Solved

ACL on Cisco 3550 switch that will allow users access to the internal LAN, but not the internet

Posted on 2013-11-11
4
888 Views
Last Modified: 2013-11-21
I have a VLAN configured on my Cisco 3550 switch like below.  I need to create an ACL that allows users to access the LAN, but denies access to the internet and all outside resources.  This VLAN needs to have complete unrestricted access to the LAN.  I do have web based applications on this LAN, so they will still need to be able to use port 80 and port 443 locally.  I just need to deny access to the internet.  What would this ACL look like?

interface Vlan3
 description Inside-Access-Only
 ip address 192.168.52.1 255.255.255.0
0
Comment
Question by:denver218
4 Comments
 
LVL 2

Expert Comment

by:psychokraft
ID: 39638923
VLANs use what more looks like a policy or route map than just an ACL. The following is how it is done, however the actual ACL you will use may be different, I'm not 100% sure right this second and I don't ahve a free switch to check it on:

ip access-list extended local-traffic                             (creates the access list)
permit ip 192.168.52.0 0.0.0.255 192.168.0 0.0.0.255  (permit all traffic in your subnet
                                                                                   to all traffic in your subnet)
exit                                                                            (exit ACL config mode)
vlan access-map block-outside 10                                (first access map line with seq # 10)
match ip address local-traffic                                      (match the ACL from above)
action permit                                                              (permit that traffic)
vlan access-map block-outside 20                                (next access map line with seq # 20)
action drop                                                                 (drop all unmatched traffic)
exit                                                                            (exit access-map configuration)
vlan filter block-traffic vlan-list 3                                (associate globally the access map
                                                                                   to a list of vlans that only includes
                                                                                   your vlan number 3)

Resource: CCNP Switch 642-813 Official Certification Guide, pg.398 - 399
0
 
LVL 26

Accepted Solution

by:
Soulja earned 500 total points
ID: 39639091
Are other vlans being used? The devices that host web-based stuff, do they sit on this same vlan 3 or a different vlan? Need more information

If all lan traffic is only on this vlan and you don't want the traffic leaving this vlan than you would essentially put

ip access-list extended restrict_all
deny ip any any log

interface vlan 3
ip access-group restrict_all in  (or out)

Provide more info and we can do a more detailed ACL.
0
 
LVL 20

Expert Comment

by:rauenpc
ID: 39639460
Another method if the switch supports it would be vrf, but I wouldn't do that unless you want to limit traffic to that vlan only.
0
 
LVL 4

Author Closing Comment

by:denver218
ID: 39667177
Thanks
0

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
MPLS Network Question 2 35
Cisco NBAR 6 17
Gateway Resilience 4 20
How to setup PLEX PLUS on 2 computers 2 15
Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now