Internet Access Only


  • Internet Access Only

    Hello, we are building a campus network for a retirement community and want folks to be able to access the internet and prevent them from getting into each other's computers. We have thought of configuring individual VLANs but have a nagging suspicion that there is an easier way to do this. There are ethernet appearances in each apartment and by consolidating with switches they all end up on one port of a Cisco router. Got any ideas? Thanks, Geezerguy

  • #2
    Re: Internet Access Only

    Are they managed or unmanaged switches?

    Are the computers 'managed' and owned by the company, or are they personal machines owned by the residents?

    Firewalls at the desktop would be the "simplest" way (while not actually being especially simple) but I'm sure you'd agree that probably isn't the best option.
    Gareth Howells

    BSc (Hons), MBCS, MCP, MCDST, ICCE

    Any advice is given in good faith and without warranty.

    Please give reputation points if somebody has helped you.

    "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

    "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.



    • #3
      Re: Internet Access Only

      We were hoping to come up with a way to do the job with unmanaged switches. The computers are all individually owned and can't be managed. We'll use managed switches if we have to but the problem is there's really nobody to do the management. The facility is a retirement complex with about 400 units.



      • #4
        Re: Internet Access Only

        I'm assuming you could do it with ACLs on the router. If all the hosts are on different subnets then create an ACL that blocks traffic from one subnet to another. If all the hosts are on the same subnet then create ACLs that block traffic from one host IP address to another.



        • #5
          Re: Internet Access Only

          The only way I see in your situation is to buy managed switches and use ACLs, something like this (I assumed that all hosts are in same network for example 192.168.0.x/24):
          1. permit all packets with Destination IP : Default Gateway
          2. deny all packets with Destination IP 192.168.0.0 and wildcard 0.0.0.255 (match only first 3 bytes)
          3. permit any any

          This ACL needs to be used on every port that connects to a user workstation.
          Last edited by cielo; 12th August 2009, 04:42.



          • #6
            Re: Internet Access Only

            Originally posted by joeqwerty
            If all the hosts are on the same subnet then create ACL's that block traffic from one host ip address to another.
            Would that not require managed switches though, since none of the traffic between two computers would be via the router if they're on the same subnet.

            Originally posted by geezerguy
            We'll use managed switches if we have to but the problem is there's really nobody to do the management
            99% of the "management" is the initial setup. Once that's done, the only time someone would need to login to a switch would be to expand. Just document the configuration (and back it up) so that it can be recreated if a switch has to be replaced.
            Gareth Howells




            • #7
              Re: Internet Access Only

              Originally posted by gforceindustries
              Would that not require managed switches though, since none of the traffic between two computers would be via the router if they're on the same subnet.
              You're right. I wasn't thinking for a minute. Sorry.



              • #8
                Re: Internet Access Only

                We are newbies at networking. Can you help us out with a little info on ACLs? Also, is it the consensus that we do need managed switches? We've been looking at Cisco 2950 which we can pick up inexpensively. Thanks for the input. Geezerguy



                • #9
                  Re: Internet Access Only

                  The steps to setup the ACLs will vary slightly between different models (and more importantly, different manufacturers). Given your options, managed switches sound like the most manageable way of achieving this.
                  Gareth Howells




                  • #10
                    Re: Internet Access Only

                    If we talk about Cisco, a sample configuration may look like this:
                    Code:
                    ! Extended ACL 101: let a resident reach the router, block the rest
                    ! of the local subnet, allow everything else (the Internet).
                    ! Order matters: the gateway permit has to come before the subnet
                    ! deny, because the gateway address is inside that subnet.
                    access-list 101 permit ip any <Default_gateway_IP> 0.0.0.0
                    access-list 101 deny   ip any <your_IP_class> 0.0.0.255
                    access-list 101 permit ip any any
                    To apply the ACL to one interface:
                    Code:
                    ! Applied inbound on the port that faces a resident's apartment,
                    ! so only traffic sent by that resident is filtered.
                    interface Ethernet0/1
                     ip access-group 101 in
                    Last edited by cielo; 13th August 2009, 16:38.

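The rule set in #5 and #10 only works if the three entries are in the order shown, and a wildcard mask like 0.0.0.255 is easy to misread. The script below is an added example (not code from the thread or from any poster) that models Cisco's first-match, wildcard-mask evaluation of that ACL so the ordering can be checked before it goes on 400 ports. It assumes a constructed flat subnet of 192.168.0.0/24 with the router at 192.168.0.1, uses documentation addresses for the sample hosts, and models only the destination-address test of each entry, since the posted entries match any source.

```python
"""Cisco wildcard-mask ACL evaluator.

Added example, not code from the thread: it models the extended ACL described
in posts #5 and #10 so the rule order can be checked before it goes on a
switch. Constructed assumptions: the flat subnet is 192.168.0.0/24, the router
(default gateway) is 192.168.0.1, and only the destination-address test of
each entry is modelled, because the posted rules use "any" as the source.
"""
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care',
    so 0.0.0.0 is an exact host match and 255.255.255.255 matches any host."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


def evaluate(acl, dst: str) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny
    that ends every Cisco ACL."""
    for action, base, wildcard in acl:
        if wildcard_match(dst, base, wildcard):
            return action
    return "deny"


GATEWAY = "192.168.0.1"                       # assumed router address
SUBNET, SUBNET_WC = "192.168.0.0", "0.0.0.255"

# access-list 101 as posted: gateway first, then the local subnet, then any.
ACL_101 = [
    ("permit", GATEWAY, "0.0.0.0"),
    ("deny", SUBNET, SUBNET_WC),
    ("permit", "0.0.0.0", "255.255.255.255"),
]

# The same three entries with the first two swapped: a plausible typing error
# that silently cuts every resident off from the router.
ACL_MISORDERED = [ACL_101[1], ACL_101[0], ACL_101[2]]


def isolation_report(acl, gateway: str = GATEWAY) -> dict:
    """Summarise what a resident-facing port ACL does to each class of
    destination. Sample addresses are constructed for illustration."""
    return {
        "gateway": evaluate(acl, gateway),                   # must be permit
        "neighbour": evaluate(acl, "192.168.0.55"),          # must be deny
        "internet": evaluate(acl, "203.0.113.10"),           # must be permit
        "dhcp_discover": evaluate(acl, "255.255.255.255"),   # limited bcast
        "subnet_broadcast": evaluate(acl, "192.168.0.255"),  # directed bcast
    }


if __name__ == "__main__":
    for name, acl in (("as posted", ACL_101), ("misordered", ACL_MISORDERED)):
        print(name, isolation_report(acl))
```

Running it shows the posted order permitting the gateway and the Internet while denying a neighbour, and the misordered copy denying the gateway as well, which would take the resident offline. Two practical caveats follow from the model: any shared service that lives on the same subnet but is not the router (a separate DHCP or DNS server, for example) needs its own permit line above the subnet deny, and an IP ACL never inspects ARP, so it limits IP traffic between apartments without preventing layer-2 tricks such as ARP spoofing. Catalyst 2950 port ACLs also depend on the software image (the Enhanced Image), so check which image the units carry before buying.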


                    • #11
                      Re: Internet Access Only

                      Many thanks. All the suggestions and info have made our job easier. We'll probably go with Cisco 2950's. Geezerguy



                      • #12
                        Re: Internet Access Only

                        You may also want to look into HP's ProCurve line of switches. They're usually less expensive than Cisco products and most models come with a lifetime warranty. Also, their tech support is top notch and free. Unless you need gigabit, their 2600 line is great, e.g. the 2610. The 2600 models also have PoE counterparts if you need that.
                        Wesley David
                        -------------------------------
                        Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
                        Vendor Neutral Certifications: CWNA



                        • #13
                          Re: Internet Access Only

                          HP and 3Com kit also tends to outperform Cisco's offerings and, as has been pointed out, is usually cheaper.
                          Gareth Howells

