Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
542
Views
0
Helpful
4
Replies

WAN ACLs

iholdings
Level 1
Level 1

‎10-07-2009 06:00 AM - edited ‎03-04-2019 06:17 AM

Greetings:

We have a private WAN IP network (WAN: 10.255.255.0/28) consisting with five different subnets each with their own IP (LAN)addressing space.

LAN 1= 172.16.0.0/16

LAN 2= 10.1.7.0/22

LAN 3= 172.28.130.0/23 (VLAN)

LAN 4= 172.17.0.0/16

LAN 5= 10.169.254.0/24

I need to be able connect LAN 5 to LAN 3 (VLAN) - and route all Internet traffic from LAN 3 (VLAN) to a gateway on LAN 5 - while at the same time restrict LAN 5 from connecting to any of the other LANs.

The biggest problem I can't get my arms around is all of the 10.x networks involved. We also employ EIRGP on each router.

Labels:
0 Helpful
4 Replies 4

iholdings
Level 1
Level 1

‎10-07-2009 07:20 AM

Logic check: Will this work?

++++++++++++++++++++++

LAN 5 router:

interface GigabitEthernet0/0

description ***Connection to WAN***

ip address 10.255.255.5 255.255.255.240

ip flow ingress

ip flow egress

duplex auto

speed auto

interface GigabitEthernet0/1

description *** LAN port ***

ip address 10.169.254.69 255.255.255.0

shutdown

duplex auto

speed auto

ON LAN 3 router:

ip dhcp pool JPI

network 172.28.130.0 255.255.254.0

dns-server 10.169.254.10

default-router 172.28.130.1

interface GigabitEthernet0/1.14

description ** LAN 5 **

encapsulation dot1Q 14

ip address 172.28.130.1 255.255.254.0

ip access-group INETLAN5-ONLY in

ip policy route-map INETONLYLAN5

no snmp trap link-status

ip access-list extended INETLAN5-ONLY

permit udp any any eq bootpc

deny ip any 10.1.7.0 0.0.3.255

deny ip any 172.16.0.0 0.15.255.255

deny ip any 192.168.0.0 0.0.255.255

permit icmp any any

permit ip any any

ip access-list extended LAN5-INETONLY-NETS

deny ip 172.28.130.0 0.0.0.255 10.1.7.0 0.0.3.255

deny ip 172.28.130.0 0.0.0.255 172.16.0.0 0.15.255.255

deny ip 172.28.130.0 0.0.0.255 192.168.0.0 0.0.255.255

permit ip 172.28.130.0 0.0.15.255 any

deny ip any any

route-map INETONLYLAN5 permit 10

match ip address LAN5-INETONLY-NETS

set ip next-hop 10.255.255.5

0 Helpful

Leo Laohoo
Hall of Fame
Hall of Fame
In response to iholdings

‎10-07-2009 12:41 PM

interface GigabitEthernet0/1

description *** LAN port ***

shutdown < --- Your LAN may NOT work.

0 Helpful

iholdings
Level 1
Level 1
In response to Leo Laohoo

‎10-08-2009 03:59 AM

Yes - I had that down prior to shipping the router to LAN5. The router is now up with LAN up, but neither LAN on both ends can see the other. I can ping hosts on LAN3 from the LAN5 router, but hosts behind each can't get to the other side.

0 Helpful

iholdings
Level 1
Level 1
In response to iholdings

‎10-08-2009 04:02 AM

Correction - from the router on LAN5 I can ping hosts behind LAN3 router - but I can only ping the LAN port on LAN5 router from the LAN3 router.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card