1794 Views | 5 Helpful | 9 Replies

permit IP single address

bstrubeTD3
Level 1

I have a guest VLAN configured for 512 addresses. Then I want to block all traffic to the 10.xx.xx.xx network except for the helper-address. How do I change the following to deny all traffic to the 10.xx.xx.xx network except for the helper-address of 10.1.aaa.bbb?

interface Vlan4
 description Guest
 ip address 10.xx.8.1 255.255.254.0
 ip access-group blockguest in
 ip helper-address 10.1.aaa.bbb

ip access-list extended blockguest
 deny   ip any 10.0.0.0 0.255.255.255
 permit ip any any

1 Accepted Solution

Accepted Solutions

If you change the line to

permit udp any eq bootpc any eq bootps

does that work?

***Please Mark and Rate helpful posts***
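As an added example (not code from any poster on this thread), here is a small Python first-match evaluator for the accepted blockguest ACL, run over constructed DHCP, DNS and web packets from a guest client. It also illustrates Kevin's two points below: the DHCP permit has to sit above the deny (a unicast renewal to the server would otherwise be dropped), and a DNS server inside 10/8 needs its own permit. The addresses 10.253.8.50, 10.1.0.53, 10.1.5.5 and 203.0.113.10 are constructed, not from the thread.

```python
import ipaddress

ANY = ipaddress.IPv4Network("0.0.0.0/0")
BOOTPS, BOOTPC, DOMAIN = 67, 68, 53  # IOS port keywords bootps / bootpc / domain

def wildcard(net, wc):
    """Cisco 'net wildcard' pair -> network (contiguous wildcards only; 0.255.255.255 == /8)."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wc))
    return ipaddress.IPv4Network((int(ipaddress.IPv4Address(net)) & mask, bin(mask).count("1")))

def host(ip):
    return ipaddress.IPv4Network(ip + "/32")

def evaluate(acl, pkt):
    """First-match evaluation of an extended ACL; an unmatched packet hits the implicit deny."""
    for action, proto, src, sport, dst, dport in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if ipaddress.IPv4Address(pkt["src"]) not in src or ipaddress.IPv4Address(pkt["dst"]) not in dst:
            continue
        if (sport is not None and pkt["sport"] != sport) or (dport is not None and pkt["dport"] != dport):
            continue
        return action
    return "deny"

# The accepted 'blockguest' ACL from the thread, entry by entry.
TEN_8 = wildcard("10.0.0.0", "0.255.255.255")
DHCP_PERMIT = ("permit", "udp", ANY, BOOTPC, ANY, BOOTPS)  # permit udp any eq bootpc any eq bootps
DENY_TEN = ("deny", "ip", ANY, None, TEN_8, None)          # deny ip any 10.0.0.0 0.255.255.255
PERMIT_ALL = ("permit", "ip", ANY, None, ANY, None)        # permit ip any any
ACCEPTED = [DHCP_PERMIT, DENY_TEN, PERMIT_ALL]
MISORDERED = [DENY_TEN, DHCP_PERMIT, PERMIT_ALL]           # DHCP permit wrongly placed after the deny
# Assumed: the guest DNS server also lives in 10/8 (Kevin's caveat); 10.1.0.53 is a constructed address.
WITH_DNS = [DHCP_PERMIT, ("permit", "udp", ANY, None, host("10.1.0.53"), DOMAIN), DENY_TEN, PERMIT_ALL]

def packet(proto, src, dst, sport, dport):
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport}

# Constructed sample traffic from a guest client on Vlan4 (10.253.8.0/23).
DISCOVER = packet("udp", "0.0.0.0", "255.255.255.255", BOOTPC, BOOTPS)   # initial lease, broadcast
RENEW = packet("udp", "10.253.8.50", "10.1.123.123", BOOTPC, BOOTPS)     # renewal, unicast to the server
DNS = packet("udp", "10.253.8.50", "10.1.0.53", 51000, DOMAIN)
INTERNAL = packet("tcp", "10.253.8.50", "10.1.5.5", 51001, 443)          # constructed internal host
INTERNET = packet("tcp", "10.253.8.50", "203.0.113.10", 51002, 443)      # documentation-range address

if __name__ == "__main__":
    for name, acl in (("accepted", ACCEPTED), ("misordered", MISORDERED), ("with_dns", WITH_DNS)):
        print(name, [evaluate(acl, p) for p in (DISCOVER, RENEW, DNS, INTERNAL, INTERNET)])
```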


9 Replies

balaji.bandi
Hall of Fame

Instead of deny any, permit only the host and then deny any any; that should be a reasonable approach, from my point of view.

Again, where is the DHCP server in the network?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

the DHCP server is on the 10.1.xx.xx network.

I don't want them to access anything else on the 10.0.0.0 network.

Allowing only 1 IP and denying the rest is good to go, from my point of view.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

luis_cordova
VIP Alumni

Hi @bstrubeTD3,

In your case, you could leave the guest network on a different VLAN, using an ACL to filter the traffic to that VLAN.

With this, you could limit the reach of the guest network.

 

Regards

Kevin Martin
Level 1

You need to permit the DHCP request to the DHCP Server at minimum.

ip access-list extended blockguest
 permit udp any eq bootpc host <dhcp server> eq bootps
 deny ip any 10.0.0.0 0.255.255.255
 permit ip any any

 

Thanks, Kevin

***Please Mark and Rate helpful posts***

My guest LAN is using a 10.2xx.x.x address (e.g. 10.253.3.3), and I am using my WLC as the DHCP server; it is on the 10.1.X.X network (e.g. 10.1.123.123).

How do I protect my 10.x.x.x network and still allow the guest LAN to communicate with my DHCP server?

You'll want to permit the DHCP request to the DHCP server, then deny all other 10.x.x.x traffic, then permit ip any any. However, if your DNS server also resides in the 10.x.x.x range, you'll need to permit that as well. The access-list line I added to yours, "permit udp any eq bootpc host eq bootps", should be line 1 in the access-list.

 

Thanks,

Kevin

 

***Please Mark and Rate helpful posts***

This does not work. If I use the following as you suggest:

ip access-list extended blockguest
 permit udp any eq bootpc host 10.1.123.123 eq bootps
 deny ip any 10.0.0.0 0.255.255.255
 permit ip any any

My guest LAN is set up as:

interface Vlan4
 description Guest
 ip address 10.2xx.8.1 255.255.254.0
 ip access-group blockguest in
 ip helper-address 10.1.123.123

The DHCP server it is using is 10.1.123.123.
