304 Views | 3 Helpful | 4 Replies

Restrict access to internet traffic

d_monague
Level 1

We are currently running 2950 and 4506 switches with multiple VLANs. I was hoping to find a way to restrict access for select computers, allowing access only to the internet without the ability to view or access any of the LAN resources. Is this possible? If so, how do I accomplish it? Any help is greatly appreciated.

4 Replies

jaregalado
Level 1

Hi,

Without knowing much about your specific requirements I would suggest using a proxy server (Microsoft ISA server, Squid, etc.) and then restricting internet access to that specific server with access lists.

This way the responsibility of granting access to the internet would fall upon that proxy server, and your router/switch configuration would remain the same in case you need to grant access to more computers on your LAN.

Please post a diagram of your current network if you need more specific information about possible implementation scenarios.

Have a nice day.

Regards.
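The access-list side of the proxy approach, written out as an added example that is not part of the original thread. It assumes a LAN of 10.1.0.0/16, a proxy at 10.1.0.10 and an internet uplink on FastEthernet0/0; the idea is that only the proxy may leave the network, so every other host has to go through it and the proxy's own rules decide who gets out.

```cisco
! Added example with assumed addressing:
!   LAN 10.1.0.0/16, proxy 10.1.0.10, uplink FastEthernet0/0
! IOS access lists are evaluated top-down, first match wins, and every
! list ends with an implicit "deny ip any any".
ip access-list extended LAN-TO-INTERNET
 remark Only the proxy (Squid, ISA, ...) may reach the internet directly
 permit tcp host 10.1.0.10 any eq 80
 permit tcp host 10.1.0.10 any eq 443
 permit udp host 10.1.0.10 any eq 53
 remark Everything else that tries to bypass the proxy is dropped and logged
 deny   ip 10.1.0.0 0.0.255.255 any log
!
interface FastEthernet0/0
 description Internet uplink
 ip access-group LAN-TO-INTERNET out
!
! Clients are then given 10.1.0.10 as their browser proxy; the proxy's own
! configuration (for Squid, its http_access rules) decides which source
! addresses and destinations are allowed through it.
```

This list only filters what goes out of the uplink; traffic coming in from the internet is a separate policy, and the "log" keyword is there so that "show logging" reveals hosts that try to go around the proxy.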

Hi,

Thanks for your quick response and suggestion. Before I go that route, let me get a little more specific, and hopefully you might have some ideas for me.

We are planning on leasing some internet bandwidth to outside agencies via our LAN. Is there a way to allow only HTTP traffic to the ports they are connected to? They will be connecting to a Catalyst 2950G.

They are currently leasing space in our building, and our link is the only available broadband internet connection.

Ideally, we do not want them to see any of our network, but at the same time be able to access the internet. Is that possible?

You could create a separate VLAN for your client only. This would need to have a separate L3 interface connected to the VLAN, where you could apply access lists to restrict access from your client subnet to your network and allow HTTP to everything else.

If you have limited L3 interfaces, you may need to trunk on an L3 interface.

You could also consider policy-routing or tunneling. There are probably more solutions, but more information would be required like would the client be using the same address space as your network?

Hope this helps,

Mark
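Mark's separate-VLAN approach, written out as an added example that is not from the original thread. It assumes tenant VLAN 50 with the subnet 192.168.50.0/24, tenant ports FastEthernet0/20-23 on the 2950, an internal VLAN 10, the 4506 as the layer-3 gateway, an internal DHCP server at 10.1.0.5, and internal addressing inside the RFC 1918 ranges. HTTPS, DNS and DHCP are permitted alongside the HTTP the thread asks for, because a browser is unusable without them; that widening is my addition, not Mark's.

```cisco
! ===== Catalyst 2950 (layer 2): put the tenant ports in their own VLAN =====
! Added example; VLAN numbers, ports and addresses are assumed.
vlan 50
 name TENANT-INTERNET-ONLY
!
interface range FastEthernet0/20 - 23
 description Leased tenant ports, access VLAN 50 only
 switchport mode access
 switchport access vlan 50
! protected ports cannot talk to each other at layer 2
 switchport protected
! portfast plus bpduguard: the port is shut down if a tenant plugs in a switch
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/1
 description Trunk to the 4506, carrying only the VLANs that are needed
 switchport mode trunk
 switchport trunk allowed vlan 10,50
!
! ===== Catalyst 4506 (layer 3): gateway for VLAN 50 with an inbound ACL =====
! The tenant gets its own subnet. Reusing your existing address space would
! put them in your broadcast domain and defeat the purpose of the VLAN.
ip access-list extended TENANT-IN
 remark DHCP first, so renewals to the internal DHCP server are not hit by the denies below
 permit udp any eq bootpc any eq bootps
 remark Block the private (RFC 1918) ranges before any "permit ... any"
 deny   ip 192.168.50.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 192.168.50.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 192.168.50.0 0.0.0.255 192.168.0.0 0.0.255.255
 remark DNS and web to whatever is left, i.e. the internet
 permit udp 192.168.50.0 0.0.0.255 any eq 53
 permit tcp 192.168.50.0 0.0.0.255 any eq 80
 permit tcp 192.168.50.0 0.0.0.255 any eq 443
 remark Explicit final deny with logging so bypass attempts show up
 deny   ip any any log
!
interface Vlan50
 description Tenant gateway
 ip address 192.168.50.1 255.255.255.0
 ip helper-address 10.1.0.5
 ip access-group TENANT-IN in
```

The order of the entries is the whole point: the RFC 1918 denies must sit above the "permit ... any" lines, otherwise "any" includes your own LAN. To verify, plug a laptop into one of the tenant ports, confirm it gets a 192.168.50.x address, then check that a LAN host cannot be reached while a public web site can; the hit counters in "show access-lists TENANT-IN" show which line matched.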

Hi Mark,

Thanks for all the options. Can you give me some more details on tunneling and policy routing, or maybe direct me to a website that could explain it more in-depth for me?

Here is the general idea: the client would be connected to a Catalyst 2950 and more than likely using the same address space.

Dan.
