Guest Traffic

Unanswered Question
Mar 27th, 2010

Hello Netpro

I want to isolate guest user traffic from LAN traffic and allow them internet access only. All internet browsing traffic goes through Microsoft ISA Server.

Guests can connect using a wireless access point which is also shared with the data network.

Microsoft ISA Server is in the server VLAN; how do I isolate guest traffic?

melwin.uk Sat, 03/27/2010 - 07:44

Hello

Creating a guest VLAN is ok, but how do I restrict traffic communicating with other VLANs at L3?

I did test by applying an ACL but it doesn't seem to work.

sean_evershed Sat, 03/27/2010 - 20:32

Hi,

Can you share the ACL that you applied to Guest traffic?

Do you have a firewall in your network that you can use for securing traffic?

melwin.uk Sun, 03/28/2010 - 03:19


guests: vlan 99 (192.168.25.0)
server: vlan 5 (192.168.1.0)
user: vlan 6 (10.10.10.0)
dns/dhcp: 192.168.1.111
proxy: 192.168.1.99:8080

Inbound ACL (traffic from the guests), applied on the guest VLAN interface with "ip access-group Guests_in in":

ip access-list extended Guests_in
 ! guests to the ISA proxy port
 permit tcp 192.168.25.0 0.0.0.255 host 192.168.1.99 eq 8080
 ! DNS queries, sent here to the proxy address (the DNS/DHCP server listed above is 192.168.1.111)
 permit udp 192.168.25.0 0.0.0.255 host 192.168.1.99 eq domain
 ! DHCP discover/request from clients that have no address yet
 permit udp any any eq bootps
 ! anything else from the guests, including the user and server VLANs, hits the implicit deny

Outbound ACL (traffic toward the guests), applied with "ip access-group Guests_out out":

ip access-list extended Guests_out
 ! only the proxy may send toward the guest subnet
 permit ip host 192.168.1.99 192.168.25.0 0.0.0.255
 permit ip host 192.168.1.99 any
 ! packets from any other host, e.g. DNS answers from 192.168.1.111, hit the implicit deny
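To see what these two ACLs actually do to guest flows, here is an added Python evaluator (not from this thread or from Cisco) that implements first-match IOS extended-ACL semantics for the subset of syntax posted above, with the ACL text and a few sample flows constructed from the addresses listed in this post.

```python
import ipaddress
PORTS = {"domain": 53, "bootps": 67, "telnet": 23}  # service names used in this thread's ACLs

def _wild_match(addr, spec, wildcard):
    """Cisco wildcard match: a bit set in the wildcard means 'don't care'."""
    a, s, w = (int(ipaddress.IPv4Address(x)) for x in (addr, spec, wildcard))
    return (a & ~w) == (s & ~w)

def _addr(toks, i):
    """Consume 'any' | 'host A' | 'A WILDCARD', then an optional 'eq PORT'."""
    if toks[i] == "any":
        spec, i = ("0.0.0.0", "255.255.255.255"), i + 1
    elif toks[i] == "host":
        spec, i = (toks[i + 1], "0.0.0.0"), i + 2
    else:
        spec, i = (toks[i], toks[i + 1]), i + 2
    port = int(PORTS.get(toks[i + 1], toks[i + 1])) if toks[i:i + 1] == ["eq"] else None
    return spec, port, i + 2 * (port is not None)

def parse_ace(line):
    """Parse 'permit|deny proto src [eq p] dst [eq p] [log]' (the IOS subset used here)."""
    toks = line.split()
    src, sport, i = _addr(toks, 2)
    dst, dport, _ = _addr(toks, i)
    return toks[0], toks[1], src, sport, dst, dport

def evaluate(acl_text, proto, src, sport, dst, dport):
    """First-match evaluation that ends in the implicit 'deny ip any any'."""
    for line in acl_text.strip().splitlines():
        action, aproto, asrc, asport, adst, adport = parse_ace(line)
        if (aproto in ("ip", proto) and _wild_match(src, *asrc) and _wild_match(dst, *adst)
                and asport in (None, sport) and adport in (None, dport)):
            return action
    return "deny"

# The two ACLs exactly as posted above (inbound = from guests, outbound = toward guests).
GUESTS_IN = """permit tcp 192.168.25.0 0.0.0.255 host 192.168.1.99 eq 8080
permit udp 192.168.25.0 0.0.0.255 host 192.168.1.99 eq domain
permit udp any any eq bootps"""
GUESTS_OUT = """permit ip host 192.168.1.99 192.168.25.0 0.0.0.255
permit ip host 192.168.1.99 any"""
def guest_flows():
    """Verdicts for constructed sample flows, using the addresses listed in the post."""
    g, proxy, dns, user = "192.168.25.10", "192.168.1.99", "192.168.1.111", "10.10.10.5"
    return {
        "guest->proxy:8080 (in)": evaluate(GUESTS_IN, "tcp", g, 50000, proxy, 8080),
        "guest->dns:53 (in)": evaluate(GUESTS_IN, "udp", g, 50001, dns, 53),
        "guest->user-vlan:445 (in)": evaluate(GUESTS_IN, "tcp", g, 50002, user, 445),
        "proxy->guest reply (out)": evaluate(GUESTS_OUT, "tcp", proxy, 8080, g, 50000),
        "dns->guest reply (out)": evaluate(GUESTS_OUT, "udp", dns, 53, g, 50001),
    }
```

Running guest_flows() shows the proxy path permitted in both directions and the user VLAN denied, but also that guest DNS queries to 192.168.1.111 and the replies coming back both fall through to the implicit deny, which matches the "doesn't seem to work" result.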

SamMcGeown Wed, 06/29/2011 - 03:42

Hi - did you solve this? I have a very similar problem - guests are assigned to a VLAN correctly, but the ACLs don't seem to apply to them?

Sam

Latchum Naidu Wed, 06/29/2011 - 04:06

Hi,

Make sure you have associated the correct VLAN (#switchport access vlan guests) to the port to which the wireless access point (WAP) or a guest PC is connected.

Please rate the helpful posts.
Regards,
Naidu.

krishan.saran Thu, 06/30/2011 - 23:13

Hi, this is my working access list. ACL 101 is for NAT and 110 is to restrict any traffic between 10.0.10.0/24 and 10.0.12.0/24. We have only two VLANs, and 10.0.12.0/24 is my guest network; this network can only access the internet.

! ACL 101: traffic eligible for NAT
access-list 101 deny   ip 10.0.10.0 0.0.0.255 10.0.11.0 0.0.0.255
access-list 101 permit ip 10.0.10.0 0.0.0.255 any
access-list 101 permit ip 10.0.12.0 0.0.0.255 any
! ACL 110: guest isolation; denied guest-to-LAN attempts are logged
access-list 110 deny   ip 10.0.12.0 0.0.0.255 10.0.10.0 0.0.0.255 log
! block telnet from guests to the guest gateway (match the destination port only;
! a source-port "eq telnet" on the client side never matches a real connection)
access-list 110 deny   tcp 10.0.12.0 0.0.0.255 host 10.0.12.1 eq telnet
access-list 110 permit ip any any
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 10.0.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan2
 description Guest VLAN
 ip address 10.0.12.1 255.255.255.0
 ip access-group 110 in
 ip access-group 110 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452

Regards

Krishan Saran
