Community
Switches, Hubs, and Modems
cancel
turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ACL's over to subnet's help needed!!!!!

SOLVED
Go to solution
Luke Cameron
Luke Cameron
Occasional Advisor

‎08-04-2010 12:46 AM

‎08-04-2010 12:46 AM

ACL's over to subnet's help needed!!!!!

Hi,
I have been working with Procuvre for a couple of years now doing basic network stuff, but I want to setup ACL's for a new wireless project I have on.

I am still reading about ACL's and how they work but thought I post to see if some can lend a hand.

I have a 8212 on one site with a Cisco 4506 on the other and there is a Layer 3 interface setup between the two.

Both switches have VLAN 323 allocated to them for the wireless.

They have different subnets but want them to see each other but not the rest of the network.

Subnet1 172.26.32.0/20
Subnet2 172.26.48.0/20

Can any one help me set this up or give me some pointers.
0 Kudos
9 REPLIES
Steffen Frederiksen
Steffen Frederiksen
Advisor

‎08-04-2010 01:02 AM

‎08-04-2010 01:02 AM

Re: ACL's over to subnet's help needed!!!!!

I'm not sure that I understand your question..

access-list 101 permit ip host (type ip) host (type ip)

access-list 101 deny any any

Regards, Steffen.
0 Kudos
Luke Cameron
Luke Cameron
Occasional Advisor

‎08-04-2010 01:14 AM

‎08-04-2010 01:14 AM

Re: ACL's over to subnet's help needed!!!!!

Hi Stephen,
I have two Core switches on two sites.

Site 1,
8212 - VLAN 323
Subnet 172.26.32.0/20

Layer 3 routed connection between sites.

Site 2
Cisco 4506 - VLAN 323
Subnet 172.26.48.0/20

Does that help?

Luke
0 Kudos
Steffen Frederiksen
Steffen Frederiksen
Advisor

‎08-04-2010 02:03 AM

‎08-04-2010 02:03 AM

Re: ACL's over to subnet's help needed!!!!!

Yes, now i can imagine the setup :-)

You want the Core switches to be able to communicate with each other, but not the clients on the subnets - it that understood correct?

If so..
Why do you only want to Cores switches to communicate with each other
0 Kudos
Luke Cameron
Luke Cameron
Occasional Advisor

‎08-04-2010 02:05 AM

‎08-04-2010 02:05 AM

Re: ACL's over to subnet's help needed!!!!!

No I want two wifi networks to talk to each other over the two cores but dont want them to talk to the rest of the network its going to be for a student hot spot.
0 Kudos
Steffen Frederiksen
Steffen Frederiksen
Advisor

‎08-04-2010 02:55 AM

‎08-04-2010 02:55 AM

Solution

Re: ACL's over to subnet's help needed!!!!!

Okay.

On the router or layer 3 switch that are holding the subnet 172.26.32.0/20 I would do the following:

access-list 101 permit ip 172.26.32.0 0.0.15.255 172.26.48.0 0.0.15.255
access-list 101 deny ip any any (implicit)

and for the 172.26.48.0/20 subnet
access-list 101 permit ip 172.26.48.0 0.0.15.255 172.26.32.0 0.0.15.255
access-list 101 deny ip any any (implicit)

And the put the access-list on the interface on the wireless LAN interface i Outbound direction. It think It will work. Then the subnet is only allow to communication in Outbound direction if the communication is directed to the other wireless subnet.

regards.
0 Kudos
Steffen Frederiksen
Steffen Frederiksen
Advisor

‎08-04-2010 02:57 AM

‎08-04-2010 02:57 AM

Re: ACL's over to subnet's help needed!!!!!

But you maybe want to allow some internet access also? huh.. :-)
0 Kudos
Luke Cameron
Luke Cameron
Occasional Advisor

‎08-04-2010 02:58 AM

‎08-04-2010 02:58 AM

Re: ACL's over to subnet's help needed!!!!!

Looks like my theory was correct because I came up with the same when reading more into it I have a test system here so I will try it, thanks for your help.
0 Kudos
Luke Cameron
Luke Cameron
Occasional Advisor

‎08-05-2010 02:39 AM

‎08-05-2010 02:39 AM

Re: ACL's over to subnet's help needed!!!!!

Stephen, good news got it all working in test environment I understand it a lot better now as well. Thanks for all your help.

Luke
0 Kudos
Luke Cameron
Luke Cameron
Occasional Advisor

‎08-05-2010 02:40 AM

‎08-05-2010 02:40 AM

Re: ACL's over to subnet's help needed!!!!!

I have commented above this is the config I am using.

ip access-list extended "100"
remark "For Student Net Restictions"
permit ip 172.26.48.0 0.0.15.255 172.26.32.0 0.0.15.255
permit ip 172.26.48.0 0.0.15.255 172.26.48.0 0.0.15.255
deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit

ip access-list extended "100"
remark "For Students Net Restictions"
permit ip 172.26.32.0 0.0.15.255 172.26.48.0 0.0.15.255
permit ip 172.26.32.0 0.0.15.255 172.26.32.0 0.0.15.255
deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit

Between two switches.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.