We have a NV4430 where gig 0/1 is connected to the Internet and gig 0/2 has many sub-interfaces (VLANs). I would like to configure each VLAN to only allow specific traffic OUT while denying/discarding all other traffic. For example, on one VLAN I may allow only HTTP and HTTPS traffic outbound but on another VLAN we may allow HTTP, HTTPS, SSH and RDP. What is the best way to configure this solution? My initial thought was to create an ACL for each VLAN placing the permits at the top and then deny ip any any at the end. I read about using an access-group but I've only used access-policy on interfaces to control traffic.
Any guidance is greatly appreciated!
The way you're thinking of solving this is, I think, correct: you will need to create an ACL for each VLAN and place it on the correct sub-interface of gig 0/2. The access-policy is also the right choice to put the ACLs to work.
However, if you set the allow statements at the beginning of the ACL you won't need the deny ip at the end (it is implicit).
Hope this helps.
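The per-VLAN ACL / access-policy layout described above, written out as an added AOS configuration example (not taken from the original thread or from ADTRAN documentation). It assumes two hypothetical sub-interfaces on gig 0/2 (VLAN 10 and VLAN 20) with constructed RFC 1918 addressing; the ACL and policy-class names are placeholders. It relies on AOS evaluating an access-policy against traffic entering the interface, so "outbound from the VLAN" is filtered where the client packets arrive on the sub-interface, and on the implicit discard at the end of every policy-class, which is why no explicit deny entry is needed.

```aos
! Added example, not from the original post. Names and addresses are constructed.
! The policy-class engine requires the stateful firewall to be enabled; return
! traffic for allowed sessions is then permitted automatically.
ip firewall

! VLAN 10: only HTTP and HTTPS may leave the VLAN.
ip access-list extended VLAN10-WEB-ONLY
  permit tcp 192.168.10.0 0.0.0.255 any eq 80
  permit tcp 192.168.10.0 0.0.0.255 any eq 443

! VLAN 20: HTTP, HTTPS, SSH and RDP may leave the VLAN.
ip access-list extended VLAN20-WEB-SSH-RDP
  permit tcp 192.168.20.0 0.0.0.255 any eq 80
  permit tcp 192.168.20.0 0.0.0.255 any eq 443
  permit tcp 192.168.20.0 0.0.0.255 any eq 22
  permit tcp 192.168.20.0 0.0.0.255 any eq 3389

! One policy-class per VLAN. Anything not matched by the "allow list" entry
! falls to the implicit discard at the end of the policy-class, so the
! "deny ip any any" from the question is not required.
ip policy-class VLAN10-OUT
  allow list VLAN10-WEB-ONLY

ip policy-class VLAN20-OUT
  allow list VLAN20-WEB-SSH-RDP

! Bind each policy-class to its 802.1Q sub-interface on gig 0/2.
interface gigabit-ethernet 0/2.10
  vlan-id 10
  ip address 192.168.10.1 255.255.255.0
  access-policy VLAN10-OUT
  no shutdown

interface gigabit-ethernet 0/2.20
  vlan-id 20
  ip address 192.168.20.1 255.255.255.0
  access-policy VLAN20-OUT
  no shutdown
```

Two things worth checking before relying on this: because the allow lists are the complete set of permitted protocols, hosts on these VLANs will also be unable to resolve names or reach the router itself unless UDP 53 and any management protocol are added deliberately, so test from a client on each VLAN after applying the policy rather than assuming the web permits are sufficient; and sourcing the permits from the VLAN's own subnet (rather than `any`) means a host that spoofs an address from another VLAN matches nothing and is discarded, which is the behaviour you want on a segmented edge.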
I went ahead and flagged this post as "Assumed Answered." If any of the responses on this thread assisted you, please mark them as Correct or Helpful as the case may be with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.