05-01-2024 11:57 AM
Hello All,
I work for a large enterprise company. We have a location where we want to block internet access through an ACL on our core. I have created a new VLAN with subnet 10.40.94.0/24 and moved all computers that should be disconnected from the internet. This subnet still needs to talk to all the inside VLANs but does not need internet access. Can you help me with how to write my ACL so as not to interrupt the rest of the VLANs?
Core model: Cisco WS-C6509-E
05-01-2024 12:01 PM
ip access-list extended vlan x
permit ip <vlan x> <vlan y>
deny ip <vlan x> any
Then
interface vlan x
ip access-group vlan x in
That is what you need.
MHM
05-02-2024 08:15 AM
Thank you for the reply. Can you please take a look at this and let me know if I need to add anything else?
ip access-list extended vlan 94
permit ip vlan 94 vlan 10
permit ip vlan 94 vlan 15
permit ip vlan 94 vlan 20
deny ip vlan 94 any
interface vlan 94
ip access-group vlan 94
05-02-2024 08:18 AM
That works, but friend, you need to use the subnet of the VLAN, not the VLAN name. I used the VLAN name only as an example.
Also:
ip access-group vlan 94 in
MHM
05-02-2024 08:26 AM
Thank you!
05-02-2024 08:30 AM
Friend, you are welcome.
MHM
05-01-2024 12:28 PM
On the SVI, have an ingress ACL with ACEs that permit all valid destination address ranges, perhaps starting with the private class A, B and C address blocks (e.g. 10.0.0.0/8). The last ACE, implicit or explicit, blocks all else.
Another approach would be to place this subnet into its own VRF and control what routes it is allowed to "know" (perhaps as simple as suppressing a default route).
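The two replies above (permit the isolated subnet to each inside range, then deny it to anything else, applied inbound on the SVI) can be checked before the ACL is typed into the core. The script below is an added example and is not from any participant in this thread or from Cisco: it converts CIDR prefixes into the network/wildcard pairs that IOS extended ACEs expect, renders the ACL text, and evaluates sample flows with first-match semantics and the implicit deny. The isolated subnet 10.40.94.0/24 is the one given in the thread; the permitted destinations are an assumption, using the RFC 1918 blocks suggested in the last reply because the thread does not state the subnets of VLANs 10, 15 and 20.

```python
import ipaddress

# Constructed example values. ISOLATED_SUBNET comes from the thread; the
# destination list is an assumption (RFC 1918 blocks), since the thread does
# not give the actual subnets of VLANs 10, 15 and 20. Replace with your own.
ISOLATED_SUBNET = "10.40.94.0/24"
INSIDE_DESTINATIONS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def ios_match(cidr: str) -> str:
    """Render a CIDR prefix the way an IOS extended ACE expects it.

    IOS uses a wildcard mask (the inverted subnet mask), not a prefix length,
    and has keywords for the two extremes: 'any' for 0.0.0.0/0 and 'host'
    for a single /32 address.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def build_aces(source: str, destinations: list[str]) -> list[tuple[str, str, str]]:
    """Permit source -> each inside range, then deny source -> everything else.

    Order matters: IOS stops at the first matching ACE, so the deny must come
    after the permits or the VLAN would lose all connectivity.
    """
    aces = [("permit", source, dst) for dst in destinations]
    aces.append(("deny", source, "0.0.0.0/0"))
    return aces


def render_acl(name: str, aces: list[tuple[str, str, str]], svi: str) -> list[str]:
    """Produce the ACL and the SVI binding as IOS configuration lines."""
    lines = [f"ip access-list extended {name}",
             f" remark {ISOLATED_SUBNET}: inside VLANs permitted, internet denied"]
    for action, src, dst in aces:
        lines.append(f" {action} ip {ios_match(src)} {ios_match(dst)}")
    # Logging the final deny gives the SOC a record of blocked internet attempts;
    # log rate-limiting on a busy 6500 should be considered before enabling it.
    lines[-1] += " log"
    lines += [f"interface {svi}", f" ip access-group {name} in"]
    return lines


def evaluate(aces: list[tuple[str, str, str]], src_ip: str, dst_ip: str) -> str:
    """First-match evaluation of a flow, with IOS's implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in aces:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "deny"  # nothing matched: every IOS ACL ends with an implicit deny


if __name__ == "__main__":
    acl = build_aces(ISOLATED_SUBNET, INSIDE_DESTINATIONS)
    print("\n".join(render_acl("VLAN94-NO-INTERNET", acl, "Vlan94")))
    # Constructed sample flows: an inside server, a public DNS resolver, and
    # a host on another RFC 1918 block.
    for dst in ("10.40.10.5", "8.8.8.8", "172.20.1.1"):
        print(f"10.40.94.10 -> {dst}: {evaluate(acl, '10.40.94.10', dst)}")
```

Because the ACL is applied inbound on SVI 94, it only sees packets sourced by VLAN 94 hosts; replies from the inside VLANs arrive on their own SVIs and are not subject to it, so no return-traffic ACEs are needed, and an internet host cannot complete a handshake with VLAN 94 because the outbound SYN is dropped. Keep in mind that an IOS ACL is stateless: if VLAN 94 hosts rely on a DNS or proxy server that itself sits in a permitted inside range, that server still has a path to the internet, so name resolution succeeds while the actual connection is blocked.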