Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Webcast-Catalyst9k

How to restrict access to another subnet on same VLAN

A bit of background. I have a network that I need to restrict access to from another network that is on the same VLAN.

192.168.0.0/24 <- Restricted Network

10.10.10.0/24 <- Secure Network

I want to prevent 192.168.0.0/24 from being able to access the 10.10.10.0/24 network. I cannot create this as a separate VLAN, as some of my devices are not VLAN aware.

The following config was added to try to block this in the ip access-list extended NATout-Acl:
 deny ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.255

Which did not work.

Sterilized Config:

version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Mikes_House_Router

!

boot-start-marker

boot system flash c2801-adventerprisek9-mz.151-4.M8.bin

boot-end-marker

!

!

logging buffered 4096

!

no aaa new-model

!

dot11 syslog

ip source-route

!

!

!

no ip dhcp use vrf connected

ip dhcp excluded-address 10.10.10.1 10.10.10.9

ip dhcp excluded-address 10.10.10.11 10.10.10.49

ip dhcp excluded-address 192.168.0.1 192.168.0.29

ip dhcp excluded-address 192.168.0.32 192.168.0.254

!

ip dhcp pool Mikes_House

 import all

 network 10.10.10.0 255.255.255.0

 default-router 10.10.10.1 

!

ip dhcp pool static-10.10.10.15

 import all

 host 10.10.10.15 255.255.255.0

 client-identifier 0100.1111.cb34.9e

 default-router 10.10.10.1 

!

ip dhcp pool static-10.10.10.25

 import all

 host 10.10.10.25 255.255.255.0

 client-identifier 0100.1921.b31c.d6

 default-router 10.10.10.1 

!

ip dhcp pool static-192.168.0.30

 host 192.168.0.30 255.255.255.0

 client-identifier 0124.a2e1.595a.fe

 default-router 192.168.0.1 

 dns-server 208.67.222.222 208.67.220.220 

!

ip dhcp pool static-192.168.0.31

 host 192.168.0.31 255.255.255.0

 client-identifier 018c.7c92.72e1.e7

 default-router 192.168.0.1 

 dns-server 208.67.222.222 208.67.220.220 

!

ip dhcp pool Mikes_House_Kids

 import all

 network 192.168.0.0 255.255.255.0

 default-router 192.168.0.1 

 dns-server 208.67.222.222 208.67.220.220 

!

!

ip cef    

ip flow-cache timeout active 1

ip ddns update method DuckDNS

 HTTP

  add http://www.duckdns.org/update?domains=wb6vpm&token=910669b9-9b6f-48b1-aadb-387ab211bb4e

 interval maximum 0 0 5 0

!

login block-for 30 attempts 3 within 30

login on-failure log

no ipv6 cef

!

multilink bundle-name authenticated

!

!

!

!

!

!

!

!

!

!

!         

voice-card 0

!

crypto pki token default removal timeout 0

!

!

!

!

license udi pid CISCO2801 sn FTX1143Y11R

archive

 log config

  logging enable

  logging size 200

  notify syslog contenttype plaintext

  hidekeys

username wb6vpm privilege 15 secret 5 $1$/1yd$0zly0Jo4A0ynHrrS2TCef1

username opengear privilege 15 secret 5 $1$kFBL$OU0Tez/HcrxnIVhV9F7dS/

!

redundancy

!

!

ip ssh version 1

!

class-map match-any VOIP

 match protocol sip

 match protocol rtp

class-map match-any WebEmail

 match protocol http

 match protocol secure-http

 match protocol ftp

 match protocol smtp

 match protocol pop3

!

!

policy-map VoIPQOS

 class VOIP

  priority percent 52

  set dscp ef

 class WebEmail

  bandwidth remaining percent 75

 class class-default

  fair-queue

!

crypto keyring newkeyring  

  pre-shared-key address 0.0.0.0 0.0.0.0 key NXCWLS$777

!         

crypto isakmp policy 1

 encr 3des

 authentication pre-share

 group 2

 lifetime 28800

crypto isakmp keepalive 10 3

!

