Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
322
Views
0
Helpful
3
Replies

Guest Vlan - newbie

npagadua69
Level 1
Level 1

‎10-14-2005 06:29 PM - edited ‎03-03-2019 12:26 AM

i would like to implement a guest vlan that would have access to the internet only. this guest vlan will not have visibility to my internal network other

than getting its ip from my DHCP server. i also configured this segment in my dhcp server to point to an external dns. The problem that i am

currently having is i am able to ping my dhcp address and able to telnet to my switches.

please advise

here is my access list configuration below:

interface Vlan790

description Guest Vlan

ip address 192.168.190.1 255.255.255.0

ip access-group 101 in

ip helper-address 192.168.0.13

no ip mroute-cache

!

access-list 101 permit ip any host 192.168.0.13 (my dhcp server)

access-list 101 deny ip 192.168.190.0 0.0.0.255 192.0.0.0 0.255.255.255

access-list 101 deny icmp any any echo

access-list 101 permit ip any any

Labels:
0 Helpful
3 Replies 3

szahid
Level 3
Level 3

‎10-14-2005 10:14 PM

Hi :

Do you have a Hybrid Cat6k with CatOS on switch side and IOS on the MSFC side ? Please check to make sure the ports are set for vlan-based acls instead of port-based acls. That is the most common issue with this platform . You define an ACL on a vlan and since the port is in port-based acl state , the acl on a vlan does not work. Unfortunately , you have not given any details about the platform , that is why I am taking a guess here based on what I have seen in the past.

set port security-acl vlan-based

Thanks

Salman Z.

0 Helpful

npagadua69
Level 1
Level 1
In response to szahid

‎10-15-2005 06:47 AM

i am running this on an IOS 4506 with SupIV.

0 Helpful

noran01
Level 3
Level 3

‎10-17-2005 09:38 AM

I would change the access list to allow only dhcp packets to hit the dhcp server then allow port 53 (dns) to hit whatever dns server you want the guest pc's to access and then add access to allow all port 80/443 traffic outbound. Then by default there is a deny ip any any that will block all other traffic after that.

The reason they can ping your dhcp server is because you have permit ip any any statement. Then the line 'access-list 101 permit ip any any' basically makes your access-list useless because you are allowing all ip traffic throughout your network.

0 Helpful
Customers Also Viewed These Support Documents