Solved

ACL on Cisco 3550 switch that will allow users access to the internal LAN, but not the internet

Posted on 2013-11-11
4
929 Views
Last Modified: 2013-11-21
I have a VLAN configured on my Cisco 3550 switch like below.  I need to create an ACL that allows users to access the LAN, but denies access to the internet and all outside resources.  This VLAN needs to have complete unrestricted access to the LAN.  I do have web based applications on this LAN, so they will still need to be able to use port 80 and port 443 locally.  I just need to deny access to the internet.  What would this ACL look like?

interface Vlan3
 description Inside-Access-Only
 ip address 192.168.52.1 255.255.255.0
0
Comment
Question by:denver218
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 2

Expert Comment

by:psychokraft
ID: 39638923
VLANs use what more looks like a policy or route map than just an ACL. The following is how it is done, however the actual ACL you will use may be different, I'm not 100% sure right this second and I don't ahve a free switch to check it on:

ip access-list extended local-traffic                             (creates the access list)
permit ip 192.168.52.0 0.0.0.255 192.168.0 0.0.0.255  (permit all traffic in your subnet
                                                                                   to all traffic in your subnet)
exit                                                                            (exit ACL config mode)
vlan access-map block-outside 10                                (first access map line with seq # 10)
match ip address local-traffic                                      (match the ACL from above)
action permit                                                              (permit that traffic)
vlan access-map block-outside 20                                (next access map line with seq # 20)
action drop                                                                 (drop all unmatched traffic)
exit                                                                            (exit access-map configuration)
vlan filter block-traffic vlan-list 3                                (associate globally the access map
                                                                                   to a list of vlans that only includes
                                                                                   your vlan number 3)

Resource: CCNP Switch 642-813 Official Certification Guide, pg.398 - 399
0
 
LVL 26

Accepted Solution

by:
Soulja earned 500 total points
ID: 39639091
Are other vlans being used? The devices that host web-based stuff, do they sit on this same vlan 3 or a different vlan? Need more information

If all lan traffic is only on this vlan and you don't want the traffic leaving this vlan than you would essentially put

ip access-list extended restrict_all
deny ip any any log

interface vlan 3
ip access-group restrict_all in  (or out)

Provide more info and we can do a more detailed ACL.
0
 
LVL 20

Expert Comment

by:rauenpc
ID: 39639460
Another method if the switch supports it would be vrf, but I wouldn't do that unless you want to limit traffic to that vlan only.
0
 
LVL 4

Author Closing Comment

by:denver218
ID: 39667177
Thanks
0

Featured Post

Create the perfect environment for any meeting

You might have a modern environment with all sorts of high-tech equipment, but what makes it worthwhile is how you seamlessly bring together the presentation with audio, video and lighting. The ATEN Control System provides integrated control and system automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
Powerful tools can do wonders, but only in the right hands.  Nowhere is this more obvious than with the cloud.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question