InterVLAN routing and ACL's 1

[NettableWalker]

What's the best way to restrict traffic into certain VLAN's from the rest of the network? and what is the best way to allow guest users to connect but disallow any network access apart from internet access?

I've got a "guest" VLAN but without additional configs i can't see how it will work.

Has anyone got any examples?

MCP,CCA, Net+, Half CCNP...

 

[vipergg]

Like you said use acl's to block them . If you have a guest vlan then you decide where you want to let them go and block everything else . Use an ACL inbound on the particular vlan.

 

[NettableWalker]

So just treat them entirely like subnets?

MCP,CCA, Net+, Half CCNP...

 

[vipergg]

Thats up to you to determine , where do the guest vlans have access to ? You can restrict it to subnets or right down to particular addresses , that has to be determined by yourself or the network engineer.

 

[NettableWalker]

Thanks Vipergg,

I have a tricky ACL to write though.

I need to allow access to VLAN 99: 10.0.99.x /24 to the internet but disallow access to all other VLANs

the default gateway of that VLAN is 10.0.99.1 and the NAT router is on 10.0.0.204 the same subnet as all my servers, (which is suspect is not a great idea but too much hassle to change)

How can i write an ACL that allows access to only part of a subnet? eg the numbers 192 upwards?



MCP,CCA, Net+, Half CCNP...

 

[vipergg]

Something like this might work.


access-list 100 permit ip 10.0.99.0 0.0.0.255 10.0.0.192 0.0.0.63 eq www

 

[NettableWalker]

Excellent,

Just what I was looking for.

Thanks vipergg.

MCP,CCA, Net+, Half CCNP...