VLAN access-list

shawvoel (Level 1)

Hi All Expert,

I need to restrict VLAN-to-VLAN access while still allowing Internet access. How can I do this?

Please help.

Thank you.

Rgds,

Au Yeong Shaw Voel

Accepted Solution

Roberto Salazar (Level 8)

Hello,

I think you meant you want to restrict traffic from one VLAN to another, but from these VLANs you want no traffic restrictions to the Internet. You can create an access list preventing traffic from a certain network to a VLAN while allowing traffic to the Internet. For example:

vlan x - 1.1.1.0/24
vlan y - 1.1.2.0/24

access-list x deny 1.1.1.0 0.0.0.255
access-list x permit any
access-list y deny 1.1.2.0 0.0.0.255
access-list y permit any

interface vlan x
 ip address 1.1.1.1 255.255.255.0
 ip access-group y out

interface vlan y
 ip address 1.1.2.1 255.255.255.0
 ip access-group x out

The point of the above example is to show, on each VLAN, an access list preventing a certain network from accessing it while allowing traffic to and from the Internet. The access list above is a rough example; a more refined one might better suit your configuration, depending on your requirements.

Please rate helpful posts.
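As an added example (not from this thread), here is a small Python model of the configuration above: the two VLAN subnets, the two outbound standard ACLs with IOS wildcard-mask matching and the implicit deny, and a forwarding decision for sample flows, so you can confirm that inter-VLAN traffic is dropped while Internet-bound and return traffic passes. The egress lookup, the `uplink` name and the sample addresses are assumptions of the model, not part of the original config.

```python
import ipaddress

# Constructed model of the accepted answer's config; "x"/"y" stay as placeholders.
# Standard ACLs match on source address only; first match wins, implicit deny at end.
ACLS = {
    "x": [("deny", "1.1.1.0", "0.0.0.255"), ("permit", "0.0.0.0", "255.255.255.255")],
    "y": [("deny", "1.1.2.0", "0.0.0.255"), ("permit", "0.0.0.0", "255.255.255.255")],
}
# interface vlan -> (connected subnet, ACL applied with "ip access-group <name> out")
SVIS = {
    "vlan x": ("1.1.1.0/24", "y"),
    "vlan y": ("1.1.2.0/24", "x"),
}
UPLINK = "uplink"  # assumed name for the Internet-facing interface, which carries no ACL


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def evaluate_acl(entries, src: str) -> str:
    for action, base, wildcard in entries:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"  # implicit deny any at the end of every IOS ACL


def egress_interface(dst: str) -> str:
    for name, (subnet, _acl) in SVIS.items():
        if ipaddress.IPv4Address(dst) in ipaddress.ip_network(subnet):
            return name
    return UPLINK  # not a local VLAN: routed toward the Internet


def forward(src: str, dst: str) -> str:
    """Decide what the switch does with a routed packet from src to dst."""
    out = egress_interface(dst)
    if out == UPLINK:
        return "permit"  # no access-group on the uplink in this example
    subnet, acl_name = SVIS[out]
    if ipaddress.IPv4Address(src) in ipaddress.ip_network(subnet):
        # Same-VLAN traffic is switched at layer 2 and never crosses the SVI,
        # so the outbound ACL is not consulted (hence the VACL/private-VLAN replies).
        return "permit"
    return evaluate_acl(ACLS[acl_name], src)


if __name__ == "__main__":
    for flow in [("1.1.1.10", "1.1.2.10"), ("1.1.1.10", "203.0.113.5"), ("203.0.113.5", "1.1.1.10")]:
        print(flow, "->", forward(*flow))
```

Note that the same-VLAN branch is the reason a routed ACL alone cannot restrict hosts within one VLAN; that case needs a VACL or private VLANs, as the other replies point out.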


4 Replies

Hi,

You can give IP addresses to the VLAN interfaces and then configure default static routes from the VLAN interfaces to the Internet.

Enable IP routing.

ip route 0.0.0.0 0.0.0.0 <ip address>, where <ip address> is the IP address of the VLAN interface.

regards,

sridhar.

vladrac-ccna (Level 5)

Hello,

The question would be: do you need to restrict the traffic inside the same VLAN, or inter-VLAN?

For intra-VLAN (same VLAN) traffic there are at least 2 solutions:

private VLANs and VACLs (VLAN ACLs, as in your post title).

For inter-VLAN you can use an extended ACL to accomplish this task,

using something like:

access-list 100 permit tcp 10.10.10.0 0.0.0.255 any eq www

If you need more detailed configs, please give us more details on your set up.

"Securing Networks with Private VLANs and VLAN Access Control Lists"

http://www.cisco.com/warp/public/473/90.shtml

ACL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part15/schacls.htm#wp1000913

HTH,

if it does, please rate this post.

Vlad


devang_etcom (Level 7)

Hi,

Normally two VLANs cannot communicate directly with each other; to establish communication between two VLANs you need a layer 3 device. As per your requirement, you don't want communication between two different VLANs, which is the default. Now, whenever you are talking about Internet access, the best way is to use a static route for the VLAN interface. And if you want to restrict access of users in the same VLAN, then you need to go for an access list, or you can go for a private VLAN.

Rate this post if it helps.

regards

Devang
