Access list for network segmentation

ddesai
Level 1

I am working to create templates for access lists from a particular VLAN to all internet and internet traffic, so I need to understand the most efficient way to create an access list. For example, if we need to allow the 1.0.0.0 - 9.255.255.255 range with one command for a particular AV VLAN subnet, what is the command? (Assuming that my AV VLAN subnet is 10.15.59.0.)

2 Accepted Solutions

@ddesai

! IOS ACLs take a wildcard mask: 0.0.0.255 matches every host in 10.15.59.0/24
access-list 100 permit ip 10.15.59.0 0.0.0.255 any

There is no better way to allow traffic to the internet than using any.

Exactly.

If you need the other way around, meaning all the internet accessing your VLAN, you can use this:

access-list 100 permit ip any 10.15.59.0 0.0.0.255

10 Replies

@ddesai

! IOS ACLs take a wildcard mask: 0.0.0.255 matches every host in 10.15.59.0/24
access-list 100 permit ip 10.15.59.0 0.0.0.255 any

There is no better way to allow traffic to the internet than using any.

That means all traffic is allowed for internet access for subnet 10.15.59.0/24, correct?

Exactly.

If you need the other way around, meaning all the internet accessing your VLAN, you can use this:

access-list 100 permit ip any 10.15.59.0 0.0.0.255

If I want to allow everything except the private IP address network range, then what?

1.0.0.0 - 9.255.255.255

In one line I don't believe it is possible. It would be easy with multiple lines like this:

! source 10.15.59.0/24 (wildcard 0.0.0.255) to each /8 destination block in turn
access-list 100 permit ip 10.15.59.0 0.0.0.255 1.0.0.0 0.255.255.255

access-list 100 permit ip 10.15.59.0 0.0.0.255 2.0.0.0 0.255.255.255

access-list 100 permit ip 10.15.59.0 0.0.0.255 3.0.0.0 0.255.255.255

up to 9

 

You can also use one named ACL with multiple entries:

! entries with both a source and a destination need an extended ACL, not a standard one
ip access-list extended blockacl

    permit ip 10.15.59.0 0.0.0.255 1.0.0.0 0.255.255.255

    permit ip 10.15.59.0 0.0.0.255 2.0.0.0 0.255.255.255

    up to 9
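The nine-line answer above works, but a wildcard mask matches on bit patterns, so the range 1.0.0.0 - 9.255.255.255 actually summarises into four aligned blocks (1.0.0.0/8, 2.0.0.0/7, 4.0.0.0/6, 8.0.0.0/7) and therefore four ACL entries. The script below is an added example, not code from this thread or from Cisco: it computes the minimal wildcard entries for any range with Python's standard ipaddress module, prints them as IOS extended ACL lines for the thread's source subnet 10.15.59.0/24, and includes a wildcard matcher that shows why a subnet mask (255.255.255.0) must not be used where IOS expects a wildcard. The ACL name Permit-AV-RANGE and the helper names are assumptions for the example.

```python
"""Minimal Cisco IOS wildcard-mask ACL entries for an arbitrary IPv4 range (added example)."""
import ipaddress
from typing import List, Tuple


def range_to_wildcard_entries(first: str, last: str) -> List[Tuple[str, str]]:
    """Return (base, wildcard) pairs whose union is exactly first..last inclusive.

    ipaddress.summarize_address_range yields the minimal list of CIDR blocks
    covering the range; the IOS wildcard mask of a CIDR block is its hostmask.
    """
    start = ipaddress.IPv4Address(first)
    end = ipaddress.IPv4Address(last)
    return [(str(net.network_address), str(net.hostmask))
            for net in ipaddress.summarize_address_range(start, end)]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


def acl_lines(name: str, src_net: str, first: str, last: str) -> List[str]:
    """Emit a named extended ACL permitting src_net -> first..last, one line per block."""
    src = ipaddress.IPv4Network(src_net)
    lines = [f"ip access-list extended {name}"]
    for base, wc in range_to_wildcard_entries(first, last):
        lines.append(f" permit ip {src.network_address} {src.hostmask} {base} {wc}")
    return lines


if __name__ == "__main__":
    # The thread's case: AV VLAN 10.15.59.0/24 to 1.0.0.0 - 9.255.255.255 (constructed input).
    print("\n".join(acl_lines("Permit-AV-RANGE", "10.15.59.0/24", "1.0.0.0", "9.255.255.255")))
    # A subnet mask in the wildcard position does not mean "the /24": 255.255.255.0 as a
    # wildcard only requires the LAST octet to equal the base's, so 10.15.59.7 is not matched
    # while 192.168.1.0 is.
    print(wildcard_match("10.15.59.7", "10.15.59.0", "255.255.255.0"))   # False
    print(wildcard_match("192.168.1.0", "10.15.59.0", "255.255.255.0"))  # True
    print(wildcard_match("10.15.59.7", "10.15.59.0", "0.0.0.255"))       # True
```

The same function works for any contiguous range, for example a block of public addresses an upstream has assigned, and the number of lines it emits is the minimum for that range. Remember that IOS also accepts non-contiguous wildcards (such as 0.255.0.255), which this summariser never needs; every entry it produces is a plain CIDR block.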

Can I create both in and out access lists, or just one, and attach it to the VLAN interface?

Is there any easier way to allow all internet access except the private subnet range in an outbound access list? If yes, then let me know how, with the command.

@ddesai 

To allow all internet access use "any".

You can apply access-group in and out for the same access-list.

Thank you, I really appreciate your help.

For example, for subnet 10.20.23.0 we allow inbound traffic from IP address 10.100.2.98 (internal), and we will need to add it to the VLAN interface in.

ip access-list extended Permit-AV-VLAN_IN
permit ip 10.100.2.98 0.0.0.0 10.20.23.0 0.0.0.255

For outbound access from my internal network to the internet we will need to create an outbound access list as below. Correct me if I am wrong: do I need one access list?

! deny the private 10.0.0.0/8 range first (first match wins), then permit everything else
deny   ip 10.20.23.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 10.20.23.0 0.0.0.255 any
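Two things the thread leaves implicit are worth checking before these lists go on a switch. First, direction is relative to the interface, not the network: on an SVI, "in" filters packets arriving from hosts in that VLAN (host to internet), and "out" filters packets leaving the SVI toward those hosts (internet or 10.100.2.98 to host), so the host-to-internet rules belong in the "in" list and the 10.100.2.98 rule in the "out" list. Second, IOS ACLs are stateless and first-match with an implicit deny at the end, so ordering matters and return traffic has to be permitted explicitly in the other direction. The script below is an added example, not code from the post or from Cisco; it parses constructed ACL text in IOS syntax (permit/deny ip with any, host and wildcard forms), evaluates sample packets against each list, and shows both points. The list contents and the names AV_VLAN_IN and AV_VLAN_OUT are assumptions for the example, modelled on the post's 10.20.23.0/24 and 10.100.2.98.

```python
"""Simulate Cisco IOS extended ACL evaluation for a VLAN SVI (added example).

First match wins; a packet that matches no entry hits the implicit deny.
"""
import ipaddress
from typing import List, Optional, Tuple

AddrSpec = Tuple[int, int]  # (base, wildcard) as 32-bit ints; wildcard bit 1 = don't care
Entry = Tuple[str, AddrSpec, AddrSpec]  # (action, src, dst)


def _parse_addr(tokens: List[str]) -> Tuple[AddrSpec, int]:
    """Parse one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'.

    Returns the spec and the number of tokens consumed.
    """
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), 1
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), 2
    return (int(ipaddress.IPv4Address(tokens[0])),
            int(ipaddress.IPv4Address(tokens[1]))), 2


def parse_entry(line: str) -> Entry:
    """Parse 'permit|deny ip <src> <dst>' (the only protocol this example handles)."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported entry: {line!r}")
    src, used = _parse_addr(tokens[2:])
    dst, _ = _parse_addr(tokens[2 + used:])
    return action, src, dst


def _match(addr: int, spec: AddrSpec) -> bool:
    base, wc = spec
    return (addr & ~wc) == (base & ~wc)


def evaluate(acl: List[Entry], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching entry); (deny, None) is the implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for i, (action, sspec, dspec) in enumerate(acl):
        if _match(s, sspec) and _match(d, dspec):
            return action, i
    return "deny", None


# Constructed lists (assumptions for this example, not a real device config).
# Applied "in" on interface Vlan23: packets from hosts in 10.20.23.0/24.
# The explicit permit to 10.100.2.98 must come BEFORE the deny of 10/8, or it never fires.
AV_VLAN_IN = [parse_entry(l) for l in [
    "permit ip 10.20.23.0 0.0.0.255 host 10.100.2.98",
    "deny   ip 10.20.23.0 0.0.0.255 10.0.0.0 0.255.255.255",
    "deny   ip 10.20.23.0 0.0.0.255 172.16.0.0 0.15.255.255",
    "deny   ip 10.20.23.0 0.0.0.255 192.168.0.0 0.0.255.255",
    "permit ip 10.20.23.0 0.0.0.255 any",
]]
# Applied "out" on interface Vlan23: packets leaving the SVI toward those hosts.
AV_VLAN_OUT = [parse_entry(l) for l in [
    "permit ip host 10.100.2.98 10.20.23.0 0.0.0.255",
]]


if __name__ == "__main__":
    for src, dst in [("10.20.23.5", "8.8.8.8"), ("10.20.23.5", "10.100.2.98"),
                     ("10.20.23.5", "10.100.2.99"), ("10.20.23.5", "192.168.1.1")]:
        print("in ", src, "->", dst, evaluate(AV_VLAN_IN, src, dst))
    for src, dst in [("10.100.2.98", "10.20.23.5"), ("8.8.8.8", "10.20.23.5")]:
        print("out", src, "->", dst, evaluate(AV_VLAN_OUT, src, dst))
```

The last case is the one to notice: with only the 10.100.2.98 entry in the "out" list, the replies to the VLAN's own internet traffic (8.8.8.8 back to 10.20.23.5) hit the implicit deny, so internet access breaks even though the "in" list permits it. Either do not apply an "out" list at all, or permit return traffic explicitly (for TCP, IOS offers `permit tcp any 10.20.23.0 0.0.0.255 established`; for a stateful answer, a reflexive ACL or zone-based firewall). Also decide whether the AV VLAN needs to reach the other RFC 1918 blocks (172.16/12, 192.168/16); the example denies all three.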