ACL just for internet, and nothing else
Futura
Member Posts: 191
in CCNA & CCENT
So I want to make a VLAN just for guest users to access the internet that goes out through a shared gateway. I don't want these users to be able to access anything on the LAN.
I was thinking
something like
permit tcp any any eq 80
but if I have any web servers on my network then the guests will be able to access them!
Any thoughts on how I can just allow internet access but strictly nothing else?
Thank you :):)
Comments
-
networker050184 Mod Posts: 11,962 Mod
You can just deny access to any internal subnets. For example, you use 192.168/16 on your internal network, then you just deny access to that and permit anything else. You will need to punch holes if there is some internal stuff they need to access.
An expert is a man who has made all the mistakes which can be made.
-
Futura Member Posts: 191
Superb, so I could
deny tcp any 172.16.0.0 0.0.255.255 eq www
permit tcp any any eq www
thanks :)
-
networker050184 Mod Posts: 11,962 Mod
I wouldn't even worry about the eq www part personally. Then you will get bugged often to let stuff like https, ftp, vpn protocols etc. through. Just make sure they have no IP connectivity to your stuff and let the rest go.
An expert is a man who has made all the mistakes which can be made.
-
NetworkVeteran Member Posts: 2,338 ■■■■■■■■□□
A few ideas--
You could block all traffic (on the ingress) destined for your external LAN IPs
You could block all traffic (on the egress) sourced from the guest LAN IPs
Use PBR to forward all packets from the guest LAN towards the Internet
-
drkat Banned Posts: 703
So on the guest VLAN you apply an ACL denying traffic to your internal subnets and permit everything else.
-
MickQ Member Posts: 628 ■■■■□□□□□□
You might want to deny ip rather than just tcp traffic. I'm sure you don't want UDP being able to get past.
-
Michael2 Member Posts: 305 ■■■□□□□□□□
Why not just create an ACL that would block all inbound traffic and place it on the gateways to your internal LAN with the guest terminals on the other side? Why create a VLAN?
-
drkat Banned Posts: 703
Michael, given that theory, how would you define the difference between guest and employee?
-
Michael2 Member Posts: 305 ■■■□□□□□□□
Oh, so I need a VLAN to differentiate between guests and employees. I thought you could just implement a User Access Control policy, but I guess I need to go out and get network switches and set up a whole VLAN to keep guest users from accessing the internal network.
-
drkat Banned Posts: 703
You don't NEED to do anything. Every network is a unique snowflake. You will want to look at your network and determine how the guests are going to be accessing the network and then determine the best access control for the job. Given the OP's original post utilizing a VLAN method, maybe they don't have any type of authentication policy in place, or maybe they have guest pods that only guests can use? The possibilities are endless.
However, I sense your response is as much sarcastic as it is arrogant. Only the OP, and in this case YOU, would know how your network is configured and best practice for that scenario.
From this scenario he is using a SHARED gateway, so both networks will have equal access to it. So sure, he can write an ACL that is egress on his internal subnet interface to not allow access from the guest subnet; this would be his best option. It really depends how he is set up, and since we don't have any configuration it's all hearsay at this point.
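An added example, not code from any of the posters: a small Python evaluator for the IOS extended-ACL lines used in this thread. It models first-match evaluation with the implicit deny at the end and runs the same constructed guest packets through the OP's single permit, the "deny the internal ranges, permit the rest" approach from the replies (with a punched hole for one internal resolver), the same thing written with deny tcp instead of deny ip, and the egress-on-the-internal-interface placement mentioned at the end. All addresses, internal ranges and packets are assumptions made for the example.

```python
"""First-match evaluator for the IOS extended-ACL syntax used in this thread.
Added example, not code from any poster; all addresses, ranges and packets
are constructed. Parses '<permit|deny> <proto> <src> <dst> [eq <port>]' lines,
applies first-match with the implicit 'deny ip any any', and compares the
ACL variants discussed above."""
import ipaddress

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53, "ssh": 22}

def _parse_target(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # IOS wildcard: 0 bits must match, 1 bits are don't-care; invert to a netmask.
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]

def parse_acl(text):
    """Return (action, proto, src_net, dst_net, dst_port) tuples; skip 'remark' lines."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        action, proto = tokens[0], tokens[1]
        src, rest = _parse_target(tokens[2:])
        dst, rest = _parse_target(rest)
        dport = None
        if rest and rest[0] == "eq":
            dport = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
        rules.append((action, proto, src, dst, dport))
    return rules

def evaluate(rules, proto, src_ip, dst_ip, dport):
    """First matching entry wins; falling off the end is the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, rproto, rsrc, rdst, rdport in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if src not in rsrc or dst not in rdst:
            continue
        if rdport is not None and rdport != dport:
            continue
        return action
    return "deny"

def run(acl_text, packets):
    """Evaluate (proto, src, dst, dport) packets against an ACL text."""
    rules = parse_acl(acl_text)
    return [evaluate(rules, *pkt) for pkt in packets]

# Constructed addressing: guest VLAN 192.168.100.0/24, internal space 10/8 and
# 172.16/16 (with one resolver guests may use), 203.0.113.0/24 as "the Internet".
GUEST, EMPLOYEE = "192.168.100.25", "172.16.20.7"
WEB_SERVER, DNS_SERVER, INTERNET = "172.16.0.80", "172.16.0.53", "203.0.113.10"

# The OP's idea: HTTPS to the Internet dies on the implicit deny, yet the
# internal web server on port 80 is still reachable.
ACL_OP = "permit tcp any any eq 80"

# What the replies converge on, inbound on the guest VLAN interface: punch the
# hole first, deny IP to the internal ranges, then let everything else out.
ACL_RECOMMENDED = """
remark hole for the internal resolver
permit udp any host 172.16.0.53 eq domain
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.0.255.255
permit ip any any
"""

# 'deny tcp' instead of 'deny ip': UDP to internal hosts slips through.
ACL_TCP_ONLY_DENY = """
deny tcp any 10.0.0.0 0.255.255.255
deny tcp any 172.16.0.0 0.0.255.255
permit ip any any
"""

# The other placement mentioned: outbound on the internal-LAN interface,
# matching the guest source range rather than internal destinations.
ACL_EGRESS_INTERNAL = """
deny ip 192.168.100.0 0.0.0.255 any
permit ip any any
"""

GUEST_PACKETS = [
    ("tcp", GUEST, WEB_SERVER, 80),   # guest -> internal web server
    ("tcp", GUEST, INTERNET, 443),    # guest -> Internet HTTPS
    ("udp", GUEST, DNS_SERVER, 53),   # guest -> the one permitted internal service
    ("udp", GUEST, DNS_SERVER, 123),  # guest -> same host, a port not in the hole
    ("tcp", GUEST, "10.1.1.5", 22),   # guest -> internal SSH
]
INTERNAL_BOUND = [("tcp", GUEST, WEB_SERVER, 80), ("udp", GUEST, DNS_SERVER, 53), ("tcp", EMPLOYEE, WEB_SERVER, 80)]

if __name__ == "__main__":
    for name, acl in [("OP", ACL_OP), ("recommended", ACL_RECOMMENDED), ("tcp-only", ACL_TCP_ONLY_DENY)]:
        print(f"{name:12} {run(acl, GUEST_PACKETS)}")
    print(f"{'egress':12} {run(ACL_EGRESS_INTERNAL, INTERNAL_BOUND)}")
```

Running it shows the three points made in the replies side by side: the OP's single permit still lets a guest reach the internal web server while blocking ordinary HTTPS browsing; the deny-internal-then-permit-any version blocks every internal destination except the one hole and lets the rest of the Internet through; and the deny tcp variant lets the UDP packets to internal hosts pass. Order matters because evaluation stops at the first match, so any hole has to sit above the deny for its range.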