Guest VLAN - Access

Answered Question
Apr 13th, 2010

Hello,

Please comment on the mentioned config: is it correct for the GUEST VLAN?
I need to block communication between the user/server VLANs and the Guest VLAN.
Are the ACLs correct? Any other recommendations for security and routing?


On 4506

vlan 2
description "User VLAN"
IP address 10.10.10.1 255.255.255.0


vlan 3
description "Server VLAN"
IP address 192.168.1.1 255.255.255.0


vlan 4
description "User Voice"
IP address 192.168.10.1 255.255.255.0


vlan 5
description "GUEST"
IP address 172.16.1.1 255.255.255.0
ip access-group DENY out
ip access-group DENY in


router ospf 1
network 10.10.10.1 0.0.0.255 area 0
network 192.168.1.0 0.0.0.255 area 0
network 192.168.10.0 0.0.0.255 area 0


ip route 0.0.0.0 0.0.0.0 192.168.1.100
ip route 172.16.1.0 255.255.255.0 172.16.1.2


ip access-list extended DENY
deny   ip 172.16.1.0 0.0.0.255 192.168.10.0 0.0.0.255
deny   ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
deny   ip 172.16.1.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip any any

Correct Answer by Jon Marshall about 7 years 2 months ago

melwin.uk wrote:




Melwin


You only need to apply this ACL inbound on the vlan 5 interface and not outbound, i.e.


int vlan 5

ip access-group DENY in


But apart from that your acl is fine.


Jon


Please rate helpful posts

Overall Rating: 5 (1 ratings)
Jon Marshall Tue, 04/13/2010 - 07:33
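
Added example (not part of the original thread, and not Cisco code): a small first-match evaluator for the DENY ACL from the question, showing why the inbound application on the vlan 5 interface does the filtering and the outbound one never hits a deny entry. The host addresses are constructed samples, and the parser handles only `ip` entries with wildcard masks or `any`.

```python
import ipaddress

# The DENY ACL from the question (only "ip" entries with wildcard masks or "any").
ACL_TEXT = """\
deny   ip 172.16.1.0 0.0.0.255 192.168.10.0 0.0.0.255
deny   ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
deny   ip 172.16.1.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip any any
"""

def _spec(tokens):
    """Consume 'any' or '<base> <wildcard>'; return ((base, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    base, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    return (base, wild), tokens[2:]

def parse_acl(text):
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        src, rest = _spec(tok[2:])   # tok[0] = action, tok[1] = protocol
        dst, _ = _spec(rest)
        entries.append((tok[0], src, dst))
    return entries

def _match(addr, spec):
    base, wild = spec
    # Wildcard bits set to 1 are "don't care" bits.
    return (int(ipaddress.IPv4Address(addr)) | wild) == (base | wild)

def evaluate(entries, src, dst):
    """First match wins. Returns (action, 1-based entry number); 0 = implicit deny."""
    for number, (action, s, d) in enumerate(entries, 1):
        if _match(src, s) and _match(dst, d):
            return action, number
    return "deny", 0

def deny_hits(entries, packets):
    """Number of (src, dst) packets the ACL drops."""
    return sum(1 for s, d in packets if evaluate(entries, s, d)[0] == "deny")

ACL = parse_acl(ACL_TEXT)
# Constructed sample hosts: one guest, one per internal VLAN, one outside address.
GUEST, OUTSIDE = "172.16.1.50", "198.51.100.7"
INTERNAL = ["10.10.10.20", "192.168.1.10", "192.168.10.30"]
INBOUND = [(GUEST, h) for h in INTERNAL + [OUTSIDE]]    # entering the SVI from guests
OUTBOUND = [(h, GUEST) for h in INTERNAL + [OUTSIDE]]   # routed out toward guests
```

Every deny entry requires a source in 172.16.1.0/24, which only packets arriving from the guest VLAN carry, so the outbound direction falls through to `permit ip any any`. With the ACL applied inbound only, packets from the internal VLANs are still routed to guest hosts, and it is the guests' replies that are dropped.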