Internet Access only VLAN

Unanswered Question
May 29th, 2007

I'm looking to create a VLAN on my network that will give users attached to it access only to the Internet and to only 1 IP Printer that is located on my printer VLAN.

My internal network is setup in the following manner:

10.140.0.0 is carved up into multiple class C subnets, one class C for each VLAN.

10.140.3.0 /24 is the VLAN that will have hosts on it that I want only to get to the internet and to 10.140.44.2 (IP Printer)

Can anyone provide some insight on how to do this with a sample config?

Thanks..

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Anonymous (not verified) Tue, 05/29/2007 - 12:44

It's a Cat4510 with the Enhanced L3 image.

sundar.palaniappan Tue, 05/29/2007 - 12:44

Configure an extended access list to allow traffic to the printer, deny traffic to your internal network(s) and allow all other traffic. Apply the access list to the layer 3 interface of the newly created VLAN.

You need a config similar to this one.

int vlan 3

ip access-group 150 in

access-list 150 permit ip any host 10.140.44.22

access-list 150 deny ip any 10.140.0.0 0.0.255.255

access-list 150 permit ip any any

HTH

Sundar

Anonymous (not verified) Tue, 05/29/2007 - 12:50

Hi Sundar, so this access-list will enable a host on VLAN 3 to access the internet, which is a default route on my Cat4510 which is:

ip route 0.0.0.0 0.0.0.0 10.147.1.253

(inside int on PIX) and access to 10.140.44.2 but not allow it to access hosts on any other VLANs such as VLAN 2, 10, 15, 20, etc (10.140.2.x, 10.140.10.x, 10.140.15.x, etc... ?

Anonymous (not verified) Tue, 05/29/2007 - 12:50

andrewdykes Tue, 05/29/2007 - 12:50

ip access-list extended internetonly

permit tcp any any eq www

permit tcp any any eq domain

permit tcp any host 10.140.44.2 eq 9100

permit tcp any any eq 443

deny ip any any

(Port 9100 is HP JetDirect)

Then, apply that access list to the vlan interface with this command:

ip access-group internetonly out

HTH

Andrew

Actions

This Discussion