Guest VLAN - Access

Answered Question
Apr 13th, 2010

Hello,

Please comment on the config below: is it correct for a GUEST VLAN?
I need to block communication between the user/server VLANs and the Guest VLAN.
Is the ACL correct? Any other recommendations for security and routing?


On 4506

vlan 2
description "User VLAN"
IP address 10.10.10.1 255.255.255.0

vlan 3
description "Server VLAN"
IP address 192.168.1.1 255.255.255.0

vlan 4
description "User Voice"
IP address 192.168.10.1 255.255.255.0

vlan 5
description "GUEST"
IP address 172.16.1.1 255.255.255.0
ip access-group DENY out
ip access-group DENY in

router ospf 1
network 10.10.10.1 0.0.0.255 area 0
network 192.168.1.0 0.0.0.255 area 0
network 192.168.10.0 0.0.0.255 area 0

ip route 0.0.0.0 0.0.0.0 192.168.1.100
ip route 172.16.1.0 255.255.255.0 172.16.1.2

ip access-list extended DENY
deny   ip 172.16.1.0 0.0.0.255 192.168.10.0 0.0.0.255
deny   ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
deny   ip 172.16.1.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip any any

Correct Answer by Jon Marshall about 6 years 8 months ago

melwin.uk wrote:


Melwin

You only need to apply this ACL inbound on the vlan 5 interface and not outbound, i.e.

int vlan 5

ip access-group DENY in

But apart from that your ACL is fine.

Jon

Please rate helpful posts

Overall Rating: 5 (1 ratings)
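
To see why the outbound application adds nothing, here is an added example (not from the thread) that models the ACL's first-match, wildcard-mask evaluation in Python and runs it over constructed sample flows crossing the VLAN 5 interface in each direction. The host addresses and helper names are assumptions made for illustration, and it assumes standard SVI semantics: "in" is traffic arriving from guest hosts, "out" is traffic routed toward them.

```python
import ipaddress

# ACL "DENY" transcribed from the question (third entry read as
# 10.10.10.0 0.0.0.255): (action, src, src wildcard, dst, dst wildcard)
ACL_DENY = [
    ("deny", "172.16.1.0", "0.0.0.255", "192.168.10.0", "0.0.0.255"),
    ("deny", "172.16.1.0", "0.0.0.255", "192.168.1.0", "0.0.0.255"),
    ("deny", "172.16.1.0", "0.0.0.255", "10.10.10.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]
GUEST_NET = ipaddress.ip_network("172.16.1.0/24")

# Constructed sample flows (src, dst); host addresses are assumptions.
FLOWS = [
    ("172.16.1.50", "10.10.10.20"),    # guest -> user
    ("172.16.1.50", "192.168.1.10"),   # guest -> server
    ("172.16.1.50", "192.168.10.30"),  # guest -> voice
    ("172.16.1.50", "203.0.113.5"),    # guest -> outside
    ("10.10.10.20", "172.16.1.50"),    # user -> guest
    ("192.168.1.10", "172.16.1.50"),   # server -> guest
]

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: bits set in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def evaluate(acl, src, dst):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for index, (action, s, sw, d, dw) in enumerate(acl):
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action, index
    return "deny", None

def svi_direction(src, dst):
    """Direction in which a routed packet crosses the VLAN 5 interface."""
    if ipaddress.ip_address(src) in GUEST_NET:
        return "in"    # arrives from a guest host
    return "out" if ipaddress.ip_address(dst) in GUEST_NET else None

def entries_hit(direction, flows=FLOWS):
    """Indexes of ACL entries matched by the flows crossing in `direction`."""
    return {evaluate(ACL_DENY, s, d)[1] for s, d in flows
            if svi_direction(s, d) == direction}

if __name__ == "__main__":
    for s, d in FLOWS:
        print(svi_direction(s, d), s, "->", d, evaluate(ACL_DENY, s, d))
```

Every flow in the "out" direction falls through to `permit ip any any`, because no packet routed toward the guest VLAN carries a guest source address. Only the inbound application ever reaches the three deny entries.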
Correct Answer
Jon Marshall Tue, 04/13/2010 - 07:33
