VLAN pool deny access to LAN

  • VLAN pool deny access to LAN

    Hi,

    I am creating a VLAN pool for guest users to access the internet only.

    How can I deny access to all the local LAN VLANs?

    My internet VLAN subnet is 192.168.9.0
    So I need to deny access to 192.168.1.0 - 192.168.8.0

    Thanks

  • #2
    Re: VLAN pool deny access to LAN

    Access control lists.

    Or, simply ensure there's no route?
    Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif



    • #3
      Re: VLAN pool deny access to LAN

      Access control list.



      • #4
        Re: VLAN pool deny access to LAN

        Yep, that's what I said.


        • #5
          Re: VLAN pool deny access to LAN

          tehcamel: So how can I add the access rules and the deny rules in the access control list for the subnets mentioned?



          • #6
            Re: VLAN pool deny access to LAN

            I have tried the following access-list configuration:

            access-list 127 permit ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.7
            access-list 127 permit ip 192.168.9.0 0.0.0.255 192.168.9.0 0.0.0.255
            access-list 127 deny ip 192.168.9.0 0.0.0.255 192.168.0.0 0.0.7.255
            access-list 127 permit ip any any

            But it didn't work, as I couldn't ping any local LAN IPs, nor browse any website.

            Where am i mistaken here?



            • #7
              Re: VLAN pool deny access to LAN

              I have tried the following:

              Extended IP access list 127
              10 deny ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255
              20 deny ip 192.168.9.0 0.0.0.255 192.168.2.0 0.0.0.255
              30 deny ip 192.168.9.0 0.0.0.255 192.168.3.0 0.0.0.255
              40 deny ip 192.168.9.0 0.0.0.255 192.168.4.0 0.0.0.255
              50 deny ip 192.168.9.0 0.0.0.255 192.168.5.0 0.0.0.255
              60 deny ip 192.168.9.0 0.0.0.255 192.168.6.0 0.0.0.255
              70 deny ip 192.168.9.0 0.0.0.255 192.168.7.0 0.0.0.255
              90 deny ip 192.168.9.0 0.0.0.255 192.168.8.0 0.0.0.255
              100 permit ip any any

              But this blocks me from the internet, along with all other subnets.
              I tried to permit my internet gateway IP (192.168.1.6 = firewall), but it didn't work.

              So how can I permit my firewall IP and get access to the internet?


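A worked check of the ACLs discussed in this thread, added here as an example. It is a constructed evaluator written for this page, not Cisco software and not code from anyone in the thread. It parses IOS-style "permit ip" / "deny ip" entries with wildcard masks, applies first-match-wins with the implicit deny at the end, and runs the ACLs from #6 and #7, plus an assumed corrected one, against a few constructed guest flows. The corrected ACL (the "host 192.168.1.6" permit, the separate 192.168.8.0/24 deny, and its placement with "ip access-group 127 in" on the guest VLAN SVI) is an assumption and does not come from the thread. Two things the run makes visible: the "192.168.0.0 0.0.7.255" entry in #6 covers only third octets 0 to 7, so 192.168.8.0/24 falls through to "permit ip any any"; and under the #7 ACL a packet for an internet address such as 8.8.8.8 matches entry 100 and is permitted, because a routed ACL is matched on the packet's destination address rather than on the next hop, while only traffic addressed to the firewall's own 192.168.1.6 hits entry 10.

```python
import ipaddress

# Added example: a small evaluator for IOS-style extended ACL entries of the form
#   [access-list N] [seq] permit|deny ip SRC SRC-WILDCARD DST DST-WILDCARD
# covering only what this thread uses ("ip" entries, wildcard masks, "host", "any").
# It models first-match-wins and the implicit deny at the end of every ACL.
# It is a constructed illustration, not Cisco software.


def _ip(addr):
    return int(ipaddress.IPv4Address(addr))


def _matches(addr, base, wildcard):
    # Wildcard bit 1 means "don't care"; only the 0 bits have to agree.
    care = 0xFFFFFFFF ^ _ip(wildcard)
    return (_ip(addr) & care) == (_ip(base) & care)


def _addr_spec(tok, i):
    """Consume one address spec at tok[i]; return (base, wildcard, next index)."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2


def parse_acl(text):
    """Return a list of (action, src, src_wc, dst, dst_wc, original line)."""
    aces = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        tok = line.split()
        if tok[0] == "access-list":      # classic "access-list 127 ..." syntax
            tok = tok[2:]
        if tok[0].isdigit():             # sequence numbers from "show access-lists"
            tok = tok[1:]
        if tok[0] == "remark":
            continue
        action, proto = tok[0], tok[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError("unsupported entry: " + line)
        src, src_wc, i = _addr_spec(tok, 2)
        dst, dst_wc, _ = _addr_spec(tok, i)
        aces.append((action, src, src_wc, dst, dst_wc, line))
    return aces


def evaluate(acl, src, dst):
    """Return (action, text of the matching entry); first match wins."""
    for action, s, s_wc, d, d_wc, line in parse_acl(acl):
        if _matches(src, s, s_wc) and _matches(dst, d, d_wc):
            return action, line
    return "deny", "implicit deny"


# The two ACLs as posted in #6 and #7 above.
ACL_POST6 = """
access-list 127 permit ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.7
access-list 127 permit ip 192.168.9.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 127 deny ip 192.168.9.0 0.0.0.255 192.168.0.0 0.0.7.255
access-list 127 permit ip any any
"""

ACL_POST7 = """
10 deny ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255
20 deny ip 192.168.9.0 0.0.0.255 192.168.2.0 0.0.0.255
30 deny ip 192.168.9.0 0.0.0.255 192.168.3.0 0.0.0.255
40 deny ip 192.168.9.0 0.0.0.255 192.168.4.0 0.0.0.255
50 deny ip 192.168.9.0 0.0.0.255 192.168.5.0 0.0.0.255
60 deny ip 192.168.9.0 0.0.0.255 192.168.6.0 0.0.0.255
70 deny ip 192.168.9.0 0.0.0.255 192.168.7.0 0.0.0.255
90 deny ip 192.168.9.0 0.0.0.255 192.168.8.0 0.0.0.255
100 permit ip any any
"""

# Assumed corrected ACL (not from the thread): permit the firewall host first,
# deny 192.168.0.0-192.168.7.255 in one entry, then deny 192.168.8.0/24, which
# the 0.0.7.255 wildcard does not cover, then permit everything else (the internet).
# Assumed to be applied with "ip access-group 127 in" on the guest VLAN SVI.
ACL_FIXED = """
10 permit ip 192.168.9.0 0.0.0.255 host 192.168.1.6
20 deny ip 192.168.9.0 0.0.0.255 192.168.0.0 0.0.7.255
30 deny ip 192.168.9.0 0.0.0.255 192.168.8.0 0.0.0.255
40 permit ip 192.168.9.0 0.0.0.255 any
"""

# Constructed sample flows from one guest host: firewall, two LAN hosts, the internet.
FLOWS = [("192.168.9.10", d) for d in ("192.168.1.6", "192.168.1.20", "192.168.8.5", "8.8.8.8")]

if __name__ == "__main__":
    for name, acl in (("post #6", ACL_POST6), ("post #7", ACL_POST7), ("fixed", ACL_FIXED)):
        for src, dst in FLOWS:
            action, line = evaluate(acl, src, dst)
            print(f"{name:8} {src} -> {dst:14} {action:6} via: {line}")
```

Running it prints one line per ACL and flow with the entry that decided it. One caveat a practitioner would want: permitting all IP to "host 192.168.1.6" also lets guests reach any management service listening on that address, so tighten that entry to the ports the guests actually need, or give the firewall-facing link its own subnet as #8 suggests. And since the #7 ACL already permits transit to internet addresses, if the internet still fails with it in place, check whether the guest VLAN's DNS or DHCP server lives on one of the denied subnets.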

              • #8
                Re: VLAN pool deny access to LAN

                If your firewall is on the 192.168.1.0/24 subnet, that ACL blocks access to it. Why not put your firewall on a different subnet? Create an SVI on the switch for the new VLAN and add a static route to the firewall.
                CCNA, CCNA-Security, CCNP
                CCIE Security (In Progress)
