ACL on Cisco 3550 switch that will allow users access to the internal LAN, but not the internet

Posted on 2013-11-11
Medium Priority
Last Modified: 2013-11-21
I have a VLAN configured on my Cisco 3550 switch like below.  I need to create an ACL that allows users to access the LAN, but denies access to the internet and all outside resources.  This VLAN needs to have complete unrestricted access to the LAN.  I do have web based applications on this LAN, so they will still need to be able to use port 80 and port 443 locally.  I just need to deny access to the internet.  What would this ACL look like?

interface Vlan3
 description Inside-Access-Only
 ip address
Question by:denver218

Expert Comment

ID: 39638923
VLANs use what more looks like a policy or route map than just an ACL. The following is how it is done, however the actual ACL you will use may be different, I'm not 100% sure right this second and I don't ahve a free switch to check it on:

ip access-list extended local-traffic                             (creates the access list)
permit ip 192.168.0  (permit all traffic in your subnet
                                                                                   to all traffic in your subnet)
exit                                                                            (exit ACL config mode)
vlan access-map block-outside 10                                (first access map line with seq # 10)
match ip address local-traffic                                      (match the ACL from above)
action permit                                                              (permit that traffic)
vlan access-map block-outside 20                                (next access map line with seq # 20)
action drop                                                                 (drop all unmatched traffic)
exit                                                                            (exit access-map configuration)
vlan filter block-traffic vlan-list 3                                (associate globally the access map
                                                                                   to a list of vlans that only includes
                                                                                   your vlan number 3)

Resource: CCNP Switch 642-813 Official Certification Guide, pg.398 - 399
LVL 26

Accepted Solution

Soulja earned 2000 total points
ID: 39639091
Are other vlans being used? The devices that host web-based stuff, do they sit on this same vlan 3 or a different vlan? Need more information

If all lan traffic is only on this vlan and you don't want the traffic leaving this vlan than you would essentially put

ip access-list extended restrict_all
deny ip any any log

interface vlan 3
ip access-group restrict_all in  (or out)

Provide more info and we can do a more detailed ACL.
LVL 20

Expert Comment

ID: 39639460
Another method if the switch supports it would be vrf, but I wouldn't do that unless you want to limit traffic to that vlan only.

Author Closing Comment

ID: 39667177

Featured Post

IT Degree with Certifications Included

Aspire to become a network administrator, network security analyst, or computer and information systems manager? Make the most of your experience as an IT professional by earning your B.S. in Network Operations and Security.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

There’s a movement in Information Technology (IT), and while it’s hard to define, it is gaining momentum. Some call it “stream-lined IT;” others call it “thin-model IT.”
As managed cloud service providers, we often get asked to intervene when cloud deployments go awry. Attracted by apparent ease-of-use, flexibility and low computing costs, companies quickly adopt leading public cloud platforms such as Amazon Web Ser…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question