Need help on wildcard masking
Hello, I have set up a Cisco router and Cisco switch.
We have 2 depts, management and production; all hosts are connected to the switch, which is connected to the router, which in turn is connected to another router.
I'm using IGRP 5 protocol
gateway is 192.168.11.81
subnet address - 192.168.11.80 255.255.255.240
7 hosts in production, lowest address 192.168.11.82 highest 192.168.11.88
6 hosts in management, lowest address 192.168.11.89 highest 192.168.11.94
intranet web server 172.16.0.1
Basically I want all hosts to have access to 172.16.0.1 with only HTTP access
all management hosts access to everything using all ip protocols
all production hosts to have no access to management hosts using all ip protocols
Also I want to deny all hosts access to an internet web server 198.0.0.1.
Can someone help with the extended access-list that I should put on the router on the ethernet interface e 0?
0
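A Cisco wildcard mask is the inverse of a subnet mask: a 0 bit must match, a 1 bit is ignored. The production (.82 to .88) and management (.89 to .94) ranges in the post do not start or end on power-of-two boundaries, so neither can be written as a single `address wildcard` pair. The Python below is an added example, not code from the post or its replies: it decomposes each range into the minimal set of aligned blocks, checks which hosts each pair actually matches, and assembles one possible ordering of the extended access-list the question asks for. The ACL number (101) and the rule order are assumptions about intent. Note, as the comment below points out, that the production-to-management deny lines are never consulted for traffic between two hosts of the same /28, because that traffic is switched at layer 2 and never reaches the router's e0.

```python
import ipaddress
from itertools import product


def wildcard_entries(first, last):
    """Split an inclusive IPv4 range into the (base, wildcard) pairs a Cisco
    ACL needs.  Each aligned block's hostmask is its wildcard (0 = must
    match, 1 = don't care).  Ranges that are not aligned to a power of two
    need several pairs."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return [(str(net.network_address), str(net.hostmask))
            for net in ipaddress.summarize_address_range(lo, hi)]


def matches(addr, base, wildcard):
    """True if addr would match the ACL source/destination 'base wildcard'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))  # bits that must match
    return (a & care) == (b & care)


def covers(entries, addr):
    """Number of entries in a decomposition that match addr: expect 1 inside
    the range and 0 outside it; >1 would mean the entries overlap."""
    return sum(matches(addr, base, wild) for base, wild in entries)


def deny_between(src_first, src_last, dst_first, dst_last, acl=101):
    """'deny ip' lines for every source block x destination block pair."""
    return [f"access-list {acl} deny ip {sb} {sw} {db} {dw}"
            for (sb, sw), (db, dw) in product(wildcard_entries(src_first, src_last),
                                              wildcard_entries(dst_first, dst_last))]


# Address ranges exactly as given in the post.
PRODUCTION = ("192.168.11.82", "192.168.11.88")
MANAGEMENT = ("192.168.11.89", "192.168.11.94")


def policy_acl(acl=101):
    """One reading of the rules in the post, in first-match order.  The ACL
    number is an assumption.  Every Cisco ACL ends with an implicit
    'deny ip any any', so production hosts get nothing beyond the HTTP permit."""
    lines = deny_between(*PRODUCTION, *MANAGEMENT, acl=acl)       # production -> management
    lines.append(f"access-list {acl} deny ip any host 198.0.0.1")  # nobody reaches the internet server
    lines.append(f"access-list {acl} permit tcp any host 172.16.0.1 eq 80")  # HTTP to intranet server
    for base, wild in wildcard_entries(*MANAGEMENT):                # management: everything else
        lines.append(f"access-list {acl} permit ip {base} {wild} any")
    return lines


if __name__ == "__main__":
    for name, rng in (("production", PRODUCTION), ("management", MANAGEMENT)):
        print(name, wildcard_entries(*rng))
    print("\n".join(policy_acl()))
```

The `host x.x.x.x` keyword is shorthand for `x.x.x.x 0.0.0.0` and `any` for `0.0.0.0 255.255.255.255`. Running the block prints three pairs for production, four for management, and an 18-line list; the `covers` check is the quick way to confirm a decomposition matches every host in the range exactly once and nothing outside it (the gateway .81, for instance, matches none of the production pairs).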
Comments
I would use a host-based firewall rule set. Also, you may want to consider adding some VLAN policies to your switch ports; otherwise a creative user could jump subnets and start breaking the users up more. Also, creating a transparent bridge can take the load off of the router and still do what you are looking for.
Also, remember that users in the same subnet are going to layer 2 switch to these hosts and not route. This would bypass your ACLs in your routing layer.