Configuring ACLs for filtering IP packets

By Amy61166
Mar 10, 2011
  1. I am using Packet Tracer 5.0 with Windows XP Pro. I have designed a small network with 2 departments separated by a router. Off that router is another router simulating the "Internet". I am using EIGRP. Each department can transfer packets and they can each reach the "Internet" router. I am trying to implement ACL filtering so the 2 departments (directly connected to the router) can NOT transfer packets to each other. I do not want to use VLANs. I am able to succeed at that task; however, then they can't reach the "Internet" router.

    I would appreciate any ideas
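The symptom in the question (department-to-department traffic blocked, but the "Internet" router no longer reachable either) is what an extended ACL produces when it contains only deny entries: every Cisco ACL ends with an implicit "deny ip any any", so anything not explicitly permitted is dropped. The following Python model is an added example, not code from the thread or from Packet Tracer. It parses IOS-style numbered access-list lines, evaluates them the way the router does (first match wins, implicit deny at the end) and runs sample flows through a deny-only list and a list that finishes with "permit ip any any". The addresses (192.168.10.0/24 and 192.168.20.0/24 for the two departments, 203.0.113.1 for the Internet router) are constructed for the example; the thread gives none.

```python
import ipaddress

# Constructed addressing for the example (not from the thread):
# dept1 = 192.168.10.0/24, dept2 = 192.168.20.0/24, "Internet" router = 203.0.113.1.
# The same list would be applied inbound on both department-facing interfaces,
# e.g. "ip access-group 110 in" under each interface.

# Deny-only list: the implicit "deny ip any any" at the end blocks everything
# that is not dept1<->dept2, including the path to the Internet router.
BROKEN_ACL = """
access-list 110 remark dept1 and dept2 must not talk to each other
access-list 110 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 110 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
"""

# Corrected list: an explicit permit after the two denies lets all other
# traffic (including dept -> Internet) through.
FIXED_ACL = BROKEN_ACL + "access-list 110 permit ip any any\n"


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a set bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def _take_address(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'NETWORK WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(text):
    """Parse numbered extended 'access-list N {permit|deny} ip SRC DST' lines.

    Entries are returned in configuration order, which is also evaluation order.
    Blank lines, non-ACL lines and 'remark' lines are skipped.
    """
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        action, protocol = tokens[2], tokens[3]
        if action not in ("permit", "deny") or protocol != "ip":
            raise ValueError("unsupported entry: " + line)
        src, rest = _take_address(tokens[4:])
        dst, _ = _take_address(rest)
        entries.append((action, src, dst))
    return entries


def evaluate(entries, src, dst):
    """First matching entry decides; no match hits the implicit 'deny ip any any'."""
    for action, (snet, swild), (dnet, dwild) in entries:
        if wildcard_match(src, snet, swild) and wildcard_match(dst, dnet, dwild):
            return action
    return "deny"


# Sample flows (constructed): one host in each department, plus the Internet router.
FLOWS = {
    "dept1->dept2": ("192.168.10.5", "192.168.20.5"),
    "dept2->dept1": ("192.168.20.5", "192.168.10.5"),
    "dept1->internet": ("192.168.10.5", "203.0.113.1"),
    "dept2->internet": ("192.168.20.5", "203.0.113.1"),
}


def simulate(acl_text):
    """Evaluate every sample flow against the list; returns {flow: action}."""
    entries = parse_acl(acl_text)
    return {name: evaluate(entries, s, d) for name, (s, d) in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("deny-only", BROKEN_ACL), ("with permit any any", FIXED_ACL)):
        print(label, simulate(acl))
```

With the deny-only list every flow comes back "deny", which is exactly the "they can't reach the Internet router" result; with the trailing "permit ip any any" the two inter-department flows stay denied while both department-to-Internet flows are permitted. Order matters: the permit has to come after the denies, because the first matching line wins.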

  2. jobeard

    jobeard TS Ambassador Posts: 9,145   +597

    hmm; can't you manipulate the routing so that an attempt for A->B is not reachable and conversely?
  3. Amy61166

    Amy61166 TS Rookie Topic Starter

    Thanks for your help. I'm not sure what you mean? I am new with this stuff.
  4. jobeard

    jobeard TS Ambassador Posts: 9,145   +597

    I'll assume you have a Domain Controller (DC) environment - - if not, please correct that assumption :)

    With the DC, you have your own DHCP, DNS, Active Directory and Email services,
    and the client systems get IP addresses assigned via the DHCP service.

    With a DC setup, we usually see primarily switches and few routers in the network,
    as the switch requires less configuration - - but that's all just choices for the admin to make.

    I'll discuss using this layout;
    gateway router/firewall = = = primary router#A ----- Infrastructure servers
                                     + ----- dummy honeypot address (x.x.x.254)
                                     + ------ department#1 router (x.x.10.* )---- dept#1 clients
                                     + ------ department#2 router (x.x.20.* )---- dept#2 clients
    in router#1(x.x.10.1 ), set a static route directing all (x.x.20.*) to x.x.x.254

    in router#2(x.x.20.1 ), set a static route directing all (x.x.10.*) to x.x.x.254

    NEVER connect anything to x.x.x.254 (the honeypot dead-end)

    All default routes go up thru x.x.x.1 and either out the gateway or into the infrastructure servers.

    Any attempt from dept#1 to access dept#2 (or conversely) goes to the honeypot and dies as Unreachable.

    For anything 'held in common' to all subnets, those resources are moved to the Infrastructure servers; if not there, then by definition they are not 'held in common nor shared'
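The question's network runs EIGRP, so a practitioner would want to confirm that the static dead-end routes above actually take precedence over the route EIGRP learns for the other department. The small route-lookup model below is an added example, not code from the thread. It applies the two rules an IOS router uses to choose a route (longest prefix first, then lowest administrative distance: connected 0, static 1, EIGRP internal 90) to a table for department router#1. The addresses are constructed: 10.0.10.0/24 and 10.0.20.0/24 for the departments, 10.0.0.1 as the upstream next hop and 10.0.0.254 as the dead-end address.

```python
import ipaddress
from collections import namedtuple

# Constructed addressing (assumption, not from the thread):
# dept#1 = 10.0.10.0/24, dept#2 = 10.0.20.0/24, upstream router#A = 10.0.0.1,
# dead-end "honeypot" address = 10.0.0.254 (nothing is ever attached to it).
Route = namedtuple("Route", "prefix next_hop distance source")

DEAD_END = "10.0.0.254"

# Administrative distances as IOS assigns them: connected 0, static 1, EIGRP internal 90.
ROUTER1_TABLE = [
    Route(ipaddress.ip_network("10.0.10.0/24"), None, 0, "connected"),
    Route(ipaddress.ip_network("10.0.20.0/24"), DEAD_END, 1, "static"),   # jobeard's dead-end route
    Route(ipaddress.ip_network("10.0.20.0/24"), "10.0.0.1", 90, "eigrp"),  # what EIGRP would learn
    Route(ipaddress.ip_network("0.0.0.0/0"), "10.0.0.1", 1, "static"),     # default route upstream
]


def lookup(table, destination):
    """Pick the route IOS would use: longest prefix match, then lowest administrative distance.

    A real router installs only the lowest-distance candidate for a prefix in its
    routing table; choosing it at lookup time gives the same answer for this model.
    """
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    best_len = max(r.prefix.prefixlen for r in candidates)
    longest = [r for r in candidates if r.prefix.prefixlen == best_len]
    return min(longest, key=lambda r: r.distance)


def forwarding_decision(table, destination, dead_end=DEAD_END):
    """Describe what router#1 does with a packet from dept#1 to the given destination."""
    route = lookup(table, destination)
    if route is None:
        return "no route"
    if route.next_hop == dead_end:
        # Nothing answers at the dead-end address, so the packet never arrives anywhere.
        return "sent to dead-end " + dead_end
    if route.next_hop is None:
        return "delivered on connected segment"
    return "forwarded via " + route.next_hop


if __name__ == "__main__":
    for dst in ("10.0.20.7", "10.0.10.9", "203.0.113.1"):
        print(dst, "->", forwarding_decision(ROUTER1_TABLE, dst))
```

A dept#2 address resolves to the static route (distance 1 beats EIGRP's 90 for the same /24) and is sent to the dead end, while an address outside both departments falls through to the default route and is forwarded upstream. If the static route were ever removed, the EIGRP-learned route would take over and the departments could reach each other again, so the static entries on both department routers are what enforce the separation.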
