2600 and bridging to enable access-list 700 groups (sorry for double post)

router 1:

 User Access Verification

Password:
cerberus>en
Password:
cerberus#sho run
Building configuration...

Current configuration : 4189 bytes
!
! Last configuration change at 23:51:43 UTC Fri Aug 24 2007
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname cerberus
!
no logging console
enable secret 5 $1$N98h$xx.dS1
enable password 7 xx
!
!
class-map ftp
 match access-group 142
class-map voice
 match access-group 105
!
!
policy-map voip
 class voice
  priority 256
 class class-default
  fair-queue
policy-map ftp-out
 class ftp
  priority 1000
 class class-default
  fair-queue
!
ip subnet-zero
no ip finger
no ip domain-lookup
!
no ip bootp server
!
!
!
interface FastEthernet0/0
 ip address 192.168.0.253 255.255.255.0
 ip helper-address 192.168.0.111
 ip nat inside
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
!
interface Serial0/0
 ip address 12.87.xx.xx 255.255.255.252
 ip access-group 125 in
 ip access-group 112 out
 ip nat outside
 encapsulation ppp
 service-policy output ftp-out
 service-module t1 timeslots 1-24
 service-module t1 remote-alarm-enable
 no cdp enable
!
interface FastEthernet0/1
 ip address 10.0.0.253 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
 no cdp enable
!
interface Serial0/1
 ip address 10.1.1.2 255.255.255.0
 ip nat inside
 encapsulation ppp
 service-policy output voip
 service-module t1 clock source internal
 no cdp enable
!
ip nat pool OVERLOAD 12.87.xx.xx 12.87.xx.xx netmask 255.255.255.252
ip nat pool warehouse 12.170.xx.xx 12.170.xx.xx netmask 255.255.255.252
ip nat inside source list 1 pool OVERLOAD overload
ip nat inside source list 2 pool warehouse overload
ip nat inside source static udp 10.0.0.254 5060 12.87.xx.xx 5060 extendable
ip nat inside source static udp 192.168.0.235 4326 12.87.xx.xx 4326 extendable
ip nat inside source static tcp 192.168.0.235 4326 12.87.xx.xx 4326 extendable
ip nat inside source static tcp 10.0.0.254 6600 12.87.xx.xx 6600 extendable
ip nat inside source static udp 10.0.0.254 6600 12.87.xx.xx 6600 extendable
ip nat inside source static tcp 192.168.0.3 3389 12.170.xx.xx 3389 extendable
ip nat inside source static tcp 192.168.0.199 443 12.170.xx.xx 443 extendable
ip nat inside source static udp 192.168.0.199 4500 12.170.xx.xx 4500 extendable
ip nat inside source static udp 192.168.0.199 500 12.170.xx.xx 500 extendable
ip nat inside source static tcp 192.168.0.111 22 12.170.xx.xx 22 extendable
ip nat inside source static tcp 192.168.0.111 80 12.170.xx.xx 80 extendable
ip nat inside source static tcp 10.0.0.254 22 12.87.xx.xx 22 extendable
ip nat inside source static tcp 10.0.0.254 80 12.87.xx.xx 80 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0 12.87.xx.xx name at&t
ip route 192.168.1.0 255.255.255.0 Serial0/1 10.1.1.1 permanent
no ip http server
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 105 remark VOIP (SIP/IAX/IAX2) traffic gets top priority (5)
access-list 105 permit udp any any eq 4569
access-list 105 permit udp any any eq 5004
access-list 105 permit udp any any eq 5036
access-list 105 permit udp any any eq 5060
access-list 105 permit ip host 10.0.0.254 any
access-list 105 permit ip any host 10.0.0.254
access-list 112 remark egress
access-list 112 deny ip host 192.168.1.188 any
access-list 112 deny ip host 192.168.1.101 any
access-list 112 deny ip host 192.168.1.5 any
access-list 112 deny ip host 192.168.1.13 any
access-list 112 permit ip any any
access-list 125 deny tcp any any eq telnet
access-list 125 deny tcp any any eq chargen
access-list 125 deny tcp any any eq ident
access-list 125 deny tcp any any eq nntp
access-list 125 deny tcp any any eq hostname
access-list 125 deny tcp any any eq exec
access-list 125 deny tcp any any eq cmd
access-list 125 permit ip any any
access-list 142 remark for-out-ftp
access-list 142 permit tcp any any eq ftp
access-list 142 permit tcp any any eq ftp-data
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
no cdp run
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password 7 12170A223F2A2D45
 login
!
ntp clock-period 17179990
ntp server 10.0.0.254
end

router 2:

Current configuration : 1356 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log uptime
no service password-encryption
!
hostname warehouse
!
enable secret 5 $1$O2wX$niQv028P0Dpe33e2PrFr21
!
ip subnet-zero
no ip source-route
!
!
no ip domain-lookup
!
no ip bootp server
!
!
class-map match-all voip-traffic
  match access-group 105
!
!
policy-map voip
  class voip-traffic
    priority 256
  class class-default
   fair-queue
!
!
!
interface Ethernet0/0
 description Maintains LAN IP connectivity
 ip address 192.168.1.252 255.255.255.0
 ip helper-address 192.168.0.111
 half-duplex
 no cdp enable
!
interface Serial0/0
 ip address 10.1.1.1 255.255.255.0
 service-policy output voip
 encapsulation ppp
 service-module t1 timeslots 1-24
 service-module t1 remote-alarm-enable
 no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0 10.1.1.2 permanent
no ip http server
!
access-list 105 remark VOIP (SIP/IAX/IAX2) traffic gets top priority (5)
access-list 105 permit udp any any eq 4569
access-list 105 permit udp any any eq 5004
access-list 105 permit udp any any eq 5036
access-list 105 permit udp any any eq 5060
access-list 105 permit ip any host 10.0.0.254
no cdp run
snmp-server community public RO
snmp-server enable traps tty
snmp-server enable traps syslog
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 password tantor
 login
!
end

warehouse#

Now the problem: I need to filter 4 PCs from reaching the internet via MAC address.

The PCs are hung off router 2, which is just a point-to-point link to Serial 0/1 on router 1. I need to give all PCs (even those 4) LAN access for central DHCP server management.

I've tried:

bridge irb
!
interface s0/0
 no ip address
 bridge-group 1
!
interface BVI1
 ip address 12.xx.........
 ip nat outside
!
!
bridge 1 protocol ieee
bridge 1 route ip

I was unable to route out the main T1 from that setup (on s0/0). Anyway, I need to ban 4 MACs (not by IP); I can't do it on the s0/0 interface, since they are already NAT'd by then, and the DHCP server is hung off the e0/0 interface. So, any suggestions please? I have no idea how to apply an access-list in the 700 range.

Reply to
turnip

Would this work?

bridge 1 protocol ieee
bridge 1 route ip

interface Ethernet0/0
 no ip address 192.168.1.252 255.255.255.0
 no ip helper-address 192.168.0.111
 bridge-group 1
 bridge-group 1 input-address-list 701

interface BVI1
 ip address 192.168.1.252 255.255.255.0
 ip helper-address 192.168.0.111
 ip nat inside

BTW, ip helper-address forwards a number of UDP broadcast types in addition to DHCP (BOOTP).

Do you have NETBIOS traffic? Do you have WINS?

Reply to
Merv

We do need to forward NETBIOS traffic and WINS; our WINS server is across the point-to-point link. Here is a diagram:

[link]

That bridges the interface on the remote location side, and will let me filter based on MAC. However, they need to be able to get over to the 192.168.0.0/24 and 10.0.0.0/24 networks, just not out.

WINS, the Domain Controller, and Exchange are all hung off the 192.168.0.0 network; the remote side is 192.168.1.0/24. I did manage to bridge the Ethernet interface like you suggested. Maybe I can come up with some sane ACLs to let them to the other private networks but not out, based on MAC.

TYVM for the reply

Reply to
turnip

> diagram
>
> [link]
> That bridges the interface on the remote location side, and will let

Take a look at this Cisco TAC article:

[link]

All NETBIOS broadcast traffic will be forwarded. If you have WINS you probably do not want this to occur.

You can disable this by using the no ip forward-protocol udp command.

Test off hours to verify the effect.

You can see how much traffic is being forwarded by issuing the commands

show clock
show ip traffic

at, say, 15 minute intervals and then subtracting the forwarded broadcast counts shown in the UDP section of the output.

Reply to
Merv

> diagram
>
> [link]
> That bridges the interface on the remote location side, and will let

> article
>
> [link]

I am using the helper address just to ensure the DHCP request goes through; that much works just fine. We did have some browsing issues until I turned up a WINS server; that much is also fine. Maybe I am looking at this the wrong way here. In order to really use the MAC filter list, I'd have to put the Serial 0/0 on our main router into bridging mode, since it's the default route to the internet (a T1).

main location (router a; those 4 machines must be able to access the two networks off this router but not get out to the inet) <-----> (warehouse router b) ->> (4 machines here I can't allow onto the internet)

Since I can't seem to put the serial interface into bridging mode and still have it work as a T1, I will use some ACLs on the warehouse router, statically address those 4 machines via DHCP, and allow intranet browsing but deny internet browsing.

Something like:

access-list 131 remark the 4 hosts may reach 192.168.0.0/24 and 10.0.0.0/24 only (wildcard masks, not subnet masks)
access-list 131 permit ip host 192.168.1.10 192.168.0.0 0.0.0.255
access-list 131 permit ip host 192.168.1.11 192.168.0.0 0.0.0.255
access-list 131 permit ip host 192.168.1.12 192.168.0.0 0.0.0.255
access-list 131 permit ip host 192.168.1.13 192.168.0.0 0.0.0.255
access-list 131 permit ip host 192.168.1.10 10.0.0.0 0.0.0.255
access-list 131 permit ip host 192.168.1.11 10.0.0.0 0.0.0.255
access-list 131 permit ip host 192.168.1.12 10.0.0.0 0.0.0.255
access-list 131 permit ip host 192.168.1.13 10.0.0.0 0.0.0.255
access-list 131 deny ip host 192.168.1.10 any
access-list 131 deny ip host 192.168.1.11 any
access-list 131 deny ip host 192.168.1.12 any
access-list 131 deny ip host 192.168.1.13 any
access-list 131 permit ip any any

interface Serial0/0 (remote)
 ip access-group 131 out

Unless someone has a better idea.

Reply to
turnip
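The slip that most often breaks an ACL like 131 is writing a subnet mask where IOS expects a wildcard mask (the bitwise inverse: a 1 bit means "don't care"), and writing 0.0.0.0 0.0.0.0 (which matches only host 0.0.0.0) where any is meant. The Python below is an added example, not from the thread or from Cisco: it implements first-match wildcard evaluation with the implicit trailing deny, and checks a constructed host-based ACL 131 (for host 192.168.1.10) beside a constructed mask-inverted variant against a constructed internet address, 198.51.100.7.

```python
import ipaddress

# Constructed sample: the host-based form of the thread's access-list 131, using
# IOS wildcard masks (a 1 bit means "don't care") rather than subnet masks.
ACL_131 = """
access-list 131 permit ip host 192.168.1.10 192.168.0.0 0.0.0.255
access-list 131 permit ip host 192.168.1.10 10.0.0.0 0.0.0.255
access-list 131 deny ip host 192.168.1.10 any
access-list 131 permit ip any any
"""

# Constructed sample of the mask-inversion slip: subnet masks written where wildcards
# belong, and 0.0.0.0 0.0.0.0 (matches only host 0.0.0.0) written instead of any.
ACL_131_INVERTED = """
access-list 131 permit ip 192.168.1.10 255.255.255.0 192.168.0.0 255.255.255.0
access-list 131 deny ip 192.168.1.10 255.255.255.0 0.0.0.0 0.0.0.0
access-list 131 permit ip any any
"""

def _addr_spec(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard, remaining tokens)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0, tokens[2:]
    return int(ipaddress.IPv4Address(tokens[0])), int(ipaddress.IPv4Address(tokens[1])), tokens[2:]

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines; remarks and non-ip entries are skipped."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            continue
        src, swc, rest = _addr_spec(t[4:])
        dst, dwc, _ = _addr_spec(rest)
        entries.append((t[2], src, swc, dst, dwc))
    return entries

def _matches(addr, base, wildcard):
    care = ~wildcard & 0xFFFFFFFF      # bits the router actually compares
    return addr & care == base & care

def evaluate(acl_text, src, dst):
    """First-match evaluation of an IP packet src->dst, with the implicit deny every IOS ACL ends with."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, bs, ws, bd, wd in parse_acl(acl_text):
        if _matches(s, bs, ws) and _matches(d, bd, wd):
            return action
    return "deny"
```

Evaluating 192.168.1.10 to 198.51.100.7 returns deny for ACL_131 but permit for ACL_131_INVERTED, because neither inverted entry matches and the packet falls through to permit ip any any.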
