
Allowing internet access only

jlazzaro

Cisco 4510R, has about 9 VLANs on it. One VLAN is going to be used by guests for internet access only... they cannot touch our production network because of security and IAVA compliance.

Would the best way to block them be an access-list? Would you need a permit for DNS and DHCP, or just DNS? The interface is configured with an ip helper-address...

permit ip 192.168.62.0 0.0.0.255 host 192.168.60.21
permit ip 192.168.62.0 0.0.0.255 host 192.168.60.74

Then block them from reaching any other VLANs on the segment...

deny ip 192.168.62.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip any any

Technically speaking, would you need to block the other segments from reaching the 62NET as well, or would this one-sided ACL be sufficient?

edit: also, is there any difference in the way an ACL is handled between applying it to multiple physical interfaces or just applying it to a VLAN that is assigned to multiple interfaces?
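
An added example, not part of the original post: a small first-match evaluator for the four ACL entries as posted, run over constructed packets to show which entry each one hits. It assumes the entries form one extended ACL applied inbound on the guest VLAN interface, which the post does not state; every address other than those in the ACL is made up.

```python
import ipaddress

# ACL entries exactly as posted: (action, source, destination), each address
# given as (base, wildcard). "host X" is wildcard 0.0.0.0; "any" ignores all bits.
ANY = ("0.0.0.0", "255.255.255.255")
GUEST = ("192.168.62.0", "0.0.0.255")
ACL = [
    ("permit", GUEST, ("192.168.60.21", "0.0.0.0")),
    ("permit", GUEST, ("192.168.60.74", "0.0.0.0")),
    ("deny", GUEST, ("192.168.0.0", "0.0.255.255")),
    ("permit", ANY, ANY),
]

def _int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: bits set in the wildcard are ignored."""
    care = ~_int(wildcard) & 0xFFFFFFFF
    return (_int(addr) & care) == (_int(base) & care)

def evaluate(src, dst, acl=ACL):
    """Return (action, entry_number) of the first matching entry.
    A packet that matches nothing hits the implicit deny, reported as entry 0."""
    for n, (action, (sb, sw), (db, dw)) in enumerate(acl, start=1):
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action, n
    return "deny", 0

# Constructed sample packets (assumed inbound on the guest VLAN interface).
SAMPLES = [
    ("0.0.0.0", "255.255.255.255", "DHCP discover broadcast"),
    ("192.168.62.50", "192.168.60.21", "guest to first permitted host"),
    ("192.168.62.50", "192.168.10.5", "guest to another 192.168.x VLAN"),
    ("192.168.62.50", "192.168.62.1", "guest to an address in its own subnet"),
    ("192.168.62.50", "10.1.1.1", "guest to a 10.x address"),
    ("192.168.62.50", "203.0.113.10", "guest to an internet address"),
]

if __name__ == "__main__":
    for src, dst, label in SAMPLES:
        action, n = evaluate(src, dst)
        print(f"{action:6} (entry {n})  {src:15} -> {dst:15}  {label}")
```

An ACL applied inbound on the guest interface only evaluates packets arriving from guests, so traffic initiated from other VLANs toward 192.168.62.0/24 is not checked by it; only the guests' replies are. The two host entries permit all IP to those hosts, and the deny covers 192.168.0.0/16 only, so any internal range outside it falls through to the final permit.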
 