Cisco Support Community
Creating a GUEST vlan

I am tasked with creating a VLAN on our Cisco LAN that will allow vendors and other non-employees to access the internet. It will need to block all LAN-LAN communication, while only allowing for internet connectivity to allow for VPN or web use. I realize I will use an ACL to accomplish this, but I was wondering if anyone had created such a VLAN, and what their experience has been. Thanks!

2 REPLIES

Re: Creating a GUEST vlan

Create a special VLAN for guests, and on the router or on the L3 switch permit or block traffic from this VLAN.

Re: Creating a GUEST vlan

A simple sample:

Assume you created the VLAN on a layer-2 switch and you're planning to use the subnet 192.168.5.0/24. You created a subinterface on the router or layer-3 switch (assume with IP 192.168.5.1). Then you can write an access-list:

access-list 102 permit ip 192.168.5.0 0.0.0.255 host X.X.X.X

X.X.X.X: internal leg of your proxy or firewall connected to the internet (hosts on the guest VLAN should have their browsers configured to use this proxy). In the ACL you don't have to deny anything because of the implicit deny.

You can apply this ACL to the 192.168.5.1 interface in the inbound direction:

ip access-group 102 in

These hosts can't reach other VLANs, and even if other VLANs try to reach hosts on this VLAN there will be no answer back. To improve security an additional outbound ACL can be applied:

access-list 103 permit host X.X.X.X 192.168.5.0 0.0.0.255

Under the interface: ip access-group 103 out

This example assumes only internet connectivity.

Hope this helps, Regards.
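A fuller version of the configuration sketched in this reply, added here as an example and not part of the original post: it uses named ACLs, adds the DHCP and DNS exceptions the implicit deny would otherwise block, and goes beyond the reply's proxy-only case by denying the private ranges explicitly so guests can also be given direct internet access. VLAN number, port range and server addresses (10.0.0.10, 10.0.0.20) are constructed placeholders, and the layer-3 device is assumed to be a Catalyst-style switch with an SVI.

```cisco
! Added example, not from the original thread. Placeholder assumptions:
! guest VLAN 50 on 192.168.5.0/24 with SVI 192.168.5.1, proxy/firewall
! inside leg 10.0.0.10, internal DHCP+DNS server 10.0.0.20.
vlan 50
 name GUEST
!
interface range GigabitEthernet1/0/10 - 20
 switchport mode access
 switchport access vlan 50
!
! Inbound ACLs also filter packets addressed to the router itself, so the
! DHCP relay (client -> SVI) must be permitted ahead of the implicit deny.
ip access-list extended GUEST-IN
 remark DHCP relay and DNS to the internal server only
 permit udp any eq bootpc any eq bootps
 permit udp 192.168.5.0 0.0.0.255 host 10.0.0.20 eq domain
 remark web via the proxy / firewall leg (the reply's original ACE)
 permit ip 192.168.5.0 0.0.0.255 host 10.0.0.10
 remark explicit denies of private ranges so the final permit cannot leak LAN access
 deny   ip 192.168.5.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 deny   ip 192.168.5.0 0.0.0.255 172.16.0.0 0.15.255.255 log
 deny   ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.255.255 log
 remark only if guests reach the internet directly; omit when the proxy is mandatory
 permit ip 192.168.5.0 0.0.0.255 any
!
ip access-list extended GUEST-OUT
 remark return traffic into the guest VLAN only from permitted sources
 permit udp any eq bootps any eq bootpc
 permit udp host 10.0.0.20 eq domain 192.168.5.0 0.0.0.255
 permit ip host 10.0.0.10 192.168.5.0 0.0.0.255
 deny   ip 10.0.0.0 0.255.255.255 192.168.5.0 0.0.0.255 log
 deny   ip 172.16.0.0 0.15.255.255 192.168.5.0 0.0.0.255 log
 deny   ip 192.168.0.0 0.0.255.255 192.168.5.0 0.0.0.255 log
 remark return traffic from the internet (direct-access case only)
 permit ip any 192.168.5.0 0.0.0.255
!
interface Vlan50
 description GUEST - internet only, no LAN access
 ip address 192.168.5.1 255.255.255.0
 ip helper-address 10.0.0.20
 ip access-group GUEST-IN in
 ip access-group GUEST-OUT out
!
! Check: hit counts on the deny lines show blocked LAN probes from guests
! (log matches are software-switched on many Catalysts; drop log if CPU load matters).
! show ip access-lists GUEST-IN
```

The deny lines with log double as a cheap detector: a rising hit count on GUEST-IN's private-range denies means a guest device is scanning the internal LAN.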
