Internet Access only VLAN

admin_2 · ‎05-29-2007

I'm looking to create a VLAN on my network that will give users attached to it access only to the Internet and to only 1 IP Printer that is located on my printer VLAN.

My internal network is setup in the following manner:

10.140.0.0 is carved up into multiple class C subnets, one class C for each VLAN.

10.140.3.0 /24 is the VLAN that will have hosts on it that I want only to get to the internet and to 10.140.44.2 (IP Printer)

Can anyone provide some insight on how to do this with a sample config?

Thanks..

acomiskey · ‎05-29-2007

What device is routing your vlans?

Report Inappropriate Content · ‎05-29-2007

It's a Cat4510 with the Enhanced L3 image.

sundar.palaniappan · ‎05-29-2007

Configure an extended access list to allow traffic to the printer, deny traffic to your internal network(s) and allow all other traffic. Apply the access list to the layer 3 interface of the newly created VLAN.

You need a config similar to this one.

int vlan 3

ip access-group 150 in

access-list 150 permit ip any host 10.140.44.22

access-list 150 deny ip any 10.140.0.0 0.0.255.255

access-list 150 permit ip any any

HTH

Sundar

Report Inappropriate Content · ‎05-29-2007

Hi Sundar, so this access-list will enable a host on VLAN 3 to access the internet, which is a default route on my Cat4510 which is:

ip route 0.0.0.0 0.0.0.0 10.147.1.253

(inside int on PIX) and access to 10.140.44.2 but not allow it to access hosts on any other VLANs such as VLAN 2, 10, 15, 20, etc (10.140.2.x, 10.140.10.x, 10.140.15.x, etc... ?

sundar.palaniappan · ‎05-29-2007

Yes, that's correct.

Report Inappropriate Content · ‎05-29-2007

andrewdykes · ‎05-29-2007

ip access-list extended internetonly

permit tcp any any eq www

permit tcp any any eq domain

permit tcp any host 10.140.44.2 eq 9100

permit tcp any any eq 443

deny ip any any

(Port 9100 is HP JetDirect)

Then, apply that access list to the vlan interface with this command:

ip access-group internetonly out

HTH

Andrew