The whole steps and procedures to restrict internet access (http & https) for employees from a Cisco 3750 switch.

15 pts.
Tags:
Cisco
Cisco 3750 configuration
Cisco Catalyst 3750
Switch configuration
VLAN
Hello there, how can I restrict internet access for my employees (around 30)? What I mean by internet access is the protocols http and https, while still allowing them to connect to the server and thus open their email (I have an Exchange server on another network in another country). The goal of all of this is to restrict them from using the internet but allow them to manage their email in Outlook. The switch is a Cisco Catalyst 3750 series POE -48. I have a modem connected to an ASA. I may have to create access lists and/or VLANs. How do I do that? Let's say I want to block a certain port as a test first; what is the proper configuration for the entire process? Please, I'm not a high-tech person. HELP ME!!

Software/Hardware used:
Cisco catalyst 3750 series POE -48.
ASKED: March 17, 2011  2:27 PM
UPDATED: March 25, 2011  4:08 PM

Answer Wiki


Being a multi-layer switch, your 3750 is more than capable of doing what you need it to.
For starters, VLANs would be a great idea – one for management, one for users you don't want to have Web access (so you don't lock EVERYONE out).

- Create the VLANs – like VLAN 10 for your “users”
- Make an ACL to block web traffic for VLAN 10, allow it access to anything in its subnet and allow it access to the exchange server
- Apply the ACL to the interfaces you need filtered.

A great place to start would be Cisco.com: http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_see/configuration/guide/swacl.html

Discuss This Question: 3  Replies

 
  • Zack1983
    So helpful so far Sixball, thanks for answering my question. Let's say I created VLAN 10 for Sales. How do I create an ACL for VLAN 10 to block web traffic for Sales but allow it access to anything in its subnet and especially the Exchange server? What are the commands to do all that? Even if these commands were just an example, it's OK; at least I get an idea. I am not a tech-savvy person and my business is suffering financially, so I can't afford a private network admin or a company to do the job, and for me it's good knowledge. Many thanks.
    15 pointsBadges:
    report
  • Sixball
    Not a problem my friend. A good way to apply this type of ACL is as follows:

    VLAN 10: 10.1.10.x /24 (255.255.255.0) network:

        Router#conf t
        Router(config)# access-list 101 deny tcp 10.1.10.0 0.0.0.255 any eq 80
          (blocks only packets destined for port 80 (http) from anything in the VLAN 10 IP range)
        Router(config)# access-list 101 permit ip any any
          (allows all other traffic through the interface - without this, ALL traffic would be denied)

    And a great place to put this would be on the router interface closest to, or on, the VLAN 10 trunk link, and have it filter incoming traffic (to prevent drop-bound packets from traversing the network / router unnecessarily). For example:

        Router#conf t
        Router(config)# interface fa0/0.10
        Router(config-subif)# ip access-group 101 in
        Router(config-subif)# exit
        Router(config)#

    This will block HTTP traffic coming into the router from VLAN 10, but allow VLAN 10 users to access anything else...
    8,515 pointsBadges:
    report
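
The three steps from the answer (create the VLAN, write the ACL, apply it) as one IOS configuration for the 3750 itself. This is an added example, not part of the original thread or of Sixball's replies. It reuses the VLAN 10 addressing from the reply above; the Exchange server address 192.0.2.25, the gateway address 10.1.10.1, the ACL and VLAN names and the port range are assumptions, and it assumes the switch's VLAN 10 interface is the users' default gateway.

```cisco
! Assumption: the 3750 routes for VLAN 10 (layer-3 switching enabled)
ip routing
!
! Step 1: create the VLAN for the restricted users
vlan 10
 name SALES
!
! Step 2: the ACL. Entries are evaluated top-down and the first match wins,
! so the permits for the local subnet and the Exchange server must come
! BEFORE the web denies. Outlook may reach Exchange over HTTPS, which the
! deny on port 443 would otherwise block.
ip access-list extended SALES-NO-WEB
 remark allow traffic within the VLAN 10 subnet
 permit ip 10.1.10.0 0.0.0.255 10.1.10.0 0.0.0.255
 remark allow everything to the Exchange server (192.0.2.25 is a placeholder)
 permit ip 10.1.10.0 0.0.0.255 host 192.0.2.25
 remark block web browsing: HTTP (80) and HTTPS (443)
 deny tcp 10.1.10.0 0.0.0.255 any eq 80
 deny tcp 10.1.10.0 0.0.0.255 any eq 443
 remark allow the rest; without this the implicit deny drops all other traffic
 permit ip any any
!
! Step 3: apply the ACL inbound on the VLAN 10 routed interface, so packets
! are dropped as they enter the switch from the users
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip access-group SALES-NO-WEB in
 no shutdown
!
! Put the user ports into VLAN 10 (port numbering is an assumption;
! adjust to the ports the 30 users are plugged into)
interface range FastEthernet1/0/1 - 30
 switchport mode access
 switchport access vlan 10
```

After applying it, `show ip interface Vlan10` confirms which inbound access list is attached. Web servers listening on ports other than 80 and 443 are not covered by these two deny lines.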