I have a 1335. I have VLANs 1, 3, 4 and 24 programmed in. I need to block access from VLAN 3 to all other subnets but still allow it out to the internet. I do not want these ACLs to disrupt other inter-VLAN traffic; the networks for VLAN 1 and 4 need to have no interruption. Here is the config I have programmed; does it look correct?
!
interface vlan 1
description Customer_Lan
ip address 192.168.2.1 255.255.255.0
ip dhcp relay destination 192.168.2.5
ip access-policy Private
ip route-cache express
no shutdown
!
interface vlan 3
description Guest-Wireless
ip address 192.168.3.1 255.255.255.0
ip access-policy Private
ip route-cache express
no shutdown
!
interface vlan 4
description Voice
ip address 192.168.4.1 255.255.255.0
ip route-cache express
no shutdown
!
interface vlan 24
description INET
ip address XX.XX.XX.XX 255.255.255.248
ip access-policy Public
ip route-cache express
no shutdown
!
!
!
!
!
!
!
ip access-list standard PUBLIC
permit any
!
!
ip access-list extended Block_Vlan_3
deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
permit ip any any
!
ip access-list extended self
remark Traffic to NetVanta
permit ip any any log
!
ip policy-class Private
allow list Block_3
nat source list wizard-ics interface vlan 24 overload
allow list self self
!
ip policy-class Public
allow list PUBLIC
!
!
Thanks!
When you use the 'deny' statement in an ACL, you are essentially telling the ACL to ignore that traffic, or "don't match it". This will not prevent ACLs listed below it from matching it and taking an action on it. This is what is happening here.
I would suggest the following:
ip access-list extended restrict-3-list
permit ip any 192.168.2.0 0.0.0.255
permit ip any 192.168.4.0 0.0.0.255
!
!
!
ip policy-class vlan-3-policy
discard list restrict-3-list
nat source list wizard-ics interface vlan 24 overload
!
!
!
interface vlan 3
description Guest-Wireless
ip address 192.168.3.1 255.255.255.0
ip access-policy vlan-3-policy
ip route-cache express
no shutdown
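To make the "deny means don't match" rule concrete, here is a small Python evaluator written for this thread (it is not the poster's config, not Adtran code, and not a full model of AOS). It parses the ACL lines exactly as they appear above, including AOS wildcard masks, and walks a policy-class entry by entry: a 'permit' hit selects the entry's action, a 'deny' hit or no hit at all falls through to the next entry, and a packet that matches nothing reaches the implicit discard. Assumptions: the wizard-ics list (not shown in the thread) is taken to be 'permit ip any any'; the 'allow list self self' entry is left out because traffic addressed to the router itself is not modelled; the guest and internet host addresses are constructed. Note that the poster's policy-class references a list called Block_3 while the list is defined as Block_Vlan_3; the example uses the list as defined.

```python
"""
Added example, not from the thread or from Adtran: a toy evaluator for the
policy-class / ACL semantics described in the reply above.  An ACL line that
hits with 'deny' means "this list does NOT match", so the packet falls through
to the next policy-class entry; only a 'permit' hit selects that entry's action
(allow / discard / nat).  A packet matching no entry at all is discarded.
"""
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Tuple

AclEntry = Tuple[str, IPv4Network, IPv4Network]   # (permit|deny, src, dst)
PolicyEntry = Tuple[str, str]                     # (allow|discard|nat, acl name)
ANY = ip_network("0.0.0.0/0")


def wildcard_to_network(addr: str, wildcard: str) -> IPv4Network:
    """Convert AOS-style 'addr wildcard' (e.g. 192.168.3.0 0.0.0.255) to a network."""
    w = int(ip_address(wildcard))
    if w & (w + 1):                      # set bits must be one contiguous low-order run
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    prefix = 32 - (w + 1).bit_length() + 1
    return ip_network(f"{addr}/{prefix}", strict=False)


def _parse_target(tokens: List[str], i: int) -> Tuple[IPv4Network, int]:
    """Parse one address spec starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(text: str) -> List[AclEntry]:
    """Parse the body lines of an 'ip access-list' (standard, or extended 'ip')."""
    entries: List[AclEntry] = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("!", "remark"):
            continue
        action = tokens[0]
        if action not in ("permit", "deny"):
            raise ValueError(f"unsupported ACL line: {line}")
        if tokens[1] == "ip":                    # extended: permit ip <src> <dst> [log]
            src, i = _parse_target(tokens, 2)
            dst, _ = _parse_target(tokens, i)
        else:                                    # standard: permit <src>
            src, _ = _parse_target(tokens, 1)
            dst = ANY
        entries.append((action, src, dst))
    return entries


def acl_matches(acl: List[AclEntry], src: IPv4Address, dst: IPv4Address) -> bool:
    """True only on a 'permit' hit; a 'deny' hit or no hit at all = list does not match."""
    for action, s, d in acl:
        if src in s and dst in d:
            return action == "permit"
    return False


def evaluate(policy: List[PolicyEntry], acls: Dict[str, List[AclEntry]],
             src: str, dst: str) -> str:
    """Return the action of the first policy-class entry whose list permits the flow."""
    s, d = ip_address(src), ip_address(dst)
    for action, acl_name in policy:
        if acl_matches(acls[acl_name], s, d):
            return action
    return "discard"     # implicit discard at the end of every policy-class


ACLS = {
    # The poster's list, exactly as posted in the question
    "Block_Vlan_3": parse_acl("""
        deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
        deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
        deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
        permit ip any any
    """),
    # The reply's list: the traffic to be discarded is named with 'permit'
    "restrict-3-list": parse_acl("""
        permit ip any 192.168.2.0 0.0.0.255
        permit ip any 192.168.4.0 0.0.0.255
    """),
    # wizard-ics is not shown in the thread; ASSUMED here to be 'permit ip any any'
    "wizard-ics": parse_acl("permit ip any any"),
}

# Poster's 'Private' class (first two entries; 'allow list self self' omitted because
# traffic addressed to the router itself is not modelled in this toy)
ORIGINAL = [("allow", "Block_Vlan_3"), ("nat", "wizard-ics")]
# The reply's 'vlan-3-policy'
PROPOSED = [("discard", "restrict-3-list"), ("nat", "wizard-ics")]

GUEST = "192.168.3.50"                               # constructed guest-wireless host
FLOWS = {"customer LAN host": "192.168.2.10",
         "voice host": "192.168.4.10",
         "internet host": "203.0.113.10"}            # constructed, documentation range


def compare() -> Dict[str, Tuple[str, str]]:
    """Map each flow label to (result under ORIGINAL, result under PROPOSED)."""
    return {label: (evaluate(ORIGINAL, ACLS, GUEST, dst),
                    evaluate(PROPOSED, ACLS, GUEST, dst))
            for label, dst in FLOWS.items()}


if __name__ == "__main__":
    for label, (before, after) in compare().items():
        print(f"{label:18} original={before:8} proposed={after}")
```

Under the original class, a guest packet to 192.168.2.10 hits the 'deny' line in Block_Vlan_3, so that list does not match and the packet falls through to the NAT entry, which (with the assumed wizard-ics) matches it; under the proposed class the same packet matches restrict-3-list and is discarded. The internet flow shows the other side of "first matching entry wins": in the original class it matches 'permit ip any any' in the allow entry before the NAT entry is ever consulted, whereas in the proposed class it skips the discard list and reaches the NAT entry.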
jtphoneman wrote:
I have a 1335. I have VLANs 1, 3, 4 and 24 programmed in. I need to block access from VLAN 3 to all other subnets but still allow it out to the internet. I do not want these ACLs to disrupt other inter-VLAN traffic; the networks for VLAN 1 and 4 need to have no interruption. Here is the config I have programmed; does it look correct?
!
interface vlan 1
description Customer_Lan
ip address 192.168.2.1 255.255.255.0
ip dhcp relay destination 192.168.2.5
ip access-policy Private
ip route-cache express
no shutdown
!
interface vlan 3
description Guest-Wireless
ip address 192.168.3.1 255.255.255.0
ip access-policy Private
ip route-cache express
no shutdown
!
interface vlan 4
description Voice
ip address 192.168.4.1 255.255.255.0
ip route-cache express
no shutdown
!
interface vlan 24
description INET
ip address XX.XX.XX.XX 255.255.255.248
ip access-policy Public
ip route-cache express
no shutdown
!
!
!
!
!
!
!
ip access-list standard PUBLIC
permit any
!
!
ip access-list extended Block_Vlan_3
deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
permit ip any any
!
ip access-list extended self
remark Traffic to NetVanta
permit ip any any log
!
ip policy-class Private
allow list Block_3
nat source list wizard-ics interface vlan 24 overload
allow list self self
!
ip policy-class Public
allow list PUBLIC
!
!
Thanks!
You're making it a bit more difficult than it needs to be.
ip access-list extended restrict-3-list
deny ip any 192.168.1.0 0.0.0.255
deny ip any 192.168.2.0 0.0.0.255
deny ip any 192.168.4.0 0.0.0.255
permit ip any any
Alternatively, if you'll be adding other 192.168.x.x subnets in the future...
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
ip policy-class vlan-3-policy
allow list restrict-3-list
nat source list wizard-ics interface vlan 24 overload
!
interface vlan 3
description Guest-Wireless
ip address 192.168.3.1 255.255.255.0
ip access-policy vlan-3-policy
ip route-cache express
no shutdown
!
I'd leave off the "allow list self self" unless you want to grant access to the Adtran device to your guest wireless users.
You can probably get away with just putting VLAN 3 in a separate policy-class from "Private" with no ACL at all, as traffic between classes is denied by default, but adding the ACL gives additional security.