Cisco – Segregate Cisco network using ACLs


I am using a Cisco 1841 router and I have 2 sub interfaces configured. F0/1.10 and 1.20.

I would like to stop the devices on VLAN 10 accessing VLAN 20 and vice versa.

VLAN 10 is on 10.10.10.1 and VLAN 20 is on 10.10.20.1.

I have configured the following access control lists:

access-list 19 deny 10.10.10.0 0.0.0.255
access-list 19 permit any

access-list 29 deny 10.10.20.0 0.0.0.255
access-list 29 permit any

And applied them to the outbound side of the sub-interfaces:

interface f0/1.10
ip access-group 29 out

interface f0/1.20
ip access-group 19 out

The trouble is I can still ping across the networks.

Any help greatly appreciated; the full configuration is below if you need it.

Thanks,

Full config:

service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.201 10.10.10.255
ip dhcp excluded-address 10.10.20.201 10.10.20.255
!
ip dhcp pool 10.10.10.0/24
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool 10.10.20.0/24
 network 10.10.20.0 255.255.255.0
 default-router 10.10.20.1
 dns-server 8.8.8.8 8.8.4.4
!
!
vpdn enable
!
!
interface FastEthernet0/0
 description Fibre WAN Interface
 no ip address
 ip broadcast-address 0.0.0.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mroute-cache
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface FastEthernet0/1
 description LAN Interface
 no ip address
 ip broadcast-address 10.10.10.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1.10
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
 ip access-group 29 out
 ip nat inside
 no cdp enable
!
interface FastEthernet0/1.20
 encapsulation dot1Q 20
 ip address 10.10.20.1 255.255.255.0
 ip access-group 19 out
 ip nat inside
 no cdp enable
!
interface Serial0/0/0
 no ip address
 ip broadcast-address 0.0.0.0
 shutdown
 no fair-queue
 clock rate 2000000
!
interface Dialer1
 description ADSL WAN Dialer
 ip address negotiated
 no ip unreachables
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 1452
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp chap hostname bne001-indigointegrated@surfdsluk
 ppp chap password 0 T57Gfc09Hjd5SQw
 ppp ipcp route default
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source list 10 interface Dialer1 overload
!
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 10 permit 10.10.20.0 0.0.0.255
access-list 19 deny   10.10.10.0 0.0.0.255
access-list 19 permit any
access-list 20 permit 10.10.10.0 0.0.0.255
access-list 29 deny   10.10.20.0 0.0.0.255
access-list 29 permit any
dialer-list 1 protocol ip permit
no cdp run

control-plane

line con 0
line aux 0
line vty 0 4
 access-class 20 in
 login
!
scheduler allocate 20000 1000
end

Best Answer

You're using a standard access list, so only source addresses are referenced. Going out of VLAN 10, for example, your source addresses are 10.10.10.0, but its access list has 10.10.20.0, which won't match and doesn't do what you think.

You need extended access lists to specify the destinations, which is one option keeping with the access-list idea.

access-list 119 deny ip any 10.10.10.0 0.0.0.255
access-list 119 permit ip any any
access-list 129 deny ip any 10.10.20.0 0.0.0.255
access-list 129 permit ip any any

  • Standard IP ACLs: 1 to 99 and 1300 to 1999
  • Extended IP ACLs: 100 to 199 and 2000 to 2699

Another option if you need complete routing isolation between interfaces is to use VRF-lite if your software supports it.
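To make the standard-versus-extended distinction concrete, here is an added Python model (not code from the thread) of how IOS walks the numbered ACLs quoted above: entries are tested in order, the first match decides, an implicit deny closes the list, and a standard list compares only the packet's source while an extended list compares source and destination. It assumes only the entry forms shown on the page (`any`, network plus wildcard) plus `host`.

```python
import ipaddress

# Constructed model of Cisco IOS numbered-ACL evaluation (not the router's own code).
ANY = ("0.0.0.0", "255.255.255.255")

def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a wildcard bit of 1 means 'do not compare this bit'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

def _spec(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acl(lines):
    """Parse 'access-list N permit|deny ...' lines into (action, src, dst) entries.
    Numbers 1-99 and 1300-1999 are standard (source only);
    100-199 and 2000-2699 are extended (protocol, source, destination)."""
    entries = []
    for line in lines:
        t = line.split()
        number, action = int(t[1]), t[2]
        if number <= 99 or 1300 <= number <= 1999:
            src, _ = _spec(t[3:])              # standard: no protocol, no destination
            entries.append((action, src, ANY))
        else:
            src, rest = _spec(t[4:])           # t[3] is the protocol keyword, e.g. "ip"
            dst, _ = _spec(rest)
            entries.append((action, src, dst))
    return entries

def evaluate(entries, src, dst):
    """Return 'permit' or 'deny' for a packet with the given source and destination."""
    for action, (sn, sw), (dn, dw) in entries:
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action
    return "deny"                              # implicit deny at the end of every IOS ACL

# The asker's standard list and the answer's extended list, in IOS syntax.
ACL_19 = parse_acl(["access-list 19 deny 10.10.10.0 0.0.0.255",
                    "access-list 19 permit any"])
ACL_119 = parse_acl(["access-list 119 deny ip any 10.10.10.0 0.0.0.255",
                     "access-list 119 permit ip any any"])

if __name__ == "__main__":
    for name, acl in (("19 (standard)", ACL_19), ("119 (extended)", ACL_119)):
        for src, dst in (("10.10.10.5", "10.10.20.5"), ("10.10.20.5", "10.10.10.5"),
                         ("10.10.20.5", "8.8.8.8")):
            print(f"ACL {name}: {src} -> {dst}: {evaluate(acl, src, dst)}")
```

Running it shows that ACL 19 decides purely on the source (a 10.10.10.x packet is denied whatever its destination, a 10.10.20.x packet is permitted even when bound for VLAN 10), whereas ACL 119 denies only packets addressed to 10.10.10.0/24 and still lets VLAN 20 reach the Internet.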