Blocking internet for 1 VLAN

  • Blocking internet for 1 VLAN

    Hello people
    I'm working in an organisation which uses one Cisco 4507 layer 3 switch with separate VLANs for every block. Each block has 2 Cisco 2950 switches and full access to internet and some servers in a separate VLAN. Each block has one VLAN only.

    Now we need to create a new VLAN for some users (new switch). We need to block internet access, but users should be able to access at least one server (say IP 172.17.17.4).
    There is a SQUID proxy, PIX Firewall and a 2600 router with NAT enabled. But it's preferable not to make any changes there.
    Can anybody give an idea how to go on with this? Commands used?

  • #2
    Re: Blocking internet for 1 VLAN

    I can't imagine why you don't want to make changes at the proxy, firewall, or router but if that's the case then simply don't assign a default gateway to the hosts on the vlan in question.



    • #3
      Re: Blocking internet for 1 VLAN

      I'm going to assume you need to have the VLAN that doesn't need access to the internet, it will need access to other VLANs?

      If that is the case then you can't just simply remove the default gateway.

      I'm pretty certain you can set up an ACL to stop that subnet (VLAN) from accessing the external IP address.



      • #4
        Re: Blocking internet for 1 VLAN

        I run into this type of design requirement all the time with these walk-up Kiosks that we deploy at each of our branches. In my case the requirement is just the opposite of yours. I do NOT want the Kiosk to have access to our internal LAN, just the internet. I meet this requirement by creating a separate vlan for the Kiosk and then attaching a restrictive ACL to the vlan that denies access to network 10.0.0.0/8, but then permits all other traffic. In your case, you could do the same, just reverse the logic of the ACL.

        Example: (I'm assuming the new switch is configured as layer 2 and connected to the 4507 via a trunk port)

        On the 4507, create a new vlan
        Code:
        int vlan 66
         description restricted access vlan for company widget inc. employees
         ip address 10.66.66.1 255.255.255.0
         ip access-group RestrictWidgetInc in
         
        ip access-list extended RestrictWidgetInc
         remark permit access to the following internal servers
         permit ip 10.66.66.0 0.0.0.255 host 172.17.17.4
         permit ip 10.66.66.0 0.0.0.255 host 172.17.17.10
         remark Deny all other access and log any attempts
         deny ip any any log
        On the new switch, set all ports to vlan 66
        Code:
        int range f0/1 - 24
         switchport access vlan 66
         end
        NOTE: The above example is from memory, but I think I'm close on syntax. You will probably run into some problems that will require ACL modifications. I know I ran into permitting access to DNS, DHCP, HSRP, Routing protocols, etc... that I had to account for in the restrictive ACL definition. Adding logging on the last ACL will help determine how to modify the ACL. Use "term mon" on the 4507 to see which packets are being denied and then adjust the ACL to meet requirements. Use sequence numbers in the ACL and you will be fine.

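        The ACL logic scowles describes, as an added example that is not from the original post: a small Python model of how IOS evaluates an extended ACL (first match wins, wildcard masks, implicit deny at the end), run over constructed flows from VLAN 66 through the posted RestrictWidgetInc entries. It shows the point made in the NOTE above: anything not explicitly permitted, internal DNS included, lands on the final `deny ip any any log` line, and a sequence-numbered permit slotted in front of it fixes that without rewriting the list. Everything beyond 172.17.17.4 and 172.17.17.10 is assumed: the 172.17.17.53 DNS server, the 203.0.113.10 public host, the 10.66.66.25 and 10.65.66.25 client addresses, and the sequence numbers.

```python
"""Model of how the 4507 would evaluate the RestrictWidgetInc ACL.

Added example for this thread (not configuration from the post): it implements
IOS first-match semantics, wildcard masks and the implicit deny, then runs
constructed flows from VLAN 66 through the posted ACL to show which ones land
on the final 'deny ip any any log' line (the DNS/DHCP surprises the poster
mentions) and how a sequence-numbered permit fixes one of them.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    seq: int           # sequence number, so entries can be inserted later
    action: str        # "permit" or "deny"
    proto: str         # "ip" matches everything; "tcp"/"udp" match that protocol only
    src: str           # "any", "host A.B.C.D", or "A.B.C.D WILDCARD"
    dst: str
    dst_port: Optional[int] = None  # only meaningful for tcp/udp entries
    log: bool = False


def match_addr(spec: str, addr: str) -> bool:
    """Match one address against a Cisco source/destination specification."""
    if spec == "any":
        return True
    parts = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    if parts[0] == "host":
        return a == int(ipaddress.IPv4Address(parts[1]))
    net, wild = (int(ipaddress.IPv4Address(p)) for p in parts)
    # Wildcard semantics are the inverse of a subnet mask: a 1 bit means
    # "don't care", so only the bits that are 0 in the wildcard are compared.
    care = ~wild & 0xFFFFFFFF
    return (a & care) == (net & care)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dst_port: Optional[int] = None) -> Tuple[str, Optional[int], bool]:
    """Return (action, matching seq, log flag) for the first matching entry.

    A packet that no entry matches hits IOS's implicit deny, reported here
    with seq None and no logging, which is why the poster adds an explicit
    'deny ip any any log' to see what is being dropped.
    """
    for ace in sorted(acl, key=lambda e: e.seq):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (match_addr(ace.src, src) and match_addr(ace.dst, dst)):
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action, ace.seq, ace.log
    return "deny", None, False


# The ACL from the post, applied inbound on 'int vlan 66', so it sees traffic
# sourced by VLAN 66 hosts as it enters the 4507. Sequence numbers are assumed.
RESTRICT_WIDGET_INC = [
    Ace(10, "permit", "ip", "10.66.66.0 0.0.0.255", "host 172.17.17.4"),
    Ace(20, "permit", "ip", "10.66.66.0 0.0.0.255", "host 172.17.17.10"),
    Ace(30, "deny", "ip", "any", "any", log=True),
]

# Constructed flows. 172.17.17.53 (a DNS server), 203.0.113.10 (a public host,
# RFC 5737 documentation range) and the two client addresses are assumptions.
SAMPLE_FLOWS = [
    ("file server the users need",        "tcp", "10.66.66.25", "172.17.17.4",  445),
    ("second permitted server",           "tcp", "10.66.66.25", "172.17.17.10", 80),
    ("direct internet attempt",           "tcp", "10.66.66.25", "203.0.113.10", 80),
    ("internal DNS, not in the ACL",      "udp", "10.66.66.25", "172.17.17.53", 53),
    ("source outside 10.66.66.0/24",      "tcp", "10.65.66.25", "172.17.17.4",  445),
]


def with_dns_permit(acl: List[Ace]) -> List[Ace]:
    """Fix found by reading the logged denies: permit DNS before the deny-all.

    Sequence number 15 slots the entry between the existing ones without
    rewriting the ACL, which is the poster's 'use sequence numbers' advice.
    """
    return acl + [Ace(15, "permit", "udp", "10.66.66.0 0.0.0.255",
                      "host 172.17.17.53", dst_port=53)]


def run(acl: List[Ace]) -> dict:
    """Evaluate every sample flow; maps description -> (action, seq, log)."""
    return {desc: evaluate(acl, proto, src, dst, port)
            for desc, proto, src, dst, port in SAMPLE_FLOWS}


if __name__ == "__main__":
    for label, acl in (("posted ACL", RESTRICT_WIDGET_INC),
                       ("with DNS permit", with_dns_permit(RESTRICT_WIDGET_INC))):
        print(f"--- {label} ---")
        for desc, (action, seq, log) in run(acl).items():
            where = f"seq {seq}" if seq is not None else "implicit deny"
            print(f"{action:6} {where:13} {'(logged)' if log else '':8} {desc}")
```

        Running it prints each flow's verdict twice, once against the posted ACL and once after the DNS permit is added; the denied DNS lookup in the first pass is the kind of entry `term mon` would show on the 4507 when the logging deny fires.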


        • #5
          Re: Blocking internet for 1 VLAN

          Originally posted by scowles
          I run into this type of design requirement all the time with these walk-up Kiosks that we deploy at each of our branches. In my case the requirement is just the opposite of yours. I do NOT want the Kiosk to have access to our internal LAN, just the internet. I meet this requirement by creating a separate vlan for the Kiosk and then attaching a restrictive ACL to the vlan that denies access to network 10.0.0.0/8, but then permits all other traffic. In your case, you could do the same, just reverse the logic of the ACL.

          Example: (I'm assuming the new switch is configured as layer 2 and connected to the 4507 via a trunk port)

          On the 4507, create a new vlan
          Code:
          int vlan 66
           description restricted access vlan for company widget inc. employees
           ip address 10.66.66.1 255.255.255.0
           ip access-group RestrictWidgetInc in
           
          ip access-list extended RestrictWidgetInc
           remark permit access to the following internal servers
           permit ip 10.66.66.0 0.0.0.255 host 172.17.17.4
           permit ip 10.66.66.0 0.0.0.255 host 172.17.17.10
           remark Deny all other access and log any attempts
           deny ip any any log
          On the new switch, set all ports to vlan 66
          Code:
          int range f0/1 - 24
           switchport access vlan 66
           end
          NOTE: The above example is from memory, but I think I'm close on syntax. You will probably run into some problems that will require ACL modifications. I know I ran into permitting access to DNS, DHCP, HSRP, Routing protocols, etc... that I had to account for in the restrictive ACL definition. Adding logging on the last ACL will help determine how to modify the ACL. Use "term mon" on the 4507 to see which packets are being denied and then adjust the ACL to meet requirements. Use sequence numbers in the ACL and you will be fine.
          Scowles;

          Even though this wasn't my thread it was helpful, thanks!!! I wasn't sure how to set up an ACL to block 1 vlan but I'm pretty sure I can deploy our kiosks now with similar ideas, however I just want them to have intranet and not internet access.

