Allow VLAN on sub interface internet access but block traffic to native VLAN
San Jose, California
August 21, 2013 3:35am CST
Question: I have a 2821 router w/ SLM 2024 switches. The native VLAN (default VLAN) is my private network and VLAN 100 is my guest network. The following shows my interface config:

    interface GigabitEthernet0/1
     description $ES_LAN$$ETH-LAN$
     ip address 10.1.0.2 255.255.0.0
     ip flow ingress
     ip nat inside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    !
    interface GigabitEthernet0/1.1
     encapsulation dot1Q 100
     ip address 10.3.1.254 255.255.255.0
     ip flow ingress
     ip nat inside
     ip virtual-reassembly
    !
    ip default-gateway xx.xxx.xxx.xxx
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000

The default route is defined:

    ip route 0.0.0.0 0.0.0.0 xx.xxx.xxx.xxx

The access lists are as follows:

    access-list 175 deny ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
    access-list 175 permit ip 10.1.0.0 0.0.255.255 any
    access-list 175 deny ip 10.3.1.0 0.0.0.255 10.1.0.0 0.0.255.255
    access-list 175 permit ip 10.3.1.0 0.0.0.255 any

I would like to continue to have access to the guest VLAN from the private VLAN in order to allow management of access points etc. I want to allow the guest network internet access but block it from accessing my private network. Not sure how to go about this. I've tried changing this ACL (removing the 10.3.1.0 entries) and creating another ACL for those entries and applying that to the VLAN 100 sub-interface... so far no luck.

Answer:

> From that standpoint, should I leave the lines above and create another ACL for the 10.3.1.0 network and apply it inbound to gig0/1.1?

I would go this way, as you cannot express all your needs in a single ACL. The ACL to be applied on gi0/1.1 will likely require additional statements beyond the ones I have suggested, but dividing the problem into manageable smaller parts is a good strategy.

> Also, with this config, would NAT be affected on either network by making this change?
As long as both the internal network and the guest network are on the same side (ip nat inside), there is no NAT triggered in communication between them, so you shouldn't influence the NAT configuration with this change.
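To check what the split-ACL design from the answer actually lets through, here is an added example (editor's code, not part of the original question or answer): a small Python evaluator for IOS-style numbered extended ACLs with wildcard masks and first-match, implicit-deny semantics. It assumes ACL 175 is applied inbound on Gi0/1 (the question does not show where it is applied), picks 176 as the number for the new guest ACL, and uses made-up hosts 10.1.0.10 (an admin box), 10.3.1.10 (an access point) and 10.3.1.50 (a guest client). It shows why moving the two 10.3.1.0 lines verbatim onto Gi0/1.1 drops the replies of the very management sessions the question wants to keep, and what the `established` keyword does and does not buy.

```python
"""Stateless, first-match evaluation of IOS-style numbered extended ACLs,
used to check what the split-ACL design from the answer above lets through.
Added example, not code from the original post."""
import ipaddress
from collections import namedtuple

# tcp_ack: ACK or RST set on a TCP segment, which is all the IOS 'established' keyword tests
Packet = namedtuple("Packet", "proto src dst tcp_ack", defaults=[False])
Rule = namedtuple("Rule", "action proto src src_wild dst dst_wild established")


def _ip_int(s):
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (addr, wildcard, rest)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return _ip_int(tokens[1]), 0, tokens[2:]
    return _ip_int(tokens[0]), _ip_int(tokens[1]), tokens[2:]


def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC DST [established]' lines, in order."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        src, src_wild, rest = _parse_addr(t[4:])
        dst, dst_wild, rest = _parse_addr(rest)
        rules.append(Rule(t[2], t[3], src, src_wild, dst, dst_wild, "established" in rest))
    return rules


def _match(addr, wild, pkt_addr):
    # IOS wildcard semantics: 0 bits must match, 1 bits are "don't care"
    return ((addr ^ pkt_addr) & ~wild) == 0


def evaluate(rules, pkt):
    """First matching rule wins; every IOS ACL ends with an implicit deny."""
    s, d = _ip_int(pkt.src), _ip_int(pkt.dst)
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if r.established and not (pkt.proto == "tcp" and pkt.tcp_ack):
            continue
        if _match(r.src, r.src_wild, s) and _match(r.dst, r.dst_wild, d):
            return r.action
    return "deny"


# Private-side lines of ACL 175 from the question; assumed to be applied inbound on Gi0/1
ACL_175 = """
access-list 175 deny ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 175 permit ip 10.1.0.0 0.0.255.255 any
"""
# Guest-side lines moved verbatim into a second ACL for Gi0/1.1 (the number 176 is an assumption)
ACL_176_NAIVE = """
access-list 176 deny ip 10.3.1.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 176 permit ip 10.3.1.0 0.0.0.255 any
"""
# Same intent, plus TCP replies to sessions that were opened from the private side
ACL_176_RETURN = """
access-list 176 permit tcp 10.3.1.0 0.0.0.255 10.1.0.0 0.0.255.255 established
access-list 176 deny ip 10.3.1.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 176 permit ip 10.3.1.0 0.0.0.255 any
"""

# Constructed sample flows (addresses are made up, not from the post)
GUEST_TO_INTERNET = Packet("tcp", "10.3.1.50", "198.51.100.10")
GUEST_TO_PRIVATE_SYN = Packet("tcp", "10.3.1.50", "10.1.0.10")
MGMT_REQUEST = Packet("tcp", "10.1.0.10", "10.3.1.10")                   # admin -> AP, in on Gi0/1
MGMT_REPLY = Packet("tcp", "10.3.1.10", "10.1.0.10", tcp_ack=True)       # AP -> admin, in on Gi0/1.1
GUEST_ACK_PROBE = Packet("tcp", "10.3.1.50", "10.1.0.10", tcp_ack=True)  # forged ACK from a guest


def results():
    """Decision for each (acl, flow) pair."""
    naive, ret = parse_acl(ACL_176_NAIVE), parse_acl(ACL_176_RETURN)
    return {
        ("175", "mgmt_request"): evaluate(parse_acl(ACL_175), MGMT_REQUEST),
        ("176_naive", "guest_internet"): evaluate(naive, GUEST_TO_INTERNET),
        ("176_naive", "guest_private"): evaluate(naive, GUEST_TO_PRIVATE_SYN),
        ("176_naive", "mgmt_reply"): evaluate(naive, MGMT_REPLY),          # management breaks here
        ("176_return", "guest_private"): evaluate(ret, GUEST_TO_PRIVATE_SYN),
        ("176_return", "mgmt_reply"): evaluate(ret, MGMT_REPLY),
        ("176_return", "ack_probe"): evaluate(ret, GUEST_ACK_PROBE),       # 'established' is not state
    }


if __name__ == "__main__":
    for (acl, flow), decision in results().items():
        print(f"{acl:11} {flow:15} {decision}")
```

The three decisions to look at: under the naive guest ACL the access point's reply to an SSH session from 10.1.0.10 is dropped, so management from the private VLAN breaks even though the request itself was permitted on Gi0/1; putting a `permit tcp ... established` line in front of the deny restores it; but that same line also permits a forged ACK-flagged segment from a guest host, because `established` only inspects TCP flags and keeps no session state. UDP (SNMP to the APs, for instance) and ICMP replies need their own statements, or a stateful mechanism such as reflexive ACLs or `ip inspect` (CBAC) if the router's IOS feature set supports them. The ACLs attach with `ip access-group 175 in` on GigabitEthernet0/1 and `ip access-group 176 in` on GigabitEthernet0/1.1.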