Block users in a VLAN from accessing internal company sites

awabalhassan
Level 1

Hi guys!

 

I have a use case where I'm using an L3 core switch (IP services), and I have 5 VLANs; their names are 10, 20, 30, 40, 50.

VLANs 10-40 are for staff and number 50 is for guests, with the range for guests (172.16.160.x to 172.16.191.x).

I also have Wi-Fi devices for each VLAN.

My question is: how can I prevent every user in VLAN 50 (guests) from accessing internal company sites, while allowing them to use just the internet (Google, YouTube, etc.)?

I know I should use an ACL, but how?

Kind regards

5 Replies

Martin L
VIP

ACL is one way, but I think most people will recommend using VLAN ACL - VLAN access maps.

Regards, ML
**Please Rate All Helpful Responses**

Thank you, I'll read about it.

Joseph W. Doherty
Hall of Fame

One possible method would be to have both in and out ACLs on your guest gateways (likely the SVI for VLAN 50) blocking IPs in your internal IP address range(s).

The foregoing answers the conceptional how, but if the concept is unclear or you need help with the actual config, let us know.

Yes, I need the configuration. For example, let's say I have these subnets:

192.168.1.x/24 vlan 10

192.168.2.x/24 vlan 20

192.168.3.x/24 vlan 30

192.168.4.x/24 vlan 40

192.168.5.x/24 vlan 50

192.168.6.x/24 vlan 60

192.168.7.x/24 vlan 70

I want to prevent 192.168.7.x/24 VLAN 70 users from accessing internal company sites and accessing other VLANs; they should just be allowed to use the internet.

ip access-list extended BlockIn
 deny ip any 192.168.1.0 0.0.0.255
 deny ip any 192.168.2.0 0.0.0.255
 deny ip any 192.168.3.0 0.0.0.255
 deny ip any 192.168.4.0 0.0.0.255
 deny ip any 192.168.5.0 0.0.0.255
 deny ip any 192.168.6.0 0.0.0.255
 permit ip any any

ip access-list extended BlockOut
 deny ip 192.168.1.0 0.0.0.255 any
 deny ip 192.168.2.0 0.0.0.255 any
 deny ip 192.168.3.0 0.0.0.255 any
 deny ip 192.168.4.0 0.0.0.255 any
 deny ip 192.168.5.0 0.0.0.255 any
 deny ip 192.168.6.0 0.0.0.255 any
 permit ip any any

interface Vlan70
 ip access-group BlockIn in
 ip access-group BlockOut out
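
An added example, not part of the original replies: a small Python check that replays the BlockIn and BlockOut entries above with IOS first-match and wildcard-mask semantics, so the rule order can be verified before it is applied to interface Vlan70. The host addresses (192.168.7.25, 192.168.1.53, 203.0.113.80 and the others in `checks`) are constructed for illustration.

```python
import ipaddress

# The two ACLs from the reply above, rebuilt line for line (IOS extended ACL syntax).
NETS = [f"192.168.{n}.0 0.0.0.255" for n in range(1, 7)]
BLOCK_IN = [f"deny ip any {n}" for n in NETS] + ["permit ip any any"]
BLOCK_OUT = [f"deny ip {n} any" for n in NETS] + ["permit ip any any"]

def _take_addr(tokens):
    """Consume 'any' or 'address wildcard'; return (base, wildcard) as ints."""
    if tokens[0] == "any":
        tokens.pop(0)
        return 0, 0xFFFFFFFF
    base = int(ipaddress.IPv4Address(tokens.pop(0)))
    wild = int(ipaddress.IPv4Address(tokens.pop(0)))
    return base, wild

def parse_acl(lines):
    """Turn 'permit|deny ip <src> <dst>' entries into (action, src, dst) rules."""
    rules = []
    for line in lines:
        tokens = line.split()
        action, _proto = tokens.pop(0), tokens.pop(0)
        rules.append((action, _take_addr(tokens), _take_addr(tokens)))
    return rules

def _matches(addr, spec):
    base, wild = spec
    # Wildcard bits set to 1 are ignored; every other bit must equal the base.
    return ((addr ^ base) & ~wild & 0xFFFFFFFF) == 0

def evaluate(lines, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    s, d = (int(ipaddress.IPv4Address(a)) for a in (src, dst))
    for action, rule_src, rule_dst in parse_acl(lines):
        if _matches(s, rule_src) and _matches(d, rule_dst):
            return action
    return "deny"

if __name__ == "__main__":
    guest = "192.168.7.25"  # constructed VLAN 70 host
    # (acl, source, destination) as seen on interface Vlan70; addresses are constructed.
    checks = [
        ("BlockIn", BLOCK_IN, guest, "192.168.3.10"),    # guest -> staff VLAN 30
        ("BlockIn", BLOCK_IN, guest, "192.168.1.53"),    # guest -> resolver on VLAN 10
        ("BlockIn", BLOCK_IN, guest, "203.0.113.80"),    # guest -> internet
        ("BlockOut", BLOCK_OUT, "192.168.2.5", guest),   # staff VLAN 20 -> guest
        ("BlockOut", BLOCK_OUT, "203.0.113.80", guest),  # internet reply -> guest
    ]
    for name, acl, src, dst in checks:
        print(f"{name:8} {src:>13} -> {dst:<13} {evaluate(acl, src, dst)}")
```

The second check shows a side effect to plan for: if the DHCP scope for VLAN 70 hands out a DNS server inside one of the denied subnets, guest lookups are dropped unless a narrower permit entry is placed above the deny lines.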