Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Guest Vlan - newbie

i would like to implement a guest vlan that would have access to the internet only. this guest vlan will not have visibility to my internal network other

than getting its ip from my DHCP server. i also configured this segment in my dhcp server to point to an external dns. The problem that i am

currently having is i am able to ping my dhcp address and able to telnet to my switches.

please advise

here is my access list configuration below:

interface Vlan790

description Guest Vlan

ip address

ip access-group 101 in

ip helper-address

no ip mroute-cache


access-list 101 permit ip any host (my dhcp server)

access-list 101 deny ip

access-list 101 deny icmp any any echo

access-list 101 permit ip any any


Re: Guest Vlan - newbie

Hi :

Do you have a Hybrid Cat6k with CatOS on switch side and IOS on the MSFC side ? Please check to make sure the ports are set for vlan-based acls instead of port-based acls. That is the most common issue with this platform . You define an ACL on a vlan and since the port is in port-based acl state , the acl on a vlan does not work. Unfortunately , you have not given any details about the platform , that is why I am taking a guess here based on what I have seen in the past.

set port security-acl vlan-based


Salman Z.

New Member

Re: Guest Vlan - newbie

i am running this on an IOS 4506 with SupIV.

New Member

Re: Guest Vlan - newbie

I would change the access list to allow only dhcp packets to hit the dhcp server then allow port 53 (dns) to hit whatever dns server you want the guest pc's to access and then add access to allow all port 80/443 traffic outbound. Then by default there is a deny ip any any that will block all other traffic after that.

The reason they can ping your dhcp server is because you have permit ip any any statement. Then the line 'access-list 101 permit ip any any' basically makes your access-list useless because you are allowing all ip traffic throughout your network.