!

crypto ipsec transform-set NXCWLSVPNTransform esp-3des esp-sha-hmac 

 mode transport

!

crypto ipsec profile NXCWLSVPN-Prof

 set transform-set NXCWLSVPNTransform 

!

!

!

!

!

!

!

interface Loopback0

 ip address 10.255.0.2 255.255.255.255

!         

interface Tunnel1

 bandwidth 1000

 ip address 10.255.255.2 255.255.255.0

 no ip redirects

 ip mtu 1408

 ip nhrp authentication NXCW@777

 ip nhrp map multicast dynamic

 ip nhrp map multicast 168.215.217.26

 ip nhrp map 10.255.255.1 168.215.217.26

 ip nhrp network-id 1772777

 ip nhrp holdtime 300

 ip nhrp nhs 10.255.255.1

 ip tcp adjust-mss 574

 ip ospf network broadcast

 ip ospf priority 0

 delay 1000

 qos pre-classify

 tunnel source FastEthernet0/0

 tunnel mode gre multipoint

 tunnel key 1772777

 tunnel protection ipsec profile NXCWLSVPN-Prof shared

!

interface FastEthernet0/0

 description ISP

 ip dhcp client update dns server none

 ip ddns update DuckDNS

 ip address dhcp client-id FastEthernet0/0 hostname wb6vpm.duckdns.org

 ip nat outside

 ip virtual-reassembly in

 duplex auto

 speed auto

!

interface FastEthernet0/1

 no ip address

 shutdown

 duplex auto

 speed auto

!

interface FastEthernet0/1/0

 description WiFi

 switchport access vlan 10

 no ip address

 spanning-tree portfast

!

interface FastEthernet0/1/1

 description Laptop Docking Station

 switchport access vlan 10

 no ip address

 spanning-tree portfast

!

interface FastEthernet0/1/2

 description Desktop

 switchport access vlan 10

 no ip address

 spanning-tree portfast

!

interface FastEthernet0/1/3

 description Roku

 switchport access vlan 10

 no ip address

 spanning-tree portfast

!

interface FastEthernet0/3/0

 switchport access vlan 10

 no ip address

 spanning-tree portfast

!

interface FastEthernet0/3/1

 switchport access vlan 10

 no ip address

 spanning-tree portfast

!

interface FastEthernet0/3/2

 switchport access vlan 10

 no ip address

 spanning-tree portfast

!

interface FastEthernet0/3/3

 switchport access vlan 10

 no ip address

 spanning-tree portfast

!

interface Vlan1

 no ip address

 shutdown

!

interface Vlan10

 ip address 192.168.0.1 255.255.255.0 secondary

 ip address 192.168.170.1 255.255.255.0 secondary

 ip address 192.168.1.1 255.255.255.0 secondary

 ip address 10.10.10.1 255.255.255.0

 ip nat inside

 ip virtual-reassembly in

!

router ospf 10

 router-id 10.255.255.2

 redistribute connected

 redistribute static subnets

 network 10.10.10.0 0.0.0.255 area 0

 network 10.255.0.0 0.0.0.0 area 0

 network 10.255.255.0 0.0.0.255 area 0

!

ip forward-protocol nd

no ip http server

no ip http secure-server

!

ip flow-export version 9

!

ip nat inside source list NATout-Acl interface FastEthernet0/0 overload

ip nat inside source static tcp 10.10.10.15 45000 interface FastEthernet0/0 45000

ip nat inside source static udp 10.10.10.15 45000 interface FastEthernet0/0 45000

ip nat inside source static udp 10.10.10.15 65000 interface FastEthernet0/0 65000

ip nat inside source static tcp 10.10.10.15 65000 interface FastEthernet0/0 65000

