09-23-2016 09:28 AM - edited 03-08-2019 07:33 AM
I have 2 Layer 2 wireless VLANs, 90 (users) and 98 (WAP management), which terminate on an ASA firewall.
These VLANs are present on all switches and on the core switch via trunk ports.
I would like to block these VLANs from accessing other VLANs except the Internet VLAN 101.
I am using a Cisco 6509 switch. What is the best way to do this?
10.90.1.x/24 Users
10.98.1.x/24 WAP management
Internet 10.1.1.0/x
Thanks
09-23-2016 11:34 AM
Both VLANs, are they terminated at the ASA? Layer 2 wise? Then they should be separated, and you need to set up rules on the ASA to allow them access to the Internet and other VLANs.
If your VLANs terminate at the 6500 then you need some kind of VRFs to separate the routing.
09-24-2016 08:12 PM
Is your gateway for VLAN 90 and VLAN 98 pointed to the core switch (6500)? If so, you can configure a VACL that only permits traffic to the Internet 10.1.1.0/x and denies any other VLAN.
ip access-list extended INTERNET
 ! a VACL is applied to every packet in the VLAN, in both directions,
 ! so the request to the Internet VLAN and the reply both need an entry
 permit ip any 10.1.1.0 <wildcard mask>
 permit ip 10.1.1.0 <wildcard mask> any
 ! everything else (including the other VLANs) hits the implicit deny
vlan access-map my_map 10
 match ip address INTERNET
 action forward
vlan filter my_map vlan-list 90,98
With the configuration above, you can only access the INTERNET from VLANs 90 and 98.
Please rate the post...ty
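An added Python check (not from the thread and not Cisco code) that models IOS wildcard matching and the bidirectional filtering of a VACL, to show why a single `permit ip 10.1.1.0 <wildcard> any` entry drops the user-to-Internet request while adding the reverse-direction entry lets the flow through and still blocks VLAN 90 to VLAN 98. The /24 for 10.1.1.0 and the sample host addresses are assumptions.

```python
import ipaddress

# Constructed ACLs in IOS syntax; the thread's "10.1.1.0/x" is assumed to be a /24.
POSTED_ACL = """
ip access-list extended INTERNET
 permit ip 10.1.1.0 0.0.0.255 any
"""
CORRECTED_ACL = """
ip access-list extended INTERNET
 permit ip any 10.1.1.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 any
"""

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def _parse_addr(tokens, i):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'base wildcard'."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2

def parse_acl(text):
    """Parse 'permit|deny ip <src> <dst>' entries; skip the header and comments."""
    acl = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "ip" or tokens[0].startswith("!"):
            continue
        sb, sw, i = _parse_addr(tokens, 2)  # tokens[1] is the protocol keyword
        db, dw, _ = _parse_addr(tokens, i)
        acl.append((tokens[0], sb, sw, db, dw))
    return acl

def acl_decision(acl, src, dst):
    """First-match evaluation; an unmatched packet hits the implicit deny."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

def vacl_allows_flow(acl_text, src, dst):
    """A VACL filters every packet in the VLAN, both directions, so a flow
    works only when the request and the reply are both forwarded."""
    acl = parse_acl(acl_text)
    return acl_decision(acl, src, dst) == "permit" and acl_decision(acl, dst, src) == "permit"
```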