05-29-2007 12:34 PM - edited 03-05-2019 04:21 PM
I'm looking to create a VLAN on my network that will give users attached to it access only to the Internet and to only 1 IP Printer that is located on my printer VLAN.
My internal network is setup in the following manner:
10.140.0.0 is carved up into multiple class C subnets, one class C for each VLAN.
10.140.3.0 /24 is the VLAN that will have hosts on it that I want only to get to the internet and to 10.140.44.2 (IP Printer)
Can anyone provide some insight on how to do this with a sample config?
Thanks..
05-29-2007 12:43 PM
What device is routing your vlans?
05-29-2007 12:44 PM
It's a Cat4510 with the Enhanced L3 image.
05-29-2007 12:44 PM
Configure an extended access list to allow traffic to the printer, deny traffic to your internal network(s) and allow all other traffic. Apply the access list to the layer 3 interface of the newly created VLAN.
You need a config similar to this one.
int vlan 3
ip access-group 150 in
access-list 150 permit ip any host 10.140.44.22
access-list 150 deny ip any 10.140.0.0 0.0.255.255
access-list 150 permit ip any any
HTH
Sundar
05-29-2007 12:50 PM
Hi Sundar, so this access-list will enable a host on VLAN 3 to access the internet, which is a default route on my Cat4510 which is:
ip route 0.0.0.0 0.0.0.0 10.147.1.253
(inside int on PIX) and access to 10.140.44.2 but not allow it to access hosts on any other VLANs such as VLAN 2, 10, 15, 20, etc (10.140.2.x, 10.140.10.x, 10.140.15.x, etc... ?
05-29-2007 12:58 PM
Yes, that's correct.
05-29-2007 12:50 PM
05-29-2007 12:50 PM
ip access-list extended internetonly
permit tcp any any eq www
permit tcp any any eq domain
permit tcp any host 10.140.44.2 eq 9100
permit tcp any any eq 443
deny ip any any
(Port 9100 is HP JetDirect)
Then, apply that access list to the vlan interface with this command:
ip access-group internetonly out
HTH
Andrew
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: