Solved

Block public wifi subnet/vlan from private network...Cisco3750

Posted on 2014-04-23
Last Modified: 2014-04-23
Hi,

I have a network setup as such

Vlan 80 - Public WiFi // 192.168.15.0/24
Vlan 60 - Company WiFi // 192.168.11.0/24
Vlan 40 - Phones // 192.168.1.0/24
Vlan 30 - Private internal machines // 192.168.10.0/24
Vlan 20 - servers 10.1.2.0/24
Vlan 10 - more servers 10.1.1.0/24

I want to deny the Public WiFi from everything except the DNS server on Vlan 30 and the DHCP server on Vlan 30 and getting out to the internet.

I have written an ACL that I believe accomplishes this:

! Allow access to DHCP (client broadcast and unicast renewals, bootpc -> bootps)
access-list 115 permit udp any eq bootpc any eq bootps
! Allow access to the DNS server on Vlan 30
access-list 115 permit udp any host 192.168.10.237 eq domain
! Allow access to the Vlan 80 default gateway
access-list 115 permit ip 192.168.15.0 0.0.0.255 host 192.168.15.254
! Deny public WiFi to all other internal subnets
access-list 115 deny   ip 192.168.15.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 115 deny   ip 192.168.15.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 115 deny   ip 192.168.15.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 115 deny   ip 192.168.15.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 115 deny   ip 192.168.15.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 115 deny   ip 192.168.15.0 0.0.0.255 10.1.2.0 0.0.0.255
! Permit everything else (internet)
access-list 115 permit ip any any

interface vlan 80
 ip access-group 115 in


I believe this accomplishes what I want to do; is this accurate? I have read up on VACLs, but I don't feel comfortable with them yet.
Question by:BluJ
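As an added check that is not part of the original question or the accepted answer, the following Python simulator evaluates access-list 115 with IOS first-match semantics (wildcard masks, implicit deny at the end) over a few constructed packets; it shows that the DHCP line is hit before the Vlan 30 deny, that only the named DNS host is reachable, and that internet traffic falls through to the final permit. The 192.168.10.10 DHCP server address, the 192.168.15.20 client and the 203.0.113.10 internet host are assumptions.

```python
import ipaddress

# Added example (not from the post): a first-match simulator for the
# poster's access-list 115, to check the policy on constructed packets.
BOOTPS, BOOTPC, DOMAIN = 67, 68, 53   # the IOS port names used in the ACL

def wc(addr, wildcard):
    """Cisco address/wildcard pair -> network (a wildcard is an inverted mask)."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

ANY = wc("0.0.0.0", "255.255.255.255")
PUBLIC = wc("192.168.15.0", "0.0.0.255")

# Entries are (action, protocol, src, src port, dst, dst port); None means
# the entry has no port condition, mirroring the posted ACL line by line.
ACL_115 = [
    ("permit", "udp", ANY, BOOTPC, ANY, BOOTPS),
    ("permit", "udp", ANY, None, wc("192.168.10.237", "0.0.0.0"), DOMAIN),
    ("permit", "ip", PUBLIC, None, wc("192.168.15.254", "0.0.0.0"), None),
] + [
    ("deny", "ip", PUBLIC, None, wc(net, "0.0.0.255"), None)
    for net in ("192.168.10.0", "192.168.11.0", "192.168.12.0",
                "192.168.1.0", "10.1.1.0", "10.1.2.0")
] + [("permit", "ip", ANY, None, ANY, None)]

def evaluate(acl, proto, src, sport, dst, dport):
    """Action of the first matching entry; IOS applies an implicit deny otherwise."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, aproto, asrc, asport, adst, adport in acl:
        if (aproto in ("ip", proto) and s in asrc and d in adst
                and asport in (None, sport) and adport in (None, dport)):
            return action
    return "deny"

# Constructed packets: client 192.168.15.20; 192.168.10.10 is an assumed
# DHCP server address and 203.0.113.10 stands in for an internet host.
CASES = {
    "dhcp_discover": ("udp", "0.0.0.0", BOOTPC, "255.255.255.255", BOOTPS),
    "dhcp_renew":    ("udp", "192.168.15.20", BOOTPC, "192.168.10.10", BOOTPS),
    "dns_server":    ("udp", "192.168.15.20", 51000, "192.168.10.237", DOMAIN),
    "dns_other_host": ("udp", "192.168.15.20", 51000, "192.168.10.5", DOMAIN),
    "internet_https": ("tcp", "192.168.15.20", 51000, "203.0.113.10", 443),
    "server_smb":    ("tcp", "192.168.15.20", 51000, "10.1.1.5", 445),
    "gateway_ping":  ("icmp", "192.168.15.20", None, "192.168.15.254", None),
}

def run_cases():
    return {name: evaluate(ACL_115, *pkt) for name, pkt in CASES.items()}
```

Add a case for any new subnet before changing the ACL; a packet that reaches the final permit unexpectedly is the usual sign of a missing deny line.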
4 Comments
 
LVL 6

Accepted Solution

by:
Jordan Medlen earned 600 total points
ID: 40017723
This does look to accomplish what you are wanting. I have a very, very similar ACL configured for our public wifi as well.

As for VACLs, I wouldn't worry about those so much here.
Author Comment

by:BluJ
ID: 40017738
Thanks,

I need/want to get a different DHCP/DNS for this situation; however, I sort of inherited this network and need to accomplish this quickly. I am rusty as hell on ACLs. I had to dig deep to think about everything I needed to allow/deny for this to work. The VACLs are a bit confusing.
LVL 6

Expert Comment

by:Jordan Medlen
ID: 40017748
VACLs can be confusing, and honestly I don't use them much at all. I have played around with them from time to time, to keep them fresh in mind. However, I mostly just go for the old faithful IP ACL.
Author Closing Comment

by:BluJ
ID: 40017757
Confirmation on an ACL question.