ACL to EXOS and EIGRP Newbie

martinj
New Contributor
Hello,
I'm converting a Cisco 2911 router to an Extreme 440-24t. I've never created an access list or even worked with one. The router currently has the following. I also don't know what to do with the EIGRP and whether I need to convert that as well.

router eigrp 99
network 10.76.0.0 0.0.0.255
network 10.76.22.0 0.0.0.255
network 172.16.0.0
network 192.168.22.0
!
ip forward-protocol nd
!
ip http server
ip http secure-server
!
!
access-list 50 permit 192.168.0.0 0.0.255.255
access-list 50 permit 10.76.0.0 0.0.0.255
access-list 101 deny ip any 172.16.0.0 0.0.255.255
access-list 101 permit ip any any
access-list 102 permit ip any 172.16.0.0 0.0.255.255
access-list 102 permit ip any 10.243.4.0 0.0.1.255

martinj
New Contributor
Thanks, I tried putting in:

configure iproute add 0.0.0.0 0.0.0.0 10.76.0.22 <- IP of the Century router
enable ipforwarding <--- enables routing on all VLANs

but I get an error: "Invalid null netmask detected at '^' marker."

It's showing the marker at the start of the second 0.0.0.0.

FredrikB
Contributor II
Hi!

OK, for a basic setup, you need three VLANs:

create vlan admin
configure vlan admin tag 10
configure vlan admin ipaddress 10.76.22.1 255.255.255.0

create vlan controls
configure vlan controls tag 20
configure vlan controls ipaddress 172.16.22.1 255.255.254.0

create vlan century
configure vlan century tag 30
configure vlan century ipaddress 10.76.0.xx 255.255.255.0 <- need correct IP here (are you .22 and Century some other IP?)

configure iproute add default 10.76.0.22 <- IP of the Century router ("default" or 0.0.0.0/0 is the EXOS form; "0.0.0.0 0.0.0.0" is rejected with a null-netmask error)
enable ipforwarding <--- enables routing on all VLANs

Add ports to the VLANs (examples, use your own port assignments as needed):

configure vlan admin add ports 1-10 untagged
configure vlan controls add ports 11-20 untagged
configure vlan century add ports 24 untagged

In case you need tagged ports with, say, admin and controls for trunking those to another switch:
configure vlan admin add ports 22-23 tagged
configure vlan controls add ports 22-23 tagged

I am assuming this is how the network is supposed to be connected:

admin------ Extreme ---- Century router ---- Internet
controls---- X440

What I didn't get was which IP addresses you use for the X440-to-Century connection. I assume this:

- Century router has IP 10.76.0.22/24 on the interface towards the X440
- X440 should have another address in that subnet, designated 10.76.0.xx/24 above

This should work, but will not stop the controls network from reaching the Internet. For that you need a policy.

After testing the basic setup (please do that first so you know the basics work), you need a policy (ACL) that denies traffic from VLAN controls to the Internet.

edit policy deny-controls-internet

i (to enable editing; it is an ugly vi editor monstrosity)

[Paste the text below into the editor]

# Policy for denying traffic from Controls to the Internet
entry permit-controls-admin {
    if {
        source-address 172.16.22.0/23;
        destination-address 10.76.22.0/24;
    } then {
        permit;
    }
}

# Keep controls hosts able to reach each other and their gateway (172.16.22.1).
# A VLAN ACL is evaluated on every ingress packet, switched or routed, so
# without this entry the deny below would also block intra-VLAN traffic.
entry permit-controls-local {
    if {
        source-address 172.16.22.0/23;
        destination-address 172.16.22.0/23;
    } then {
        permit;
    }
}

entry deny-controls-Internet {
    if {
        source-address 172.16.22.0/23;
    } then {
        deny;
    }
}

Quit the ugly vi-like editor with Esc and then ZZ (Shift+Z twice) or Esc :w (I think; check).

Apply the policy to the VLANs:

configure access-list deny-controls-internet vlan controls

This applies the policy/ACL to the VLAN controls and will have no effect on other VLANs.

If all is good, you're done!

I did this as a dry-run, no testing, so if not all is correct, please forgive me 😉

/Fredrik
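To make the conversion the thread title asks about concrete, here is an added example (mine, not code from the thread or from Extreme): a small Python script that turns the Cisco IOS access-lists from the original post into EXOS policy files in the entry/if/then syntax shown above. It converts wildcard masks to prefix lengths (0.0.255.255 becomes /16, 0.0.1.255 becomes /23), keeps first-match order, and, because a Cisco ACL ends in an implicit deny while an EXOS policy forwards a packet that matches no entry, appends an explicit catch-all deny wherever the Cisco list does not already end in a catch-all line. The entry names (acl101_1 and so on), the use of `if match all`, and the sample input pasted in as CISCO_ACL are my assumptions. The script does not know where each Cisco list was applied (the snippet in the question does not show that), so binding each generated policy to a VLAN or port with `configure access-list <policy> vlan <vlan>` remains a manual decision; non-contiguous wildcard masks, which have no prefix equivalent, are rejected rather than guessed.

```python
import ipaddress
import re

# Constructed sample input: the six Cisco IOS access-list lines from the
# original post, pasted here so the script runs offline.
CISCO_ACL = """\
access-list 50 permit 192.168.0.0 0.0.255.255
access-list 50 permit 10.76.0.0 0.0.0.255
access-list 101 deny ip any 172.16.0.0 0.0.255.255
access-list 101 permit ip any any
access-list 102 permit ip any 172.16.0.0 0.0.255.255
access-list 102 permit ip any 10.243.4.0 0.0.1.255
"""

IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def wildcard_to_cidr(addr, wildcard):
    """Convert a Cisco 'address wildcard' pair to CIDR notation.

    A wildcard is an inverted mask: 0 bits must match, 1 bits are ignored.
    Only a run of low-order 1 bits maps to a prefix length; anything else
    (e.g. 0.0.255.0) is rejected rather than silently widened, because a
    wrong mask here becomes a wrong filter on the switch.
    """
    w = int(ipaddress.IPv4Address(wildcard))
    host_bits = w.bit_length()
    if w != (1 << host_bits) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard} has no CIDR equivalent")
    return str(ipaddress.ip_network(f"{addr}/{32 - host_bits}", strict=False))


def parse_address(tokens):
    """Consume one address spec from tokens; return a CIDR string or None for 'any'."""
    tok = tokens.pop(0)
    if tok == "any":
        return None
    if tok == "host":
        return wildcard_to_cidr(tokens.pop(0), "0.0.0.0")
    if tokens and IPV4.fullmatch(tokens[0]):
        return wildcard_to_cidr(tok, tokens.pop(0))
    return wildcard_to_cidr(tok, "0.0.0.0")  # bare address in a standard ACL = host


def parse_line(line):
    """Parse one 'access-list N permit|deny ...' line into a rule dict, or None."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list":
        return None
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    rule = {"acl": number, "action": action, "proto": None,
            "src": None, "dst": None, "dport": None}
    if number <= 99 or 1300 <= number <= 1999:  # standard ACL: source only
        rule["src"] = parse_address(rest)
    else:                                        # extended ACL: proto src dst [eq port]
        rule["proto"] = rest.pop(0)
        rule["src"] = parse_address(rest)
        rule["dst"] = parse_address(rest)
        if len(rest) >= 2 and rest[0] == "eq":
            rule["dport"] = rest[1]
    return rule


def render_entry(name, conds, action):
    """Render one EXOS policy entry; an empty condition block matches everything."""
    inner = "".join(f"        {c}\n" for c in conds)
    return (f"entry {name} {{\n    if match all {{\n{inner}"
            f"    }} then {{\n        {action};\n    }}\n}}")


def to_exos_policy(cisco_text):
    """Return {acl_number: policy_text}; entries keep Cisco's first-match order."""
    by_acl = {}
    for line in cisco_text.splitlines():
        rule = parse_line(line.strip())
        if rule:
            by_acl.setdefault(rule["acl"], []).append(rule)
    policies = {}
    for number, rules in by_acl.items():
        out = [f"# converted from Cisco access-list {number}"]
        for i, r in enumerate(rules, 1):
            conds = []
            if r["proto"] not in (None, "ip"):
                conds.append(f"protocol {r['proto']};")
            if r["src"]:
                conds.append(f"source-address {r['src']};")
            if r["dst"]:
                conds.append(f"destination-address {r['dst']};")
            if r["dport"]:
                conds.append(f"destination-port {r['dport']};")
            out.append(render_entry(f"acl{number}_{i}", conds, r["action"]))
        # Cisco ends every ACL with an implicit "deny any"; EXOS forwards a packet
        # that matches no entry. Append an explicit catch-all deny unless the last
        # Cisco line already is one, so the converted policy is not silently open.
        last = rules[-1]
        is_catch_all = (last["src"] is None and last["dst"] is None
                        and last["proto"] in (None, "ip") and last["dport"] is None)
        if not is_catch_all:
            out.append(render_entry(f"acl{number}_implicit_deny", [], "deny"))
        policies[number] = "\n".join(out) + "\n"
    return policies


if __name__ == "__main__":
    for number, text in sorted(to_exos_policy(CISCO_ACL).items()):
        print(text)
```

Each returned string is the body of one .pol file; paste it in with `edit policy` as described in the post above and run `check policy <name>` before binding it to a VLAN. Note that access-list 101 ends in `permit ip any any`, so its converted policy gets no trailing deny, while 50 and 102 do; whether the original router used list 50 as a traffic filter or as a match list for something else is not visible in the question, so check that before binding its converted form anywhere.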

martinj
New Contributor
vlan admin vid 10 10.76.22.1/24
vlan controls vid 20 172.16.22.1/23
century link router 10.76.0.22/24

I have DHCP set up as well for the controls VLAN; IPs would pick up 172.16.22.x, sub: 255.255.254.0, gw: 172.16.22.1.
VLAN admin: 10.76.22.x, sub: 10.76.22.1, gw: 10.76.22.1.
The admin VLAN (with internet) should be able to communicate with the controls VLAN, but the controls VLAN should not have internet access.

FredrikB
Contributor II
Ah, you said "We want admin vlan and the controls vlan to not have internet." Do you need routing between those VLANs? If so, you can use routing between the VLANs and an ACL to prevent the controls VLAN from reaching anything other than the admin VLAN.

If you provide the following, I might be able to help you:

IP, subnet and VLAN ID for the two VLANs
Router for Internet (default gateway)

/Fredrik

martinj
New Contributor
The only VLAN that would have internet would be the "admin" VLAN. The controls VLAN would be closed. Would I still need to look at the OSPF? I also tagged the port that the internet comes into the switch on, port 24, and put that port in a third VLAN called "clink".