Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
607
Views
0
Helpful
1
Replies

GUEST VLAN ACL

b.withrow
Level 1
Level 1

‎01-07-2004 07:52 AM - edited ‎03-02-2019 12:43 PM

Situation: I created a 'guest vlan' on our network that will be used by NON-employees. This VLAN hands the user a DNS server and through a standard ACL allows all web browsing (to the internet) and all DNS lookups to that supplied DNS server.

Problem: What happens if a GUEST USER wants to VPN to his/her corporate network? How do I allow that without opening my network up any more than it is? When a guest VPN's to their corporate net they will get DNS and may need to connect to resources on their net that I am not allow access to in my ACL.

Any ideas are much appreciated. Thanks in advance.

Labels:
0 Helpful
1 Reply 1

mark-obrien
Level 4
Level 4

‎01-07-2004 10:23 AM

You will need to change your standard ACL to an extended ACL. Here is a guideline:

access-list 101 permit udp (guest-VLAN-network) host (DNS server) eq domain

acess-list 101 deny ip (guest-VLAN-network) (internal-network)

access-list 101 per ip (guest-VLAN-network) any

This will give specific access to the DNS server, deny all other access to your internal network, and permit any access, including VPN tunnels, to the Internet.

If your internal network can not be summarized with a single IP address, repeat the second command as many times as you need to in order to block access to all of your network space.

HTH

Mark

0 Helpful
Customers Also Viewed These Support Documents