Cisco IOS: Segregating VLANS

ios vlan access-control-list cisco

I am trying to segregate the traffic on the VLANs, as one is our visitor VLAN (VLAN 3 is the guest lan). It is a Cisco 881W router.

Here is my VLAN configuration:

interface Vlan2
 ip address 10.10.100.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
!
interface Vlan3
 ip address 10.100.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
!

Here are my ACLs

access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 10.10.10.0 0.0.0.255
access-list 3 remark CCP_ACL Category=2
access-list 3 permit 10.10.100.0 0.0.0.255
access-list 4 remark CCP_ACL Category=2
access-list 4 permit 10.100.10.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 70.22.148.0 0.0.0.255 any
access-list 101 permit ip 10.100.10.0 0.0.0.255 10.100.10.0 0.0.0.255
access-list 101 deny   icmp 10.100.10.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 101 deny   ip 10.100.10.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 102 permit ip host 255.255.255.255 any

As soon as I add ip access-group 101 in to VLAN 3, VLAN 3 can no longer get out of the router. VLAN 3 can ping the router via 10.100.10.1, and 10.10.100.* is no longer pingable from VLAN 3 (Desired).

Update: I also had to add

access-list 10 permit udp any any eq bootpc
access-list 10 permit udp any any eq bootps

To make DHCP work


To address your issue of not being able to get out to the Internet, you do not have an allow rule allowing 10.100.10.0/24 to 0.0.0.0/0. If you simply want to deny access to the 10.10.100.0/24 network from the 10.100.10.0/24 network, you want your access list to work like this (in this order):

1) Deny 10.100.10.0 0.0.0.255 10.10.100.0 0.0.0.255 2) Permit 10.100.10.0 0.0.0.255 any


As a disclaimer I am not familiar with zone security. However it does look like at a glance you are permiting ICMP (pings) with that.

If you intent is to block the pings with your ACLs you will have to actually apply those ACLs to an interface with a command like: ip access-group 101 in while in the configuration area of a particular vlan.

Related

Unable to upload file FTP
able to dig a hostname but doesn't resolve via ssh or ping
Real-time website traffic monitoring for operations teams
SQL Server 2008 R2 Express + Wildcard SSL Certificate
How to Tell Whether a site is using Akamai Networks
Apache: redirect subfolder to another IP in the LAN
Should a call to SVNSYNC be blocking or not in a post-commit hook?
Virtualbox host to guest networking with NAT enabled
Automated install of Lucid guests on Lucid KVM Server
Parse HTTP requests through Wireshark?
How to add HP 64 bit printers for printers that use universal printer driver to server 2003
What group does a package belong to?