06-11-2006 10:16 AM - edited 03-03-2019 03:35 AM
Hi,
I am in the process of setting up a guest VLAN to be used by wired and/or wireless guests. I want the guests to have access to the internet only and not to any other VLAN. I am kinda confused as to which ACL entries I should include and where to place the ACL. We do not use a proxy server; the private IPs are PATted to our single public IP.
I have the following queries:
1- If the guest VLAN is 10.10.10.0/24, shall I use an extended ACL on the outbound SVI allowing HTTP access to any destination?
2- Do I need to give access to our DNS servers?
3- If I want to be more specific in the ACL, what specific destination can I use for HTTP instead of 'any'?
Thanks
06-11-2006 10:40 AM
Which switch are you using? And just give a connectivity idea.
06-11-2006 11:08 AM
We use a single core, 6500 sup720 IOS
There are several 2950 connected directly to the core switch.
Regards
06-12-2006 01:20 AM
Where do you have your NAT? And how is your network linked to the internet?
06-12-2006 07:14 AM
Your 6500 is the only layer 3 device, so that's the easiest place to put the ACLs. It would be possible to define inbound ACLs on the connecting switch ports, but that would mean that with multiple access points, you have ACLs on several switches.
I would recommend an ACL on the 6500.
You can configure a DHCP pool with external DNS server options so that your guests access the external DNS servers of your ISP.
In this way you can provide internet access to your guests on a separate VLAN that shares only the internet access with your own network.
Bas Kokken
Guana
06-12-2006 10:32 AM
Thanks for the reply,
Our core switch is connected to a router via a PIX firewall; the latter performs NATting.
I will try configuring a DHCP pool with the ISP DNS, but our ISP uses a proxy server. I am thinking of having an outbound ACL on the guest VLAN like:
permit (source is guest vlan) (destination is ISP proxy)
permit (source is guest vlan) (destination is ISP DNS)
I hope this will pass traffic only to the ISP, and the implicit deny will block all other kinds of access.
Any comments?