Cisco 871 VLANs / ACLs

Discussion in 'Cisco' started by Vincent, Feb 17, 2011.

  1. Vincent

    Vincent Guest

    Hello all. I'm rather a novice to Cisco ACLs, so forgive me if I
    word this question poorly.

    Anyhow, I am using a Cisco 871 with Advanced IP Services as my home
    router and have set up two VLANs. Vlan1 is used for 2 desktop
    computers and Vlan2 is used to host the myriad wireless devices
    throughout. I want to create an ACL that permits ALL traffic
    (including return traffic) to transit between Vlan1 and Vlan2 if that
    traffic originates in Vlan1. I want NO traffic (except for return
    traffic) to transit between Vlan2 and Vlan1. Is there an easy way to
    accomplish this?

    My Vlan1 and Vlan2 definitions and current (rather simple) ACL are as
    follows:

    interface Vlan1
    description internal LAN
    ip address 192.168.200.1 255.255.255.0
    ip access-group LANIn in
    ip verify unicast reverse-path
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip accounting access-violations
    ip flow ingress
    ip multicast boundary 30
    ip nat inside
    ip virtual-reassembly
    !
    interface Vlan2
    description internal LAN
    ip address 192.168.100.1 255.255.255.0
    ip access-group LANIn in
    ip verify unicast reverse-path
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip accounting access-violations
    ip flow ingress
    ip multicast boundary 30
    ip nat inside
    ip virtual-reassembly

    ip access-list extended LANIn
    deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
    permit ip 192.168.100.0 0.0.0.255 any
    permit ip 192.168.200.0 0.0.0.255 any
    deny ip any any log-input


    Thank you for your assistance!

    Vincent
     
    Vincent, Feb 17, 2011
    #1

  2. Vincent <> writes:
    >Hello all. I'm rather a novice to Cisco ACLs, so forgive me if I
    >word this question poorly.

    >Anyhow, I am using a Cisco 871 with Advanced IP Services as my home
    >router and have set up two VLANs. Vlan1 is used for 2 desktop
    >computers and Vlan2 is used to host the myriad wireless devices
    >throughout. I want to create an ACL that permits ALL traffic
    >(including return traffic) to transit between Vlan1 and Vlan2 if that
    >traffic originates in Vlan1. I want NO traffic (except for return
    >traffic) to transit between Vlan2 and Vlan1. Is there an easy way to
    >accomplish this?


    ACLs don't have state. They can't track sessions to say "this traffic
    originated here" and let it back through. You only get a clear-cut
    "does this packet match this rule?" Yes, let it through. No, block it.
    The only notion of anything above packet level is that it can see if the
    TCP Established flag is set or not.

    It sounds like you really want to be using more advanced features,
    such as using CBAC or Zone-Based Firewall options of the Cisco router.
    You'll have to read up a lot on either of those to get started.

    The Cisco is really like a big toolbox full of many different tools
    and stuff you can use to build what you want to do. It's not always
    obvious which tool you should pull out of the toolbox.
     
    Doug McIntyre, Feb 17, 2011
    #2
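To make Doug's point about statelessness concrete, here is a small added Python model (not from the thread, and not IOS code): it evaluates Vincent's posted LANIn list packet by packet, and beside it keeps a simplified session table of the kind CBAC or the Zone-Based Firewall maintains. The StatefulFilter class and its session semantics are an illustrative assumption, not the router's actual implementation.

```python
from ipaddress import ip_address

# Constructed model of an IOS-style extended ACL (stateless, like Vincent's
# LANIn list) beside a minimal stateful inspection table (the behaviour CBAC
# or Zone-Based Firewall adds). Added illustration, not config from the thread.

def in_wildcard(addr, network, wildcard):
    """Cisco wildcard-mask match: wildcard bits set to 1 are 'don't care'."""
    a, n = int(ip_address(addr)), int(ip_address(network))
    care = ~int(ip_address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

ANY = ("0.0.0.0", "255.255.255.255")

# The posted LANIn list: (action, src_net, src_wildcard, dst_net, dst_wildcard).
LANIN = [
    ("deny",   "192.168.100.0", "0.0.0.255", "192.168.200.0", "0.0.0.255"),
    ("permit", "192.168.100.0", "0.0.0.255", *ANY),
    ("permit", "192.168.200.0", "0.0.0.255", *ANY),
    ("deny",   *ANY, *ANY),
]

def stateless_verdict(acl, src, dst):
    """First matching line wins; no memory of earlier packets (implicit deny)."""
    for action, sn, sw, dn, dw in acl:
        if in_wildcard(src, sn, sw) and in_wildcard(dst, dn, dw):
            return action
    return "deny"

class StatefulFilter:
    """Session-aware filter (assumed model): a flow that starts in Vlan1
    (192.168.200.0/24) is permitted and remembered; a packet from Vlan2 passes
    only if it is the exact reverse of a remembered flow. No timeouts, no TCP
    state machine."""

    VLAN1 = ("192.168.200.0", "0.0.0.255")

    def __init__(self):
        self.sessions = set()

    def verdict(self, proto, src, sport, dst, dport):
        if in_wildcard(src, *self.VLAN1):
            self.sessions.add((proto, src, sport, dst, dport))
            return "permit"
        reverse = (proto, dst, dport, src, sport)
        return "permit" if reverse in self.sessions else "deny"
```

The stateless verdicts show the reply packet from Vlan2 hitting the first deny line no matter who started the conversation, while the session table lets it through only when a Vlan1 host opened that exact flow.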
