02-21-2005 06:25 AM - edited 03-02-2019 09:47 PM
We are currently running 2950 and 4506 switches with multiple VLANs. I was hoping to find a way to restrict access to select computers, allowing access only to the internet without the ability to view or access any of the LAN resources. Is this possible? If so, how do I accomplish it? Any help is greatly appreciated.
02-21-2005 11:02 AM
Hi,
Without knowing much about your specific requirements I would suggest using a proxy server (Microsoft ISA server, Squid, etc.) and then restricting internet access to that specific server with access lists.
This way the responsibilities of granting access to the internet would fall upon that proxy server, and your router/switch configurations would remain the same in case you need to grant access to more computers on your LAN.
Please post a diagram of your current network if you need more specific information about possible implementation scenarios.
Have a nice day.
Regards.
02-21-2005 11:15 AM
Hi,
Thanks for your quick response and suggestion. Before I go that route, let me get a little more specific and hopefully you might have some ideas for me.
We are planning on leasing some internet bandwidth to outside agencies via our LAN. Is there a way to allow only HTTP traffic to the ports they are connected to? They will be connecting to a Catalyst 2950G.
They are currently leasing space in our building and our link is the only available broadband internet connection.
Ideally, we do not want them to see any of our network, but at the same time be able to access the internet. Is that possible?
02-21-2005 06:41 PM
You could create a separate VLAN for your client only. This would need to have a separate L3 interface connected to the VLAN, where you could apply access-lists to restrict access from your client subnet to your network and allow HTTP to everything else.
If you have limited L3 interfaces, you may need to trunk on an L3 interface.
You could also consider policy-routing or tunneling. There are probably more solutions, but more information would be required, like: would the client be using the same address space as your network?
Hope this helps,
Mark
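The separate-VLAN approach from the reply above, sketched as an added IOS configuration example that is not part of the original thread. VLAN 50, the 192.168.50.0/24 client subnet, the port number, the ACL name, the DNS permit and the choice of RFC 1918 ranges as "your network" are all assumptions; it also assumes the client uses static addressing and its own address space.

```cisco
! --- Catalyst 2950: client-facing access port (port number is an assumption)
vlan 50
 name CLIENT-INTERNET
!
interface FastEthernet0/5
 description Leased client port
 switchport mode access
 switchport access vlan 50
!
! --- Catalyst 4506 (L3): VLAN 50 must also be carried on the trunk to the 2950
vlan 50
 name CLIENT-INTERNET
!
ip access-list extended CLIENT-IN
 remark Block the client subnet from every internal (RFC 1918) range first
 deny   ip 192.168.50.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 192.168.50.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 192.168.50.0 0.0.0.255 192.168.0.0 0.0.255.255
 remark Then allow HTTP to everything else
 permit tcp 192.168.50.0 0.0.0.255 any eq www
 remark Assumption: DNS to an external resolver so host names resolve
 permit udp 192.168.50.0 0.0.0.255 any eq domain
 remark Drop and log anything else
 deny   ip any any log
!
interface Vlan50
 description Gateway for leased client VLAN
 ip address 192.168.50.1 255.255.255.0
 ip access-group CLIENT-IN in
```

Entries are matched top-down, so the internal-range denies must stay above the HTTP permit; `show access-lists CLIENT-IN` shows per-entry hit counts for checking what the client port is actually sending.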
02-23-2005 07:13 AM
Hi Mark,
Thanks for all the options. Can you give me some more details on tunneling and policy-routing? Or maybe direct me to a website that could explain it more in depth for me?
Here is the general idea: the client would be connected to a Catalyst 2950 and more than likely using the same address space.
Dan.