
Solved

Block public wifi subnet/vlan from private network...Cisco3750

Posted on 2014-04-23
Last Modified: 2014-04-23
Hi,

I have a network setup as such

Vlan 80 - Public WiFi // 192.168.15.0/24
Vlan 60 - Company WiFi // 192.168.11.0/24
Vlan 40 - Phones // 192.168.1.0/24
Vlan 30 - Private internal machines // 192.168.10.0/24
Vlan 20 - Servers // 10.1.2.0/24
Vlan 10 - More servers // 10.1.1.0/24

I want to deny the Public WiFi from everything except the DNS server on Vlan 30 and the DHCP server on Vlan 30 and getting out to the internet.

I have written an ACL that I believe accomplishes this:

! Allow DHCP: client port 68 (bootpc) to server port 67 (bootps)
access-list 115 permit udp any eq bootpc any eq bootps
! Allow DNS (UDP/53 only) to the DNS server on VLAN 30
access-list 115 permit udp any host 192.168.10.237 eq domain
! Allow access to the default gateway (the VLAN 80 SVI address)
access-list 115 permit ip 192.168.15.0 0.0.0.255 host 192.168.15.254
! Deny the public WiFi subnet to all other internal subnets
access-list 115 deny   ip 192.168.15.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 115 deny   ip 192.168.15.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 115 deny   ip 192.168.15.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 115 deny   ip 192.168.15.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 115 deny   ip 192.168.15.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 115 deny   ip 192.168.15.0 0.0.0.255 10.1.2.0 0.0.0.255
! Permit everything else (internet-bound traffic); without this line the
! implicit deny at the end of every IOS ACL would block it
access-list 115 permit ip any any
!
! Apply inbound on the public WiFi SVI, i.e. to traffic arriving from VLAN 80 clients
interface Vlan80
 ip access-group 115 in


I believe this accomplishes what I want to do. Is this accurate? I have read up on VACLs but I don't feel comfortable with them yet.
Question by:BluJ
4 Comments
 

Accepted Solution

by: Jordan Medlen
ID: 40017723
This does look to accomplish what you are wanting. I have a very, very similar ACL configured for our public wifi as well.

As for VACLs, I wouldn't worry about those so much here.
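The accepted answer confirms the ACL by inspection. A quicker way to confirm it is to replay a handful of packets through the list with first-match semantics and see which line each one hits. The following is an added example (not from the thread or from Cisco): a small simulator for ACL 115 exactly as posted. It assumes packets are (proto, src_ip, src_port, dst_ip, dst_port) tuples and parses only the syntax ACL 115 actually uses (permit/deny, ip/udp/tcp, any/host/wildcard, `eq` ports); the test packets are constructed, not captured, and the internet address is from the 203.0.113.0/24 documentation range.

```python
"""First-match simulator for the Cisco IOS extended ACL posted in the question.

Added example, not code from the thread.  Assumes packets are 5-tuples
(proto, src_ip, src_port, dst_ip, dst_port) and models only the ACL syntax
that ACL 115 uses: permit/deny, ip/udp/tcp, any | host A | A WILDCARD, eq PORT.
"""
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "action proto src sport dst dport")

# Well-known port names used in the ACL, as IOS resolves them.
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53}

# ACL 115 exactly as posted in the question (comment lines dropped).
ACL_115 = """
access-list 115 permit udp any eq bootpc any eq bootps
access-list 115 permit udp any host 192.168.10.237 eq domain
access-list 115 permit ip 192.168.15.0 0.0.0.255 host 192.168.15.254
access-list 115 deny   ip 192.168.15.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 115 deny   ip 192.168.15.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 115 deny   ip 192.168.15.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 115 deny   ip 192.168.15.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 115 deny   ip 192.168.15.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 115 deny   ip 192.168.15.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 115 permit ip any any
"""


def _addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # An IOS wildcard mask is the inverted netmask: 0.0.0.255 -> 255.255.255.0
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard)
    return ipaddress.ip_network((tok, str(netmask)), strict=False), i + 2


def _port(tokens, i):
    """Parse an optional 'eq PORT' at tokens[i]; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


def parse_acl(text):
    """Turn 'access-list N ...' lines into Rule objects in configured order."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue  # blank lines and '!' comments carry no rule
        action, proto = t[2], t[3]
        src, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        rules.append(Rule(action, proto, src, sport, dst, dport))
    return rules


def _matches(rule, pkt):
    proto, sip, sport, dip, dport = pkt
    if rule.proto != "ip" and rule.proto != proto:  # 'ip' matches every protocol
        return False
    if ipaddress.ip_address(sip) not in rule.src or ipaddress.ip_address(dip) not in rule.dst:
        return False
    if rule.sport is not None and rule.sport != sport:
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return True


def evaluate(rules, pkt):
    """Return (action, 1-based rule number). IOS ends every ACL with an implicit deny."""
    for n, rule in enumerate(rules, 1):
        if _matches(rule, pkt):
            return rule.action, n
    return "deny", None


# Constructed test packets from a guest client on VLAN 80 (not captured traffic).
TEST_PACKETS = {
    "dhcp discover":    ("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "udp dns to .237":  ("udp", "192.168.15.10", 51000, "192.168.10.237", 53),
    "ping gateway":     ("icmp", "192.168.15.10", None, "192.168.15.254", None),
    "ssh to server":    ("tcp", "192.168.15.10", 51001, "10.1.1.5", 22),
    "https internet":   ("tcp", "192.168.15.10", 51002, "203.0.113.10", 443),
    "tcp dns to .237":  ("tcp", "192.168.15.10", 51003, "192.168.10.237", 53),
    "unlisted rfc1918": ("tcp", "192.168.15.10", 51004, "172.16.0.5", 445),
}


def verdicts():
    """Map each test packet name to the (action, rule number) ACL 115 gives it."""
    rules = parse_acl(ACL_115)
    return {name: evaluate(rules, pkt) for name, pkt in TEST_PACKETS.items()}


if __name__ == "__main__":
    for name, (action, n) in verdicts().items():
        print(f"{name:17} -> {action:6} (rule {n})")
```

Two of the results are worth noticing before this goes into production. The "tcp dns to .237" packet is denied by line 4, because line 2 permits UDP only; a resolver that falls back to TCP for large responses will be blocked. The "unlisted rfc1918" packet is permitted by line 10: the trailing `permit ip any any` means any destination that is not in the explicit deny list, including 172.16.0.0/12 or a VLAN added later, is reachable from the guest network. Listing the permits and letting the implicit deny catch the rest is the tighter pattern, but it needs a way to match "internet" destinations, which is why the deny-list approach in the question is common.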
 

Author Comment

by:BluJ
ID: 40017738
Thanks,

I need/want to get a different DHCP/DNS for this situation; however, I sort of inherited this network and need to accomplish this quickly. I am rusty as hell on ACLs. I had to dig deep to think about everything I needed to allow/deny for this to work. The VACLs are a bit confusing.

Expert Comment

by:Jordan Medlen
ID: 40017748
VACLs can be confusing, and honestly I don't use them much at all. I have more played around with them from time to time, to keep them fresh in mind. However, I just more so go for the old faithful IP ACL.
 

Author Closing Comment

by:BluJ
ID: 40017757
Confirmation on an ACL question.