
New Member

Internet Access only VLAN

I'm looking to create a VLAN on my network that will give users attached to it access only to the Internet and to only one IP printer that is located on my printer VLAN.

My internal network is set up in the following manner:

10.140.0.0 is carved up into multiple class C subnets, one class C for each VLAN.

10.140.3.0/24 is the VLAN that will have hosts on it that I want only to get to the Internet and to 10.140.44.2 (IP printer).

Can anyone provide some insight on how to do this with a sample config?

Thanks..

7 REPLIES
Green

Re: Internet Access only VLAN

What device is routing your vlans?

Anonymous
N/A

Re: Internet Access only VLAN

It's a Cat4510 with the Enhanced L3 image.

Re: Internet Access only VLAN

Configure an extended access list to allow traffic to the printer, deny traffic to your internal network(s) and allow all other traffic. Apply the access list to the layer 3 interface of the newly created VLAN.

You need a config similar to this one.

access-list 150 remark the one internal host allowed: the IP printer on the printer VLAN
access-list 150 permit ip any host 10.140.44.2
access-list 150 remark block everything else in the internal address space (wildcard 0.0.255.255 = 10.140.0.0/16)
access-list 150 deny ip any 10.140.0.0 0.0.255.255
access-list 150 remark anything that is not internal, i.e. Internet-bound traffic via the default route, is allowed
access-list 150 permit ip any any
!
int vlan 3
 ip access-group 150 in

HTH

Sundar

Anonymous
N/A

Re: Internet Access only VLAN

Hi Sundar, so this access list will enable a host on VLAN 3 to access the Internet, which on my Cat4510 is the default route:

ip route 0.0.0.0 0.0.0.0 10.147.1.253

(inside interface on the PIX), and access to 10.140.44.2, but not allow it to access hosts on any other VLANs such as VLAN 2, 10, 15, 20, etc. (10.140.2.x, 10.140.10.x, 10.140.15.x, etc.)?

Re: Internet Access only VLAN

Yes, that's correct.

Anonymous
N/A

Re: Internet Access only VLAN

New Member

Re: Internet Access only VLAN

ip access-list extended internetonly
 remark HTTP to anywhere (note: "any any" also matches internal web servers on port 80)
 permit tcp any any eq www
 remark DNS over TCP only; UDP/53 lookups are not covered by this entry
 permit tcp any any eq domain
 remark raw-port printing to the single permitted printer
 permit tcp any host 10.140.44.2 eq 9100
 remark HTTPS to anywhere (same internal-host caveat as port 80)
 permit tcp any any eq 443
 remark explicit catch-all; an unlisted implicit deny would apply anyway
 deny ip any any

(Port 9100 is HP JetDirect)

Then, apply that access list to the VLAN interface with this command (inbound, because traffic from hosts on the VLAN enters the switch through that SVI; applied outbound it would filter the return traffic instead):

ip access-group internetonly in

HTH

Andrew
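As an added illustration, not part of the thread or of any Cisco tooling, here is a small Python script that applies IOS first-match ACL semantics to both access lists posted above (Sundar's numbered ACL 150 and Andrew's named ACL "internetonly") against a constructed set of flows from a VLAN 3 host. The 203.0.113.x addresses are documentation-range placeholders standing in for Internet hosts, and the evaluator only understands the syntax used in this thread (any / host / address-plus-contiguous-wildcard, and "eq" ports). It shows that a one-character slip in the printer address silently sends the printer through the /16 deny, and that the named ACL's TCP-only DNS entry and its any-to-any www/443 entries behave quite differently from the numbered one.

```python
"""First-match evaluator for the two IOS access lists discussed in the thread (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "domain": 53, "https": 443}


@dataclass
class Ace:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None       # None = any destination port


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def _network(tokens):
    """Consume one address spec (any | host A | A WILDCARD); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # IOS wildcard: 0 bit = must match, 1 bit = don't care. Invert to a subnet mask (contiguous masks only).
    mask = ipaddress.IPv4Address((~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF)
    return ipaddress.IPv4Network((addr, str(mask)), strict=False), tokens[2:]


def parse_acl(text):
    """Parse numbered ('access-list N ...') or named ('permit/deny ...') extended ACL lines."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] == "!" or t[0] == "ip":      # blank, comment, or 'ip access-list extended NAME'
            continue
        if t[0] == "access-list":                      # numbered form: drop 'access-list 150'
            t = t[2:]
        if t[0] == "remark":
            continue
        action, proto = t[0], t[1]
        src, rest = _network(t[2:])
        dst, rest = _network(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(aces, flow):
    """Return the action of the first matching entry; IOS appends an implicit deny."""
    s, d = ipaddress.IPv4Address(flow.src), ipaddress.IPv4Address(flow.dst)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != flow.proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        return ace.action
    return "deny"


# ACL text as posted in the thread (Sundar's numbered list, Andrew's named list).
SUNDAR_ACL = """
access-list 150 permit ip any host 10.140.44.2
access-list 150 deny ip any 10.140.0.0 0.0.255.255
access-list 150 permit ip any any
"""
SUNDAR_ACL_TYPO = SUNDAR_ACL.replace("10.140.44.2\n", "10.140.44.22\n")   # the one-character slip
ANDREW_ACL = """
ip access-list extended internetonly
permit tcp any any eq www
permit tcp any any eq domain
permit tcp any host 10.140.44.2 eq 9100
permit tcp any any eq 443
deny ip any any
"""

# Constructed flows from a VLAN 3 host; 203.0.113.0/24 is documentation space standing in for the Internet.
FLOWS = {
    "printer":      Flow("10.140.3.10", "10.140.44.2", "tcp", 9100),
    "https_out":    Flow("10.140.3.10", "203.0.113.5", "tcp", 443),
    "dns_udp":      Flow("10.140.3.10", "203.0.113.53", "udp", 53),
    "smb_internal": Flow("10.140.3.10", "10.140.2.5", "tcp", 445),
    "web_internal": Flow("10.140.3.10", "10.140.2.5", "tcp", 80),
}


def check(acl_text):
    """Evaluate every constructed flow against one ACL; returns {flow name: 'permit'|'deny'}."""
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("ACL 150", SUNDAR_ACL), ("ACL 150 with 10.140.44.22", SUNDAR_ACL_TYPO), ("internetonly", ANDREW_ACL)):
        print(label)
        for name, verdict in check(acl).items():
            print(f"  {name:13s} {verdict}")
```

Running it shows ACL 150 permitting the printer, HTTPS and UDP DNS while denying both internal flows; the mistyped variant denies the printer because the /16 deny now catches it; and "internetonly" denies UDP DNS (only TCP/53 is listed) but permits port 80 to the internal host, since its www and 443 entries are not scoped away from 10.140.0.0/16.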
