I am tasked with creating a VLAN on our Cisco LAN that will allow vendors and other non-employees to access the internet. It will need to block all LAN-to-LAN communication, while only allowing internet connectivity for VPN or web use. I realize I will use an ACL to accomplish this, but I was wondering if anyone had created such a VLAN, and what their experience has been. Thanks!
Assume you created the VLAN on a layer-2 switch and you're planning to use the subnet 192.168.5.0/24. You created a subinterface on the router or layer-3 switch (assume with IP 192.168.5.1). Then you can write an access-list:
access-list 102 permit ip 192.168.5.0 0.0.0.255 host X.X.X.X
X.X.X.X: the internal leg of your proxy or firewall connected to the internet (hosts on the guest VLAN should have their browsers configured to use this proxy). In the ACL you don't have to deny anything because of the implicit deny.
You can apply this ACL to the 192.168.5.1 interface in the inbound direction:
ip access-group 102 in
These hosts can't reach other VLANs, and even if other VLANs try to reach hosts on this VLAN there will be no answer back. To improve security an additional outbound ACL can be applied:
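The answer above covers the proxy-only variant. The original question also mentions VPN use, which a web proxy normally cannot carry, so the following is an added worked example (written for this page, not taken from the post or from Cisco documentation) of the more general form of the same idea: a named extended ACL on the guest SVI that lets DHCP reach the gateway, blocks everything addressed to RFC1918 internal space, and lets all remaining Internet-bound traffic (HTTP/HTTPS, IKE on UDP 500/4500, ESP, SSL VPN) through. VLAN 50, the 192.168.5.0/24 subnet, the router acting as DHCP server, a public resolver, the port range and the use of `switchport protected` are all assumptions chosen for the example.

```cisco
! Added example for the guest-VLAN discussion above; not part of the original post.
! Assumptions: guest VLAN 50, subnet 192.168.5.0/24, SVI 192.168.5.1 is the gateway
! and DHCP server, the corporate LAN lives entirely in RFC1918 space, and guests use
! a public DNS resolver so no internal server ever has to be reachable.
vlan 50
 name GUEST
!
ip dhcp excluded-address 192.168.5.1 192.168.5.10
ip dhcp pool GUEST
 network 192.168.5.0 255.255.255.0
 default-router 192.168.5.1
 dns-server 8.8.8.8
!
ip access-list extended GUEST-IN
 remark DHCP: client sends from 0.0.0.0/udp 68 to 255.255.255.255/udp 67, renews unicast to the SVI
 permit udp any eq bootpc any eq bootps
 remark Let guests ping their gateway so the help desk can troubleshoot
 permit icmp 192.168.5.0 0.0.0.255 host 192.168.5.1 echo
 remark Everything else aimed at internal address space, including the SVI itself, is dropped
 deny   ip 192.168.5.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 192.168.5.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.255.255
 remark What is left is Internet-bound: web, IKE 500/4500, ESP, SSL VPN all pass
 permit ip 192.168.5.0 0.0.0.255 any
 remark Implicit deny ip any any drops packets with a spoofed, non-guest source
!
interface Vlan50
 description Guest VLAN gateway
 ip address 192.168.5.1 255.255.255.0
 ip access-group GUEST-IN in
!
! Guest access ports. The ACL on the SVI only sees routed traffic; guest-to-guest
! traffic inside VLAN 50 is switched and never reaches it, so isolate the ports too.
interface range GigabitEthernet1/0/10 - 20
 description Guest access ports
 switchport mode access
 switchport access vlan 50
 switchport protected
 spanning-tree portfast
!
```

Two checks worth running after applying this: `show ip access-lists GUEST-IN` shows per-line hit counters, so a guest browsing the web should increment the final `permit ip ... any` line and an attempt to reach an internal server should increment one of the RFC1918 deny lines; and `show ip interface Vlan50` confirms the ACL is bound inbound. Because the ACL sits inbound on the SVI, only packets originated by guests are evaluated; replies from the Internet arrive on the upstream interface and are unaffected, while replies to anything internal are dropped exactly as the answer above describes. The `switchport protected` line is the edge case the SVI ACL cannot cover: on platforms where it is unsupported, a private VLAN (isolated) gives the same guest-to-guest isolation.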