Cisco Support Community

New Member

Guest Vlan setup


I am in the process of setting up a guest vlan to be used by wired and/or wireless guests. I want the guests to have access to the internet only and not to any other vlan. I am kinda confused as to what ACL entries I should include and where to place the ACL. We do not use a proxy server, the private IPs are PATted to our single public IP.

I have the following queries:

1- If the guest vlan is, shall I use an extended ACL on the outbound SVI allowing http access to any destination

2- Do I need to give access to our dns servers?

3- If I want to be more specific in the ACL, what specific destination can I use for http instead of 'any'



Re: Guest Vlan setup

Which switch are you using? And just give a connectivity idea.

New Member

Re: Guest Vlan setup

We use a single core, 6500 sup720 IOS

There are several 2950 connected directly to the core switch.


New Member

Re: Guest Vlan setup

Where do you have your NAT? and how is your network linked to the internet?

New Member

Re: Guest Vlan setup

Your 6500 is the only layer 3, so that's the easiest place to put the ACLs. It would be possible to define inbound ACLs on the connecting switch ports, but that would mean that with multiple access points, you have ACLs on several switches.

I would recommend an ACL on the 6500

You can configure a DHCP pool with external DNS server options so that your guests do access the external DNS servers of your ISP.

In this way you can provide internet access to your guests on a separate VLAN that shares only the internet access with your own network.

Bas Kokken


New Member

Re: Guest Vlan setup

Thanks for the reply,

Our core switch is connected to a router via PIX firewall, the latter performs natting.

I will try configuring a DHCP pool with ISP DNS, but our ISP uses a proxy server. I am thinking of having an outbound ACL on the guest vlan like,

permit (source is guest vlan) (destination is ISP proxy)

permit (source is guest vlan) (destination is ISP DNS)

I hope this will pass traffic only to the ISP, and the implicit deny will block all other kinds of access.

Any comments?
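
The two-permit ACL sketched in the last post, modelled as an added example that is not part of the original thread: a first-match evaluator with an implicit deny, run over constructed flows to show what such a list passes and what it drops. The guest subnet, ISP proxy and DNS addresses, and ports are assumptions, since the thread gives none.

```python
import ipaddress

# Constructed addresses: the thread gives no subnets or server IPs.
GUEST_NET = "10.99.0.0/24"   # assumed guest VLAN subnet
ISP_PROXY = "192.0.2.10/32"  # assumed ISP proxy
ISP_DNS = "192.0.2.53/32"    # assumed ISP DNS server

# (action, protocol, source, destination, dest port); "ip"/None match anything.
GUEST_ACL = [
    ("permit", "ip", GUEST_NET, ISP_PROXY, None),
    ("permit", "ip", GUEST_NET, ISP_DNS, None),
]

# Constructed sample flows: (label, protocol, source, destination, dest port)
FLOWS = [
    ("guest to ISP proxy", "tcp", "10.99.0.25", "192.0.2.10", 8080),
    ("guest to ISP DNS", "udp", "10.99.0.25", "192.0.2.53", 53),
    ("guest to internal VLAN host", "tcp", "10.99.0.25", "10.10.0.5", 445),
    ("guest to internal DNS", "udp", "10.99.0.25", "10.10.0.53", 53),
    ("guest direct to web, bypassing proxy", "tcp", "10.99.0.25", "198.51.100.20", 80),
    # A client with no lease yet sends from 0.0.0.0, outside GUEST_NET.
    ("DHCP discover", "udp", "0.0.0.0", "255.255.255.255", 67),
]


def evaluate(acl, proto, src, dst, dport):
    """First-match evaluation; returns (action, entry index or None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, a_proto, a_src, a_dst, a_port) in enumerate(acl):
        if a_proto not in ("ip", proto):
            continue
        if s not in ipaddress.ip_network(a_src):
            continue
        if d not in ipaddress.ip_network(a_dst):
            continue
        if a_port is not None and a_port != dport:
            continue
        return action, i
    return "deny", None  # implicit deny: nothing matched


def run(acl=GUEST_ACL, flows=FLOWS):
    """Map each flow label to the action the ACL takes on it."""
    return {label: evaluate(acl, *flow)[0] for label, *flow in flows}


if __name__ == "__main__":
    for label, action in run().items():
        print(f"{action:6} {label}")
```

The DHCP discover falls to the implicit deny because its source is 0.0.0.0, so wherever such an ACL sits between guests and their DHCP server or relay, DHCP needs its own permit entry.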