Guest SSID VLAN to ISE guest service portal IP when guest VLANs are distributed in many countries

nmourtzi
Cisco Employee

Is there a best practice or design doc that discusses how to open communication from the guest SSID VLAN to the ISE guest service portal IP? That can be challenging when guest VLANs are distributed in many countries.

Do you open that to go through the internet? Or do you use VPN, VRF, etc.?

1 Reply

hslai
Cisco Employee

I would suggest having an ACL that does not rely on the guest IP address ranges. For example:

           Source                          Destination                          Source Port Dest Port
Index  Dir IP Address/Netmask              IP Address/Netmask              Prot Range       Range       DSCP  Action  Counter
------ --- ------------------------------- ------------------------------- ---- ----------- ----------- ----- ------- -----------
     1  In 0.0.0.0/0.0.0.0                 10.1.100.21/255.255.255.255      Any 0-65535     0-65535     Any   Permit            0
     2 Out 10.1.100.21/255.255.255.255     0.0.0.0/0.0.0.0                  Any 0-65535     0-65535     Any   Permit            0
     3  In 0.0.0.0/0.0.0.0                 10.1.100.10/255.255.255.255       17 0-65535     53-53       Any   Permit            0
     4 Out 10.1.100.10/255.255.255.255     0.0.0.0/0.0.0.0                   17 53-53       0-65535     Any   Permit            0
     5 Any 0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0                    1 0-65535     0-65535     Any   Permit            0
     6 Any 0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0                  Any 0-65535     0-65535     Any   Deny              0

where 10.1.100.21 is the ISE IP address and 10.1.100.10 is the DNS IP address.
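
A small first-match evaluator for the ACL above, added here as an illustration (it is not code from the original post or from Cisco), showing that the result does not depend on which subnet a guest is in. It assumes "In" means traffic from the wireless client, "Out" means traffic toward it, and that rules are checked top-down; the guest addresses, the host 10.1.100.50 and the portal port 8443 are constructed sample values.

```python
import ipaddress

# The six rules from the ACL above, in order:
# (index, dir, source, destination, protocol, source ports, dest ports, action).
# Protocol is an IP protocol number (17 = UDP, 1 = ICMP); None stands for "Any".
ANY, ISE, DNS = "0.0.0.0/0.0.0.0", "10.1.100.21/255.255.255.255", "10.1.100.10/255.255.255.255"
ALL = (0, 65535)
RULES = [
    (1, "In", ANY, ISE, None, ALL, ALL, "Permit"),
    (2, "Out", ISE, ANY, None, ALL, ALL, "Permit"),
    (3, "In", ANY, DNS, 17, ALL, (53, 53), "Permit"),
    (4, "Out", DNS, ANY, 17, (53, 53), ALL, "Permit"),
    (5, "Any", ANY, ANY, 1, ALL, ALL, "Permit"),
    (6, "Any", ANY, ANY, None, ALL, ALL, "Deny"),
]

def in_net(ip, spec):
    """True if ip falls inside an 'address/netmask' entry."""
    addr, mask = (int(ipaddress.ip_address(p)) for p in spec.split("/"))
    return int(ipaddress.ip_address(ip)) & mask == addr & mask

def evaluate(direction, src, dst, proto, sport=0, dport=0):
    """Return (rule index, action) for the first rule that matches the packet."""
    for idx, rdir, rsrc, rdst, rproto, rsp, rdp, action in RULES:
        if rdir not in ("Any", direction):
            continue
        if rproto is not None and rproto != proto:
            continue
        if not (in_net(src, rsrc) and in_net(dst, rdst)):
            continue
        # Port ranges only apply to TCP (6) and UDP (17).
        if proto in (6, 17) and not (rsp[0] <= sport <= rsp[1] and rdp[0] <= dport <= rdp[1]):
            continue
        return idx, action
    return None, "Deny"  # assumed implicit deny; never reached because rule 6 matches all

# Constructed sample flows: guests in two unrelated subnets, portal port 8443 assumed.
FLOWS = {
    "guest A -> ISE portal tcp/8443": ("In", "192.168.50.23", "10.1.100.21", 6, 50000, 8443),
    "guest B -> ISE portal tcp/8443": ("In", "172.16.9.4", "10.1.100.21", 6, 50001, 8443),
    "guest A -> DNS udp/53": ("In", "192.168.50.23", "10.1.100.10", 17, 40000, 53),
    "DNS reply -> guest A": ("Out", "10.1.100.10", "192.168.50.23", 17, 53, 40000),
    "guest A -> DNS tcp/53": ("In", "192.168.50.23", "10.1.100.10", 6, 40001, 53),
    "guest A -> other host tcp/443": ("In", "192.168.50.23", "10.1.100.50", 6, 40002, 443),
    "guest A -> other host icmp": ("In", "192.168.50.23", "10.1.100.50", 1),
}

if __name__ == "__main__":
    for name, flow in FLOWS.items():
        print(f"{name:32} rule {evaluate(*flow)}")
```

In this model rule 5 permits ICMP to any destination and rule 3 covers DNS over UDP only, so the last flow is permitted and the TCP/53 flow is denied; both are worth comparing against what the guest network is meant to allow.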