  • ACL query

    I'm redesigning a network for a client....

    They need a separate guest wifi network and a corporate network.
    Let's say guest is 192.168.20.0/25 and Corp is 192.168.0.0/24.

    There'll be a Netgear JGS24 unmanaged switch, and probably a Cisco SF/SG200 24 port managed switch.
    We're sticking with a single, flat VLAN for many reasons.

    Will cascade the JGS to port 23 on the SF200.
    Will connect port 24 on the SF200 to a router - likely an 887 Sec-K9.

    So I've got two subnets, 192.168.0.0/24 and 192.168.20.0/24.
    I don't want 192.168.20.0 to be able to access 0.0 at all.
    I do want them to be able to access the internet.


    On the router:

    conf t
    interface FastEthernet0          ! or whichever interface faces the LAN switch
     ip address 192.168.0.1 255.255.255.0
     ip address 192.168.20.1 255.255.255.128 secondary
    !
    ip access-list extended Wifi
     ! "deny ip" takes no trailing "any": source and destination are already specified
     deny ip 192.168.20.0 0.0.0.127 192.168.0.0 0.0.0.255
     deny tcp 192.168.20.0 0.0.0.127 192.168.0.0 0.0.0.255
     deny icmp 192.168.20.0 0.0.0.127 192.168.0.0 0.0.0.255
     ! every IOS ACL ends in an implicit "deny ip any any"; without a permit
     ! the guest network gets no internet access either
     permit ip any any
    !
    interface FastEthernet0
     ! an ACL is applied with "ip access-group" (ACL names are case-sensitive)
     ip access-group Wifi in
     ip access-group Wifi out


    Would this, more or less, achieve my aim? (I'll worry more about the other entries later - my big concern is making sure a wifi network can't access a corp network.)
    Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif

  • #2
    Re: ACL query

    I'm trying to use Packet Tracer to do this.
    And wouldn't you know it, it doesn't support ip address secondary.

    So I'm trying to do it by creating two interfaces on the router.. eventually, I have my ACLs working..
    I'm sure I have more to build.. but it'll do for now.



    • #3
      Re: ACL query

      ip access-list extended Wifi
       deny ip 192.168.20.0 0.0.0.127 192.168.0.0 0.0.0.255
       deny tcp 192.168.20.0 0.0.0.127 192.168.0.0 0.0.0.255
       deny icmp 192.168.20.0 0.0.0.127 192.168.0.0 0.0.0.255

      The first ACE (the deny ip line) takes care of guest to corp segment. You can drop the other 2 lines as they are redundant (IP takes care of tcp, udp, icmp etc....). You may have to add some permits for DNS, DHCP depending on how those clients are being addressed/resolved. If the router supports it I would consider using zone based firewall for traffic inspection.

      I only use secondary addressing as a last resort. I would do sub-interfaces on the router. This config however would segment into separate vlans. No reason not to use vlans to provide segregation of the two networks at layer 2, then the acl covers layer 3.

      int fa0/0
      no shut

      int fa0/0.10
      encapsulation dot1q 10
      ip address x.x.x.x y.y.y.y

      int fa0/0.20
      encapsulation dot1q 20
      ip address x.x.x.x y.y.y.y

      Then just trunk those vlans to your switch. Your cisco is a managed switch so create your vlans on that. Since the other switch is unmanaged, create an access port for the guest network on the managed switch and plug your other unmanaged switch into that port (No trunk, just an access port)


      Also, come to think about it, if you used Zone Based Policy Firewall you wouldn't need ACLs. Just create zone pairs corp to outside and guest to outside and configure your policies. Traffic can't be forwarded between zones without a zone pair.
      Last edited by auglan; 11th September 2012, 13:32.
      CCNA, CCNA-Security, CCNP
      CCIE Security (In Progress)
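Added example (not from the thread or any Cisco tool) that evaluates the "Wifi" ACL the way IOS does, first match wins with an implicit deny at the end, against constructed sample flows. It shows why the tcp and icmp ACEs in post #3 are redundant (they are shadowed by the deny ip ACE), that without a permit the guest segment loses internet access too, and that the 0.0.0.127 wildcard only covers the lower /25 of 192.168.20.0/24, so hosts above .127 are not caught by the deny. The ACE table and flows are constructed for illustration.

```python
import ipaddress

# Constructed ACL table mirroring the thread's "Wifi" ACL:
# (action, protocol, src, src-wildcard, dst, dst-wildcard).
# Cisco wildcard bits: 0 = must match, 1 = don't care.
WIFI_ACL = [
    ("deny", "ip",   "192.168.20.0", "0.0.0.127", "192.168.0.0", "0.0.0.255"),
    ("deny", "tcp",  "192.168.20.0", "0.0.0.127", "192.168.0.0", "0.0.0.255"),
    ("deny", "icmp", "192.168.20.0", "0.0.0.127", "192.168.0.0", "0.0.0.255"),
]
ANY = ("0.0.0.0", "255.255.255.255")
# Same ACL with the "permit ip any any" the thread says is still to be added.
WIFI_ACL_WITH_PERMIT = WIFI_ACL + [("permit", "ip", *ANY, *ANY)]

def _i(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    """True if addr falls in base/wildcard (bits set in the wildcard are ignored)."""
    care = ~_i(wildcard) & 0xFFFFFFFF
    return _i(addr) & care == _i(base) & care

def evaluate(acl, proto, src, dst):
    """First-match evaluation. Returns (action, index) of the matching ACE,
    or ('deny', None) for the implicit deny that ends every IOS ACL."""
    for idx, (action, aproto, sb, sw, db, dw) in enumerate(acl):
        if aproto not in ("ip", proto):   # "ip" ACEs match every protocol
            continue
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action, idx
    return "deny", None

def shadowed(acl):
    """Indices of ACEs that can never match because an earlier ACE covers them."""
    def covers(a, b):  # does ACE a match everything ACE b matches?
        if a[1] not in ("ip", b[1]):
            return False
        for base_a, wild_a, base_b, wild_b in ((a[2], a[3], b[2], b[3]),
                                               (a[4], a[5], b[4], b[5])):
            if _i(wild_b) & ~_i(wild_a) & 0xFFFFFFFF:  # b is looser than a somewhere
                return False
            if not wildcard_match(base_b, base_a, wild_a):
                return False
        return True
    return [j for j in range(len(acl)) if any(covers(acl[i], acl[j]) for i in range(j))]

if __name__ == "__main__":
    print(evaluate(WIFI_ACL, "icmp", "192.168.20.10", "192.168.0.5"))          # ('deny', 0)
    print(evaluate(WIFI_ACL, "tcp", "192.168.20.10", "198.51.100.7"))          # ('deny', None)
    print(evaluate(WIFI_ACL_WITH_PERMIT, "tcp", "192.168.20.130", "192.168.0.5"))  # ('permit', 3)
    print(shadowed(WIFI_ACL))                                                  # [1, 2]
```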



      • #4
        Re: ACL query

        The reason I've tried to stay away from VLANs is the convolution within the network.

        Somewhere along the line, they have wireless bridge, that creates a wireless link between the two buildings.
        On the other side of that link, is a dumb switch, with a Guest Wifi point, and another device that needs to be on the Corp network.

        The wifi devices don't support vlan tagging - they are fairly dumb APs as well.
        (DHCP is on, or off. Can't specify a forwarder for instance)

        So we'd need to either buy another VLAN-capable switch for the remote side (more expense) or an AP that is capable of running VLANs.
        But even then, I'd need two VLANs coming across that link, one device which wouldn't be tagged, and one which would.. so I can't figure out how to make that work easily.



        Can't do sub-interfaces without VLANs, I guess?



        • #5
          Re: ACL query

          Can't do sub-interfaces without VLANs, I guess?
          Unfortunately not. The VLAN has to be specified under the sub-interface to let the router know what VLAN it's encapsulating.
