12-05-2011 04:27 AM - edited 03-07-2019 03:44 AM
Hi,
I am creating a VLAN pool for guest users to access the Internet only.
How can I deny access to all the local LAN VLANs?
My Guest VLAN subnet is 192.168.9.0
So i need to deny access to all the VLANs:
192.168.1.0
192.168.2.0
192.168.3.0
192.168.4.0
192.168.5.0
192.168.6.0
192.168.7.0
192.168.8.0
I have tried the following access-list configuration:
access-list 127 permit ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.7
access-list 127 permit ip 192.168.9.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 127 deny ip 192.168.9.0 0.0.0.255 192.168.0.0 0.0.7.255
access-list 127 permit ip any any
But it didn't work, as I couldn't ping any local LAN IPs, nor browse any website.
Thanks
12-05-2011 04:36 AM
Well, if you have an SVI created for this VLAN you can do the following. I'm assuming all unknown routes go out your
Internet default gateway?
int vlan x
ip address 192.168.9.1 255.255.255.0 (I'm just using .1 as an example, I don't know what your gateway is numbered)
ip access-group 111 in
access-list 111 extended deny ip 192.168.9.0 0.0.0.255 192.168.0.0 0.0.0.7 log
access-list 111 extended deny ip 192.168.9.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 111 extended permit ip any any
EDIT:
---------
Is this an ASA by any chance? Also, what direction and interface do you have this associated with?
hahaha, sorry, I had a brainfart with my config... Freakin' Monday mornings.
access-list 111 extended deny ip 192.168.9.0 0.0.0.255 192.168.0.0 0.0.7.255 log
The poster below is correct as well.
12-05-2011 04:40 AM
Thanks John,
My Internet gateway is 192.168.1.6 (my firewall).
This is a 4503 switch.
I will update you after trying these rules.
12-05-2011 04:48 AM
It only denies access to the 192.168.8.0 subnet, but I can access all other subnets.
So should I repeat the second command for all other subnets?
12-05-2011 04:57 AM
Hi,
You need to deny all the required subnets and at the end give permit any any, like below...
ip access-list exte Guest_access
deny ip any 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255 192.168.2.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255 192.168.3.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255 192.168.4.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255 192.168.5.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255 192.168.6.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255 192.168.7.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255 192.168.8.0 0.0.0.255
permit ip any any
Like above, if you need to add any other subnets that should not be accessible from the Guest VLAN, you can do so by adding a deny ip any xxxxx command. But make sure you keep that permit ip any any last.
int vlan Guest
ip access-group Guest_access in
Please rate the helpful posts.
Regards,
Naidu.
12-05-2011 05:00 AM
Can't we reduce the list?
Like deny any, and give access to the Internet gateway and to the same subnet (192.168.9.0)?
12-05-2011 05:06 AM
access-list 111 extended deny ip 192.168.9.0 0.0.0.255 192.168.0.0 0.0.7.255 log
access-list 111 extended deny ip 192.168.9.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 111 extended permit ip any any
Try again, I messed up my earlier config.
12-05-2011 05:07 AM
Hi,
Yeah, you can use a subnet...
deny ip any 192.168.9.0 0.0.0.255 192.168.1.0 0.0.15.255
permit ip any any
Please rate the helpful posts.
Regards,
Naidu.
12-05-2011 10:03 PM
So I just need to add the following rule:
deny ip any 192.168.9.0 0.0.0.255 192.168.1.0 0.0.8.255
permit ip any any
But it's giving an error at 192.168.9.0 after any.
And if I give the following rules, there are no changes to my VLAN access:
Extended IP access list 127
10 deny ip 192.168.9.0 0.0.0.255 192.168.0.0 0.0.0.7 log
20 deny ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.8.255 (14 matches)
30 permit ip any any (1 match)
12-05-2011 11:16 PM
Hi,
Sorry, it was a typo.
The rule should be like below...
deny ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.15.255
permit ip any any
Please rate the helpful posts.
Regards,
Naidu.
12-06-2011 04:30 AM
It's like it totally blocked all access.
I can't get Internet access.
12-06-2011 04:38 AM
Are you putting this ACL in the inbound direction on that VLAN?
For example:
int vlan 200
ip access-group 10 in
Can you ping the default gateway for 192.168.9.0/24 network?
deny ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.15.255
This statement will block access for the 192.168.9.0/24 network to 192.168.1.0 up to 192.168.15.254.
12-06-2011 04:43 AM
Yes, it's blocking 192.168.9.1 (default gateway).
But previously I tried:
Extended IP access list 127
10 deny ip 192.168.9.0 0.0.0.255 192.168.0.0 0.0.0.7 log
20 deny ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.8.255 (14 matches)
30 permit ip any any (1 match)
It didn't block anything.
12-06-2011 05:10 AM
Yeah that was incorrect on my part. Try the following.
access-list 111 extended deny ip 192.168.9.0 0.0.0.255 192.168.0.0 0.0.7.255
access-list 111 extended deny ip 192.168.9.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 111 extended permit ip any any
That should block everything from 192.168.0.0 - 192.168.8.255.
Everything else is permitted.
So it will block the 192.168.0.0/24 network (I don't know if that's a problem for you or not).
ip access-list exte Guest_access
deny ip any 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255 192.168.2.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255 192.168.3.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255 192.168.4.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255 192.168.5.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255 192.168.6.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255 192.168.7.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255 192.168.8.0 0.0.0.255
permit ip any any
What Latchum said will work as well, but I know you want to cut down
on list size.
12-06-2011 05:54 AM
Hi,
When you want a few of the networks blocked, then you have to follow what I suggested, because if you want to cut it down by using a subnet then the main network (192.168.9.0) will fall under that subnet.
Please rate the helpful posts.
Regards,
Naidu.
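The disagreement in this thread over the summarized rule (deny ... 192.168.1.0 0.0.15.255 in Naidu's posts, the 192.168.1.0 0.0.8.255 attempt in the OP's show output, and John's two-line 0.0.7.255 plus 192.168.8.0/24 version) comes down to Cisco wildcard-mask arithmetic: a 1 bit in the wildcard is "don't care", so the address you type next to it is not a starting point of a range but a pattern, and 192.168.1.0 0.0.15.255 matches 192.168.0.0 through 192.168.15.255, guest VLAN and gateway included. The Python below is an added example, not from the thread or from Cisco: it expands a base/wildcard pair into the CIDR blocks it actually matches, then evaluates the thread's ACLs against a constructed guest host (192.168.9.50, assumed) and a constructed Internet address (203.0.113.10), so you can check an ACL on paper before putting it on the SVI. The parser accepts the plain "permit/deny ip src wc dst wc [log]" form with optional sequence numbers and "(N matches)" counters as printed by show access-lists; the ASA-style "access-list 111 extended" prefix used in some posts is not handled.

```python
import ipaddress


def _as_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_matches(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    w = _as_int(wildcard)
    return (_as_int(addr) & ~w) == (_as_int(base) & ~w)


def covered_prefixes(base, wildcard):
    """Expand a base/wildcard pair into the CIDR blocks it really matches.

    A contiguous wildcard (0.0.7.255) yields one block. A non-contiguous one
    (0.0.8.255) yields several disjoint blocks, which is rarely what the
    author intended."""
    b, w = _as_int(base), _as_int(wildcard)
    low = 0
    while w & (1 << low):
        low += 1                          # length of the trailing run of 1 bits
    high = w & ~((1 << low) - 1)          # 'do not care' bits above that run
    high_bits = [i for i in range(32) if high & (1 << i)]
    if len(high_bits) > 12:
        raise ValueError("wildcard too sparse to enumerate sensibly")
    nets = set()
    for combo in range(1 << len(high_bits)):
        extra = 0
        for j, bit in enumerate(high_bits):
            if combo & (1 << j):
                extra |= 1 << bit
        nets.add(ipaddress.IPv4Network(((b & ~w) | extra, 32 - low)))
    return [str(n) for n in sorted(nets)]


def _addr_spec(tok):
    if tok[0] == 'any':
        return ('0.0.0.0', '255.255.255.255'), tok[1:]
    if tok[0] == 'host':
        return (tok[1], '0.0.0.0'), tok[2:]
    return (tok[0], tok[1]), tok[2:]


def parse_acl(text):
    """Parse 'permit|deny ip <src> <dst> [log]' lines; sequence numbers and
    '(N matches)' counters from 'show access-lists' are ignored."""
    entries = []
    for raw in text.strip().splitlines():
        tok = raw.split('(')[0].split()   # drop the hit counter, if any
        if tok and tok[0].isdigit():
            tok = tok[1:]                 # '10 deny ip ...' -> 'deny ip ...'
        if len(tok) >= 2 and tok[-1] == 'log':
            tok = tok[:-1]
        if len(tok) < 4 or tok[0] not in ('permit', 'deny') or tok[1] != 'ip':
            raise ValueError(f"unsupported entry: {raw}")
        src, rest = _addr_spec(tok[2:])
        dst, rest = _addr_spec(rest)
        entries.append((tok[0], src, dst))
    return entries


def evaluate(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, (sb, sw), (db, dw) in acl:
        if wildcard_matches(src, sb, sw) and wildcard_matches(dst, db, dw):
            return action
    return 'deny'


# Constructed test traffic: a guest client (assumed address) talking to the
# hosts named in the thread plus a stand-in Internet address (TEST-NET-3).
GUEST_HOST = '192.168.9.50'
TARGETS = {
    'guest gateway 192.168.9.1': '192.168.9.1',
    'firewall 192.168.1.6': '192.168.1.6',
    'LAN host 192.168.8.20': '192.168.8.20',
    'Internet 203.0.113.10': '203.0.113.10',
}

# The single summarized rule suggested in the thread.
SUMMARISED = """
deny ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.15.255
permit ip any any
"""

# The two-line version: 192.168.0.0/21 plus 192.168.8.0/24, guest VLAN untouched.
TWO_LINE = """
deny ip 192.168.9.0 0.0.0.255 192.168.0.0 0.0.7.255
deny ip 192.168.9.0 0.0.0.255 192.168.8.0 0.0.0.255
permit ip any any
"""


def reachability(acl_text, src=GUEST_HOST, targets=TARGETS):
    """Map each target name to 'permit' or 'deny' for traffic from src."""
    acl = parse_acl(acl_text)
    return {name: evaluate(acl, src, ip) for name, ip in targets.items()}


if __name__ == '__main__':
    print('0.0.15.255 covers', covered_prefixes('192.168.1.0', '0.0.15.255'))
    print('0.0.8.255 covers ', covered_prefixes('192.168.1.0', '0.0.8.255'))
    for label, acl in (('summarised', SUMMARISED), ('two-line', TWO_LINE)):
        print(label, reachability(acl))
```

Running it shows why the summarized rule "totally blocked all access": 0.0.15.255 next to 192.168.1.0 is simply 192.168.0.0/20, so the guest gateway and the firewall both fall inside the deny. The 0.0.8.255 wildcard is worse in a different way: it is not a range of eight subnets but the two disjoint blocks 192.168.1.0/24 and 192.168.9.0/24. The two-line form leaves the guest VLAN alone and still denies the firewall's own address; that is fine for Internet-bound packets, which carry the Internet destination, not the next hop, but it does mean guests cannot reach any service hosted on 192.168.1.6 itself.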