About sites restriction using a CISCO Switch

Unanswered Question
Nov 29th, 2002

Good Morning ...

Hi friends, I have a pending request to solve at my job; let me explain it to you:


1) I have a Catalyst 2924 XL-EN switch; it has 24 Ethernet ports (Fa0/x), 4 fiber-optic ports (Fa1/x), and 1 ATM module (Fa2).

2) Every Ethernet port has a hub attached to it.

3) Every hub has at least 6 PCs attached to it.

4) One of the fiber-optic ports is connected to the communications office, where the proxy Internet server is installed.

5) Not all PCs must get onto the Internet, just authorized PCs, but the proxy is open, so we are trying to control access to that proxy server using the switch.


Could anybody help me set up that blocking process on the switch?

Thanks

Fernando







daniel.bowen Fri, 11/29/2002 - 09:46

You're really gonna need a router involved. Then you can set up an access list to prevent the unauthorized PCs from reaching the proxy server.


Other than this, I cannot see a way


Daniel,

olazcano Fri, 11/29/2002 - 10:51

Hi !


The first step is to define exactly which PCs must have Internet access and which don't. I guess it could be easier to configure using your proxy's properties, but if you want to achieve this with your switch, I recommend you define VLANs if your switch supports them. One VLAN for administration, one VLAN including all PCs with Internet access and, obviously, the proxy server machine, and the other with all the rest.



Note: if you do not have any layer 3 equipment, you won't be able to establish communication between VLANs. Anyway, I will search for another solution.



revenger98 Tue, 12/03/2002 - 06:36

Hey man... thanks for the advice...

May I ask a question?


Access lists can be managed on my switch to solve this problem. I was planning to create a PERMIT access list and assign it to the port where the proxy hub is connected, so tons of traffic will come from the rest of the ports, but only the ones I've listed in that PERMIT list will pass.


Some comments?

thanks

Fernando



Bradley Littlejohn Tue, 12/03/2002 - 13:05
User Badges:
  • Cisco Employee,

Fernando,


Yes, you can with a 2900xl only.



This feature is not available on any other switch.

It is called multi VLAN (no, it is not the same thing as trunking). You MUST assign PCs that can go to the Internet and the intranet to one hub, and the other PCs that can only go to the intranet to a different hub. Then assign VLAN 2 to the proxy server, and VLANs 2 and 3 to the port with the hub that can go to the Internet and intranet. Then assign VLAN 3 only to the ports with the hubs that can go to the intranet.


http://www.cisco.com/univercd/cc/td/doc/product/lan/c2900xl/29_35wc6/cli/clicmds.htm#xtocid157



You will use the same subnet in both VLANs. You WILL NOT be able to trunk to any other switches in the future. Make sure that the people that have access to the Internet are not running servers that the other people can jump on to.


It is not very scalable, so the idea of multi-vlans on a port never got off the ground. But, you asked!
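
Added example, not part of the original thread: a Catalyst 2900 XL configuration fragment for the multi-VLAN layout described in the reply above. The port numbers and descriptions are assumptions chosen for illustration, and VLANs 2 and 3 are assumed to exist on the switch already.

```ios
! Assumed port layout (not from the thread):
!   Fa1/1  fiber uplink to the proxy server
!   Fa0/1  hub whose PCs may use the Internet and the intranet
!   Fa0/2  hub whose PCs may use the intranet only
!
! Proxy server: member of VLAN 2 only.
interface FastEthernet1/1
 description Proxy server uplink (assumed port)
 switchport mode access
 switchport access vlan 2
!
! Internet + intranet hub: multi-VLAN port, member of VLANs 2 and 3.
interface FastEthernet0/1
 description Hub - Internet and intranet PCs (assumed port)
 switchport mode multi
 switchport multi vlan 2,3
!
! Intranet-only hub: member of VLAN 3 only, so it shares no VLAN
! with the proxy port and its frames never reach the proxy.
interface FastEthernet0/2
 description Hub - intranet-only PCs (assumed port)
 switchport mode access
 switchport access vlan 3
!
end
```

Because the port is the unit of control, every PC on a hub inherits that hub's membership, and hosts on Fa0/1 remain reachable from VLAN 3, which is why the reply warns against running servers on the Internet-enabled PCs.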
