Cisco IOS: Segregating VLANS
I am trying to segregate the traffic on the VLANs, as one is our visitor VLAN (VLAN 3 is the guest LAN). It is a Cisco 881W router.
Here is my VLAN configuration:
interface Vlan2
 ip address 10.10.100.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
!
interface Vlan3
 ip address 10.100.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
!
Here are my ACLs:
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 10.10.10.0 0.0.0.255
access-list 3 remark CCP_ACL Category=2
access-list 3 permit 10.10.100.0 0.0.0.255
access-list 4 remark CCP_ACL Category=2
access-list 4 permit 10.100.10.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 70.22.148.0 0.0.0.255 any
access-list 101 permit ip 10.100.10.0 0.0.0.255 10.100.10.0 0.0.0.255
access-list 101 deny icmp 10.100.10.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 101 deny ip 10.100.10.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 102 permit ip host 255.255.255.255 any
As soon as I add "ip access-group 101 in" to VLAN 3, VLAN 3 can no longer get out of the router. VLAN 3 can ping the router via 10.100.10.1, and 10.10.100.* is no longer pingable from VLAN 3 (desired).
Update: I also had to add
access-list 10 permit udp any any eq bootpc
access-list 10 permit udp any any eq bootps
to make DHCP work.
To address your issue of not being able to get out to the Internet, you do not have an allow rule allowing 10.100.10.0/24 to 0.0.0.0/0. If you simply want to deny access to the 10.10.100.0/24 network from the 10.100.10.0/24 network, you want your access list to work like this (in this order):
1) deny 10.100.10.0 0.0.0.255 10.10.100.0 0.0.0.255
2) permit 10.100.10.0 0.0.0.255 any
As a disclaimer, I am not familiar with zone security. However, at a glance it does look like you are permitting ICMP (pings) with that.
If your intent is to block the pings with your ACLs, you will have to actually apply those ACLs to an interface with a command like "ip access-group 101 in" while in the configuration area of a particular VLAN.
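As an added example (not from the question or the answer above), the following Python model applies Cisco IOS first-match ACL semantics, wildcard-mask matching and the implicit "deny ip any any" at the end of every list, to the poster's access-list 101 and to the deny-then-permit ordering the answer recommends. It shows why the original list drops everything except intra-VLAN traffic, and why a permit for DHCP has to sit in the list as well. The DHCP permit line, the sample flows and the addresses 10.100.10.50, 8.8.8.8 and 10.10.100.20 are assumptions constructed for this example; the router address 10.100.10.1 and the two ACL subnets are from the question.

```python
"""Model of Cisco IOS extended-ACL evaluation (first match wins, implicit
deny at the end).  Added example; not code from the original post."""
import ipaddress

# Poster's access-list 101 exactly as shown in the question.
ACL_ORIGINAL = """
permit ip 10.100.10.0 0.0.0.255 10.100.10.0 0.0.0.255
deny icmp 10.100.10.0 0.0.0.255 10.10.100.0 0.0.0.255
deny ip 10.100.10.0 0.0.0.255 10.10.100.0 0.0.0.255
"""

# Ordering from the answer (deny the inter-VLAN path, then permit any),
# with a DHCP permit in front so clients still at 0.0.0.0 can DISCOVER.
# The DHCP line is an assumption of this example, not from the page.
ACL_FIXED = """
permit udp any eq bootpc any eq bootps
deny ip 10.100.10.0 0.0.0.255 10.10.100.0 0.0.0.255
permit ip 10.100.10.0 0.0.0.255 any
"""

PORT_NAMES = {"bootps": 67, "bootpc": 68}
ANY = (0, 0xFFFFFFFF)  # base 0 with an all-ones wildcard matches everything


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' [eq PORT] at tokens[i].
    Returns ((base, wildcard), port_or_None, next_index)."""
    if tokens[i] == "any":
        spec, i = ANY, i + 1
    elif tokens[i] == "host":
        spec, i = (_ip(tokens[i + 1]), 0), i + 2
    else:
        spec, i = (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port, i = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1]), i + 2
    return spec, port, i


def parse_acl(text):
    """Parse extended-ACL entries of the form ACTION PROTO SRC [eq P] DST [eq P]."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        action, proto = tokens[0], tokens[1]
        src, sport, i = _parse_addr(tokens, 2)
        dst, dport, _ = _parse_addr(tokens, i)
        entries.append((action, proto, src, sport, dst, dport))
    return entries


def _addr_match(spec, addr):
    """IOS wildcard semantics: every bit that is 0 in the wildcard must match."""
    base, wildcard = spec
    return ((_ip(addr) ^ base) & ~wildcard & 0xFFFFFFFF) == 0


def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """Return (action, index of the matching entry).  An index of None means
    the packet fell through to the implicit 'deny ip any any'."""
    for idx, (action, p, s, sp, d, dp) in enumerate(acl):
        if p != "ip" and p != proto:
            continue
        if not (_addr_match(s, src) and _addr_match(d, dst)):
            continue
        if sp is not None and sp != sport:
            continue
        if dp is not None and dp != dport:
            continue
        return action, idx
    return "deny", None


# Constructed sample traffic from a guest host on VLAN 3.  Only the router
# address 10.100.10.1 comes from the question; the rest is made up here.
SAMPLE_FLOWS = {
    "guest->internet": ("tcp", "10.100.10.50", "8.8.8.8", 40000, 443),
    "guest->vlan2 ping": ("icmp", "10.100.10.50", "10.10.100.20"),
    "guest->router ping": ("icmp", "10.100.10.50", "10.100.10.1"),
    "dhcp discover": ("udp", "0.0.0.0", "255.255.255.255", 68, 67),
}


def compare(original=ACL_ORIGINAL, fixed=ACL_FIXED):
    """Map each sample flow to its verdict under the original and fixed ACL."""
    a, b = parse_acl(original), parse_acl(fixed)
    return {name: (evaluate(a, *flow)[0], evaluate(b, *flow)[0])
            for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:20s} original={before:6s} fixed={after}")
```

Two points the model makes visible: the original list has no entry matching guest-to-Internet traffic, so it hits the implicit deny, and a DHCP DISCOVER arrives from source 0.0.0.0, which no "10.100.10.0 0.0.0.255" entry can match, so the DHCP permit must be an explicit entry in the extended list applied to the interface (a standard ACL cannot match on protocol or port at all).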