I have a little problem here: how to create an external subnet that is able to connect to the Internet without direct access to the main/core network (servers or files). That subnet is used for other external devices which are not authorized yet (customers' smartphones or some devices able to connect to the Internet via wireless).
It looks like this image below:
Those devices on the right of the image are external devices that want to connect to the Internet and are not permitted to access the inside network such as VLAN14 or VLAN15.
It sounds like a simple thing, but when those devices are infected by a virus or something dangerous (DDoS etc.), it seems able to infect the inside network, which I don't want to happen. And I'd like to prevent it before it is able to occur.
What settings should I do on the L3 switch (in fact it is an N3024 device) or the AP? Please give me some advice!
By the way, the problem I'd like to resolve is the same as a public Wi-Fi system that enforces that the user must be authorized (email or phone number) before accessing the Internet, as I thought, but how to do that is not an easy issue for someone without much experience in networking like me.
Therefore, I would highly appreciate any help from you.
Thank you for your consideration,
Your best option would be to place a firewall in between the AP and the switch that handles the traffic filtering so you can blacklist sites. You can use ACLs to block ports and IP ranges, but that isn’t as effective as a web filter. Page 689 https://downloads.dell.com/manuals/all-products/esuprt_ser_stor_net/esuprt_networking/esuprt_net_fxd... You also should turn on BPDU guard.
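To show what the ACL approach above has to get right (first-match order and the implicit deny at the end), here is an added example that is not part of this thread or of Dell's documentation. It evaluates a guest-isolation ACL for the 192.168.16.0/23 range named later in the thread; the VLAN10~14 subnets, the test hosts and the rendered "deny ip ... wildcard" line format are assumptions, so check the rendered lines against the N3024 manual before using them.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


# Guest subnet from the thread; the VLAN10-14 subnets below are assumed for illustration.
GUEST = ipaddress.ip_network("192.168.16.0/23")
INTERNAL = {f"VLAN{v}": ipaddress.ip_network(f"192.168.{v}.0/24") for v in range(10, 15)}
ANY = ipaddress.ip_network("0.0.0.0/0")


def evaluate(acl, src_ip, dst_ip):
    """First matching rule wins; traffic that matches nothing hits the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in acl:
        if s in rule.src and d in rule.dst:
            return rule.action
    return "deny"


def guest_isolation_acl():
    """Deny guest -> each internal VLAN first, then permit guest -> everything else (Internet)."""
    return [Rule("deny", GUEST, net) for net in INTERNAL.values()] + [Rule("permit", GUEST, ANY)]


def check_policy(acl, guest_host="192.168.17.25", internet_host="203.0.113.10"):
    """Report which internal VLANs a guest host can still reach, and whether Internet egress works."""
    leaks = [name for name, net in INTERNAL.items()
             if evaluate(acl, guest_host, str(net.network_address + 10)) == "permit"]
    return {"leaks": leaks, "internet": evaluate(acl, guest_host, internet_host) == "permit"}


def to_wildcard_lines(acl):
    """Render rules as '<action> ip <src> <wildcard> <dst> <wildcard>' (assumed CLI-style format)."""
    def w(net):
        return "any" if net.prefixlen == 0 else f"{net.network_address} {net.hostmask}"
    return [f"{r.action} ip {w(r.src)} {w(r.dst)}" for r in acl]


if __name__ == "__main__":
    good = guest_isolation_acl()
    print("\n".join(to_wildcard_lines(good)))
    print(check_policy(good))          # no leaks, Internet allowed
    print(check_policy(good[::-1]))    # permit-any first: every deny is shadowed, all VLANs leak
    print(check_policy(good[:-1]))     # no final permit: implicit deny also blocks the Internet
```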
Sorry about the late feedback.
Regarding your suggestion about adding a firewall device between the AP and the switch, I think it's also okay to replace that AP with an AP router or a specific AP with a firewall feature, isn't it?
By the way, with a little change to the graph, I'd like to expand that issue more, as in the new picture below.
And I'd like to ask 2 points here:
① Regarding the picture, because I'd like to enhance the security level for the hosts inside (VLAN10~14), I'd like to make all the hosts in 192.168.16.0/23 connect directly to the Internet, while somehow enforcing that they cannot connect/ping to VLAN10~14. Is it possible to make such a setting? And which commands should I refer to for the setting on the switch?
② In another situation, I'd like to open a free port that does not belong to any VLAN and leads directly to the AP, while the rest of the ports on the switch are in access mode. But in this case, I wonder whether these connections (VLAN and non-VLAN) could connect normally via VLAN10, which is connected directly to the router as before, and whether there are any vulnerabilities/weak points for attacks because it's connected directly to the switch?
Finally, it would be very helpful if I could receive more advice from you for both of the situations above. I highly appreciate that!
Thank you for your consideration,
I'm so sorry, but could you please tell me something about my new inquiries?
I'd like to close this as soon as possible, please help me to solve it!
Your best option for this level of support is to contact sales for consulting services.