vlan acl/help

tsrader
Level 1

Have setup vlan on MSFC. I've been asked to allow all the users on this VLAN access to the internet as well as some other internal servers.

internal network: 10.10.0.0

vlan number: 250

vlan ip: 10.10.57.x/24

This is what I have so far:

access-list 116 permit ip 10.10.1.0 255.255.255.0 any

(ip access-group 116 out applied to int vlan 250).

This does not work, and any help is appreciated.


thisisshanky
Level 11

First we need to know from which network/vlan you are applying this access-list. If this acl is applied on a vlan that receives all traffic from 10.10.1.0 network, then you need to apply it inbound and not outbound.

Also, what is the server vlan subnet?

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

Have setup vlan on MSFC. I've been asked to allow all the users on this VLAN access to the internet as well as some other internal servers.

internal network: 10.10.0.0

Sorry... here is the other info:

internal network: 10.10.0.0/19 (vlan 1)

vlan 250 ip: 10.10.57.0/24

wanting to do the following:

allow all vlan 250 (10.10.57.x) machines access to the internet on vlan 1 (10.10.0.x/19)

allow all vlan 250 machines to access some servers on vlan 1

thanks for any info.

Terry

There are still some things about the topology of the network that we need to understand better.

If I understand correctly VLAN 250 is using addresses in 10.10.57.0/24. You want to allow these users access to the Internet. It is important to understand whether you have existing access lists in place somewhere in the network controlling Internet traffic, and if so where the lists are and how they are configured.

The simple case is that you do not have existing access lists in place. If this were to be true then you just add the new users to the network, make sure that they have a route to the Internet and they will have access.

If you have existing access lists in place it may be necessary to make changes to them to allow these new addresses to access the Internet. We will not know until you supply some additional information.

But I think there are also some comments about the access list that you describe. If you had configured access list 116 as outbound on VLAN 250 it would control traffic going through the MSFC and out interface VLAN 250. If your access list is:

access-list 116 permit ip 10.10.1.0 255.255.255.0 any

then it would look like only traffic from 10.10.1.0 would be allowed to go out to these new addresses. Except that you have the mask inverted. With the access list as coded, any address which had 0 in the fourth octet would be allowed.

So take that access list out and give us some more information about your network.

HTH

Rick

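Rick's point about the inverted mask, shown as an added illustration that is not part of the thread: a small Python evaluator of IOS wildcard-mask matching, run over constructed sample addresses with the entry as posted (mask 255.255.255.0) and with the wildcard the poster presumably intended (0.0.0.255). The function names are my own.

```python
import ipaddress

def acl_matches(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard test: a 0 bit in the mask must match the base, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def wildcard_from_netmask(netmask: str) -> str:
    """Invert a subnet mask into the wildcard form that access-list entries expect."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(netmask)) ^ 0xFFFFFFFF))

def matched_by(base: str, wildcard: str, candidates: list) -> list:
    """Which candidate addresses 'permit ip <base> <wildcard> any' would permit."""
    return [c for c in candidates if acl_matches(c, base, wildcard)]

# The entry as posted: access-list 116 permit ip 10.10.1.0 255.255.255.0 any
POSTED_BASE, POSTED_MASK = "10.10.1.0", "255.255.255.0"
INTENDED_MASK = wildcard_from_netmask(POSTED_MASK)  # 0.0.0.255

# Constructed sample addresses: two from 10.10.1.0/24, the rest from elsewhere.
SAMPLE = ["10.10.1.7", "10.10.1.200", "10.10.57.25", "10.10.57.0",
          "192.0.2.0", "172.16.5.1"]

if __name__ == "__main__":
    # With 255.255.255.0 only the fourth octet is compared, so any x.x.x.0 matches.
    print("as posted:", matched_by(POSTED_BASE, POSTED_MASK, SAMPLE))
    # With 0.0.0.255 the first three octets are compared, so only 10.10.1.0/24 matches.
    print("intended :", matched_by(POSTED_BASE, INTENDED_MASK, SAMPLE))
```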

Rick,

Thanks for your reply. Here is more info:

interface Vlan1
 description *** Production Lan ***
 ip address 10.10.5.230 255.255.224.0
 ip access-group 115 in
 ip access-group 115 out
 no ip redirects
 no ip unreachables
 ip accounting output-packets
 ip pim sparse-dense-mode
 ip cgmp
 no ip mroute-cache
 ipx helper-address 31D2C00.ffff.ffff.ffff
 ipx encapsulation ARPA
 ipx network 31D0400
 no ipx pad-process-switched-packets
 standby 1 ip 10.10.7.73
 standby 1 priority 150
 standby 1 preempt
!
interface Vlan105
 ip address 10.10.34.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip pim sparse-dense-mode
 no ip route-cache cef
 standby 5 ip 10.10.34.1
 standby 5 priority 100
 standby 5 preempt
!
interface Vlan250
 description *** NT4.0 Workstations ***
 ip address 10.10.57.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip pim sparse-dense-mode
 no ip route-cache cef
 ip cgmp
 standby 4 ip 10.10.57.1
 standby 4 priority 150
 standby 4 preempt
!
interface Vlan350
 description *** Edge Network ***
 ip address 10.10.112.1 255.255.252.0
 ip access-group 115 in
 ip access-group 115 out
 ip pim sparse-dense-mode
 ip cgmp
 ipx encapsulation ARPA
 ipx network 31D7000
 no ipx pad-process-switched-packets
!
interface Vlan450
 description *** Staging ***
 ip address 10.10.56.2 255.255.255.0
 ip access-group 115 in
 ip access-group 115 out
 no ip redirects
 no ip proxy-arp
 ip pim sparse-dense-mode
 standby 2 ip 10.10.56.1
 standby 2 priority 150
 standby 2 preempt
!
interface Vlan550
 description **** LAB 197 *****
 ip address 10.10.59.2 255.255.255.0
 ip access-group 115 in
 ip access-group 115 out
 no ip redirects
 no ip proxy-arp
 standby 3 ip 10.10.59.1
 standby 3 priority 150
 standby 3 preempt
!
router eigrp 80
 network 10.0.0.0
 no auto-summary
 eigrp log-neighbor-changes
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.112.5
ip route 10.10.0.0 255.255.252.0 Vlan1
ip route 10.10.4.0 255.255.252.0 Vlan1
ip route 10.10.8.0 255.255.252.0 Vlan1
ip route 10.10.12.0 255.255.252.0 Vlan1
ip route 10.10.16.0 255.255.252.0 Vlan1
ip route 10.10.20.0 255.255.252.0 Vlan1
ip route 10.10.24.0 255.255.252.0 Vlan1
ip route 10.10.28.0 255.255.252.0 Vlan1
ip route 10.10.34.0 255.255.255.0 Vlan105
ip route 10.10.40.0 255.255.252.0 10.10.4.32
ip route 10.10.57.0 255.255.255.0 Vlan250
ip route 10.10.58.0 255.255.255.0 10.10.7.208
ip route 10.10.59.0 255.255.255.0 Vlan550
no ip http server
!
ip access-list extended DenyPrivate
 deny ip 192.168.0.0 0.0.255.255 any log
 deny ip 10.10.0.0 0.0.255.255 any log
 deny udp any any eq 18246 log
 deny tcp any any eq 18246 log
 permit ip any any
ip access-list extended VirusBlock
 deny udp any any eq 1433
 deny udp any any eq 1434
 deny tcp any any eq 445
 deny tcp any any eq 5000
 deny tcp any any eq 6673
 deny tcp any any eq 2048
 deny tcp any any eq 36963
 deny tcp any any eq 1427
 deny tcp any any eq 4654
 deny tcp any any eq 65528
 deny tcp any any eq 65529
 deny tcp any any eq 8172
 deny tcp any any eq 6664
 deny udp any any eq tftp
 permit ip any any
!
access-list 52 permit 10.10.0.0 0.0.255.255
access-list 98 permit 10.10.78.5
access-list 98 permit 10.10.78.1
access-list 98 permit 10.10.78.2
access-list 98 permit 10.10.77.71
access-list 99 permit 10.10.203.203
access-list 99 permit 10.10.222.60
access-list 100 deny udp any host 10.10.255.255
access-list 100 permit ip any any
access-list 101 permit ip any 10.0.0.0 0.255.255.255
access-list 101 permit ip any 10.0.0.0 0.255.255.255
access-list 101 permit ip any 192.131.0.0 0.0.255.255
access-list 101 permit ip any 224.0.0.0 15.255.255.255
access-list 191 deny udp any any eq 18246 log
access-list 191 deny tcp any any eq 18246 log
access-list 191 permit ip any any
route-map onlylocal permit 10
 match ip address 52

Terry

There are a number of things in this config that do not make sense to me. I am not sure how much they matter.

As it stands the config that you have posted should allow the users in VLAN 250 to access the Internet and to access other resources. As I see it the MSFC does have a valid default route which sends traffic through VLAN 350 toward the Internet. Depending on whether there are any other access lists between this device and the Internet router, the VLAN 250 users should get out. I also note that you are running EIGRP and have a network statement which includes the subnet of VLAN 250, so these users should have routes to the other parts of your network and the rest of your network should have a route back to 10.10.57.0.

I notice that VLAN 350 which leads toward the Internet has an access list applied. But the access list 115 which it applies does not appear in the config. The result is as if the access list were not applied. So their Internet access would not be impacted. I note that this same access list is also applied on other interfaces (and that the same access list is applied both inbound and outbound, which is kind of unusual). You probably should clean this up.

I notice that you have quite a number of static routes which point routes back to the interface on which they are connected. I do not know why this was done. I do not think that it hurts anything, but it does no good that I can see.

I notice that the configuration includes a route-map called onlylocal but the route map is not used anywhere. Is there some reason for it?

As I said I believe that the config as it stands will accomplish your objective of allowing users on VLAN 250 to access the Internet.

HTH

Rick

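Rick's observations that access list 115 is applied but never defined, and that route-map onlylocal is defined but never used, as an added check that is not part of the thread: a small Python audit over a trimmed excerpt of the config posted above. It flags access-groups that reference an ACL with no definition (where IOS filters nothing) and route-maps with no reference; the function names are my own.

```python
import re

# Excerpt trimmed from the MSFC config posted earlier in this thread.
CONFIG = """\
interface Vlan1
 ip access-group 115 in
 ip access-group 115 out
!
ip access-list extended DenyPrivate
 deny ip 10.10.0.0 0.0.255.255 any log
 permit ip any any
access-list 52 permit 10.10.0.0 0.0.255.255
access-list 191 permit ip any any
route-map onlylocal permit 10
 match ip address 52
"""

def defined_acls(cfg: str) -> set:
    """Numbered and named ACLs that actually have a definition in the config."""
    names = set(re.findall(r"^access-list (\S+) ", cfg, re.M))
    names |= set(re.findall(r"^ip access-list (?:standard|extended) (\S+)", cfg, re.M))
    return names

def applied_acls(cfg: str) -> list:
    """Every (interface, acl, direction) taken from the ip access-group lines."""
    refs, iface = [], None
    for line in cfg.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            iface = m.group(1)
        m = re.match(r"^\s+ip access-group (\S+) (in|out)", line)
        if m and iface:
            refs.append((iface, m.group(1), m.group(2)))
    return refs

def undefined_acl_refs(cfg: str) -> list:
    """Access-groups naming an ACL with no definition: IOS then applies no filter there."""
    defined = defined_acls(cfg)
    return sorted({r for r in applied_acls(cfg) if r[1] not in defined})

def unused_route_maps(cfg: str) -> list:
    """Route-maps that are defined but referenced by no other configuration line."""
    defined = set(re.findall(r"^route-map (\S+) ", cfg, re.M))
    used = set(re.findall(r"^(?!route-map).*\broute-map (\S+)", cfg, re.M))
    return sorted(defined - used)
```

Calling `undefined_acl_refs(CONFIG)` reports both access-group lines on Vlan1 for ACL 115, and `unused_route_maps(CONFIG)` reports onlylocal.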