Traffic Restriction!

khurram
Here to help

Dear Members;

I have defined a subnet 172.168.0.0/16 with VLAN 200 and assigned this VLAN to multiple ports. I want to restrict some users so that they cannot browse the internet but can still access the corporate servers and data.

7 Replies
mmmmmmark
Building a reputation

In Security Appliance --> Configure --> Firewall you could add a layer 7 rule that denies any traffic from 172.168.0.0/16 to 0.0.0.0

You may need a rule before it that allows traffic from 172.168.0.0/16 to other subnets that have corporate servers if there are other subnets.

Traffic from a device in the 172.168.0.0/16 should be able to contact another device in the same subnet without being routed.

khurram
Here to help

I have to provide internet on same subnet IPs.

mmmmmmark
Building a reputation

If the clients are not already in a group policy then you could put them in one that has custom network firewall and shaping rules with a firewall rule that denies any traffic to any. Or you could block by default and instead add the devices that are allowed on the internet into a group policy that allows internet traffic.

khurram
Here to help

How?

mmmmmmark
Building a reputation

In Network wide --> Configure --> Group policy you add a group. In that group you give it a name, select Custom network firewall and shaping rules in the Firewall and traffic shaping section, then you add a firewall rule with a deny policy with any protocol to any destination. Save that. Then you go into Network wide --> Monitor --> Clients. Check the box on the clients you want to block from the internet and click on the policy drop down and select group and select the group you just made.
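As an added illustration (not code from any poster or from Meraki), the snippet below models the group-policy rule set described above as a first-match list and checks how rule order decides the outcome: the allow for the corporate servers must sit above the deny-any. The corporate server subnet 10.10.0.0/24 is a constructed placeholder, since the thread never names one, and the rule fields (policy, protocol, destPort, destCidr) are assumed to mirror the dashboard's group-policy L3 rule form.

```python
import ipaddress
from typing import Optional

# Constructed placeholder for the corporate server subnet (not from the thread).
CORP_SERVERS = "10.10.0.0/24"
INTERNAL_VLAN = "172.168.0.0/16"  # the OP's VLAN 200 subnet

# Rule order as proposed in the thread: allow corporate first, then deny all.
# In a group policy the source is always the client the policy applies to,
# so there is no source field.
NO_INTERNET_RULES = [
    {"policy": "allow", "protocol": "any", "destPort": "any",
     "destCidr": CORP_SERVERS, "comment": "corporate servers"},
    {"policy": "allow", "protocol": "any", "destPort": "any",
     "destCidr": INTERNAL_VLAN, "comment": "same VLAN (normally never routed)"},
    {"policy": "deny", "protocol": "any", "destPort": "any",
     "destCidr": "any", "comment": "block internet"},
]


def _cidr_matches(cidr: str, ip: str) -> bool:
    if cidr.lower() == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def _port_matches(spec: str, port: Optional[int]) -> bool:
    """Accepts 'any', a single port, or a 'lo-hi' range."""
    if spec.lower() == "any":
        return True
    if port is None:
        return False
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(rules, dest_ip: str, protocol: str = "tcp", dest_port: Optional[int] = None):
    """First matching rule wins; if nothing matches, the trailing default is allow."""
    for rule in rules:
        if rule["protocol"] != "any" and rule["protocol"].lower() != protocol.lower():
            continue
        if not _cidr_matches(rule["destCidr"], dest_ip):
            continue
        if not _port_matches(rule["destPort"], dest_port):
            continue
        return rule["policy"], rule["comment"]
    return "allow", "default rule"


if __name__ == "__main__":
    for dst in ("10.10.0.25", "172.168.5.9", "93.184.216.34"):
        print(dst, evaluate(NO_INTERNET_RULES, dst, "tcp", 443))
    # Same rules with the deny-any moved to the top: the corporate allow is never reached.
    print("misordered:", evaluate(list(reversed(NO_INTERNET_RULES)), "10.10.0.25", "tcp", 443))
```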

Uberseehandel
Kind of a big deal


@khurram wrote:

I have to provide internet on same subnet IPs.

If I understand you correctly, no problem.

Using supernetting, you could, for example, set up

192.168.2.0/24

and

192.168.3.0/24

both of which may be addressed using 192.168.2.0/23.

So 192.168.2.0/24 and 192.168.3.0/24 are part of the same supernet 192.168.2.0/23.

[Image: Supernetting.jpg]

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
Uberseehandel
Kind of a big deal


@khurram wrote:

Dear Members;

I have defined a subnet 172.168.0.0/16 with VLAN 200 and assigned this VLAN to multiple ports. I want to restrict some users so that they cannot browse the internet but can still access the corporate servers and data.


From a management point of view, the simplest thing to do is split the VLAN into 2 groups, one of which cannot access the internet and the other which can. Otherwise, if there is an identifying attribute you could use to sort the sheep from the goats you could apply a rule.

Or give the users with no internet access a DHCP server that only handles the corporate servers.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel