04-21-2008 06:43 AM - edited 03-05-2019 10:30 PM
Configuring a Guest Subnet on a Remote Office Router:
I have an interface on the router, Gig 0/0, with 3 sub-interfaces:
0/0.17 --> for Guests
0/0.31 --> for Prod Hosts
0/0.32 --> for Voice Hosts
I applied these lists to 0/0.17:
interface GigabitEthernet0/0.17
encapsulation dot1Q 17
ip address 172.17.10.1 255.255.255.0
ip access-group GuestIN in
ip access-group GuestOUT out
ip access-list extended GuestIN
remark Permit DHCP
permit udp any any eq bootps
permit udp any any eq bootpc
permit icmp any any
ip access-list extended GuestOUT
remark Permit DHCP & DMZ HTTP & HTTPS
permit udp any any eq bootps
permit udp any any eq bootpc
permit tcp any 10.200.12.0 0.0.0.255 eq www reflect OUTportfilter
permit tcp any 10.200.12.0 0.0.0.255 eq 443 reflect OUTportfilter
permit tcp any 10.200.10.0 0.0.0.255 eq www reflect OUTportfilter
permit tcp any 10.200.10.0 0.0.0.255 eq 443 reflect OUTportfilter
deny ip any 10.0.0.0 0.255.255.255
permit ip any any reflect OUTportfilter
After applying these 2 lists, I can still telnet to hosts in the 10.221.40.0 network and/or ping hosts in the 10.221.40.0 network. Am I missing something?
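Added example, not part of the original post or any reply: the same guest policy with each list oriented to the direction it is applied in. On IOS an access list applied "in" on Gi0/0.17 filters packets arriving from the guest hosts, and one applied "out" filters packets the router sends toward the guest hosts; a reflexive entry is created by "reflect" on the list that sees the first packet of a session and consumed by "evaluate" on the list that sees the reverse direction. Addresses are taken from the post; the reflexive list name GUESTRFLX, the timeout value and the "log" keywords are assumptions made for this example.

```cisco
! Added example (not the poster's configuration). GUESTRFLX, the
! 300 s timeout and the "log" keywords are assumptions.
!
! "in" on Gi0/0.17 = packets arriving FROM the guest hosts (172.17.10.0/24).
! This is the only list a guest-sourced packet ever passes through, so the
! block on the internal 10/8 space (including 10.221.40.0) belongs here.
ip access-list extended GuestIN
 remark DHCP client -> server
 permit udp any eq bootpc any eq bootps
 remark Guests may reach the two DMZ ranges on HTTP/HTTPS; reflect the flow
 permit tcp 172.17.10.0 0.0.0.255 10.200.12.0 0.0.0.255 eq www reflect GUESTRFLX
 permit tcp 172.17.10.0 0.0.0.255 10.200.12.0 0.0.0.255 eq 443 reflect GUESTRFLX
 permit tcp 172.17.10.0 0.0.0.255 10.200.10.0 0.0.0.255 eq www reflect GUESTRFLX
 permit tcp 172.17.10.0 0.0.0.255 10.200.10.0 0.0.0.255 eq 443 reflect GUESTRFLX
 remark Everything else toward internal 10/8 is dropped here
 deny   ip any 10.0.0.0 0.255.255.255 log
 remark Guests may ping out
 permit icmp 172.17.10.0 0.0.0.255 any echo
 remark Anything else (Internet) is allowed and its return path reflected
 permit tcp 172.17.10.0 0.0.0.255 any reflect GUESTRFLX timeout 300
 permit udp 172.17.10.0 0.0.0.255 any reflect GUESTRFLX timeout 300
 deny   ip any any log
!
! "out" on Gi0/0.17 = packets the router sends TOWARD the guest hosts.
! Their destination is always 172.17.10.x, so a "deny ip any 10.0.0.0/8"
! on this list can never match; return traffic for sessions the guests
! opened is admitted by evaluating the reflexive list instead.
ip access-list extended GuestOUT
 remark DHCP server -> client
 permit udp any eq bootps any eq bootpc
 remark Replies to guest pings and path errors
 permit icmp any 172.17.10.0 0.0.0.255 echo-reply
 permit icmp any 172.17.10.0 0.0.0.255 time-exceeded
 permit icmp any 172.17.10.0 0.0.0.255 unreachable
 remark Return half of sessions the guests opened (entries created by GuestIN)
 evaluate GUESTRFLX
 deny   ip any any log
!
interface GigabitEthernet0/0.17
 encapsulation dot1Q 17
 ip address 172.17.10.1 255.255.255.0
 ip access-group GuestIN in
 ip access-group GuestOUT out
```

Two checks worth running after applying it: "show ip access-lists GuestIN" and "show ip access-lists GUESTRFLX" show per-entry hit counters and the live reflexive entries, so a guest opening a browser to the DMZ should increment the matching permit in GuestIN and produce a temporary entry in GUESTRFLX. Bear in mind that packets originated by the router itself (a telnet or ping started from the router's own exec prompt) are never subject to interface access lists in either direction, so tests must be run from a host on the guest VLAN.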
04-21-2008 11:44 AM
Hi, I do believe you will have to deny telnet on port 23 for the network 10.0.0.0, and ping uses ICMP echo response, which I don't see an entry to deny ICMP for. You have denied IP traffic on the 10.0.0.0 network, so the guest should not receive any IP traffic from that network.
D
04-22-2008 08:20 PM
Hi Jacob-Harris
As you said you can telnet and ping: do you telnet and ping from the router itself, or from another host on another subnet?