Locking down guest wireless vlan

We're in the early stages of students bringing in their own devices and connecting to a VMWare View infrastructure. One hiccup we are running into is locking down the guest wireless VLAN. We're aware that Cisco NAC would be the best solution to verify student owned devices are running certain antivirus programs/updates/etc (If not let me know). However, for the pilot purchasing a NAC isn't in are budget.

We have Cisco WCS as are wireless solution. Would there be a way to lock down the guest wireless VLAN so that students could just login to:

1) Login to the guest wireless VLAN
2) Use the VMWare client to connect to use view connect servers
3) Deny all other traffic

Are concerns are not in the VMWare infrastructure once they login but in the guest wireless VLAN. So students to mess with other computers in the VLAN.

I'll also mention we have a Cisco adsm 6.1, with IPS.. but I'm not sure if that will help.
Thanks Experts!
PapaSmurffAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Rick_O_ShayCommented:
Wouldn't a simple ACL to allow access to the resources you want and specifically deny acces to other local devices on the WLAN subnet work?
PapaSmurffAuthor Commented:
Would that be an ACL IP range with allowed rule and an explicit deny after?
How and where would that be applied.
Thank-you.
amprantiCommented:
You may use a VACL; you should apply this to the switch doing intervaln routing.
PapaSmurffAuthor Commented:
OK. Thank-you.

I've never done this before... Quickly going over some cisco documentation it looks confusing.
So if I'm in our 6509, conf mode, I'm going into the VLAN "name" and applying the VACL there or.. I guess what I'm asking is just for a starting point (starting command)

Sorry if that's confusing. Thanks for your help.
amprantiCommented:

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Wireless Networking

From novice to tech pro — start learning today.