Hello Muhammed,You can create

MUHAMMED SHAFI · ‎03-26-2015

Dear All,

I am facing some problem in creating VLAN access-list we have all vlan in core switch also i have configured vlan ip address (SVI) below is vlan details

1. Vlan 1 : 172.16.1.0

2. Vlan 2 : 172.16.2.0

3. Vlan 3 : 172.16.3.0

4. Vlan 4 : 172.16.4.0

5. Vlan 5 : 172.16.5.0 (Guest Vlan)

My requirement is guest vlan should not communicate with other vlan except internet

Kindly help me for a configuring access-list for my issue

i need to allow 172.16.5.0 only internet should not communicate with other vlan

Waiting for your reply

Regards

Muhammed

Bilal Nawaz · ‎03-26-2015

Hello Muhammed,

You can create an inbound ACL on the SVI to block traffic to all internal RFC1918 addressing and permit everything else to the internet. But maybe you have to permit traffic to things like any internal DNS or default GW first? if not then you can remove line 1.

We can do this like below:

ip access-list extended BLK-RFC1918

1 permit ip any host 172.16.5.1

10 deny ip any 10.0.0.0 0.255.255.255

20 deny ip any 192.168.0.0 0.0.255.255

30 deny ip any 172.16.0.0 0.15.255.255

100 permit ip any any

!

interface vlan 5

ip access-group BLK-RFC1918 in

Hope this helps

Bilal

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

VLAN_Access-List