
Contributor II

ACL advice

We have multiple small campus locations that have an S1500 MAS switch deployed. The switches have access back to our datacenter via an MPLS network. We have AP105s deployed as well, and we are installing local internet connections at each site.


On the MAS we have 3 VLANs configured. 1 VLAN is part of our MPLS network. The second VLAN is for some of our wireless traffic. And the 3rd VLAN is for future guest access to the internet as well as the local internet provider. All internet traffic on the 2nd VLAN should go out the local internet provider; all corporate access should be directed to the MPLS network.


I have enabled PBR on the second VLAN that specifies all internet traffic should go out the local internet connection on the 3rd VLAN and all corporate access will go across the MPLS network. This works.


We would like to secure the port that is connected to the local internet provider device (DSL modem, cable, 4G, etc.) on the 3rd VLAN without deploying a firewall, via ACLs: basically allow all traffic out to the internet but deny all incoming traffic. It all sounds very simple, but I am struggling to come up with the correct solution.
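The following is an added illustration, not part of the original post and not MAS configuration syntax. It is a small Python packet-filter simulator that shows why a literal "permit everything out, deny everything in" ACL breaks the sessions the LAN itself starts, and what the two usual fixes do: a stateless rule that permits inbound TCP with ACK or RST set (the classic "established" match), and a stateful filter that remembers outbound 5-tuples. The `Packet`, `Rule`, policy functions and all addresses, ports and flows are constructed for the example.

```python
"""Added example, not from the thread: compare three ways of filtering the
port that faces the local ISP modem, using a small packet simulator.
Addresses, ports and flows below are constructed sample values."""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str             # "out" = LAN towards ISP, "in" = ISP towards LAN
    proto: str                 # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"} or {"ACK"}


@dataclass(frozen=True)
class Rule:
    action: str                        # "permit" or "deny"
    direction: Optional[str] = None    # None = any direction
    proto: Optional[str] = None        # None = any protocol
    established: bool = False          # TCP with ACK or RST set ("established" keyword)

    def matches(self, pkt: Packet) -> bool:
        if self.direction and pkt.direction != self.direction:
            return False
        if self.proto and pkt.proto != self.proto:
            return False
        if self.established:
            return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})
        return True


def stateless_policy(acl: List[Rule]) -> Callable[[Packet], str]:
    """First matching rule wins; implicit deny when nothing matches."""
    def decide(pkt: Packet) -> str:
        for rule in acl:
            if rule.matches(pkt):
                return rule.action
        return "deny"
    return decide


def stateful_policy() -> Callable[[Packet], str]:
    """Remember outbound 5-tuples; permit inbound only if it reverses one of them."""
    sessions = set()

    def decide(pkt: Packet) -> str:
        if pkt.direction == "out":
            sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "permit"
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "permit" if reverse in sessions else "deny"
    return decide


# The literal "allow all out, deny all in" policy from the question.
NAIVE_ACL = [Rule("permit", direction="out"), Rule("deny", direction="in")]

# Stateless variant that lets replies to LAN-initiated TCP sessions back in.
ESTABLISHED_ACL = [
    Rule("permit", direction="out"),
    Rule("permit", direction="in", proto="tcp", established=True),
    Rule("deny", direction="in"),
]

# Constructed sample traffic (documentation address ranges).
LAN, WEB, DNS, SCANNER = "203.0.113.10", "198.51.100.20", "198.51.100.53", "198.51.100.99"
WEB_SESSION = [  # outbound HTTPS handshake and the server's reply
    Packet("out", "tcp", LAN, 51000, WEB, 443, frozenset({"SYN"})),
    Packet("in", "tcp", WEB, 443, LAN, 51000, frozenset({"SYN", "ACK"})),
    Packet("out", "tcp", LAN, 51000, WEB, 443, frozenset({"ACK"})),
]
DNS_LOOKUP = [  # UDP carries no flags, so "established" cannot recognise the reply
    Packet("out", "udp", LAN, 40001, DNS, 53),
    Packet("in", "udp", DNS, 53, LAN, 40001),
]
UNSOLICITED_SYN = Packet("in", "tcp", SCANNER, 40000, LAN, 22, frozenset({"SYN"}))


def report(policy: Callable[[Packet], str]) -> dict:
    """Run the sample flows through a policy, in order, and summarise the outcome."""
    web = [policy(p) for p in WEB_SESSION]
    dns = [policy(p) for p in DNS_LOOKUP]
    return {
        "web_session_ok": all(d == "permit" for d in web),
        "dns_reply_ok": all(d == "permit" for d in dns),
        "unsolicited_syn_blocked": policy(UNSOLICITED_SYN) == "deny",
    }


if __name__ == "__main__":
    for name, policy in [("naive stateless", stateless_policy(NAIVE_ACL)),
                         ("stateless + established", stateless_policy(ESTABLISHED_ACL)),
                         ("stateful", stateful_policy())]:
        print(f"{name:24s} {report(policy)}")
```

Running it shows the naive ACL blocking the unsolicited SYN but also dropping the SYN-ACK and the DNS answer, so the LAN loses its own sessions. The "established" rule recovers TCP replies but still needs explicit permits for UDP return traffic such as DNS, and it trusts the ACK bit rather than tracking real sessions. Only the stateful filter passes all three checks, which is why the answer to "deny all inbound without a firewall" usually comes down to whether the switch or the upstream device can keep session state.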




Re: ACL advice


You may want to check out this thread:




However, that said, what device will be responsible for NAT? The upstream cable/DSL modem or the MAS?


Best regards,



Contributor II

Re: ACL advice

Hi Madini,


Thanks for the link. I will take a look at the thread.


NAT will depend on the device deployed at the location. In some cases it will be at the modem; in others this will happen at the MAS.




