user6 may potentially unplug user5's cable and plug it into his PC to get Internet access.this still allows user6 to use user5's PC to access the Internet this is still device based, not user based, i.e.if your current setup has all users connected to a switch (or set of switches) connected to Eth0/1, then unplug those 5 users and plug them into ports Eth0/2-6 and configure those as vlan 3, configure an interface vlan3 etc., put a blocking ACL in vlan1 and a permissive ACL on vlan3. Physically separate the users' PCs in 2 different (V)LANs. when user6 sees that user5's PC is powered off, user6 can configure user5's IP address on his PC and hence get Internet access. So user6 can still access the Internet from user5's PC. This allows the 5 PCs access, not the 5 users.Note that this is the most basic solution, but: Then on the ASA you can simply put an ACL on the inside interface allowing only traffic from those 5 ip addresses. I can think of a few possible strategies to achieve the desired result of allowing 5 users Internet access and blocking all others:Ĭonfigure static IP addresses on the PCs of the 5 users or configure the DHCP server with IP address reservations for those 5 (based on their MAC address, always assign them the same IP address).
0 kommentar(er)
