01-15-2025 03:51 PM
I am working to create templates for access lists from a particular VLAN to all internet traffic, so I need to understand the most efficient way to create an access list. For example, if we need to allow the 1.0.0.0 - 9.255.255.255 range with one command for a particular AV VLAN subnet, what is the command? (Assuming that my AV VLAN subnet is 10.15.59.0.)
Labels: LAN Switching
Accepted Solutions
01-15-2025 04:26 PM - edited 01-15-2025 04:27 PM
access-list 100 permit ip 10.15.59.0 0.0.0.255 any
There is no better way to allow traffic to the internet than using any.
01-15-2025 04:48 PM
Exactly.
If you need the other way around, meaning all the internet to access your VLAN, you can use this:
access-list 100 permit ip any 10.15.59.0 0.0.0.255
01-15-2025 04:44 PM
That means all traffic is allowed for internet access for subnet 10.15.59.0/24, correct?
01-15-2025 04:54 PM
If I want to allow everything except the private IP address network range, then what?
1.0.0.0 - 9.255.255.255
01-15-2025 05:30 PM
In one line I don't believe it is possible. It would be easy with multiple lines like this:
access-list 100 permit ip 10.15.59.0 0.0.0.255 1.0.0.0 0.255.255.255
access-list 100 permit ip 10.15.59.0 0.0.0.255 2.0.0.0 0.255.255.255
access-list 100 permit ip 10.15.59.0 0.0.0.255 3.0.0.0 0.255.255.255
up to 9
You can also use one ACL with multiple entries:
ip access-list extended blockacl
 permit ip 10.15.59.0 0.0.0.255 1.0.0.0 0.255.255.255
 permit ip 10.15.59.0 0.0.0.255 2.0.0.0 0.255.255.255
up to 9
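The following is an added example, not code from the thread or from Cisco: it writes out Cisco IOS wildcard-mask matching in Python, so the difference between a wildcard (0.0.0.255) and a subnet mask (255.255.255.0) in an ACE can be checked directly, and it turns any inclusive address range (the 1.0.0.0 - 9.255.255.255 range from the question) into the smallest set of aligned blocks, each of which is one extended ACL entry. It goes beyond the reply above in that wildcards wider than a /8 (for example 2.0.0.0 1.255.255.255) cover the range in four entries instead of nine. The source subnet 10.15.59.0/24 is the one from the question; the ACL name in the demo is an assumption.

```python
"""Added example, not from the original thread: Cisco IOS wildcard-mask
matching written out in Python, plus a helper that turns any inclusive
address range (such as 1.0.0.0 - 9.255.255.255 from the question) into the
smallest set of extended ACL entries that cover it. The source subnet
10.15.59.0/24 is the one from the question; the ACL name used in the demo
is an assumption."""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care',
    a 0 bit means 'must equal the same bit of base'. It is the bitwise
    inverse of a subnet mask, so 255.255.255.0 in an ACE is not a /24: it
    matches any address whose last octet is 0, in any network."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & ALL_ONES
    return (a & care) == (b & care)


def range_to_aces(first: str, last: str, src: str = "10.15.59.0 0.0.0.255") -> list:
    """Split an inclusive range into the minimal set of aligned CIDR blocks;
    a block's hostmask is exactly its Cisco wildcard, so each block is one ACE."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return [
        f"permit ip {src} {net.network_address} {net.hostmask}"
        for net in ipaddress.summarize_address_range(lo, hi)
    ]


def render_acl(name: str, aces: list) -> str:
    """Named extended ACL; a standard ACL cannot carry a destination address."""
    return "\n".join([f"ip access-list extended {name}"] + [f" {a}" for a in aces])


def range_covered(aces: list, first: str, last: str) -> bool:
    """Check that every /16 inside the range is matched by some entry and
    that the addresses just outside it are matched by none."""
    pairs = [(a.split()[4], a.split()[5]) for a in aces]  # destination base, wildcard

    def hits(addr: int) -> bool:
        text = str(ipaddress.IPv4Address(addr))
        return any(wildcard_match(text, base, wild) for base, wild in pairs)

    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    inside = all(hits(x) for x in range(lo, hi + 1, 1 << 16))
    return inside and not hits(lo - 1) and not hits(hi + 1)


if __name__ == "__main__":
    # The mask mistake: with 255.255.255.0 as a wildcard, 10.15.59.7 is NOT
    # matched, but 192.168.1.0 is.
    print(wildcard_match("10.15.59.7", "10.15.59.0", "255.255.255.0"))  # False
    print(wildcard_match("192.168.1.0", "10.15.59.0", "255.255.255.0"))  # True
    print(wildcard_match("10.15.59.7", "10.15.59.0", "0.0.0.255"))      # True
    aces = range_to_aces("1.0.0.0", "9.255.255.255")
    print(render_acl("AV-TO-1-9", aces))  # four entries, not nine
    print(range_covered(aces, "1.0.0.0", "9.255.255.255"))  # True
```

The generated entries use only contiguous wildcards, which is what `summarize_address_range` produces; IOS also accepts non-contiguous wildcards, but those are rarely worth the readability cost in a template.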
01-16-2025 02:22 PM
Can I create both in and out access lists, or just one, and attach it to the VLAN interface?
01-16-2025 02:23 PM
Is there any easy way to allow all internet access except the private subnet range in an outbound access list? If yes, then let me know how, with the command.
01-16-2025 03:01 PM
To allow all internet access, use "any".
You can apply access-group in and out for the same access-list.
01-16-2025 03:11 PM
Thank you, I really appreciate your help.
For example, for subnet 10.20.23.0 we allowed inbound traffic from IP address 10.100.2.98 (internal), and we will need to add it to the VLAN interface in:
ip access-list extended Permit-AV-VLAN_IN
 permit ip host 10.100.2.98 10.20.23.0 0.0.0.255
For outbound access from my internal network to the internet, we will need to create an outbound access list as below. Correct me: do I need one access list?
 deny ip 10.20.23.0 0.0.0.255 0.0.0.0 0.255.255.255
 permit ip 10.20.23.0 0.0.0.255 any (for internet)
01-16-2025 03:56 PM
The first ACL seems to be correct.
What do you intend with this "deny ip 10.20.23.0 0.0.0.255 0.0.0.0 0.255.255.255"?
This one seems correct:
permit ip 10.20.23.0 0.0.0.255 any (for internet)
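As an added example, not from the thread or from Cisco, the following Python simulator evaluates Cisco IOS extended ACL lines first-match, the way the router does, so the ACLs in the last two posts can be checked offline: what the "deny ... 0.0.0.0 0.255.255.255" line actually matches, what the implicit deny at the end of every ACL does, and what "in" versus "out" means when an ACL is applied to a VLAN interface (SVI), which is the earlier question about applying access-group in and out. It also carries the "internet except private ranges" policy from the thread through as three RFC 1918 deny lines followed by permit any; that interpretation, the ACL name AV-TO-INTERNET, and the sample addresses are assumptions constructed for the illustration.

```python
"""Added example, not from the original thread: a first-match simulator for
Cisco IOS extended ACLs (IP only, no ports) used to see what the ACL lines
in the posts above actually match, and what 'in' versus 'out' means when an
ACL is applied to a VLAN interface (SVI). The sample addresses and the three
RFC 1918 deny lines are constructed for this illustration; they are not from
the thread."""
import ipaddress
from typing import List, NamedTuple, Tuple

ALL_ONES = 0xFFFFFFFF
Spec = Tuple[int, int]  # (base, wildcard) as 32-bit integers


class Ace(NamedTuple):
    action: str  # "permit" or "deny"
    src: Spec
    dst: Spec


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_spec(tokens: List[str]) -> Tuple[Spec, List[str]]:
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return (0, ALL_ONES), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]


def parse_acl(text: str) -> List[Ace]:
    """Parse 'permit|deny ip <src> <dst>' lines; the 'ip access-list' header
    and anything that is not an IP entry is skipped."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            continue
        src, rest = _parse_spec(tokens[2:])
        dst, _ = _parse_spec(rest)
        aces.append(Ace(tokens[0], src, dst))
    return aces


def _match(addr: int, spec: Spec) -> bool:
    base, wildcard = spec
    care = ~wildcard & ALL_ONES  # 0 bits in the wildcard must match
    return (addr & care) == (base & care)


def evaluate(acl: List[Ace], src: str, dst: str) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    s, d = _ip(src), _ip(dst)
    for ace in acl:
        if _match(s, ace.src) and _match(d, ace.dst):
            return ace.action
    return "deny"


def svi_filter(direction: str, acl: List[Ace], vlan_host: str, remote: str) -> str:
    """'in' on an SVI filters packets arriving from the VLAN's hosts, so the
    VLAN host is the source; 'out' filters packets leaving towards them, so
    the VLAN host is the destination."""
    if direction == "in":
        return evaluate(acl, vlan_host, remote)
    if direction == "out":
        return evaluate(acl, remote, vlan_host)
    raise ValueError(f"unknown direction {direction!r}")


# The post's first ACL: meant to let 10.100.2.98 reach the 10.20.23.0/24 VLAN.
PERMIT_AV_VLAN_IN = parse_acl("""
ip access-list extended Permit-AV-VLAN_IN
 permit ip host 10.100.2.98 10.20.23.0 0.0.0.255
""")

# The post's outbound pair, with the source wildcard on the permit line.
POSTED_OUTBOUND = parse_acl("""
 deny ip 10.20.23.0 0.0.0.255 0.0.0.0 0.255.255.255
 permit ip 10.20.23.0 0.0.0.255 any
""")

# Constructed 'internet except private ranges' policy: deny the RFC 1918
# blocks first, then permit everything else (assumed interpretation).
AV_TO_INTERNET = parse_acl("""
ip access-list extended AV-TO-INTERNET
 deny ip 10.20.23.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny ip 10.20.23.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny ip 10.20.23.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 10.20.23.0 0.0.0.255 any
""")

if __name__ == "__main__":
    vlan, internal, internet = "10.20.23.5", "10.100.2.98", "198.51.100.10"
    # Applied 'in' on the VLAN SVI, the first ACL never sees 10.100.2.98 as source.
    print("Permit-AV-VLAN_IN in :", svi_filter("in", PERMIT_AV_VLAN_IN, vlan, internal))
    print("Permit-AV-VLAN_IN out:", svi_filter("out", PERMIT_AV_VLAN_IN, vlan, internal))
    # The posted deny line only matches destinations in 0.0.0.0/8.
    print("posted deny vs internal:", evaluate(POSTED_OUTBOUND, vlan, internal))
    print("RFC1918 deny vs internal:", svi_filter("in", AV_TO_INTERNET, vlan, internal))
    print("RFC1918 deny vs internet:", svi_filter("in", AV_TO_INTERNET, vlan, internet))
```

Two things the run makes visible: a source-only permit (the Permit-AV-VLAN_IN entry) only has an effect in the direction where that address really is the source, so the same ACL applied both in and out on an SVI filters two different things; and the order of entries matters, because the permit any line would swallow everything placed after it.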
