Traffic Restriction!
Dear Members;
I have defined a subnet 172.168.0.0/16 with VLAN 200 and assigned this VLAN to multiple ports. I want to restrict some users from browsing the internet while still letting them access the corporate servers and data.
Labels: ACLs
In Security Appliance --> Configure --> Firewall you could add a layer 7 rule that denies any traffic from 172.168.0.0/16 to 0.0.0.0.
You may need a rule before it that allows traffic from 172.168.0.0/16 to the other subnets that hold the corporate servers, if there are other subnets.
Traffic from a device in the 172.168.0.0/16 should be able to contact another device in the same subnet without being routed.
I have to provide internet on the same subnet IPs.
If the clients are not already in a group policy then you could put them in one that has custom network firewall and shaping rules with a firewall rule that denies any traffic to any. Or you could block by default and instead add the devices that are allowed on the internet into a group policy that allows internet traffic.
How?
In Network-wide --> Configure --> Group policy you add a group. In that group you give it a name, select "Custom network firewall and shaping rules" in the Firewall and traffic shaping section, then add a firewall rule with a deny policy, any protocol, to any destination. Save that. Then go to Network-wide --> Monitor --> Clients, check the box on the clients you want to block from the internet, click the policy drop-down, select "Group", and select the group you just made.
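The two answers above hinge on the same point: firewall rules are evaluated first-match, so the specific "allow to corporate servers" rule has to sit above the catch-all deny, and traffic between two hosts in the same subnet never reaches the layer 3 rules at all. The script below is an added example, not Meraki code and not anything from the Dashboard API; it models first-match evaluation for both the network-wide rule set and the group-policy approach. The corporate-server subnet 10.10.10.0/24, the client addresses, the group membership and the use of 203.0.113.0/24 (a documentation range) as "the internet" are all constructed assumptions; the way group-policy members are evaluated against their own rule list is a simplified model, not a description of how the appliance actually merges policies.

```python
"""First-match L3 firewall evaluation for the VLAN 200 question.

Added example, not Meraki code: it does not touch the Dashboard and only
models first-match rule ordering. Addresses are constructed: 172.168.0.0/16 is
the thread's client VLAN, 10.10.10.0/24 is an assumed corporate-server subnet
and 203.0.113.0/24 (TEST-NET-3, a documentation range) stands in for the
internet.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
CLIENT_VLAN = ip_network("172.168.0.0/16")        # from the thread
CORP_SERVERS = ip_network("10.10.10.0/24")        # assumed server subnet
LOCAL_SUBNETS = [CLIENT_VLAN, CORP_SERVERS]       # subnets the appliance routes


@dataclass(frozen=True)
class Rule:
    policy: str            # "allow" or "deny"
    src: IPv4Network       # ANY means 0.0.0.0/0
    dst: IPv4Network
    comment: str


def evaluate(rules, src, dst, default="allow"):
    """Return (policy, reason) for one flow under first-match semantics.

    Two hosts in the same subnet talk through the switch without being routed,
    so that traffic never reaches the L3 rules (the point raised in the thread).
    """
    s, d = ip_address(src), ip_address(dst)
    for net in LOCAL_SUBNETS:
        if s in net and d in net:
            return "allow", f"same subnet {net}, not routed"
    for r in rules:
        if s in r.src and d in r.dst:
            return r.policy, r.comment
    return default, "no rule matched, implicit default"


# Rule sets for the two approaches discussed in the thread.
DENY_ONLY = [Rule("deny", CLIENT_VLAN, ANY, "block internet")]

ORDERED = [  # specific allow above the catch-all deny
    Rule("allow", CLIENT_VLAN, CORP_SERVERS, "corporate servers"),
    Rule("deny", CLIENT_VLAN, ANY, "block internet"),
]

GROUP_POLICY = [  # applied only to clients placed in the "no internet" group
    Rule("allow", ANY, CORP_SERVERS, "corporate servers"),
    Rule("deny", ANY, ANY, "block everything else"),
]
NO_INTERNET_GROUP = {ip_address("172.168.5.20")}  # constructed membership


def decide(src, dst, network_rules, group_rules, members):
    """Simplified model (assumption): a client in the group is evaluated
    against the group's rules, everyone else against the network-wide rules."""
    chosen = group_rules if ip_address(src) in members else network_rules
    return evaluate(chosen, src, dst)


if __name__ == "__main__":
    flows = [("172.168.5.20", "10.10.10.5"),     # client -> corporate server
             ("172.168.5.20", "203.0.113.7"),    # client -> internet
             ("172.168.5.20", "172.168.9.9")]    # client -> same VLAN
    for name, rules in (("deny only", DENY_ONLY), ("ordered", ORDERED)):
        for s, d in flows:
            print(f"{name:9} {s:>14} -> {d:<14} {evaluate(rules, s, d)}")
    for s, d in flows:
        print(f"group     {s:>14} -> {d:<14} "
              f"{decide(s, d, [], GROUP_POLICY, NO_INTERNET_GROUP)}")
    print("unrestricted client:",
          decide("172.168.5.21", "203.0.113.7", [], GROUP_POLICY, NO_INTERNET_GROUP))
```

Running it shows the failure mode the first answer warns about: with `DENY_ONLY` the client's traffic to the corporate server is denied along with the internet, while `ORDERED` allows the server and denies the internet. In the group-policy variant only the client placed in the group is restricted; a client outside the group falls through to the implicit default, which is the "block by default and add the allowed devices to a policy" inversion the second answer mentions if you swap which group carries the deny.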
@khurram wrote: I have to provide internet on the same subnet IPs.
If I understand you correctly, no problem.
Using supernetting, you could, for example, set up
192.168.2.0/24
and
192.168.3.0/24
both of which may be addressed using 192.168.2.0/23.
So 192.168.2.0/24 and 192.168.3.0/24 are part of the same supernet, 192.168.2.0/23.
@khurram wrote: Dear Members;
I have defined a subnet 172.168.0.0/16 with VLAN 200 and assigned this VLAN to multiple ports. I want to restrict some users from browsing the internet while still letting them access the corporate servers and data.
From a management point of view, the simplest thing to do is split the VLAN into two groups, one of which cannot access the internet and the other which can. Otherwise, if there is an identifying attribute you could use to sort the sheep from the goats, you could apply a rule.
Or give the users with no internet access a DHCP server that only handles the corporate servers.