Hi!
This is driving me nuts, hopefully someone can clear things up here...
I have set up 4 vlans, each vlan is a customer network, using the 3560 as default gateway.
Customers should be able to talk to each other, BUT only through certain (TCP) ports, like smtp, www, https, dns, ftp...
I'm controlling this with access-lists.
Now here is the config:
(permit ip any any is there because they must be able to use the internet)
interface Vlan11
ip address 172.16.11.1 255.255.255.0
ip access-group whiskey out
!
interface Vlan10
ip address 172.16.10.1 255.255.255.0
ip access-group lollipop out
!
interface Vlan8
ip address 172.16.8.1 255.255.255.0
ip access-group cheddar out
!
interface Vlan192
ip address 192.168.192.1 255.255.255.0
ip access-group popcorn out
!
ip access-list extended popcorn
permit ip 192.168.192.0 0.0.0.255 any
deny tcp 172.16.0.0 0.0.255.255 any neq smtp ftp
deny udp 172.16.0.0 0.0.255.255 any neq ntp
deny icmp 172.16.0.0 0.0.255.255 any
permit ip any any
!
ip access-list extended cheddar
permit ip 172.16.8.0 0.0.0.255 any
deny tcp 192.168.0.0 0.0.255.255 any neq smtp ftp
deny udp 192.168.0.0 0.0.255.255 any neq ntp
deny icmp 192.168.0.0 0.0.255.255 any
deny tcp 172.16.0.0 0.0.255.255 any neq smtp ftp
deny udp 172.16.0.0 0.0.255.255 any neq ntp
deny icmp 172.16.0.0 0.0.255.255 any
permit ip any any
!
ip access-list extended lollipop
permit ip 172.16.10.0 0.0.0.255 any
deny tcp 192.168.0.0 0.0.255.255 any neq smtp ftp
deny udp 192.168.0.0 0.0.255.255 any neq ntp
deny icmp 192.168.0.0 0.0.255.255 any
deny tcp 172.16.0.0 0.0.255.255 any neq smtp ftp
deny udp 172.16.0.0 0.0.255.255 any neq ntp
deny icmp 172.16.0.0 0.0.255.255 any
permit ip any any
!
ip access-list extended whiskey
permit ip 172.16.11.0 0.0.0.255 any
deny tcp 192.168.0.0 0.0.255.255 any neq smtp ftp
deny udp 192.168.0.0 0.0.255.255 any neq ntp
deny icmp 192.168.0.0 0.0.255.255 any
deny tcp 172.16.0.0 0.0.255.255 any neq smtp ftp
deny udp 172.16.0.0 0.0.255.255 any neq ntp
deny icmp 172.16.0.0 0.0.255.255 any
permit ip any any
!
Customer Whiskey should be able to surf to Popcorn's webserver. Customer Popcorn should be able to surf to Whiskey's webserver, and all neq ports should be open to everyone!
The lists should be as dynamic as possible, for future customers.
Any super ideas?
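As an added example (not code from the original post), the script below is a small first-match evaluator for IOS extended ACLs of the shape posted above. It embeds a constructed copy of the popcorn and whiskey lists (with the ntp rule written as udp), then traces both directions of a Whiskey-to-Popcorn web session through the two outbound ACLs. The hosts 172.16.11.10 and 192.168.192.80 and the client port 51000 are assumed values for the demonstration.

```python
import ipaddress

# IOS port keywords used in the post (a subset of the names IOS accepts).
PORT_NAMES = {"ftp": 21, "smtp": 25, "domain": 53, "www": 80, "ntp": 123, "https": 443}

# Constructed copy of the post's popcorn (outbound on Vlan192) and whiskey
# (outbound on Vlan11) lists. The ntp rule is written as udp because NTP is UDP.
ACL_TEXT = """
ip access-list extended popcorn
 permit ip 192.168.192.0 0.0.0.255 any
 deny tcp 172.16.0.0 0.0.255.255 any neq smtp ftp
 deny udp 172.16.0.0 0.0.255.255 any neq ntp
 deny icmp 172.16.0.0 0.0.255.255 any
 permit ip any any
!
ip access-list extended whiskey
 permit ip 172.16.11.0 0.0.0.255 any
 deny tcp 192.168.0.0 0.0.255.255 any neq smtp ftp
 deny udp 192.168.0.0 0.0.255.255 any neq ntp
 deny icmp 192.168.0.0 0.0.255.255 any
 deny tcp 172.16.0.0 0.0.255.255 any neq smtp ftp
 deny udp 172.16.0.0 0.0.255.255 any neq ntp
 deny icmp 172.16.0.0 0.0.255.255 any
 permit ip any any
"""


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_acls(text):
    """Return {acl_name: [entry, ...]} for every 'ip access-list extended' block."""
    acls, current = {}, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok[:3] == ["ip", "access-list", "extended"]:
            current = tok[3]
            acls[current] = []
            continue
        if current is None or tok[0] not in ("permit", "deny"):
            continue
        entry = {"action": tok[0], "proto": tok[1], "line": raw.strip()}
        i = 2
        for side in ("src", "dst"):          # each side: any | host A | net wildcard
            if tok[i] == "any":
                entry[side], i = (0, 0xFFFFFFFF), i + 1
            elif tok[i] == "host":
                entry[side], i = (_ip(tok[i + 1]), 0), i + 2
            else:
                entry[side], i = (_ip(tok[i]), _ip(tok[i + 1])), i + 2
        # Optional destination-port operator. 'neq' with several ports matches a
        # packet whose destination port is none of them.
        entry["op"] = tok[i] if i < len(tok) and tok[i] in ("eq", "neq") else None
        entry["ports"] = {_port(p) for p in tok[i + 1:]} if entry["op"] else set()
        acls[current].append(entry)
    return acls


def _matches(addr, net_wild):
    net, wild = net_wild
    keep = ~wild & 0xFFFFFFFF            # wildcard bits set to 1 are "don't care"
    return (addr & keep) == (net & keep)


def evaluate(entries, proto, src, dst, dport=None):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    s, d = _ip(src), _ip(dst)
    for e in entries:
        if e["proto"] != "ip" and e["proto"] != proto:
            continue
        if not (_matches(s, e["src"]) and _matches(d, e["dst"])):
            continue
        if e["op"] == "eq" and dport not in e["ports"]:
            continue
        if e["op"] == "neq" and dport in e["ports"]:
            continue
        return e["action"], e["line"]
    return "deny", "implicit deny"


def trace_tcp_session(acls, client, server, dport, acl_to_server, acl_to_client):
    """Evaluate the client's SYN and the server's reply against the two outbound
    ACLs they cross. The client's ephemeral port 51000 is a constructed value."""
    forward = evaluate(acls[acl_to_server], "tcp", client, server, dport)
    back = evaluate(acls[acl_to_client], "tcp", server, client, 51000)
    return {"forward": forward, "return": back}


if __name__ == "__main__":
    acls = parse_acls(ACL_TEXT)
    # Whiskey client 172.16.11.10 talking to Popcorn server 192.168.192.80 (assumed hosts).
    for name, port in (("http", 80), ("smtp", 25)):
        print(name, trace_tcp_session(acls, "172.16.11.10", "192.168.192.80", port, "popcorn", "whiskey"))
```

Two things fall out of the trace. First, `neq smtp ftp` denies every TCP destination port except 25 and 21, so http (80) from Whiskey is dropped on the way out of Vlan192. Second, even for smtp, where the SYN is permitted, the server's reply leaves Vlan11 with a 192.168.192.x source and an ephemeral destination port, so it hits `deny tcp 192.168.0.0 0.0.255.255 any neq smtp ftp` and the session never completes. These ACLs are stateless; to let replies through, the TCP deny lines need a preceding `permit tcp ... established` (matches segments with ACK or RST set) or a reflexive ACL, or the inter-customer filtering has to move to a stateful device.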