• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 626
  • Last Modified:

Block public wifi subnet/vlan from private network...Cisco3750

Hi,

I have a network setup as such

Vlan 80 - Public WiFi // 192.168.15.0/24
Vlan 60 - Company WiFi // 192.168.11.0/24
Vlan 40 - Phones // 192.168.1.0/24
Vlan 30 - Private internal machines // 192.168.10.0/24
Vlan 20 - servers 10.1.2.0/24
Vlan 10 - more servers 10.1.1.0/24

I want to deny the Public WiFi from everything except the DNS server on Vlan 30 and the DHCP server on Vlan 30 and getting out to the internet.

I have written an ACL that I believe accomplishes this;

#Allow access to dhcp
access-list 115 permit udp any eq bootpc any eq bootps
#Allow access to dns
access-list 115 permit udp any host 192.168.10.237 eq domain
#Allow access to default gateway
access-list 115 permit ip 192.168.15.0 0.0.0.255 host 192.168.15.254
#deny to all other subnets
access-list 115 deny   ip 192.168.15.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 115 deny   ip 192.168.15.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 115 deny   ip 192.168.15.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 115 deny   ip 192.168.15.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 115 deny   ip 192.168.15.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 115 deny   ip 192.168.15.0 0.0.0.255 10.1.2.0 0.0.0.255
#permit everything else
access-list 115 permit ip any any

int vlan 80
ip access-group 115 in


I believe this accomplishes what I want to do, is this accurate? I have read up on VACL's but I don't feel comfortable with them yet.
0
BluJ
Asked:
BluJ
  • 2
  • 2
1 Solution
 
Jordan MedlenCommented:
This does look to accomplish what you are wanting. I have a very, very similar ACL configured for our public wifi as well.

As for VACL's I wouldn't worry about those so much here.
0
 
BluJAuthor Commented:
Thanks,

I need/want to get a different DHCP/DNS for this situation however I sort of inherited this network and need to accomplish this quickly. I am rusty as hell on ACL's. I had to dig deep to think about everything I needed to allow/deny for this to work. The VACL's are a bit confusing .
0
 
Jordan MedlenCommented:
VACL's can be confusing, and honestly I don't use them much at all. I have more played around with them from time to time, to keep them fresh in mind. However, I just more so go for the old faithful IP ACL.
0
 
BluJAuthor Commented:
confirmation on an ACL question.
0

Featured Post

Managing Security & Risk at the Speed of Business

Gartner Research VP, Neil McDonald & AlgoSec CTO, Prof. Avishai Wool, discuss the business-driven approach to automated security policy management, its benefits and how to align security policy management with business processes to address today's security challenges.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now