I have a client who has asked me to block internet traffic from a few PCs on the LAN. The setup is two Cisco 877s: one providing internet access (and acting as the LAN default GW), the other providing the VPN link to the head office.
These PCs should be allowed to browse the local network and traverse the VPN to get resources from the head office systems, but be denied access to any resources on the internet.
If possible, I would like to do this without having to reserve a block of IP addresses on the DHCP server and then restricting access from those IPs.
Would MAC access-lists be the solution? If so, how do I configure it without restricting access to LAN/VPN resources?
Sanitized config attached.
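The attached config is not reproduced on the page, so the following is an added illustration of the IP-based way to meet the requirement on the internet-facing 877; it is not the poster's configuration or an answer from the thread. It avoids reserving an address block by giving each restricted PC a per-host DHCP binding keyed on its MAC (the IOS `ip dhcp pool` / `host` / `hardware-address` form), then filtering those addresses with an inbound extended ACL on the LAN interface. All subnets, MAC addresses, pool and ACL names are constructed placeholders, and the interface name `Vlan1` and the dynamic pool range (assumed to be .50 to .199, so the static hosts do not collide with it) are assumptions.

```cisco
! Added example, not the original poster's config. Addresses and MACs are placeholders.
!
! Assumed addressing:
!   LAN            192.168.10.0/24  (this router is Vlan1 = 192.168.10.1, the LAN default GW)
!   Head office    10.0.0.0/8       (reached over the VPN via the second 877 on this LAN)
!   Dynamic DHCP pool assumed to hand out .50-.199, so .201/.202 are free for static hosts.
!
! 1. Per-host DHCP bindings: no block is reserved, each restricted PC simply
!    always receives the same lease because the binding is keyed on its MAC.
ip dhcp pool PC-RESTRICTED-01
 host 192.168.10.201 255.255.255.0
 hardware-address 0011.2233.4455
 default-router 192.168.10.1
 dns-server 192.168.10.1
!
ip dhcp pool PC-RESTRICTED-02
 host 192.168.10.202 255.255.255.0
 hardware-address 0011.2233.4456
 default-router 192.168.10.1
 dns-server 192.168.10.1
!
! 2. Inbound ACL on the LAN interface. Order matters: the permits for local and
!    head-office destinations come first, then the deny that stops the restricted
!    PCs reaching anything else (i.e. the internet). The final permit leaves every
!    other host unaffected.
ip access-list extended LAN-IN
 remark -- restricted PCs: LAN and head office only
 permit ip host 192.168.10.201 192.168.10.0 0.0.0.255
 permit ip host 192.168.10.201 10.0.0.0 0.255.255.255
 deny   ip host 192.168.10.201 any log
 permit ip host 192.168.10.202 192.168.10.0 0.0.0.255
 permit ip host 192.168.10.202 10.0.0.0 0.255.255.255
 deny   ip host 192.168.10.202 any log
 remark -- all other hosts unrestricted
 permit ip any any
!
interface Vlan1
 ip access-group LAN-IN in
```

The `log` keyword on the deny lines and `show access-lists LAN-IN` give per-entry hit counters, which is the quickest way to confirm a restricted PC is actually matching the deny rather than falling through to `permit ip any any`. Because the ACL sits only on the internet-facing router, traffic that a PC sends straight to the VPN router on the same LAN never passes through it, which is the intended behaviour here; if the VPN router also had its own internet path, it would need an equivalent filter.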