Blocking internet access to 1 vlan

Lets say that theres an organisation which uses one Cisco 4507 layer 3 switch with separate VLANs for every block. Eacn block has 2 Cisco 2950 switches, separate VLAN and full access to internet. Some servers are in a separate VLAN.

Now we need to create a new VLAN for some users (new switch). We need to block internet access, but users should be able to access atleast one server (say ip 172.17.17.4)

Can anybody give an idea how to go on with this? Commands used ?

Find more posts tagged with

Comments

tech-airman

snake eyes wrote:

Lets say that theres an organisation which uses one Cisco 4507 layer 3 switch with separate VLANs for every block. Eacn block has 2 Cisco 2950 switches, separate VLAN and full access to internet. Some servers are in a separate VLAN.

Now we need to create a new VLAN for some users (new switch). We need to block internet access, but users should be able to access atleast one server (say ip 172.17.17.4)

Can anybody give an idea how to go on with this? Commands used ?

snake eyes,

What is the physical topology of:

The Internet connection
The clients
The servers
The networking devices in between
Other devices involved

jason_lunde

Well, depending on your topology I would create an access list that permits traffic destined for the server vlan or IP's you want to allow. Then deny traffic to everything else. Then assign the access group in or out on the proper VLAN interface on your core. This depends entirely on your topology type however. Hope this helps...post your core config if possible.

snake eyes

Hello

Let me try explaining.

There is one leased line for internet that is connected to router. After that there is a Pix Firewall and a Layer 3 4507 Switch. After that there are different departments in different buildings with a single VLAN for each building. Each VLAN spans on 2 switches (2950).
Some servers including a SQUID Proxy,DHCP, PDC, DNS, Web and Mail are placed in a separate VLAN.
Every PC in the network obtains IP from DHCP server and can access internet.
Now there is a new block coming up in which some PCs need to have only local networking and permissions to access a couple of servers.Internet access is to be blocked.
Thats what I am wondering about. Its possible to block internet access using Proxy for that subnet, but can it be done in switch?
And what are the commands used?

mamono

This is heavily dependent on your network infrastructure. There are so many details that need to be known that it would be difficult to give an answer that best fits that business' needs. By posting under a Cisco forum, the standard answer here would be to block the subnet or VLAN using ACL's as mentioned earlier. If it were a Microsoft Active Directory network, then you would create a GPO that disables all access to the prohibited resources and apply it to all those unprivileged users. It all really depends. There is no straight answer.

dtlokee

Create an ACL that allows traffic to the stuff you want to allow (the Internet traffic will hit the implicit deny) and apply it inbound on the L3 SVI on the 4507. Alternately you can remove that subnet from the firewall allowed list, or NAT translations.

If that doesn't make any sense then you shouldn't be playing with a production box, seriously. Try it in a lab.