Solved

Block public wifi subnet/vlan from private network...Cisco3750

Posted on 2014-04-23
4
608 Views
Last Modified: 2014-04-23
Hi,

I have a network setup as such

Vlan 80 - Public WiFi // 192.168.15.0/24
Vlan 60 - Company WiFi // 192.168.11.0/24
Vlan 40 - Phones // 192.168.1.0/24
Vlan 30 - Private internal machines // 192.168.10.0/24
Vlan 20 - servers 10.1.2.0/24
Vlan 10 - more servers 10.1.1.0/24

I want to deny the Public WiFi from everything except the DNS server on Vlan 30 and the DHCP server on Vlan 30 and getting out to the internet.

I have written an ACL that I believe accomplishes this;

#Allow access to dhcp
access-list 115 permit udp any eq bootpc any eq bootps
#Allow access to dns
access-list 115 permit udp any host 192.168.10.237 eq domain
#Allow access to default gateway
access-list 115 permit ip 192.168.15.0 0.0.0.255 host 192.168.15.254
#deny to all other subnets
access-list 115 deny   ip 192.168.15.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 115 deny   ip 192.168.15.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 115 deny   ip 192.168.15.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 115 deny   ip 192.168.15.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 115 deny   ip 192.168.15.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 115 deny   ip 192.168.15.0 0.0.0.255 10.1.2.0 0.0.0.255
#permit everything else
access-list 115 permit ip any any

int vlan 80
ip access-group 115 in


I believe this accomplishes what I want to do, is this accurate? I have read up on VACL's but I don't feel comfortable with them yet.
0
Comment
Question by:BluJ
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 6

Accepted Solution

by:
Jordan Medlen earned 150 total points
ID: 40017723
This does look to accomplish what you are wanting. I have a very, very similar ACL configured for our public wifi as well.

As for VACL's I wouldn't worry about those so much here.
0
 

Author Comment

by:BluJ
ID: 40017738
Thanks,

I need/want to get a different DHCP/DNS for this situation however I sort of inherited this network and need to accomplish this quickly. I am rusty as hell on ACL's. I had to dig deep to think about everything I needed to allow/deny for this to work. The VACL's are a bit confusing .
0
 
LVL 6

Expert Comment

by:Jordan Medlen
ID: 40017748
VACL's can be confusing, and honestly I don't use them much at all. I have more played around with them from time to time, to keep them fresh in mind. However, I just more so go for the old faithful IP ACL.
0
 

Author Closing Comment

by:BluJ
ID: 40017757
confirmation on an ACL question.
0

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Read about achieving the basic levels of HRIS security in the workplace.
Examines three attack vectors, specifically, the different types of malware used in malicious attacks, web application attacks, and finally, network based attacks.  Concludes by examining the means of securing and protecting critical systems and inf…
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question