Vlan1
ip route 10.10.4.0 255.255.252.0 Vlan1
ip route 10.10.8.0 255.255.252.0 Vlan1
ip route 10.10.12.0 255.255.252.0 Vlan1
ip route 10.10.16.0 255.255.252.0 Vlan1
ip route 10.10.20.0 255.255.252.0 Vlan1
ip route 10.10.24.0 255.255.252.0 Vlan1
ip route 10.10.28.0 255.255.252.0 Vlan1
ip route 10.10.34.0 255.255.255.0 Vlan105
ip route 10.10.40.0 255.255.252.0 10.10.4.32
ip route 10.10.57.0 255.255.255.0 Vlan250
ip route 10.10.58.0 255.255.255.0 10.10.7.208
ip route 10.10.59.0 255.255.255.0 Vlan550
no ip http server
!
ip access-list extended DenyPrivate
deny ip 192.168.0.0 0.0.255.255 any log
deny ip 10.10.0.0 0.0.255.255 any log
deny udp any any eq 18246 log
deny tcp any any eq 18246 log
permit ip any any
ip access-list extended VirusBlock
deny udp any any eq 1433
deny udp any any eq 1434
deny tcp any any eq 445
deny tcp any any eq 5000
deny tcp any any eq 6673
deny tcp any any eq 2048
deny tcp any any eq 36963
deny tcp any any eq 1427
deny tcp any any eq 4654
deny tcp any any eq 65528
deny tcp any any eq 65529
deny tcp any any eq 8172
deny tcp any any eq 6664
deny udp any any eq tftp
permit ip any any
!
access-list 52 permit 10.10.0.0 0.0.255.255
access-list 98 permit 10.10.78.5
access-list 98 permit 10.10.78.1
access-list 98 permit 10.10.78.2
access-list 98 permit 10.10.77.71
access-list 99 permit 10.10.203.203
access-list 99 permit 10.10.222.60
access-list 100 deny udp any host 10.10.255.255
access-list 100 permit ip any any
access-list 101 permit ip any 10.0.0.0 0.255.255.255
access-list 101 permit ip any 10.0.0.0 0.255.255.255
access-list 101 permit ip any 192.131.0.0 0.0.255.255
access-list 101 permit ip any 224.0.0.0 15.255.255.255
access-list 191 deny udp any any eq 18246 log
access-list 191 deny tcp any any eq 18246 log
access-list 191 permit ip any any
route-map onlylocal permit 10
match ip address 52
09-21-2005 05:19 PM
Terry
There are a number of things in this config that do not make sense to me. I am not sure how much they matter.
As it stands the config that you have posted should allow the users in VLAN 250 to access the Internet and to access other resources. As I see it the MSFC does have a valid default route which sends traffic through VLAN 350 toward the Internet. Depending on whether there are any other access lists between this device and the Internet router, the VLAN 250 users should get out. I also note that you are running EIGRP and have a network statement which includes the subnet of VLAN 250, so these users should have routes to the other parts of your network and the rest of your network should have a route back to 10.10.57.0.
I notice that VLAN 350 which leads toward the Internet has an access list applied. But the access list 115 which it applies does not appear in the config. The result is as if the access list were not applied. So their Internet access would not be impacted. I note that this same access list is also applied on other interfaces (and that the same access list is applied both inbound and outbound, which is kind of unusual). You probably should clean this up.
I notice that you have quite a number of static routes which point routes back to the interface on which they are connected. I do not know why this was done. I do not think that it hurts anything, but it does no good that I can see.
I notice that the configuration includes a route-map called onlylocal but the route map is not used anywhere. Is there some reason for it?
As I said I believe that the config as it stands will accomplish your objective of allowing users on VLAN 250 to access the Internet.
HTH
Rick
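Rick's observations about access-list 115 (applied on several interfaces but never defined) and the unreferenced route-map are the kind of thing a quick config lint catches; the following added Python script (not from the thread) runs such a check over a constructed excerpt of the posted config and reports applied-but-undefined ACLs and defined-but-unused ones.

```python
import re

# Constructed excerpt of the config posted above (trimmed to the relevant lines).
CONFIG = """\
interface Vlan1
 ip access-group 115 in
 ip access-group 115 out
!
interface Vlan350
 ip access-group 115 in
 ip access-group 115 out
!
ip access-list extended DenyPrivate
 deny ip 10.10.0.0 0.0.255.255 any log
 permit ip any any
access-list 52 permit 10.10.0.0 0.0.255.255
access-list 191 permit ip any any
route-map onlylocal permit 10
 match ip address 52
"""

def lint_acls(config: str) -> dict:
    """Return ACLs applied but never defined, and ACLs defined but never referenced."""
    defined, route_map_refs, applied, iface = set(), set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)", line):
            iface = m.group(1)                      # remember which interface we are in
        elif m := re.match(r"access-list (\d+)\s", line):
            defined.add(m.group(1))                 # numbered ACL definition
        elif m := re.match(r"ip access-list (?:standard|extended) (\S+)", line):
            defined.add(m.group(1))                 # named ACL definition
        elif (m := re.match(r"ip access-group (\S+) (in|out)", line)) and iface:
            applied.setdefault(m.group(1), []).append((iface, m.group(2)))
        elif m := re.match(r"match ip address (\S+)", line):
            route_map_refs.add(m.group(1))          # ACL used by a route-map
    undefined = {acl: uses for acl, uses in applied.items() if acl not in defined}
    unused = sorted(defined - set(applied) - route_map_refs)
    return {"undefined_applied": undefined, "unused": unused}

if __name__ == "__main__":
    report = lint_acls(CONFIG)
    for acl, uses in report["undefined_applied"].items():
        print(f"ACL {acl} is applied on {uses} but is not defined (no filtering happens)")
    print("defined but unreferenced:", report["unused"])
```

On IOS an applied-but-missing numbered ACL behaves as Rick says, as if no list were applied, so this is worth flagging rather than silently living with.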