03-31-2011 05:29 PM - edited 03-04-2019 11:56 AM
Got a remote site connected via leased line. Got VLANs at the site in operation. We are going to deploy 2 access points, both with multiple SSIDs: one for the staff and one for our guests. Guests shouldn't be allowed to access our network while staff can. We have set this up here at our HQ and it is working fine. Our remote site users connect to our HQ for internet connection. I have already created another VLAN for our guests and at the router end (1841) created a sub-interface. DHCP is supplied by the DHCP server at the remote site, and routing within the VLANs at the remote site, to and from HQ, works perfectly. What I want to do now is make sure that our guest users connected via the guest VLAN won't be able to access our internal network but get through to the internet via the leased line to the HQ. I will sort out the firewall part at the HQ.
I just need help with the ACL commands on the remote site router, on the routed sub-interface for that new VLAN, along the lines of:
· Permit ICMP any any 192.168.1.0/30 – my WAN link address range – so that MTU discovery and traceroutes work properly
· Deny IP any to or from 192.168.0.0/16
· Deny IP any to or from 172.16.0.0/14
· Deny IP any to or from 10.0.0.0/8
· (i.e. all the RFC 1918 ranges we could possibly use)
· Permit IP any any
Hope someone helps
04-03-2011 09:37 PM
Hi, utawakevou
If you want to permit traffic to the internet through the leased line to the HQ, you can use an extended ACL on the sub-interface of the guest users like this (the angle-bracket fields are placeholders for your own guest subnet, wildcard mask and internal networks):
ip access-list ext ACL-Guest-Access
 permit udp 0.0.0.0 0.0.0.0 eq bootpc any
 permit icmp <guest-subnet> <wildcard> <wan-link> <wildcard>
 deny ip <guest-subnet> <wildcard> <internal-network> <wildcard>
 permit tcp <guest-subnet> <wildcard> any
 permit udp <guest-subnet> <wildcard> any
 deny ip any any log
 ! for test time only
HTH
David Salazar
04-03-2011 04:47 PM
Any helpers out there ?
04-05-2011 05:38 PM
Thanks David. I have configured this on the router and applied it outbound on the sub-interface. I have tested remotely and noticed that it gets a network address from DHCP. I will go over to the site and do a thorough test. Will let you know and will rate your answer as well.
Thanks
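An added example, not part of the thread or Cisco IOS itself: the guest ACL from David's answer modelled as a small first-match evaluator, so the intended results (DHCP discover allowed, ICMP to the WAN link allowed, guest to RFC 1918 denied, guest to the internet allowed) can be checked against sample packets. It also shows why the direction matters for the follow-up post: the entries key on the guest subnet as source, so they only behave as intended when applied inbound on the guest sub-interface; applied outbound, return traffic toward a guest hits nothing but the final deny. The guest subnet 192.168.50.0/24 and the sample addresses are assumptions; only 192.168.1.0/30 comes from the question.

```python
import ipaddress

# Constructed ACL mirroring the answer's entries as
# (action, protocol, source, source_port, destination), CIDR instead of
# IOS wildcard masks. Walked top to bottom like IOS: first match wins.
GUEST_VLAN = "192.168.50.0/24"   # assumed guest VLAN subnet at the remote site
WAN_LINK = "192.168.1.0/30"      # leased-line link range from the question
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]  # the three RFC 1918 blocks

ACL_GUEST_ACCESS = (
    # DHCP discover: an unconfigured client sends from 0.0.0.0, UDP source port 68 (bootpc)
    [("permit", "udp", "0.0.0.0/32", 68, "any")]
    # ICMP only to the WAN link, so path-MTU discovery and traceroute work
    + [("permit", "icmp", GUEST_VLAN, None, WAN_LINK)]
    # every RFC 1918 block is denied before the catch-all permits below
    + [("deny", "ip", GUEST_VLAN, None, net) for net in RFC1918]
    + [("permit", "tcp", GUEST_VLAN, None, "any"),
       ("permit", "udp", GUEST_VLAN, None, "any"),
       ("deny", "ip", "any", None, "any")]   # explicit deny-any (logged on the router)
)

def _matches(net, addr):
    """True if addr falls inside net, where net may be the keyword 'any'."""
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def evaluate(acl, proto, src, dst, src_port=None):
    """Return 'permit' or 'deny' for one packet according to the first matching entry."""
    for action, aproto, asrc, aport, adst in acl:
        if aproto != "ip" and aproto != proto:
            continue
        if aport is not None and aport != src_port:
            continue
        if _matches(asrc, src) and _matches(adst, dst):
            return action
    return "deny"   # implicit deny at the end of every IOS ACL

if __name__ == "__main__":
    guest = "192.168.50.10"   # assumed guest client
    # Applied "in" on the guest sub-interface (source = guest), as intended:
    print(evaluate(ACL_GUEST_ACCESS, "udp", "0.0.0.0", "255.255.255.255", 68))  # permit
    print(evaluate(ACL_GUEST_ACCESS, "icmp", guest, "192.168.1.1"))             # permit
    print(evaluate(ACL_GUEST_ACCESS, "tcp", guest, "10.1.1.5"))                 # deny
    print(evaluate(ACL_GUEST_ACCESS, "tcp", guest, "203.0.113.10"))             # permit
    # Applied "out" on the same sub-interface, the router evaluates reply traffic
    # (source = internet, destination = guest) against the same entries; only the
    # final deny matches, so no reply ever reaches the client:
    print(evaluate(ACL_GUEST_ACCESS, "tcp", "203.0.113.10", guest))             # deny
```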