Networking Question

Hi All,

I'm new to this group, so if I'm in the wrong place please direct me!

I have a standard class C LAN. I have a user wanting to get internet access, but I don't want them accessing the network.

My idea is to give them a 2-host subnet and then get a router to direct all traffic from that subnet to the internet gateway without viewing the LAN.

Is this possible?

Thanks

Gavin.

Reply to
gavin

This would best be done with access lists. You can get your 2 host SN idea to work (though the user would need his own router interface or VLAN).

On the router you could set up an extended access list (these are done in router(config)#):

access-list 101 deny ip any LAN-network LAN-wildcard
access-list 101 permit ip any any

The LAN-network and LAN-wildcard must match all addresses on your LAN but no addresses on the internet. This could be done with multiple access-list statements - just remember that the permit "any" statement must be last in the list (and you cannot add new statements - the entire access-list must be removed from configuration and re-added because order matters).

Then, on the router interface (or VLAN subinterface) that this PC is connected to:

router(config-if)# ip access-group 101 in

I'm sure some of the more knowledgeable people will correct me or provide better ways of doing this? ;)

Reply to
malweth

you could also apply the access-list to the switch interface that they plug into...

Reply to
ju

only if it's an L3 capable switch

Access-lists work at the IP level. An ARP access-list could be used instead of a VLAN, but this seems more messy.

Reply to
malweth

Sorry, you're wrong...

You can apply an access-list on a layer 2 switch....

We are currently using this on Layer 2 2950s to separate a school network from a cyber cafe.

Reply to
ju


The switch has to have the capability. As far as I understand it, not all cisco switches support ip ACL because it's an L3/L4 process.

Reply to
malweth

NO ... You are wrong...!!!!

Cisco 2950 Layer 2 Switch: NB the security features


Now read this one for the 3560: NB the high-performance routing features


I too didn't believe it at first... but hey... I never thought that UTP would get to 100 Mbps, let alone 1000 Mbps...

In addition to this, check the other link in the post, which details an example configuration. I have applied this and further configurations on a Layer 2 device (2950)! Have you?


Ju ;)

Reply to
ju

Configuring Network Security with ACLs 23-2 Paragraph 2

You configure access lists on a Layer 2 switch to provide basic security for your network. If you do not configure ACLs, all packets passing through the switch could be allowed onto all parts of the network. You can use ACLs to control which hosts can access different parts of a network or to decide which types of traffic are forwarded or blocked at switch interfaces. For example, you can allow e-mail traffic to be forwarded but not Telnet traffic. ACLs can be configured to block inbound traffic.

Just to confirm...

:)

Reply to
ju
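Below is a worked IOS configuration that ties together malweth's router ACL suggestion (the numbered access list applied inbound on the guest's interface) and ju's point that a Catalyst 2950 can apply the same kind of ACL on a Layer 2 port. This is an added example and is not any poster's own config or Cisco's documentation. Everything specific is assumed for illustration: the LAN is 192.168.1.0/24 with the router at 192.168.1.1, the guest's 2-host subnet is 192.168.2.0/30 on its own router interface FastEthernet0/1 (the guest PC would be 192.168.2.2), and the switch is a 2950 running the Enhanced Image, which is the 2950 software that supports IP ACLs on Layer 2 ports. Interface names and addresses are made up; substitute your own.

```cisco
! ---- Router side (typed in router(config)#) ----
! A named extended ACL. Entries are evaluated top-down and the first match wins;
! anything that matches nothing is dropped by the implicit deny at the end.
! On IOS releases with ACL sequence numbers (12.3 and later) you can insert a line
! later by re-entering the list and prefixing the entry with a sequence number,
! so the whole list does not have to be removed and re-added.
ip access-list extended GUEST-IN
 remark Guest /30 (192.168.2.0/30, assumed addressing) may reach the internet, not the LAN
 remark If the guest must use a DNS server on the LAN, permit just that above the deny, e.g.
 remark   permit udp 192.168.2.0 0.0.0.3 host 192.168.1.10 eq 53   (assumed server address)
 deny   ip 192.168.2.0 0.0.0.3 192.168.1.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.3 any
 ! Deliberately no "permit ip any any": a packet arriving on this port with a
 ! source address outside 192.168.2.0/30 (spoofed) hits the implicit deny.
!
! Numbered equivalent of the two lines above, for the access-list 101 style:
! access-list 101 deny   ip 192.168.2.0 0.0.0.3 192.168.1.0 0.0.0.255
! access-list 101 permit ip 192.168.2.0 0.0.0.3 any
!
interface FastEthernet0/1
 description Guest segment, 2-host subnet (assumed numbering)
 ip address 192.168.2.1 255.255.255.252
 ip access-group GUEST-IN in
!
! ---- Switch side, Catalyst 2950 Enhanced Image ----
! Alternative for a guest PC that sits on a plain Layer 2 port in the LAN VLAN,
! as in the school / cyber cafe setup described above. Port ACLs on the 2950 are
! inbound only. The gateway's own address must be permitted before the LAN range
! is denied, otherwise the PC cannot reach the router for DHCP/DNS on it;
! internet-bound packets are addressed to internet IPs and match the final permit.
ip access-list extended GUEST-PORT
 permit ip any host 192.168.1.1
 deny   ip any 192.168.1.0 0.0.0.255
 permit ip any any
!
interface FastEthernet0/24
 description Guest PC
 switchport mode access
 ip access-group GUEST-PORT in
!
! ---- Checks (privileged exec) ----
! show ip access-lists GUEST-IN         hit counters on the deny line should climb
!                                       when the guest tries to ping a LAN host
! show ip interface FastEthernet0/1     reports "Inbound access list is GUEST-IN"
```

Two things worth knowing when you use this. An inbound ACL on the guest interface only filters packets the guest sends; LAN hosts can still send packets toward 192.168.2.0/30, but any reply from the guest is dropped, so connections in either direction fail. And an IP ACL separates IP traffic only, which is enough when the guest has its own router interface or VLAN because it then shares no broadcast domain with the LAN; on the shared-VLAN 2950 variant the guest PC still sees LAN broadcasts and ARP, it just cannot exchange IP packets with LAN hosts.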

Is this also the case for CatIOS? I unfortunately haven't had much RL experience with switches (just standard configurations)

Reply to
malweth

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.