Solved

ACL on Cisco 3550 switch that will allow users access to the internal LAN, but not the internet

Posted on 2013-11-11
4
915 Views
Last Modified: 2013-11-21
I have a VLAN configured on my Cisco 3550 switch like below.  I need to create an ACL that allows users to access the LAN, but denies access to the internet and all outside resources.  This VLAN needs to have complete unrestricted access to the LAN.  I do have web based applications on this LAN, so they will still need to be able to use port 80 and port 443 locally.  I just need to deny access to the internet.  What would this ACL look like?

interface Vlan3
 description Inside-Access-Only
 ip address 192.168.52.1 255.255.255.0
0
Comment
Question by:denver218
4 Comments
 
LVL 2

Expert Comment

by:psychokraft
ID: 39638923
VLANs use what more looks like a policy or route map than just an ACL. The following is how it is done, however the actual ACL you will use may be different, I'm not 100% sure right this second and I don't ahve a free switch to check it on:

ip access-list extended local-traffic                             (creates the access list)
permit ip 192.168.52.0 0.0.0.255 192.168.0 0.0.0.255  (permit all traffic in your subnet
                                                                                   to all traffic in your subnet)
exit                                                                            (exit ACL config mode)
vlan access-map block-outside 10                                (first access map line with seq # 10)
match ip address local-traffic                                      (match the ACL from above)
action permit                                                              (permit that traffic)
vlan access-map block-outside 20                                (next access map line with seq # 20)
action drop                                                                 (drop all unmatched traffic)
exit                                                                            (exit access-map configuration)
vlan filter block-traffic vlan-list 3                                (associate globally the access map
                                                                                   to a list of vlans that only includes
                                                                                   your vlan number 3)

Resource: CCNP Switch 642-813 Official Certification Guide, pg.398 - 399
0
 
LVL 26

Accepted Solution

by:
Soulja earned 500 total points
ID: 39639091
Are other vlans being used? The devices that host web-based stuff, do they sit on this same vlan 3 or a different vlan? Need more information

If all lan traffic is only on this vlan and you don't want the traffic leaving this vlan than you would essentially put

ip access-list extended restrict_all
deny ip any any log

interface vlan 3
ip access-group restrict_all in  (or out)

Provide more info and we can do a more detailed ACL.
0
 
LVL 20

Expert Comment

by:rauenpc
ID: 39639460
Another method if the switch supports it would be vrf, but I wouldn't do that unless you want to limit traffic to that vlan only.
0
 
LVL 4

Author Closing Comment

by:denver218
ID: 39667177
Thanks
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Draytek (Site to Site VPN using IPSec) 6 61
creating SVI on layer 3 switch 1 51
Router question 6 196
Cisco IOS upgrade c3560_backup and deletion of drwx 7 43
The Cisco RV042 router is a popular small network interfacing device that is often used as an internet gateway. Network administrators need to get at the management interface to make settings, change passwords, etc. This access is generally done usi…
Arrow Electronics was searching for a KVM  (Keyboard/Video/Mouse) switch that could display on one single monitor the current status of all units being tested on the rack.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

679 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question