LAN Routing

Sandboxing a VLAN to disable internet traffic on 5406zl switch.

bigern314
Visitor

Short form after the form logged me out and deleted my first attempt!

We have a 5406zl with a lot of 2920 and 2610 switches routing through it.  I need to sandbox a VLAN so traffic can only reach the internal 10.4.0.0/20 network range.

VLAN 82 is the VLAN.  Its range is 10.4.8.128/25 and I want to only allow 10.4.0.0/20 traffic.

So is this my process?

ip access-list standard "Sandbox-82"
permit ip 10.4.0.0/20

vlan 82 ip access-group Sandbox-82 out

5 REPLIES
Vince-Whirlwind
Honored Contributor

Re: Sandboxing a VLAN to disable internet traffic on 5406zl switch.

"in"

bigern314
Visitor

Re: Sandboxing a VLAN to disable internet traffic on 5406zl switch.

Thank you!

bigern314
Visitor

Re: Sandboxing a VLAN to disable internet traffic on 5406zl switch.

Well, it does not appear to be working.

Here is my ACL entry in the running config:

ip access-list standard "Sandbox-82"
10 permit 10.4.0.0 0.0.15.255
exit

So I applied it to VLAN 82 and now that VLAN entry has this:

ip access-group "Sandbox-82" in

Doesn't that only allow traffic from 10.4.0.0/20 into the VLAN from outside?

Yet traffic is still coming in when I ping www.google.com.  What did I forget?  Or should this be an extended ACL with source and destination information?

More like this:

ip access-list extended Sandbox-82
10 permit ip 10.4.0.0/20 10.4.8.128/25
exit

Vince-Whirlwind
Honored Contributor

Re: Sandboxing a VLAN to disable internet traffic on 5406zl switch.

Just to be clear: when you apply that ACL to the VLAN 82 interface, hosts on VLAN 82 can still ping Google?

If that's the case, please clarify:

 - what is the default GW address configured on the host you are pinging from?

 - what is the IP address configured on the VLAN 82 interface where you have the ACL applied?

Vince-Whirlwind
Honored Contributor

Re: Sandboxing a VLAN to disable internet traffic on 5406zl switch.

Actually, you are right: what you actually want to do is filter the traffic on the destination subnet, so use an extended list, like:

ip access-list extended Sandbox-82
10 permit ip 10.4.8.128/25 10.4.0.0/20

So traffic from the VLAN 82 subnet will be permitted to those 10.4.0.0/20 addresses, with the implicit deny stopping anything else.
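As an added example (not part of the thread and not HPE code), here is a small Python model of how the switch evaluates the three ACL variants posted above: entries are checked top-down, the first match wins, an implicit deny sits at the end, and a standard ACL looks only at the source address. The ACL texts are constructed copies of what was posted (the extended ones in the CIDR form the thread uses). The flows are constructed too: 10.4.8.130 is an assumed VLAN 82 host, and 8.8.8.8, 10.4.1.5 and 10.4.16.5 are stand-ins for an internet host, an internal server inside 10.4.0.0/20, and an internal network outside that range.

```python
import ipaddress

# Constructed copies of the three ACL variants posted in the thread.
# The switch evaluates entries top-down, first match wins, and every
# ACL ends with an implicit "deny any".
ACL_STANDARD = """
ip access-list standard "Sandbox-82"
10 permit 10.4.0.0 0.0.15.255
exit
"""

# bigern314's extended proposal: source and destination are reversed
ACL_EXTENDED_REVERSED = """
ip access-list extended "Sandbox-82"
10 permit ip 10.4.0.0/20 10.4.8.128/25
exit
"""

# Vince-Whirlwind's version: VLAN 82 subnet as source, 10.4.0.0/20 as destination
ACL_EXTENDED_CORRECT = """
ip access-list extended "Sandbox-82"
10 permit ip 10.4.8.128/25 10.4.0.0/20
exit
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def _take_addr(tok, i):
    """Consume one address spec starting at tok[i] and return (network, next index).
    Accepts "any", "host a.b.c.d", CIDR "a.b.c.d/n" and the "a.b.c.d w.x.y.z"
    wildcard-mask form the switch uses when it prints a standard ACL."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    if "/" not in tok[i] and i + 1 < len(tok) and "." in tok[i + 1]:
        wildcard_bits = int(ipaddress.ip_address(tok[i + 1])).bit_length()  # 0.0.15.255 -> 12
        return ipaddress.ip_network(f"{tok[i]}/{32 - wildcard_bits}", strict=False), i + 2
    return ipaddress.ip_network(tok[i], strict=False), i + 1


def parse_acl(text):
    """Return (kind, entries); each entry is (seq, action, src_net, dst_net)."""
    kind, entries = None, []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "exit":
            continue
        if tok[:2] == ["ip", "access-list"]:
            kind = tok[2]  # "standard" or "extended"
            continue
        seq, action = int(tok[0]), tok[1]
        if kind == "standard":
            # A standard ACL carries only a source address: the destination is
            # never examined, which is why it cannot block the internet here.
            src, _ = _take_addr(tok, 2)
            dst = ANY
        else:
            # seq action protocol source destination (tok[2] is the protocol, "ip")
            src, i = _take_addr(tok, 3)
            dst, _ = _take_addr(tok, i)
        entries.append((seq, action, src, dst))
    return kind, entries


def evaluate(acl, src_ip, dst_ip):
    """First-match evaluation; returns (action, matching seq, or None for the implicit deny)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for seq, action, src_net, dst_net in acl[1]:
        if src in src_net and dst in dst_net:
            return action, seq
    return "deny", None


# Constructed flows from an assumed VLAN 82 host (10.4.8.130); the destinations
# are stand-ins for an internet host, an internal server inside 10.4.0.0/20,
# and an internal network outside 10.4.0.0/20.
FLOWS = {
    "internet": ("10.4.8.130", "8.8.8.8"),
    "inside 10.4.0.0/20": ("10.4.8.130", "10.4.1.5"),
    "outside 10.4.0.0/20": ("10.4.8.130", "10.4.16.5"),
}


def report(acl_text):
    """Map each constructed flow to the action the given ACL takes on it."""
    acl = parse_acl(acl_text)
    return {name: evaluate(acl, s, d)[0] for name, (s, d) in FLOWS.items()}


if __name__ == "__main__":
    for label, text in [("standard", ACL_STANDARD),
                        ("extended, reversed", ACL_EXTENDED_REVERSED),
                        ("extended, correct", ACL_EXTENDED_CORRECT)]:
        print(f"{label:20s} {report(text)}")
```

Running it shows the three outcomes the thread walks through: the standard ACL permits every flow, because the VLAN 82 subnet 10.4.8.128/25 sits inside 10.4.0.0/20 and a standard ACL never looks at the destination, so pings to Google were never going to be dropped; the reversed extended ACL denies every routed flow, including traffic to the rest of 10.4.0.0/20; the final version permits 10.4.8.128/25 to 10.4.0.0/20 and the implicit deny drops the rest. Two caveats follow from the same model. The implicit deny also drops anything VLAN 82 hosts need from outside 10.4.0.0/20 (DNS, DHCP relay, NTP, and so on), so those servers need explicit permit entries ahead of the implicit deny. And an ACL applied "in" on the VLAN 82 interface only sees traffic that enters the 5406zl from VLAN 82 hosts, which is why the question about the hosts' default gateway and the VLAN 82 interface address matters: if the hosts route through some other gateway, this ACL never sees their packets.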