Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
978
Views
5
Helpful
7
Replies

Restrict Internet Access

cigalahgroup
Level 1
Level 1

ā€Ž05-15-2019 12:52 AM

Hello,

        We have a small network with 30 Users and I would like to block the internet access for the 10 Users. We have DHCP running and all the network is on VLAN1, your help will be appreciated.

 

Thanks

 

0 Helpful
7 Replies 7

Seb Rupik
VIP Alumni
VIP Alumni

ā€Ž05-15-2019 01:04 AM

Hi there,
First find the MAC addresses of these 10 users and allocate them DHCP reservations from a contiguous block in the subnet.

Say you have the VLAN subnet 10.10.1.0/24, then allocate them IPs from the subnet range 10.10.1.0/28 which will give you the IPs:
10.10.1.0 -> 10.10.1.15

 

Then on the router interface (or SVI) for your one VLAN, place an ACL in the inbound direction:

!
ip access-list 100 deny ip 10.10.1.0 0.0.0.15 any
ip access-list 100 permit ip any any
!
int vlan1
  ip access-group 100 in
!

 

If you ever create new routed VLANs you will need to revisit the ACL, but for purely blocking internet access it will work.


cheers,
Seb.

cigalahgroup
Level 1
Level 1
In response to Seb Rupik

ā€Ž05-15-2019 01:12 AM - edited ā€Ž05-15-2019 01:12 AM

The above configuration meant that I am blocking ips from 10.10.1.0 -> 10.10.1.15. To achieve this first I have to collect the Mac-Addresses for the know users to which I  have to block.

 

Can you give me the mac address binding commands as well

 

 

0 Helpful

Seb Rupik
VIP Alumni
VIP Alumni
In response to cigalahgroup

ā€Ž05-15-2019 01:30 AM

Is the DHCP service running on the router?

If so the command is:

sh ip dhcp server binding

 

cheers,

Seb.

0 Helpful

cigalahgroup
Level 1
Level 1
In response to Seb Rupik

ā€Ž05-15-2019 01:34 AM

Yes Running

0 Helpful

Seb Rupik
VIP Alumni
VIP Alumni
In response to cigalahgroup

ā€Ž05-15-2019 01:38 AM

To create a DHCP reservation, assuming you have a DHCP pool like this:

 

!
ip dhcp pool DHCP_VLAN01
network 10.10.1.0 255.255.255.0
domain-name domain.local
default-router 10.10.1.254
dns-server 8.8.8.8
!

 

 

If you have a device with a MAC address aaaa.bbbb.cccc, the client-identifer must be append with '01' and the hex shifted to the right, so aaaa.bbbb.cccc becomes 01aa.aabb.bbcc.cc

 

A reservation would look like this:

 

!
ip dhcp pool DHCP_VLAN01-01
  host 10.10.1.1 255.255.255.0
  client-identifier 01aa.aabb.bbcc.cc
!

 

 

cheers,

Seb.

0 Helpful

Dennis Mink
VIP Alumni
VIP Alumni

ā€Ž05-15-2019 01:34 AM

alternatively put a dud proxy pac file on the 10 users machine to go direct for all internal but use a dud proxy ip  for all else.

Please remember to rate useful posts, by clicking on the stars below.

0 Helpful

cigalahgroup
Level 1
Level 1
In response to Dennis Mink

ā€Ž05-15-2019 01:37 AM

How do I achieve this 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card