01-15-2025 03:51 PM
I am working to create templates for access lists from a particular VLAN to all internet and internet traffic, so I need to understand the most efficient way to create an access list. For example, if we need to allow the 1.0.0.0 - 9.255.255.255 range with one command for a particular AV VLAN subnet, then what is the command? (Assuming that my AV VLAN subnet is 10.15.59.0)
01-15-2025 04:26 PM - edited 01-15-2025 04:27 PM
access-list 100 permit ip 10.15.59.0 0.0.0.255 any
There is no better way to allow traffic to the internet than using any.
01-15-2025 04:44 PM
That means all traffic is allowed for internet access for subnet 10.15.59.0/24, correct?
01-15-2025 04:48 PM
Exactly.
If you need the other way around, meaning all the internet to access your VLAN, you can use this:
access-list 100 permit ip any 10.15.59.0 0.0.0.255
01-15-2025 04:54 PM
If I want to allow everything except the private IP address network range, then?
1.0.0.0 - 9.255.255.255
01-15-2025 05:30 PM
In one line I don't believe it is possible. It would be easy with multiple lines like this:
access-list 100 permit ip 10.15.59.0 0.0.0.255 1.0.0.0 0.255.255.255
access-list 100 permit ip 10.15.59.0 0.0.0.255 2.0.0.0 0.255.255.255
access-list 100 permit ip 10.15.59.0 0.0.0.255 3.0.0.0 0.255.255.255
up to 9
You can also use one ACL with multiple entries:
ip access-list extended blockacl
permit ip 10.15.59.0 0.0.0.255 1.0.0.0 0.255.255.255
permit ip 10.15.59.0 0.0.0.255 2.0.0.0 0.255.255.255
up to 9
01-16-2025 02:22 PM
Can I create both in and out access lists, or just one, and attach it to the VLAN interface?
01-16-2025 02:23 PM
Is there any easier way to allow all internet access except the private subnet range in an outbound access list? If yes, then let me know how, with the command.
01-16-2025 03:01 PM
To allow all internet access, use "any".
You can apply access-group in and out for the same access-list.
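As an added example (not from any post in this thread), a short Python script that derives the minimal set of wildcard-mask entries covering an arbitrary range and builds the "internet except private" outbound ACL discussed above. The ACL name, the RFC 1918 exclusion list and the helper names are assumptions; it goes beyond the thread by showing that 1.0.0.0 - 9.255.255.255 needs only four aligned entries rather than nine.

```python
import ipaddress

# Constructed inputs for this example: the subnet and range used in the thread.
SRC_SUBNET = ipaddress.ip_network("10.15.59.0/24")
INTERNET_RANGE = (ipaddress.ip_address("1.0.0.0"),
                  ipaddress.ip_address("9.255.255.255"))
# Assumed exclusion list: the RFC 1918 private ranges.
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def wildcard(net):
    """Cisco wildcard mask is the bitwise inverse of the subnet mask (hostmask)."""
    return str(net.hostmask)


def ace(action, src, dst):
    """One access-control entry in IOS extended-ACL syntax (hypothetical helper)."""
    return (f"{action} ip {src.network_address} {wildcard(src)} "
            f"{dst.network_address} {wildcard(dst)}")


def range_aces(src, first, last):
    """Permit lines covering first..last with the fewest aligned blocks.

    summarize_address_range() splits an arbitrary range into CIDR blocks,
    each of which maps to exactly one network/wildcard pair.
    """
    return [ace("permit", src, blk)
            for blk in ipaddress.summarize_address_range(first, last)]


def internet_except_private_acl(name, src, private=PRIVATE):
    """Outbound ACL: deny the private ranges first, then permit everything else.

    Order matters: the implicit deny at the end never fires here because the
    final permit-any catches all remaining destinations.
    """
    lines = [f"ip access-list extended {name}"]
    lines += [ace("deny", src, p) for p in private]
    lines.append(f"permit ip {src.network_address} {wildcard(src)} any")
    return lines


if __name__ == "__main__":
    print("\n".join(range_aces(SRC_SUBNET, *INTERNET_RANGE)))
    print("\n".join(internet_except_private_acl("AV-VLAN-OUT", SRC_SUBNET)))
```

Note that 10.15.59.0/24 itself lies inside 10.0.0.0/8, so the deny line for that block also stops traffic to other internal 10.x networks; that is the intended outbound behaviour here, with internal flows handled separately.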
01-16-2025 03:11 PM
Thank you, I really appreciate you helping me.
For example, from subnet 10.20.23.0 we allowed inbound traffic from IP address 10.100.2.98 (internal), and we will need to add it to the VLAN interface in:
ip access-list extended Permit-AV-VLAN_IN
permit ip 10.100.2.98 0.0.0.0 10.20.23.0 0.0.0.255
For outbound access from my internal network to the internet, we will need to create an outbound access list as below. Correct me: do I need one access list?
deny ip 10.20.23.0 0.0.0.255 0.0.0.0 0.255.255.255
permit ip 10.20.23.0 0.0.0.255 any (for internet)