New Member

Guest Access, ONLY can communicate with Internet

Hey Guys,

I am implementing guest access on my AP and I want guests to only access the internet. Guests are not able to see other guests. I had asked this question on another forum and it seems like if I configure a private VLAN (isolated) port on the interface, that achieves my goal.

I would like to know if there is any way I can do it without a private VLAN, or with any functions on the AP.

Any help will be appreciated

 

Model = Cisco IOS Software, C3600 Software (AP3G2-K9W7-M), Version 15.2(4)JB4

7 REPLIES


Hi,

In order to block traffic between guests, you have to enable Public Secure Packet Forwarding under Services -> VLAN.

Via the CLI, try the command "bridge-group x port-protected".

 

Regards,

Christos

New Member


Perfect. I would also like guests to be blocked from the internal network and only access DHCP. Could you tell me how to do that?

Thanks


Stefan great reply VIP endorsed my friend. 

 

As for DHCP, you could apply an ACL on the SVI interface to allow bootp (DHCP) and block all internal IPs. Also keep in mind DNS. I assume you are using an outside DNS like 8.8.8.8 or 4.2.2.2.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
New Member


There is no way on the AP side?


An autonomous AP has a few interfaces:

 

1) Ethernet

2) Radios 0/1

3) Bridge

 

On the bridge interface there is an ip address for the AP. You could apply the ACL there as well. 

 

We do this for our Cisco 7925 phone / access point configuration. It says you're only allowed to talk to the Wavelink and DHCP server, nothing else.

 

Example:

! The inbound ACL is applied on the radio interface, so client traffic is
! filtered before it is bridged to the Ethernet side
interface Dot11Radio1
 no ip address
 ip access-group wavelink-acl in
 no ip route-cache
 !
 ssid cisco
 !
 speed  basic-48.0 54.0
 power local -1
 power client -1
 channel 5180
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled

! Clients may only obtain a DHCP lease and reach the Wavelink server;
! the final line makes the implicit deny explicit
ip access-list extended wavelink-acl
 remark DHCP client broadcasts to the DHCP server
 permit udp any eq bootpc host 255.255.255.255
 remark Wavelink server
 permit tcp any host 10.XX.XX.XX eq 1777
 deny   ip any any
 
Make sense?


Just to add to George's comment, you can use a generic ACL that blocks traffic to private subnets and permits all other traffic to the internet.

 

ip access-list extended GUESTS
 remark allow DHCP client broadcasts
 permit udp any eq bootpc host 255.255.255.255
 remark allow DNS to the external resolver only
 permit udp any host 8.8.8.8 eq domain
 remark block the RFC 1918 private ranges (172.16.0.0/12 needs wildcard 0.15.255.255)
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark everything else (the internet) is allowed
 permit ip any any

Depending on your needs you can change the above ACL.

 

Regards,

Christos
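ACLs like the ones in George's and Christos's replies are easy to get subtly wrong, and an autonomous AP gives you no packet tracer to check them with. The following is an added example, not code from this thread or from Cisco: a small Python evaluator (standard library only) that replays IOS first-match, wildcard-mask semantics over a guest ACL written in the same style, against constructed sample packets. It also contrasts a 172.16 line written with wildcard 0.0.31.255 (which covers only 172.16.0.0/19) against 0.15.255.255 (the full 172.16.0.0/12), since that is the one RFC 1918 range whose wildcard is not obvious. The guest address, the internal hosts and the port names table are assumptions for the sake of the example.

```python
import ipaddress
from dataclasses import dataclass

# Added example (not from the thread): a minimal evaluator for IOS extended
# ACL lines of the form  permit|deny <proto> <src> [eq <port>] <dst> [eq <port>]
# using IOS first-match semantics and wildcard masks. Standard library only.

# Constructed guest ACL in the style of the thread, with the 172.16 line
# written for the whole 172.16.0.0/12 range (wildcard 0.15.255.255).
GUESTS_ACL = """
permit udp any eq bootpc host 255.255.255.255
permit udp any host 8.8.8.8 eq domain
deny   ip any 10.0.0.0 0.255.255.255
deny   ip any 172.16.0.0 0.15.255.255
deny   ip any 192.168.0.0 0.0.255.255
permit ip any any
"""

# Same list with wildcard 0.0.31.255, which only covers 172.16.0.0/19
GUESTS_ACL_NARROW = GUESTS_ACL.replace("0.15.255.255", "0.0.31.255")

# Assumed subset of the IOS port keywords; anything else must be numeric
PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53}


@dataclass
class Packet:
    proto: str          # "udp", "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _parse_addr(tokens, i):
    """Consume an address spec at tokens[i]; return ((addr, wildcard), next_i)."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tok))            # "address wildcard" pair
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wildcard), i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq <port>'; return (port or None, next_i)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        return port, i + 2
    return None, i


def parse_acl(text):
    """Parse ACL text into a list of ACE tuples, in the order written."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("!", "remark"):
            continue
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        sport, i = _parse_port(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dport, i = _parse_port(tokens, i)
        aces.append((action, proto, src, sport, dst, dport))
    return aces


def _addr_matches(spec, ip):
    """IOS wildcard semantics: a set bit in the wildcard means 'do not care'."""
    addr, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return ((int(ipaddress.IPv4Address(ip)) ^ addr) & care) == 0


def evaluate(aces, pkt):
    """Return the action of the first matching ACE; IOS ends with an implicit deny."""
    for action, proto, src, sport, dst, dport in aces:
        if proto != "ip" and proto != pkt.proto:
            continue
        if not _addr_matches(src, pkt.src) or not _addr_matches(dst, pkt.dst):
            continue
        if sport is not None and sport != pkt.sport:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"


GUEST_ACES = parse_acl(GUESTS_ACL)
NARROW_ACES = parse_acl(GUESTS_ACL_NARROW)


def guest_verdict(pkt, aces=GUEST_ACES):
    return evaluate(aces, pkt)


if __name__ == "__main__":
    guest = "192.168.50.20"   # constructed guest client address
    samples = [
        ("DHCP discover", Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67)),
        ("DNS to 8.8.8.8", Packet("udp", guest, "8.8.8.8", 40000, 53)),
        ("DNS to internal resolver", Packet("udp", guest, "192.168.1.1", 40001, 53)),
        ("HTTP to internal server", Packet("tcp", guest, "10.1.1.5", 40002, 80)),
        ("HTTPS to the internet", Packet("tcp", guest, "93.184.216.34", 40003, 443)),
        ("SSH to 172.20.0.5", Packet("tcp", guest, "172.20.0.5", 40004, 22)),
    ]
    for name, pkt in samples:
        print(f"{name:26s} /12 wildcard: {guest_verdict(pkt):6s} "
              f"/19 wildcard: {guest_verdict(pkt, NARROW_ACES)}")
```

Running it shows the two things the thread relies on: DHCP and DNS to the outside resolver are matched by the early permit lines, while DNS to an internal resolver falls through to the 192.168.0.0 deny, which is why George's point about using an outside DNS matters. The last sample is the check worth keeping: with the narrow wildcard the SSH attempt to 172.20.0.5 reaches the final permit, with 0.15.255.255 it is denied.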


Yes, it is possible through private VLAN configuration. It can be done with isolated VLAN.
