Cisco Support Community

VLAN access-list

Hi All Experts,

I need to restrict VLAN-to-VLAN access but still be able to access the Internet. How can I do this?

Please help.

Thank you.

Rgds,

Au Yeong Shaw Voel

Accepted Solution

Re: VLAN access-list

Hello,

I think you meant you want to restrict traffic from one VLAN to another, but from these VLANs you want no traffic restrictions to the Internet. You can create an access list preventing traffic from a certain network to a VLAN and allowing traffic to the Internet. For example:

vlan x - 1.1.1.0/24

vlan y - 1.1.2.0/24

! x and y are placeholders for standard ACL numbers (1-99) and VLAN ids
! list x blocks sources in vlan x and permits everything else
access-list x deny 1.1.1.0 0.0.0.255
access-list x permit any
! list y blocks sources in vlan y and permits everything else
access-list y deny 1.1.2.0 0.0.0.255
access-list y permit any
! each list is applied outbound on the other VLAN's SVI
interface vlan x
 ip address 1.1.1.1 255.255.255.0
 ip access-group y out
interface vlan y
 ip address 1.1.2.1 255.255.255.0
 ip access-group x out

The point of the above example is to show, on each VLAN, an access list preventing a certain network from accessing it while allowing traffic to and from the Internet. The access list above is a rough example; a more refined one might be better suited to your configuration depending on your requirements.

Please rate helpful posts.
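The accepted answer's ACL design, as an added Python model (not code from the post or from Cisco): it evaluates the two standard ACLs outbound on each SVI with IOS wildcard-mask semantics, first match wins and implicit deny at the end, so you can check which flows the design blocks. It assumes that destinations outside both VLANs leave through an unfiltered uplink and that same-subnet traffic is switched at layer 2 without touching the SVI; the sample addresses are constructed.

```python
import ipaddress

# Constructed model of the two standard ACLs in the post: (action, network, wildcard).
# "permit any" is written as network 0.0.0.0 with an all-ones wildcard.
ACLS = {
    "x": [("deny", "1.1.1.0", "0.0.0.255"), ("permit", "0.0.0.0", "255.255.255.255")],
    "y": [("deny", "1.1.2.0", "0.0.0.255"), ("permit", "0.0.0.0", "255.255.255.255")],
}
# Outbound ACL on each SVI, as in the post: vlan x carries list y, vlan y carries list x.
OUTBOUND = {"vlan x": "y", "vlan y": "x"}
SUBNETS = {"vlan x": ipaddress.ip_network("1.1.1.0/24"),
           "vlan y": ipaddress.ip_network("1.1.2.0/24")}


def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return (int(ipaddress.ip_address(addr)) & care) == (int(ipaddress.ip_address(network)) & care)


def evaluate_acl(name, src):
    """Standard ACL: first matching entry wins, implicit deny at the end."""
    for action, network, wildcard in ACLS[name]:
        if wildcard_match(src, network, wildcard):
            return action
    return "deny"


def egress_interface(dst):
    """Assumption: destinations outside both VLANs leave via an unfiltered uplink."""
    for svi, net in SUBNETS.items():
        if ipaddress.ip_address(dst) in net:
            return svi
    return "uplink"


def is_forwarded(src, dst):
    """Decide whether the post's config lets a packet from src reach dst."""
    src_svi = egress_interface(src)
    dst_svi = egress_interface(dst)
    # Same-subnet traffic is switched at layer 2 and never crosses the SVI,
    # so a router ACL cannot restrict it (that is what VACLs are for).
    if src_svi == dst_svi != "uplink":
        return True
    acl = OUTBOUND.get(dst_svi)
    return acl is None or evaluate_acl(acl, src) == "permit"


if __name__ == "__main__":
    for flow in [("1.1.1.10", "1.1.2.10"), ("1.1.1.10", "203.0.113.5"),
                 ("203.0.113.5", "1.1.1.10"), ("1.1.1.10", "1.1.1.20")]:
        print(flow, "forwarded" if is_forwarded(*flow) else "dropped")
```

The model shows why the design works: outbound filtering on the SVI drops inter-VLAN traffic, while Internet return traffic hits the same list with a non-VLAN source and falls through to the permit any.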

4 REPLIES

Re: VLAN access-list

Hi,

You can give IP addresses to the VLAN interfaces and then configure default static routes from the VLAN interfaces to the Internet.

Enable ip routing.

ip route 0.0.0.0 0.0.0.0 <ip address>, where ip address is the IP address of the VLAN interface.

regards,

sridhar.

Re: VLAN access-list

Hello,

The question would be: do you need to restrict the traffic inside the same VLAN, or inter-VLAN?

For intra-VLAN (same VLAN) traffic there are at least 2 solutions:

private VLANs and VACLs (VLAN ACLs, as in your post title).

For inter-VLAN you can use an extended ACL to accomplish this task.

Using something like:

access-list 100 permit tcp 10.10.10.0 0.0.0.255 any eq www

If you need more detailed configs, please give us more details on your set up.

"Securing Networks with Private VLANs and VLAN Access Control Lists"

http://www.cisco.com/warp/public/473/90.shtml

ACL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part15/schacls.htm#wp1000913

HTH; if it does, please rate this post.

Vlad

Re: VLAN access-list

Hi,

Normally two VLANs cannot communicate directly with each other; to establish communication between two VLANs you need a layer 3 device. As per your requirement you don't want communication between two different VLANs, which is the default. Now, whenever you are talking about Internet access, the best way is to use a static route for the VLAN interface. And if you want to restrict access of the users in the same VLAN, then you need to go for an access list, or you can go for a private VLAN.

Rate this post if it helps.

regards

Devang
