Restricting internet access for staff

Unanswered Question
Sep 13th, 2011

Hi Experts,

We had implemented  internet access for the students in college campus. Perhaps, recently we've noted the college staffs bring up their laptops and connect to Wifi and get internet access. Consuming the bandwith for non-business purposes.

Summary for Network Scenario:

We had cisco router 857,connected to cisco switch 3560 and wireless aironet access points connected to this switch and  distributed over the floor.

please kindly help me in restricting the internet access for staffs.



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Collin Clark Tue, 09/13/2011 - 06:27

You can also do the restriction on the APs/controllers. I too would create a non-approved device vlan and police it down.

Abdul Samir Shaikh Tue, 09/13/2011 - 12:28

Thank you experts for your responses.

However, creating vlans would not solve my issues ? How do I only  make sure our staff use thi internet service as it is dedicated only  for students.

Is there can be mac-address restriction ?


Collin Clark Tue, 09/13/2011 - 12:35

Port Security is your best option, but it can get expensive. How many approved wireless devices do you have?

Collin Clark Tue, 09/13/2011 - 12:48

I should have clarified. How many devices; laptops, tablets, phones do you have on the network that are trusted by IT?

Abdul Samir Shaikh Tue, 09/13/2011 - 12:53

We have no trusted IT devices.

Why? because the students bring up there lappy and mobile phones to get access.

But our staff are taking advantage of this service by bringing there peronal devices This what I want to retrict.

Thank for your help.

Collin Clark Tue, 09/13/2011 - 12:56

There is no way to determine what is student and what is staff devices then right?

Abdul Samir Shaikh Tue, 09/13/2011 - 13:06

However, one idea has came to my mind.

I'll run the third party utility called as Angry IP Scanner. For a week I'll montior and record the mac & computer. later block those mac.

It can be ??

Collin Clark Tue, 09/13/2011 - 13:07

I don't think there is. About the only thing I can think of is if you require them to "login" and you have them specify student or staff, then restrict. Even then though the staff could select student and have full bandwidth.

Abdul Samir Shaikh Tue, 09/13/2011 - 13:11

Yes. But that was just a thought.

"About the only thing I can think of is if you require them to "login" and you have them specify student or staff, then restrict." How could I achieve this ? can you provide me config guide.


lonix1977 Mon, 10/03/2011 - 02:13

hi shamir, mac address blocking or whitelisting may not be scalable as the network grows or as the number of unauthorized terminals increase. It would be better to do it in layer 3 as suggested above. You may either blocklist VLAN assigned for uncontrolled terminals (wi-fi and classroom/library ports), or whitelist a VLAN for your authorized devices, whichever is more convenient for you.


This Discussion