Beginner

permit IP single address

I have a guest VLAN configured for 512 addresses. Then I want to block all traffic to the 10.xx.xx.xx network except for the helper-address. How do I change the following to deny all traffic to the 10.xx.xx.xx network except for the helper-address of 10.1.aaa.bbb?

 

interface Vlan4
 description Guest
 ip address 10.xx.8.1 255.255.254.0
 ip access-group blockguest in
 ip helper-address 10.1.aaa.bbb

ip access-list extended blockguest
 deny   ip any 10.0.0.0 0.255.255.255
 permit ip any any

9 Replies
VIP Advisor

Re: permit IP single address

Instead of deny any, permit only the host and then deny any any should be a reasonable approach, in my point of view.

 

Again, where is the DHCP server in the network?

 

BB
*** Rate All Helpful Responses ***
Beginner

Re: permit IP single address

the DHCP server is on the 10.1.xx.xx network.

I don't want them to access anything else on the 10.0.0.0 network.
VIP Advisor

Re: permit IP single address

Allow only 1 IP and deny the rest is good to go, in my point of view.

 

BB
*** Rate All Helpful Responses ***
Advocate

Re: permit IP single address

Hi @bstrubeTD3 ,

 

In your case, you could leave the guest network on a different VLAN, using an ACL to filter the traffic to that VLAN.

With this, you could limit the reach of the guest network.

 

Regards

Beginner

Re: permit IP single address

You need to permit the DHCP request to the DHCP Server at minimum.

 

ip access-list extended blockguest
 permit udp any eq bootpc host <dhcp server> eq bootps
 deny   ip any 10.0.0.0 0.255.255.255
 permit ip any any

 

Thanks, Kevin

***Please Mark and Rate helpful posts***
Beginner

Re: permit IP single address

My guest LAN is using a 10.2xx.x.x address (ex 10.253.3.3) and I am using my WLC as the DHCP server, and it is on the 10.1.X.X network (ex 10.1.123.123).

 

How do I protect my 10.x.x.x network and allow the guest LAN to communicate with my DHCP server?

Beginner

Re: permit IP single address

You'll want to permit the DHCP request to the DHCP server, then deny all other 10.x.x.x traffic, then permit ip any any. However, if your DNS server also resides in 10.x.x.x, you'll need to permit that as well. The access-list line I added to yours, "permit udp any eq bootpc host eq bootps", should be line 1 in the access-list.

 

Thanks,

Kevin

 

***Please Mark and Rate helpful posts***
Beginner

Re: permit IP single address

This does not work. If I use the following as you suggest:

ip access-list extended blockguest
 permit udp any eq bootpc host 10.1.123.123 eq bootps
 deny   ip any 10.0.0.0 0.255.255.255
 permit ip any any

My guest LAN is set up as:

interface Vlan4
 description Guest
 ip address 10.2xx.8.1 255.255.254.0
 ip access-group blockguest in
 ip helper-address 10.1.123.123

The DHCP server it is using is 10.1.123.123.

Beginner

Re: permit IP single address

If you change line two to

 

permit udp any eq bootpc any eq bootps

 

does that work?

***Please Mark and Rate helpful posts***
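Added example, not part of the thread and not from any of the posters: a small first-match ACL simulator that walks the ACE variants discussed above (the original ACL, Kevin's host-specific line, and the accepted `permit udp any eq bootpc any eq bootps` line) over a few constructed guest-VLAN packets. The point worth seeing side by side: a fresh DHCP DISCOVER is sent from 0.0.0.0:68 to the broadcast address 255.255.255.255:67, not to the server, so an ACE whose destination is `host 10.1.123.123` only ever matches a unicast renew; the broadcast is matched only by a destination of `any` or `host 255.255.255.255`. The thread does not state why the host-specific version failed in the poster's environment (in pure ACE logic the broadcast falls through to `permit ip any any` in every variant), so the simulator is about the matching rules and the exposure difference, not a diagnosis. It also includes an assumed "tighter" ACL (broadcast plus the one server, and a placeholder DNS server 10.1.9.9 for the DNS caveat Kevin raised) to show that `any eq bootps` also lets guest hosts reach UDP/67 on every other 10/8 address, which the narrower form does not. All addresses and packets are constructed; verify any ACL on the actual platform before relying on it.

```python
"""First-match simulator for IOS-style extended ACL entries (added example)."""
import ipaddress
from dataclasses import dataclass

# Well-known port names used in the thread's ACEs.
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53}


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp", "tcp", ...
    src: str
    sport: int
    dst: str
    dport: int


def _addr_matches(spec, addr):
    """spec is 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' (wildcard bit 1 = don't care)."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return addr == parts[1]
    net, wildcard = parts
    care = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(net)) & care) == (int(ipaddress.IPv4Address(addr)) & care)


def _take_addr(tokens, i):
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def _take_port(tokens, i):
    # Only the 'eq' operator is supported; that is all the thread's ACEs use.
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return PORT_NAMES.get(name, int(name) if name.isdigit() else None), i + 2
    return None, i


def parse_ace(line):
    """Parse '<permit|deny> <proto> <src> [eq p] <dst> [eq p>' into a dict."""
    t = line.split()
    action, proto = t[0], t[1]
    src, i = _take_addr(t, 2)
    sport, i = _take_port(t, i)
    dst, i = _take_addr(t, i)
    dport, i = _take_port(t, i)
    return {"action": action, "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}


def _ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if not _addr_matches(ace["src"], pkt.src):
        return False
    if ace["sport"] is not None and ace["sport"] != pkt.sport:
        return False
    if not _addr_matches(ace["dst"], pkt.dst):
        return False
    return ace["dport"] is None or ace["dport"] == pkt.dport


def evaluate(acl, pkt):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if _ace_matches(ace, pkt):
            return ace["action"]
    return "deny"


ACLS = {
    "original":      ["deny ip any 10.0.0.0 0.255.255.255", "permit ip any any"],
    "host_specific": ["permit udp any eq bootpc host 10.1.123.123 eq bootps",
                      "deny ip any 10.0.0.0 0.255.255.255", "permit ip any any"],
    "accepted":      ["permit udp any eq bootpc any eq bootps",
                      "deny ip any 10.0.0.0 0.255.255.255", "permit ip any any"],
    # Assumed alternative, not from the thread; 10.1.9.9 is a placeholder DNS server.
    "tighter":       ["permit udp any eq bootpc host 255.255.255.255 eq bootps",
                      "permit udp any eq bootpc host 10.1.123.123 eq bootps",
                      "permit udp any host 10.1.9.9 eq domain",
                      "permit tcp any host 10.1.9.9 eq domain",
                      "deny ip any 10.0.0.0 0.255.255.255", "permit ip any any"],
}

# Constructed guest-VLAN packets as the inbound ACL on Vlan4 would see them.
PACKETS = {
    "dhcp_discover":          Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "dhcp_renew":             Packet("udp", "10.253.8.50", 68, "10.1.123.123", 67),
    "dns_query":              Packet("udp", "10.253.8.50", 40000, "10.1.9.9", 53),
    "udp67_to_other_internal": Packet("udp", "10.253.8.50", 68, "10.1.5.5", 67),
    "smb_to_internal":        Packet("tcp", "10.253.8.50", 51000, "10.1.5.5", 445),
    "https_to_internet":      Packet("tcp", "10.253.8.50", 51001, "203.0.113.10", 443),
}


def evaluate_all():
    """Return {acl_name: {packet_name: 'permit'|'deny'}} for every ACL/packet pair."""
    return {name: {p: evaluate(acl, pkt) for p, pkt in PACKETS.items()}
            for name, acl in ACLS.items()}


if __name__ == "__main__":
    for name, results in evaluate_all().items():
        print(name, results)
```

Reading the table the block prints: the broadcast DISCOVER is permitted by every variant (by line 1 in "accepted" and "tighter", by the trailing `permit ip any any` elsewhere), the unicast renew is denied only by the original ACL, and `udp67_to_other_internal` is the one row where "accepted" and "tighter" differ, which is the exposure a narrower destination buys you.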