Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
257
Views
0
Helpful
1
Replies

VLAN isolation to just Internet, no local accessibility

annedunkelberger
Level 4
Level 4

‎09-19-2007 05:22 AM - edited ‎03-05-2019 06:34 PM

I have a VLAN I want isolated to just Internet access. I have a pix 515, Catalyst 4006 with Layer 3 routing module. Is there an easy way to do this with access-lists?

Labels:
0 Helpful
1 Reply 1

Jon Marshall
Hall of Fame
Hall of Fame

‎09-19-2007 08:57 AM

Hi

Assuming the vlan interface for the isolated vlan is on the 4006 you need to create an access-list that denies traffic from any other vlan in your network and then permits from any other ie. the Internet

So lets assume you have 3 other subnets on your 4006

192.168.5.0/24

192.168.6.0/24

192.168.7.0/24

The isolated subnet is

192.168.8.0/24

Also lets assume the isolated vlan interface is vlan 10

access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.8.0 0.0.0.255

access-list 101 deny ip 192.168.6.0 0.0.0.255 192.168.8.0 0.0.0.255

access-list 101 deny ip 192.168.7.0 0.0.0.255 192.168.8.0 0.0.0.255

access-list 101 permit ip any 192.168.8.0 0.0.0.255

access-list 102 deny ip 192.168.8.0 0.0.0.255 192.168.5.0 0.0.0.255

access-list 102 deny ip 192.168.8.0 0.0.0.255 192.168.6.0 0.0.0.255

access-list 102 deny ip 192.168.8.0 0.0.0.255 192.168.7.0 0.0.0.255

access-list 102 permit 192.168.8.0 0.0.0.255 any

interface vlan 10

ip access-group 101 out

ip access-group 102 in

HTH

Jon

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card