Solved

Block public wifi subnet/vlan from private network...Cisco3750

Posted on 2014-04-23
601 Views
Last Modified: 2014-04-23
Hi,

I have a network set up as follows:

VLAN 80 - Public WiFi // 192.168.15.0/24
VLAN 60 - Company WiFi // 192.168.11.0/24
VLAN 40 - Phones // 192.168.1.0/24
VLAN 30 - Private internal machines // 192.168.10.0/24
VLAN 20 - Servers // 10.1.2.0/24
VLAN 10 - More servers // 10.1.1.0/24

I want to deny the Public WiFi from everything except the DNS server and the DHCP server on VLAN 30, and getting out to the internet.

I have written an ACL that I believe accomplishes this:

access-list 115 remark Allow access to DHCP
access-list 115 permit udp any eq bootpc any eq bootps
access-list 115 remark Allow access to DNS
access-list 115 permit udp any host 192.168.10.237 eq domain
access-list 115 remark Allow access to default gateway
access-list 115 permit ip 192.168.15.0 0.0.0.255 host 192.168.15.254
access-list 115 remark Deny to all other subnets
access-list 115 deny   ip 192.168.15.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 115 deny   ip 192.168.15.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 115 deny   ip 192.168.15.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 115 deny   ip 192.168.15.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 115 deny   ip 192.168.15.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 115 deny   ip 192.168.15.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 115 remark Permit everything else
access-list 115 permit ip any any

interface Vlan80
 ip access-group 115 in


I believe this accomplishes what I want to do; is this accurate? I have read up on VACLs but I don't feel comfortable with them yet.
Question by:BluJ
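To check the first-match logic of an extended ACL like the one above without a switch to hand, here is a small Python simulator. It is an added example, not part of the original thread and not Cisco tooling. It parses the access-list 115 lines exactly as posted (the any/host/wildcard address forms and the eq port qualifier, nothing more), then evaluates a handful of constructed sample flows from a public WiFi client the way IOS does: top down, first match wins, implicit deny at the end. The client, file server, internet and 172.16.x addresses in the sample flows are made up for the example; only the ACL text comes from the question.

```python
"""First-match simulator for the extended IP ACL posted in the question.

Added example, not part of the original thread and not Cisco tooling. It
parses access-list 115 as written on the page and evaluates constructed
sample flows the way an IOS extended ACL does: top down, first match wins,
implicit deny at the end. It models only the keywords the posted ACL uses
(ip/udp/tcp, any/host/wildcard, eq <port>, remark); it is not a full parser.
"""
import ipaddress

# Port keywords used by the posted ACL, mapped to their standard port numbers.
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53}

# The ten rules of access-list 115 exactly as posted in the question.
ACL_TEXT = """
access-list 115 permit udp any eq bootpc any eq bootps
access-list 115 permit udp any host 192.168.10.237 eq domain
access-list 115 permit ip 192.168.15.0 0.0.0.255 host 192.168.15.254
access-list 115 deny   ip 192.168.15.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 115 deny   ip 192.168.15.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 115 deny   ip 192.168.15.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 115 deny   ip 192.168.15.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 115 deny   ip 192.168.15.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 115 deny   ip 192.168.15.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 115 permit ip any any
"""


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)
    if wildcard == "0.0.0.0":  # all-zero wildcard = exactly one host
        return ipaddress.ip_network(tok + "/32")
    # A Cisco wildcard is an inverse mask; ipaddress accepts one after the slash.
    return ipaddress.ip_network(f"{tok}/{wildcard}", strict=False)


def _parse_port(tokens):
    """Consume an optional 'eq <port>' qualifier; None means any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return None


def parse_acl(text):
    """Turn access-list lines into (action, proto, src, sport, dst, dport) tuples."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src, sport = _parse_addr(rest), _parse_port(rest)
        dst, dport = _parse_addr(rest), _parse_port(rest)
        rules.append((action, proto, src, sport, dst, dport))
    return rules


def evaluate(rules, proto, src, sport, dst, dport):
    """Return (action, 1-based index of the matching rule); index 0 = implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, rproto, rsrc, rsport, rdst, rdport) in enumerate(rules, 1):
        if rproto != "ip" and rproto != proto:
            continue
        if s not in rsrc or d not in rdst:
            continue
        if rsport is not None and rsport != sport:
            continue
        if rdport is not None and rdport != dport:
            continue
        return action, i
    return "deny", 0


# Constructed sample flows from a public WiFi client; the client, file server,
# internet and 172.16.x addresses are made up for the example.
SAMPLE_FLOWS = {
    "dhcp_discover":    ("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "dns_udp":          ("udp", "192.168.15.23", 51000, "192.168.10.237", 53),
    "dns_tcp":          ("tcp", "192.168.15.23", 51001, "192.168.10.237", 53),
    "file_server":      ("tcp", "192.168.15.23", 51002, "10.1.1.10", 445),
    "ssh_to_gateway":   ("tcp", "192.168.15.23", 51003, "192.168.15.254", 22),
    "internet":         ("tcp", "192.168.15.23", 51004, "203.0.113.10", 443),
    "unlisted_rfc1918": ("tcp", "192.168.15.23", 51005, "172.16.5.5", 443),
}


def verdicts(rules=None):
    """Evaluate every sample flow; returns {flow name: 'permit' or 'deny'}."""
    rules = rules if rules is not None else parse_acl(ACL_TEXT)
    return {name: evaluate(rules, *flow)[0] for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for name, flow in SAMPLE_FLOWS.items():
        action, idx = evaluate(acl, *flow)
        print(f"{name:18} -> {action:6} (rule {idx or 'implicit deny'})")
```

Running it shows why the ordering matters: the DNS permit only works because it sits above the deny for 192.168.10.0/24. Three of the sample flows are worth checking against your own requirements. DNS over TCP to 192.168.10.237 falls through to the VLAN 30 deny because the permit is udp-only, so large answers that fall back to TCP will fail. A destination in a private range the deny list does not name (172.16.5.5 in the sample) reaches the final permit ip any any, so any subnet added later needs its own deny line or a broader RFC1918 deny. And the permit ip line for 192.168.15.254 covers SSH, Telnet and HTTP to the switch's own SVI, so if you don't want management access from the public WiFi, narrow that line to what the clients actually need.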
4 Comments
 

Accepted Solution by: Jordan Medlen (earned 150 total points)
ID: 40017723
This does look to accomplish what you want. I have a very, very similar ACL configured for our public wifi as well.

As for VACLs, I wouldn't worry about those so much here.
 

Author Comment by: BluJ
ID: 40017738
Thanks,

I need/want to get a different DHCP/DNS for this situation; however, I sort of inherited this network and need to accomplish this quickly. I am rusty as hell on ACLs. I had to dig deep to think about everything I needed to allow/deny for this to work. The VACLs are a bit confusing.
 

Expert Comment by: Jordan Medlen
ID: 40017748
VACLs can be confusing, and honestly I don't use them much at all. I have played around with them from time to time to keep them fresh in mind. However, I mostly just go for the old faithful IP ACL.
 

Author Closing Comment by: BluJ
ID: 40017757
Confirmation on an ACL question.