Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Webcast-Catalyst9k
New Member

WAN ACLs

Greetings:

We have a private WAN IP network (WAN: 10.255.255.0/28) consisting with five different subnets each with their own IP (LAN)addressing space.

LAN 1= 172.16.0.0/16

LAN 2= 10.1.7.0/22

LAN 3= 172.28.130.0/23 (VLAN)

LAN 4= 172.17.0.0/16

LAN 5= 10.169.254.0/24

I need to be able connect LAN 5 to LAN 3 (VLAN) - and route all Internet traffic from LAN 3 (VLAN) to a gateway on LAN 5 - while at the same time restrict LAN 5 from connecting to any of the other LANs.

The biggest problem I can't get my arms around is all of the 10.x networks involved. We also employ EIRGP on each router.

4 REPLIES
New Member

Re: WAN ACLs

Logic check: Will this work?

++++++++++++++++++++++

LAN 5 router:

interface GigabitEthernet0/0

description ***Connection to WAN***

ip address 10.255.255.5 255.255.255.240

ip flow ingress

ip flow egress

duplex auto

speed auto

interface GigabitEthernet0/1

description *** LAN port ***

ip address 10.169.254.69 255.255.255.0

shutdown

duplex auto

speed auto

ON LAN 3 router:

ip dhcp pool JPI

network 172.28.130.0 255.255.254.0

dns-server 10.169.254.10

default-router 172.28.130.1

interface GigabitEthernet0/1.14

description ** LAN 5 **

encapsulation dot1Q 14

ip address 172.28.130.1 255.255.254.0

ip access-group INETLAN5-ONLY in

ip policy route-map INETONLYLAN5

no snmp trap link-status

ip access-list extended INETLAN5-ONLY

permit udp any any eq bootpc

deny ip any 10.1.7.0 0.0.3.255

deny ip any 172.16.0.0 0.15.255.255

deny ip any 192.168.0.0 0.0.255.255

permit icmp any any

permit ip any any

ip access-list extended LAN5-INETONLY-NETS

deny ip 172.28.130.0 0.0.0.255 10.1.7.0 0.0.3.255

deny ip 172.28.130.0 0.0.0.255 172.16.0.0 0.15.255.255

deny ip 172.28.130.0 0.0.0.255 192.168.0.0 0.0.255.255

permit ip 172.28.130.0 0.0.15.255 any

deny ip any any

route-map INETONLYLAN5 permit 10

match ip address LAN5-INETONLY-NETS

set ip next-hop 10.255.255.5

Hall of Fame Super Gold

Re: WAN ACLs

interface GigabitEthernet0/1

description *** LAN port ***

shutdown < --- Your LAN may NOT work.

New Member

Re: WAN ACLs

Yes - I had that down prior to shipping the router to LAN5. The router is now up with LAN up, but neither LAN on both ends can see the other. I can ping hosts on LAN3 from the LAN5 router, but hosts behind each can't get to the other side.

New Member

Re: WAN ACLs

Correction - from the router on LAN5 I can ping hosts behind LAN3 router - but I can only ping the LAN port on LAN5 router from the LAN3 router.

254
Views
0
Helpful
4
Replies
CreatePlease to create content