I'm attempting to set up my wireless to allow guest access. I've gotten my AP set up with two VLANs, 40 and 41. 40 will be used by internal users and 41 will be for vendors, consultants, etc. I have a Cisco 3560 L3 switch that I'll be configuring. I want to block access to all my network servers and such for those users on the 41 subnet; however, I do want them to have access to the Internet. I'm having some issues putting together the correct ACL for this because the 41 users will need to use DNS and obtain a DHCP address to get to the Internet. The network servers are on VLAN 36.
Subnets: 192.168.36.0, 192.168.40.0, and 192.168.41.1
I have exactly the same scenario; here is the access list and the interface that I have the list applied to. I am only allowing this subnet access to obtain a DHCP address, DNS resolution and web access. I am also performing rate limiting so that users cannot monopolize Internet bandwidth.
! Named extended ACL for the guest subnet (everything not listed hits the implicit deny)
ip access-list extended guestvlan
 permit udp any any eq bootpc
 permit udp any any eq domain
 permit tcp any any eq www
 permit tcp any any eq 443
!
! Guest VLAN interface configuration, with the ACL applied inbound
 description Guest VLAN
 encapsulation isl 100
 ip address 10.10.100.2 255.255.255.0
 ip access-group guestvlan in
 ip helper-address xxx.xxx.xxx.49
 no ip redirects
 rate-limit input 128000 256000 384000 conform-action transmit exceed-action drop
 rate-limit output 128000 256000 384000 conform-action transmit exceed-action drop
Is this configuration from a router or an L3 switch? I'm a bit confused because I already have access to all network resources from my guest VLAN to my other VLANs and I don't have any ACLs set up. Does the fact that I'm using an L3 switch make a difference? I've copied my current running config of my 3560 switch.
That doesn't make sense to me because my VLAN 41 already has "permit" access to those items by default. It works now without any ACL "permit" statements, so why would this change when I add "permits" and not "denies"?
Anyway, I added the ACL as shown in the first post. I've listed it below, and now I cannot obtain a DHCP address, and when I statically assign an IP address I cannot access the Internet, whereas before the ACL was applied I could.
That seems to fix the DHCP issue; however, I still cannot access the Internet. I changed my other access list to match but still cannot get out. I've copied the new config below. There is one thing to keep in mind: my Internet goes through a proxy server, an ISA to be specific. The IP is x.x.36.3, and when I attempt to ping that IP address from my laptop that has a 41.6 address I get "destination unreachable". If I do not apply the access-list to that VLAN I can access the Internet fine.
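As an added example (not from any of the posters), here is a small Python evaluator for the subset of IOS extended-ACL syntax used in this thread, run against constructed guest-VLAN flows. It shows why a permit-only list ending in the implicit deny drops the DHCP DISCOVER (the client sends from udp/68 to udp/67, so "eq bootpc" on the destination never matches) and also drops any ping or proxy traffic to the ISA host. The 192.168.* addresses, the DNS server address and the 8080 proxy port are assumptions.

```python
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}

def _endpoint(tokens):
    """Pop 'any' or 'host A.B.C.D' (plus an optional 'eq <port>') off the front."""
    kind = tokens.pop(0)
    if kind not in ("any", "host"):
        raise ValueError("only 'any' and 'host' endpoints are supported")
    host = tokens.pop(0) if kind == "host" else None
    port = None
    if tokens[:1] == ["eq"]:  # named or numeric port; consume both tokens
        port, tokens[:2] = PORT_NAMES.get(tokens[1]) or int(tokens[1]), []
    return (lambda ip: host is None or ip == host), port

def parse_acl(text):
    """Parse 'permit|deny <proto> <src> [eq p] <dst> [eq p]' lines, in order."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto, t = t[0], t[1], t[2:]
        src, sport = _endpoint(t)  # consumes the source tokens...
        dst, dport = _endpoint(t)  # ...then the destination tokens
        rules.append((action, proto, src, sport, dst, dport))
    return rules

def evaluate(rules, proto, src, dst, sport=None, dport=None):
    """First matching entry wins; no match is the implicit 'deny ip any any'."""
    for action, rproto, rsrc, rsport, rdst, rdport in rules:
        if rproto not in (proto, "ip") or not (rsrc(src) and rdst(dst)):
            continue
        if rsport not in (None, sport) or rdport not in (None, dport):
            continue
        return action
    return "deny"

GUEST_ACL = """permit udp any any eq bootpc
permit udp any any eq domain
permit tcp any any eq www
permit tcp any any eq 443"""
# A DHCP DISCOVER goes from udp/68 to udp/67, so 'eq bootpc' on the destination never matches it.
FIXED_ACL = "permit udp any eq bootpc any eq bootps\n" + GUEST_ACL

def guest_flows(acl_text):
    """Constructed inbound flows from the 41.6 laptop; 192.168.* and proxy port 8080 are assumed."""
    rules = parse_acl(acl_text)
    return {
        "dhcp_discover": evaluate(rules, "udp", "0.0.0.0", "255.255.255.255", 68, 67),
        "dns_query": evaluate(rules, "udp", "192.168.41.6", "192.168.36.53", 50000, 53),
        "ping_isa_proxy": evaluate(rules, "icmp", "192.168.41.6", "192.168.36.3"),
        "http_via_proxy": evaluate(rules, "tcp", "192.168.41.6", "192.168.36.3", 50001, 8080),
    }
```

Calling guest_flows(GUEST_ACL) reports the DHCP request, the ping and the proxy connection as denied while DNS is permitted; with FIXED_ACL the DHCP request is permitted, and a guest-to-proxy permit would still have to be added for the ISA path.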