Solved

ACL on Cisco 3550 switch that will allow users access to the internal LAN, but not the internet

Posted on 2013-11-11
4
912 Views
Last Modified: 2013-11-21
I have a VLAN configured on my Cisco 3550 switch like below.  I need to create an ACL that allows users to access the LAN, but denies access to the internet and all outside resources.  This VLAN needs to have complete unrestricted access to the LAN.  I do have web based applications on this LAN, so they will still need to be able to use port 80 and port 443 locally.  I just need to deny access to the internet.  What would this ACL look like?

interface Vlan3
 description Inside-Access-Only
 ip address 192.168.52.1 255.255.255.0
0
Comment
Question by:denver218
4 Comments
 
LVL 2

Expert Comment

by:psychokraft
ID: 39638923
VLANs use what more looks like a policy or route map than just an ACL. The following is how it is done, however the actual ACL you will use may be different, I'm not 100% sure right this second and I don't ahve a free switch to check it on:

ip access-list extended local-traffic                             (creates the access list)
permit ip 192.168.52.0 0.0.0.255 192.168.0 0.0.0.255  (permit all traffic in your subnet
                                                                                   to all traffic in your subnet)
exit                                                                            (exit ACL config mode)
vlan access-map block-outside 10                                (first access map line with seq # 10)
match ip address local-traffic                                      (match the ACL from above)
action permit                                                              (permit that traffic)
vlan access-map block-outside 20                                (next access map line with seq # 20)
action drop                                                                 (drop all unmatched traffic)
exit                                                                            (exit access-map configuration)
vlan filter block-traffic vlan-list 3                                (associate globally the access map
                                                                                   to a list of vlans that only includes
                                                                                   your vlan number 3)

Resource: CCNP Switch 642-813 Official Certification Guide, pg.398 - 399
0
 
LVL 26

Accepted Solution

by:
Soulja earned 500 total points
ID: 39639091
Are other vlans being used? The devices that host web-based stuff, do they sit on this same vlan 3 or a different vlan? Need more information

If all lan traffic is only on this vlan and you don't want the traffic leaving this vlan than you would essentially put

ip access-list extended restrict_all
deny ip any any log

interface vlan 3
ip access-group restrict_all in  (or out)

Provide more info and we can do a more detailed ACL.
0
 
LVL 20

Expert Comment

by:rauenpc
ID: 39639460
Another method if the switch supports it would be vrf, but I wouldn't do that unless you want to limit traffic to that vlan only.
0
 
LVL 4

Author Closing Comment

by:denver218
ID: 39667177
Thanks
0

Featured Post

Networking for the Cloud Era

Join Microsoft and Riverbed for a discussion and demonstration of enhancements to SteelConnect:
-One-click orchestration and cloud connectivity in Azure environments
-Tight integration of SD-WAN and WAN optimization capabilities
-Scalability and resiliency equal to a data center

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question