ip nat inside source static tcp 10.10.10.15 8080 interface FastEthernet0/0 8080

ip nat inside source static tcp 10.10.10.15 8980 interface FastEthernet0/0 8980

ip nat inside source static tcp 10.10.10.15 80 interface FastEthernet0/0 80

ip nat inside source static tcp 10.10.10.15 21 interface FastEthernet0/0 21

ip nat inside source static tcp 10.10.10.15 20 interface FastEthernet0/0 20

ip nat inside source static tcp 10.10.10.15 5000 interface FastEthernet0/0 5000

ip nat inside source static tcp 10.10.10.15 5001 interface FastEthernet0/0 5001

ip nat inside source static tcp 10.10.10.15 5002 interface FastEthernet0/0 5002

ip nat inside source static tcp 10.10.10.15 5003 interface FastEthernet0/0 5003

ip nat inside source static tcp 10.10.10.15 5004 interface FastEthernet0/0 5004

ip nat inside source static tcp 10.10.10.15 5005 interface FastEthernet0/0 5005

ip nat inside source static tcp 10.10.10.15 5006 interface FastEthernet0/0 5006

ip nat inside source static tcp 10.10.10.15 5007 interface FastEthernet0/0 5007

ip nat inside source static tcp 10.10.10.15 5008 interface FastEthernet0/0 5008

ip nat inside source static tcp 10.10.10.15 5009 interface FastEthernet0/0 5009

ip nat inside source static tcp 10.10.10.15 5010 interface FastEthernet0/0 5010

ip nat inside source static tcp 10.10.10.15 5011 interface FastEthernet0/0 5011

ip nat inside source static tcp 10.10.10.15 5012 interface FastEthernet0/0 5012

ip nat inside source static tcp 10.10.10.15 5013 interface FastEthernet0/0 5013

ip nat inside source static tcp 10.10.10.15 5014 interface FastEthernet0/0 5014

ip nat inside source static tcp 10.10.10.15 5015 interface FastEthernet0/0 5015

ip nat inside source static tcp 10.10.10.15 5016 interface FastEthernet0/0 5016

ip nat inside source static tcp 10.10.10.15 5017 interface FastEthernet0/0 5017

ip nat inside source static tcp 10.10.10.15 5018 interface FastEthernet0/0 5018

ip nat inside source static tcp 10.10.10.15 5019 interface FastEthernet0/0 5019

ip nat inside source static tcp 10.10.10.15 5020 interface FastEthernet0/0 5020

ip nat inside source static tcp 10.10.10.15 5021 interface FastEthernet0/0 5021

ip nat inside source static tcp 10.10.10.15 5022 interface FastEthernet0/0 5022

ip nat inside source static tcp 10.10.10.15 5023 interface FastEthernet0/0 5023

ip nat inside source static tcp 10.10.10.15 5024 interface FastEthernet0/0 5024

ip nat inside source static tcp 10.10.10.15 5025 interface FastEthernet0/0 5025

ip nat inside source static tcp 10.10.10.15 5026 interface FastEthernet0/0 5026

ip nat inside source static tcp 10.10.10.15 5027 interface FastEthernet0/0 5027

ip nat inside source static tcp 10.10.10.15 5028 interface FastEthernet0/0 5028

ip nat inside source static tcp 10.10.10.15 5029 interface FastEthernet0/0 5029

ip nat inside source static tcp 10.10.10.25 4242 interface FastEthernet0/0 4242

ip nat inside source static udp 10.10.10.25 4242 interface FastEthernet0/0 4242

ip nat inside source static tcp 10.10.10.25 4240 interface FastEthernet0/0 4240

ip nat inside source static udp 10.10.10.25 4240 interface FastEthernet0/0 4240

!

ip access-list extended NATout-Acl

 permit ip 10.10.10.0 0.0.0.255 any

 permit ip 192.168.0.0 0.0.0.255 any

 permit ip 192.168.1.0 0.0.0.255 any

 permit ip 192.168.170.0 0.0.0.255 any

 deny   ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.255

ip access-list extended OutsideIn-Acl

 permit icmp any any echo

 permit icmp any any echo-reply

 permit icmp any any time-exceeded

 permit tcp any any established

 permit udp any eq ntp any

 permit udp any eq domain any

 permit udp any any

 permit tcp 64.17.230.96 0.0.0.7 any eq telnet

 permit tcp 10.10.10.0 0.0.0.255 any eq telnet

 permit tcp 65.255.201.64 0.0.0.3 any eq telnet

 permit tcp any host 10.10.10.15 eq www

 permit tcp any host 10.10.10.15 eq ftp

 deny   ip any any

!

logging trap debugging

logging host 10.10.10.15 transport tcp

!

