Support
Community

jtphoneman wrote: I have a 1335 I have vlan 1,3,4 and 24 programmed in. I need to block access from vlan 3 to all other subnets but still allow it out to the internet. I do not want these ACL's to disrupt other intervlan traffic vlan, networks for vlan 1 and 4 need to have no interuption. Here is the config I have programmed does it look correct? ! interface vlan 1   description Customer_Lan   ip address  192.168.2.1  255.255.255.0   ip dhcp relay destination 192.168.2.5   ip access-policy Private   ip route-cache express   no shutdown ! interface vlan 3   description Guest-Wireless   ip address  192.168.3.1  255.255.255.0   ip access-policy Private   ip route-cache express   no shutdown ! interface vlan 4   description Voice   ip address  192.168.4.1  255.255.255.0   ip route-cache express   no shutdown ! interface vlan 24   description INET   ip address  XX.XX.XX.XX  255.255.255.248   ip access-policy Public   ip route-cache express   no shutdown ! ! ! ! ! ! ! ip access-list standard PUBLIC   permit any ! ! ip access-list extended Block_Vlan_3   deny   ip 192.168.3.0 0.0.0.255  192.168.1.0 0.0.0.255   deny   ip 192.168.3.0 0.0.0.255  192.168.2.0 0.0.0.255   deny   ip 192.168.3.0 0.0.0.255  192.168.4.0 0.0.0.255   permit ip any  any ! ip access-list extended self   remark Traffic to NetVanta   permit ip any  any     log ! ip policy-class Private   allow list Block_3   nat source list wizard-ics interface vlan 24 overload   allow list self self ! ip policy-class Public   allow list PUBLIC ! ! Thanks!

You're making t a bit more difficult than it needs to be.

ip access-list extended restrict-3-list

  deny ip any 192.168.1.0 0.0.0.255

  deny ip any 192.168.2.0 0.0.0.255

  deny ip any 192.168.4.0 0.0.0.255

  permit ip any any

Alternatively, if you'll be adding other 192.168.x.x subnets in the future...

  deny ip any 192.168.0.0 0.0.255.255

  permit ip any any

ip policy-class vlan-3-policy

  allow list restrict-3-list

  nat source list wizard-ics interface vlan 24 overload

!

interface vlan 3

  description Guest-Wireless

  ip address  192.168.3.1  255.255.255.0

  ip access-policy vlan-3-policy

  ip route-cache express

  no shutdown

!

I'd leave off the "allow list self self" unless you want to grant access to the Adtran device to your guest wireless users.

You can probably get away with just putting VLAN 3 in a separate policy-class than "Private" with no ACL at all, as traffic between classes is denied by default but adding the ACL gives additional security.