prevent vlan from accessing network


  • prevent vlan from accessing network

    I have been given a task to create a vlan in a remote office which can only access the Internet. The office is connected by a vendor managed MPLS circuit. The decision was made not to place a firewall between the offices.
    I have been attempting to prevent access by using access lists; however, they don't seem to actually catch any traffic, the rules get ignored. I spent 2 weeks with Cisco support but they were not much help; Cisco thought it was due to the MPLS circuit.
    If anybody has any ideas it would be appreciated. I am including a network diagram. The idea is to allow VLAN 601 to access everything on the Internet while preventing access to any internal VLANs.

    Thanks in advance!

  • #2
    Re: prevent vlan from accessing network

    Look into setting up VMPS. You can then use MAC filtering to only allow specific hosts to access VLAN 601. VMPS is a Cisco technology and their support should have mentioned it. I use it in my infrastructure to segment visitors to our offices from accessing corporate networks. Instead, they only get access to the Internet via a visitor VLAN. That then keeps corporate users in the Corporate VLAN. Just a thought!



    • #3
      Re: prevent vlan from accessing network

      I have a very similar problem. With MPLS, regional offices are accessed by private address. Thus it may be possible to assign a VLAN range to a remote network and from there you could configure VLAN access lists?

      I am not sure in what I am writing. Maybe as an idea?



      • #4
        Re: prevent vlan from accessing network

        Do you need VMPS for that? Can it be solved by not creating VMPS? VLAN filtering instead of MAC filtering?



        • #5
          Re: prevent vlan from accessing network

          VMPS essentially does MAC filtering / VLAN filtering due to dynamic VLANs. If the MAC address is listed in the VLAN database, then the switch is configured to "update vmps" it will download the known MAC addresses to place those hosts into the appropriate VLANs. I typically only place my known MACs into a Corporate VLAN. All others are forced into a visitor VLAN. You can specify several VLANs and then just set what VLAN they are to go into.



          • #6
            Re: prevent vlan from accessing network

            cdhjrt,

            I have a couple of questions:

            1) In your network diagram you have two devices labeled as 'hubs'. Then below, near them, you have boxes with Cisco models. Are they actually hubs, or is the one on the left a Cisco 6506 and the one on the right a Cisco 3750?

            2) On what device are you configuring the access lists?

            3) Are you using any Network Address Translation (NAT), or do you preserve the original IP addresses on both sides of the MPLS network?
            Last edited by robrien; 15th April 2009, 22:02.
