Restricting Access to a Specific VLAN

  • Updated 1 year ago
I've run into a problem at my school where students have begun broadcasting to our Chromecasts. Shockingly, Google has not implemented any kind of password protection/access restrictions to their Chromecast devices.

I have 2 SSIDs configured in my hive--a faculty SSID and a student SSID.
Each SSID has multiple VLANs with unique DHCP addresses (for instance: faculty owned personal devices are on VLAN 50, school owned Chromebooks are on VLANs 31, 32, 33, 34, 35 depending on which computer cart they belong to, etc).
My Chromecasts currently live on VLAN 60.

Is there a way to prevent any devices in the student VLANs (or the whole student SSID) from accessing VLAN 60?

Thanks for your help,

Christopher Tawes
Network Administrator
BART Charter Public School
Adams, MA 01220
christopher.tawes@bartcharter.org

Christopher Tawes


Posted 2 years ago


Devin

That sounds like something to be implemented at the firewall rather than at the access point. What do you have for a router at that school? It should be fairly simple to configure a policy or ACL to deny access from VLANs 31-25 to VLAN 60 rather than having all access permitted between all VLANs.

Christopher Tawes

Devin,

All of my VLANs are configured in a switch (HP) which is acting as the internal router. I'm not that familiar with switch programming, but if that's where I should look I'll start digging into the documentation.

Thanks!

j

For reference, in Aerohive, you edit a User Profile and apply an IP Firewall Policy in which the action is deny for the VLANs in question.


Luke Harris

I would tend to agree with what has been said above (especially the configuration example) - also, in the defence of the Chromecast, they aren't enterprise devices and as a result don't behave as such, i.e. no 802.1x support, poor VLAN awareness, etc.
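
The deny policy suggested in the replies can be checked before it goes onto the switch or into an Aerohive IP Firewall Policy. The following is an added example, not code from any poster or vendor: it models an ordered, first-match ACL and audits which VLANs can still reach VLAN 60. The 10.0.<vlan>.0/24 addressing and all function names are assumptions; the VLAN numbers are the ones given in the question.

```python
import ipaddress

# Assumed addressing (not from the thread): VLAN n uses 10.0.n.0/24.
def subnet(vlan):
    return ipaddress.ip_network(f"10.0.{vlan}.0/24")

STUDENT_VLANS = [31, 32, 33, 34, 35]   # Chromebook carts, per the question
FACULTY_VLAN = 50
CHROMECAST_VLAN = 60
ANY = ipaddress.ip_network("0.0.0.0/0")

def build_acl(blocked_vlans, protected_vlan):
    """Ordered rules: deny each blocked VLAN -> protected VLAN, then permit the rest."""
    rules = [("deny", subnet(v), subnet(protected_vlan)) for v in blocked_vlans]
    rules.append(("permit", ANY, ANY))   # keeps all other inter-VLAN and internet traffic
    return rules

def evaluate(rules, src, dst):
    """First-match evaluation with the implicit deny applied when nothing matches."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if src in src_net and dst in dst_net:
            return action
    return "deny"

def audit(rules, vlans, protected_vlan):
    """Return the VLANs whose hosts can still reach the protected VLAN."""
    target = str(subnet(protected_vlan)[10])          # constructed sample host
    return [v for v in vlans
            if evaluate(rules, str(subnet(v)[10]), target) == "permit"]

if __name__ == "__main__":
    acl = build_acl(STUDENT_VLANS, CHROMECAST_VLAN)
    print("student VLANs reaching VLAN 60:", audit(acl, STUDENT_VLANS, CHROMECAST_VLAN))
    print("faculty VLANs reaching VLAN 60:", audit(acl, [FACULTY_VLAN], CHROMECAST_VLAN))
    # With the permit entry first, the deny entries are never reached.
    misordered = [acl[-1]] + acl[:-1]
    print("misordered ACL leaks:", audit(misordered, STUDENT_VLANS, CHROMECAST_VLAN))
```

The misordered case is the one to watch for when rules are entered by hand: a permit-any entry placed above the deny entries leaves every student VLAN with access.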