Access Control Lists Help 1

[trmg]

Hey Guys,

I work for a school district and I'm in the process of testing a public WiFi network for use by parents and other guests at one of our school sites. We have HP ProCurve 420 WAPs which do VLAN tagging beautifully. I have the VLAN configured for the public network and everything works as expected.

Now, I need to set up ACL's so that any users on the public WiFi network (10.42.x.x) can only access the Internet. We do not want them to be able to access any other network resources. The path web (port 80) traffic will take out to the Internet is 10.42.x.x > 10.255.255.1 > 10.1.1.3 (our Squidguard filter). The path all other traffic will take out to the Internet is 10.42.x.x > 10.255.255.1 > 10.1.1.1 (our PIX)

What would be the best way to approach this?

 

[unclerico]

I'm going to assume the Cisco is a L3 switch.

access-list 101 deny ip any 10.0.0.0 0.255.255.255
access-list 101 deny ip any 172.16.0.0 0.15.255.255
access-list 101 deny ip any 192.168.0.0 0.0.255.255
access-list 101 permit ip any any

int vlan <wlan_vlan>
  ip access-group 101 in

This will deny all traffic generated on vlan <wlan_vlan> from contacting any other RFC 1918 addresses, but it will allow it to traverse the network out to the Internet. You can obviously fine tune it to permit only http/s or whatever protocols you want allowed outbound.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[trmg]

I was thinking about this on a much more complicated level! The setup above makes PERFECT sense!

I will definitely give this a try tomorrow and report back.

Thanks!!

 

[trmg]

Works beautifully. Thank you very much!

 

[burtsbees]

So give him a star!

/

 

[trmg]

Done!