Tuesday, November 27, 2018

Best practice for implementing a public internet VLAN?

We have a bare-bones NAC solution in place; it allows us to quarantine hosts on a port based on criteria like Windows updates, AV updates, patches, etc., and move them to a different VLAN. In this case we want to create a public-internet-only VLAN.

What would be the best way to implement this?

I do have a working setup where a VLAN interface was created on a Cisco Layer 3 stack (3850) and an ACL applied to it to block all traffic to private IP ranges except the VLAN gateway. Wondering if there are better methods out there, though. Thanks!

Example config:

!
vlan 100
 name public-vlan
!
! SVI for the quarantine VLAN; the ACL below is applied inbound (traffic from the hosts)
interface Vlan100
 description public-vlan
 ip address 192.168.100.1 255.255.255.0
 ip access-group public-vlan in
 no shutdown
!
interface GigabitEthernet1/0/1
 switchport access vlan 100
 switchport mode access
!
ip route 192.168.100.0 255.255.255.0 [internet router IP]
!
ip dhcp excluded-address 192.168.100.0 192.168.100.1
!
ip dhcp pool public-vlan
 network 192.168.100.0 255.255.255.0
 default-router 192.168.100.1
 dns-server 1.1.1.1 8.8.8.8
!
! Wildcard masks: 0.255.255.255 = /8, 0.15.255.255 = /12, 0.0.255.255 = /16
! Deny the RFC 1918 ranges, exempt one host, permit everything else (internet)
ip access-list extended public-vlan
 10 deny ip any 10.0.0.0 0.255.255.255
 20 deny ip any 172.16.0.0 0.15.255.255
 30 permit ip any host 192.168.199.1
 40 deny ip any 192.168.0.0 0.0.255.255
 50 permit ip any any
!

The only caveat with the config now is that a host needs to be restarted in order to get a new IP address.
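To sanity-check what an ACL like the one above actually matches before committing it to the stack, here is an added example that is not part of the original post: a small Python evaluator that applies Cisco first-match and wildcard-mask semantics to the posted ACEs and reports which line a given source/destination pair hits. The client address 192.168.100.50 and the list of destinations are constructed test inputs, not values from the post.

```python
"""Offline evaluator for simple Cisco IOS extended ACLs (the 'ip <src> <dst>' form only).

Added example: this is not configuration or code from the original post. It replays the
posted ACEs in Python so their first-match behaviour can be checked before the ACL is
applied to the SVI.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The five ACEs from the posted config, copied here as constructed input for this example.
ACL_TEXT = """
10 deny ip any 10.0.0.0 0.255.255.255
20 deny ip any 172.16.0.0 0.15.255.255
30 permit ip any host 192.168.199.1
40 deny ip any 192.168.0.0 0.0.255.255
50 permit ip any any
"""

# An address spec is (base, wildcard), both as 32-bit integers.
Spec = Tuple[int, int]


@dataclass
class Ace:
    seq: int
    action: str  # "permit" or "deny"
    src: Spec
    dst: Spec


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def parse_spec(tokens: List[str]) -> Spec:
    """Consume one address spec from the token list: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'."""
    kw = tokens.pop(0)
    if kw == "any":
        return 0, 0xFFFFFFFF          # every bit is don't-care
    if kw == "host":
        return _ip(tokens.pop(0)), 0  # every bit must match
    return _ip(kw), _ip(tokens.pop(0))


def matches(spec: Spec, addr: int) -> bool:
    """Cisco wildcard semantics: bits set in the wildcard are ignored, all other bits must
    equal the base address. This also handles non-contiguous wildcards, which a
    netmask-based comparison would reject."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (addr ^ base) & care == 0


def parse_acl(text: str) -> List[Ace]:
    """Parse sequence-numbered 'permit|deny ip <src> <dst>' lines into Ace objects."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
        if proto != "ip" or action not in ("permit", "deny"):
            raise ValueError(f"unsupported ACE: {line}")
        rest = tokens[3:]
        src = parse_spec(rest)
        dst = parse_spec(rest)
        aces.append(Ace(seq, action, src, dst))
    return aces


def evaluate(aces: List[Ace], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, seq) of the first ACE matching src -> dst.
    IOS ends every ACL with an implicit deny, reported here as ('deny', None)."""
    s, d = _ip(src), _ip(dst)
    for ace in aces:
        if matches(ace.src, s) and matches(ace.dst, d):
            return ace.action, ace.seq
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    host = "192.168.100.50"  # constructed: a quarantined client sitting on VLAN 100
    for dst in ["8.8.8.8", "10.20.30.40", "172.31.255.254", "172.32.0.1",
                "192.168.199.1", "192.168.100.1", "169.254.1.1"]:
        action, seq = evaluate(acl, host, dst)
        print(f"{host} -> {dst:<16} {action:<6} (line {seq})")
```

Running it shows the expected shape: internet destinations and 192.168.199.1 are permitted, the three RFC 1918 ranges are denied, and anything outside those ranges (169.254.0.0/16, or any non-RFC 1918 space a site uses internally) falls through to line 50, so the deny list has to be extended to whatever the site actually uses. It also shows that unicast traffic to the SVI address 192.168.100.1 itself matches line 40, since only 192.168.199.1 is exempted; whether that affects DHCP renewals or anything else addressed to the gateway depends on how the platform applies an inbound ACL to traffic destined to itself, which is worth testing on the stack rather than assuming.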