!

!

!

snmp-server community M1cha3l RO

snmp-server packetsize 4096

snmp-server host 10.10.10.10 version 2c M1cha3l 

snmp-server host 10.10.10.15 version 2c M1cha3l 

!

!

control-plane

!

!

!

!

mgcp profile default

!

!

!

!

!

!

line con 0

 login local

line aux 0

line vty 0 4

 login local

 transport input all

line vty 5 15

 login local

 transport input all

!

scheduler allocate 20000 1000

ntp peer 69.65.40.29

ntp peer 50.116.38.157

ntp peer 204.2.134.163

ntp peer 208.79.16.124

event manager applet CLIaccounting

 event cli pattern ".*" sync no skip no

 action 1.0 syslog priority informational msg "$_cli_msg"

 action 2.0 set _exit_status "1"

!

end

Everyone's tags (1)
4 REPLIES
Silver

Hi Michael,it's a little bit

Hi Michael,

it's a little bit late in my country (almost midnight) but I would try to answer your post (may be not a very good idea); it seems me that you are appliing the ACL just to control NAT not to permit/deny IP traffic. This way when a host in 192.168.0.x network try to connect to another host in the 10.10.10.0 network, it just sends the IP packet to it's default gateway (I suppose your router) and it will deliver the packet to the destionation network, un-natted  but it will. Isn't it ?

 

Bye,

enrico

Hall of Fame Super Gold

I am not clear about the

I am not clear about the original poster statement that some devices were not vlan aware and that is why everything is in  the same vlan. Having these 4 networks/subnets all in the same vlan is a very unusual design and I believe that it is causing (or will cause) problems, starting with this need to restrict traffic.

 

To the extent that hosts in the network need to send their traffic through the router to get to destinations then the router is able to control access. To the extent that hosts in the network can communicate directly with other hosts then the router is not able to control that traffic. So the question becomes do these hosts need to send their traffic through the router to reach hosts in the other network?

 

To the extent that a host would send its traffic to its default gateway for destinations that it believes is remote then yes the traffic would go through the router. But considering that all of these hosts are in the same vlan and therefore in the same broadcast domain, then if a host in 10.10.10.0 wants to communicate with a host in 192.168.0.0 and if the host sends an ARP request for the destination address, then the other host would receive the ARP, would reply, and the hosts would communicate without needing the router. And in that case the router can not control the traffic.

 

So the real answer to the question of the original poster is that it depends on the behavior of the hosts in the network. The best that he can do is to configure an access list to control the traffic and to apply it inbound on the vlan 10 interface.

 

HTH

 

Rick

I think security is

I think security is impossible in this design. because anybody can manually set ip address from any network and so get access.

acl mentioned is not prevent access from network to network. because it is nat acl not access acl

Ok, I didn't explain things

Ok, I didn't explain things very well. This is a router that I have as my NAT firewall/DMVPN to the office at my house. What I am doing, if you see the static DHCP assignments for the 192.168 net, those are my daughters iPads. I want to prevent those devices from being able to see anything but the internet, no normal network (10.10) or any of the VPN networks (which if I am remembering my networking correctly, they can't anyways, since their subnet is not being advertised by the OSPF policy). My WiFi access point is the device that is not VLAN compatible (hence my comment about not being able to do separate VLAN's, and then restricting VLAN to VLAN access). 

This is not a "security" issue, beyond wanting to keep my kids from deciding to access either my network share, or our network printer.

I hope this helps clarify things.

672
Views
0
Helpful
4
Replies
CreatePlease to create content