
Only allow subnet to internet

HamDawg
Level 1

Hi all, hoping to get your guidance here... hopefully I am in the correct forum.

How can I build an ACL to only allow a subnet to the internet and nowhere else within the network?

I have a VLAN xxx that I would like to deny access to everywhere and only allow out to the internet.

What would be the deny statements?
ip access-list extended 172.x.x.0 0.0.0.255 deny
permit ??
How would I apply this on the VLAN interface?

Do I also have a static route for that network to my internet interface?

thank you in advance,

Accepted Solution

@HamDawg create an ACL with the first line as a deny from the local network to the rest of the local networks, then permit ip any any, which would allow you internet access whilst denying access to local resources.

Not knowing your full intentions, you may need to permit DHCP and DNS to local resources? If so, add these above the deny rule.

You would apply the ACL on the SVI.

Example:

ip access-list extended INTERNET-ACCESS-ACL
 deny ip 172.16.0.0 0.0.0.255 172.16.0.0 0.0.255.255
 permit ip any any
!
interface vlan X
 ip access-group INTERNET-ACCESS-ACL in


"I have a VLAN xxx that I would like to deny access to everywhere and only out to the internet"??
The direction of the ACL is IN,
but the question here is: what do you mean by everywhere?

If you want to deny traffic to everything other than internet, then you will need to first deny traffic towards RFC1918 and then permit any.  Something like the following.

ip access-list extended INET_ONLY
 deny ip 172.x.x.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny ip 172.x.x.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny ip 172.x.x.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 172.x.x.0 0.0.0.255 any
!
int vlan xxx
 ip access-group INET_ONLY in

--
Please remember to select a correct answer and rate helpful posts
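The ACLs from the accepted answer and from the RFC 1918 answer above, as an added Python model (not the posters' or Cisco's code) that applies Cisco wildcard-mask matching with first-match, implicit-deny evaluation, so a rule set can be sanity-checked before it is applied inbound on the SVI; the second ACL's 172.x.x.0 source is assumed here to be 172.16.0.0/24.

```python
import ipaddress

# Constructed example (not Cisco code): a tiny evaluator for the extended ACL
# entries discussed in this thread. Only "permit|deny ip <src> <wc> <dst> <wc>"
# entries are modelled; a real ACL also matches protocol and ports.

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard: a 0 bit must match exactly, a 1 bit is a don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def parse_ace(line):
    """Parse one entry; 'any' is shorthand for 0.0.0.0 255.255.255.255."""
    tok = line.split()
    action, proto, fields = tok[0], tok[1], tok[2:]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    def take():
        if fields[0] == "any":
            fields.pop(0)
            return "0.0.0.0", "255.255.255.255"
        return fields.pop(0), fields.pop(0)
    src, dst = take(), take()
    return action, src, dst

def evaluate(acl, src, dst):
    """First matching entry decides; every ACL ends with an implicit deny."""
    for action, (sn, sw), (dn, dw) in map(parse_ace, acl):
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action
    return "deny"

# Accepted answer: VLAN subnet 172.16.0.0/24, other local networks inside 172.16.0.0/16
INTERNET_ACCESS_ACL = [
    "deny ip 172.16.0.0 0.0.0.255 172.16.0.0 0.0.255.255",
    "permit ip any any",
]

# RFC 1918 answer, with the poster's 172.x.x.0 assumed to be 172.16.0.0/24
INET_ONLY = [
    "deny ip 172.16.0.0 0.0.0.255 10.0.0.0 0.255.255.255",
    "deny ip 172.16.0.0 0.0.0.255 172.16.0.0 0.15.255.255",
    "deny ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.255.255",
    "permit ip 172.16.0.0 0.0.0.255 any",
]
```

Running evaluate() for a VLAN host against a local DNS server such as 10.1.1.53 shows the difference between the two answers: the single /16 deny still lets 10.0.0.0/8 through, while INET_ONLY denies it, which is why the DHCP/DNS permits belong above the deny lines.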

ammahend
VIP

With your subnet as source, you can deny access to RFC 1918 as destination, which comprises all private IP ranges, in the IN direction on the SVI as suggested by Marius below. However, keep in mind that some services are essential for endpoints to function, like DHCP, DNS, NTP, Domain etc., so you can allow them at the top, then deny RFC 1918, then permit all.

-hope this helps-