
New Member

VLAN pool need to deny access to LAN

Hi,

I am creating a VLAN pool, for guest users to access internet only.

How can I deny access to all the local LAN VLANs?

My Guest VLAN subnet is 192.168.9.0

So I need to deny access to all the VLANs:

192.168.1.0

192.168.2.0

192.168.3.0

192.168.4.0

192.168.5.0

192.168.6.0

192.168.7.0

192.168.8.0

I have tried the following access-list configuration:

access-list 127 permit ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.7
access-list 127 permit ip 192.168.9.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 127 deny ip 192.168.9.0 0.0.0.255 192.168.0.0 0.0.7.255
access-list 127 permit ip any any

But it didn't work, as I couldn't ping any local LAN IPs, nor browse any website.

Thanks

15 REPLIES

Re: VLAN pool need to deny access to LAN

Well if you have an SVI created for this vlan you can do the following. I'm assuming all unknown routes go out your Internet default gateway?

int vlan x
ip address 192.168.9.1 255.255.255.0 (I'm just using .1 as an example, I don't know what your gateway is numbered)
access-group in 111

access-list 111 extended deny ip 192.168.9.0 0.0.0.255 192.168.0.0 0.0.0.7 log
access-list 111 extended deny ip 192.168.9.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 111 extended permit ip any any

EDIT:

---------

Is this an ASA by any chance? Also, what direction and interface do you have this associated with?

hahaha, sorry I had a brain fart with my config... Freakin' Monday mornings.

access-list 111 extended deny ip 192.168.9.0 0.0.0.255 192.168.0.0 0.0.7.255 log

The poster below is correct as well.

New Member

VLAN pool need to deny access to LAN

Thanks John,

My Internet Gateway is 192.168.1.6 (my firewall)

This is a switch 4503.

I will update you after trying these rules.

New Member

VLAN pool need to deny access to LAN

It's only denying access to the 192.168.8.0 subnet, but I can access all other subnets.

So should I repeat the second command for all other subnets?

VLAN pool need to deny access to LAN

Hi,

You need to deny all the required subnets and at the end give permit any any like below...


ip access-list exte Guest_access
deny ip any 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255 192.168.2.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255 192.168.3.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255 192.168.4.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255 192.168.5.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255 192.168.6.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255 192.168.7.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255 192.168.8.0 0.0.0.255
permit ip any any

As above, if you need to add any other subnets that should not be accessible from the Guest VLAN, you can do so by adding a deny ip any xxxxx command. But make sure you keep that permit ip any any last.


int vlan Guest
ip access-group Guest_access in

Please rate the helpful posts.
Regards,
Naidu.

New Member

VLAN pool need to deny access to LAN

Can't we reduce the list?

Like deny any, and give access to the Internet gateway and to the same subnet (192.168.9.0).

Re: VLAN pool need to deny access to LAN

access-list 111 extended deny ip 192.168.9.0 0.0.0.255 192.168.0.0 0.0.7.255 log
access-list 111 extended deny ip 192.168.9.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 111 extended permit ip any any

Try again, I messed up my earlier config.

Re: VLAN pool need to deny access to LAN

Hi,

Yeah, you can use subnet...

deny ip any 192.168.9.0 0.0.0.255 192.168.1.0 0.0.15.255
permit ip any any


Please rate the helpful posts.
Regards,
Naidu.

New Member

Re: VLAN pool need to deny access to LAN

So I just need to add the following rule:

deny ip any 192.168.9.0 0.0.0.255 192.168.1.0 0.0.8.255
permit ip any any

But it's giving an error at 192.168.9.0 after any.

And if I give the following rules, there are no changes to my VLAN access:

Extended IP access list 127
    10 deny ip 192.168.9.0 0.0.0.255 192.168.0.0 0.0.0.7 log
    20 deny ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.8.255 (14 matches)
    30 permit ip any any (1 match)

VLAN pool need to deny access to LAN

Hi,

Sorry, it was a typo.
The rule should be like below...

deny ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.15.255
permit ip any any

Please rate the helpful posts.
Regards,
Naidu.

New Member

VLAN pool need to deny access to LAN

It's like it totally blocked all access.

I can't get Internet access.

Re: VLAN pool need to deny access to LAN

Are you putting this ACL in the inbound direction on that VLAN?

FE

-----

int vlan 200
access-group 10 in

Can you ping the default gateway for 192.168.9.0/24 network?

deny ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.15.255

This statement will block access for the 192.168.9.0/24 network to 192.168.1.0 up to 192.168.15.254.

New Member

VLAN pool need to deny access to LAN

Yes, it's blocking 192.168.9.1 (default gateway).

But previously I tried:

Extended IP access list 127
    10 deny ip 192.168.9.0 0.0.0.255 192.168.0.0 0.0.0.7 log
    20 deny ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.8.255 (14 matches)
    30 permit ip any any (1 match)

It didn't block anything.

Re: VLAN pool need to deny access to LAN

Yeah that was incorrect on my part. Try the following.

access-list 111 extended deny ip 192.168.9.0 0.0.0.255 192.168.0.0 0.0.7.255
access-list 111 extended deny ip 192.168.9.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 111 extended permit ip any any

That should block everything from 192.168.0.0 - 192.168.8.255. Everything else is permitted.

So it will block the 192.168.0.0/24 network (I don't know if that's a problem for you or not).

ip access-list exte Guest_access
deny ip any 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255 192.168.2.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255 192.168.3.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255 192.168.4.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255 192.168.5.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255 192.168.6.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255 192.168.7.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255 192.168.8.0 0.0.0.255
permit ip any any

What Latchum said will work as well, but I know you want to cut down on list size.

VLAN pool need to deny access to LAN

Hi,


When you want only some of the networks blocked, you have to follow what I suggested, because if you cut it down by using a summary subnet then the main network (192.168.9.0) will fall under that subnet.

Please rate the helpful posts.
Regards,
Naidu.

New Member

VLAN pool need to deny access to LAN

Ok,

I am not getting anywhere, this is what I tried:

Extended IP access list 127
    10 deny ip 192.168.9.0 0.0.0.255 192.168.0.0 0.0.7.255 (26 matches)
    20 deny ip 192.168.9.0 0.0.0.255 192.168.8.0 0.0.0.255
    30 permit ip any any

But this is denying access to the firewall (192.168.1.6) also, so I cannot browse the Internet.

So should it be as the following:

Extended IP access list 127
    10 permit ip 192.168.9.0 0.0.0.255 host 192.168.1.6
    20 deny ip 192.168.9.0 0.0.0.255 192.168.0.0 0.0.7.255
    30 deny ip 192.168.9.0 0.0.0.255 192.168.8.0 0.0.0.255
    40 permit ip any any
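The wildcard-mask behaviour argued over in this thread can be checked offline before a list is applied to the SVI: the summarised `192.168.1.0 0.0.15.255` entry Naidu proposed (and FE explained) reaches 192.168.0.0 through 192.168.15.255 and so swallows the guest subnet and its own gateway, the `0.0.8.255` attempt is a non-contiguous wildcard that matches 192.168.1.0/24 and 192.168.9.0/24 only, and the final list above permits the firewall host before the summary denies. The Python below is an added example written for this page, not any poster's configuration or Cisco code; it models first-match ACL evaluation with the implicit deny at the end. The guest client address 192.168.9.50 and the Internet destination 203.0.113.5 are constructed sample values.

```python
import ipaddress


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means "don't care",
    a 0 bit means "must equal the base". Unlike a netmask the 1 bits need not
    be contiguous, which is why 0.0.8.255 is accepted but matches an odd set."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def _parse_addr(toks):
    """Consume one address spec: 'any', 'host X', or 'X WILDCARD'."""
    if toks[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), toks[1:]
    if toks[0] == "host":
        return (toks[1], "0.0.0.0"), toks[2:]
    return (toks[0], toks[1]), toks[2:]


def parse_acl(text):
    """Parse '<permit|deny> ip <src> <dst> [log]' lines into tuples.
    Leading sequence numbers are skipped and a trailing 'log' is ignored."""
    acl = []
    for line in text.strip().splitlines():
        toks = line.split()
        if toks[0].isdigit():
            toks = toks[1:]
        action, proto = toks[0], toks[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError("unsupported entry: " + line)
        src, rest = _parse_addr(toks[2:])
        dst, _ = _parse_addr(rest)
        acl.append((action, src, dst))
    return acl


def evaluate(acl, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, (sb, sw), (db, dw) in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


def covered_third_octets(base, wildcard):
    """Which 192.168.X.0/24 networks a destination entry reaches."""
    return [x for x in range(256) if wildcard_match(f"192.168.{x}.0", base, wildcard)]


# Summarised entry: meant for 192.168.1.0-192.168.8.0, but 0.0.15.255 spans
# 192.168.0.0-192.168.15.255, guest subnet and gateway included.
ACL_SUMMARY = parse_acl("""
deny ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.15.255
permit ip any any
""")

# Non-contiguous wildcard: third-octet bit 8 is "don't care", the other bits
# must equal 1, so only third octets 1 and 9 match.
ACL_NONCONTIG = parse_acl("""
10 deny ip 192.168.9.0 0.0.0.255 192.168.0.0 0.0.0.7 log
20 deny ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.8.255
30 permit ip any any
""")

# Final proposal: permit the firewall host first, then deny 192.168.0.0/21
# and 192.168.8.0/24, then permit everything else (Internet, guest gateway).
ACL_FINAL = parse_acl("""
10 permit ip 192.168.9.0 0.0.0.255 host 192.168.1.6
20 deny ip 192.168.9.0 0.0.0.255 192.168.0.0 0.0.7.255
30 deny ip 192.168.9.0 0.0.0.255 192.168.8.0 0.0.0.255
40 permit ip any any
""")

GUEST = "192.168.9.50"  # constructed guest client address
TARGETS = {
    "guest gateway 192.168.9.1": "192.168.9.1",
    "firewall 192.168.1.6": "192.168.1.6",
    "other LAN host 192.168.3.10": "192.168.3.10",
    "LAN host 192.168.8.20": "192.168.8.20",
    "Internet 203.0.113.5": "203.0.113.5",  # constructed, documentation range
}


def report(acl):
    """Verdict per sample destination for a guest client."""
    return {label: evaluate(acl, GUEST, ip) for label, ip in TARGETS.items()}


if __name__ == "__main__":
    for name, acl in (("summary 0.0.15.255", ACL_SUMMARY),
                      ("non-contiguous 0.0.8.255", ACL_NONCONTIG),
                      ("final list", ACL_FINAL)):
        print(name)
        for label, verdict in report(acl).items():
            print(f"  {label:30} -> {verdict}")
    print("192.168.1.0 0.0.8.255 covers third octets",
          covered_third_octets("192.168.1.0", "0.0.8.255"))
```

The simulator only says what each entry matches on paper; whether the list is applied inbound on the right SVI, as FE asked, is a separate check, and the hit counters in `show access-list` are the place to confirm the two agree.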
