Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
943
Views
0
Helpful
7
Replies

Guest Traffic

melwin.uk
Level 1
Level 1

‎03-27-2010 06:19 AM - edited ‎03-04-2019 07:56 AM

Hello Netpro

I want to isolate Guest user traffic from LAN traffic and allow them internet only. All internet browsing traffic is through Microsoft ISA Server.

Guest can connect using Wireless Access Point which is also shared with Data Network.

Microsoft ISA Server is in server vlan?  How to isolate Guest traffic?

Labels:
0 Helpful
7 Replies 7

pompeychimes
Level 4
Level 4

‎03-27-2010 07:20 AM

The simple answer is to setup a Guest VLAN.

0 Helpful

melwin.uk
Level 1
Level 1
In response to pompeychimes

‎03-27-2010 07:44 AM

Hello

creating guest vlan is ok, but how do I restrict traffic communicating with other vlan on L3.

I did test by aplying ACL but doesnt seems to work.

0 Helpful

sean_evershed
Level 7
Level 7
In response to melwin.uk

‎03-27-2010 08:32 PM

Hi,

Can you share the ACL that you applied to Guest traffic?

Do you have a firewall in your network that you can use for securing traffic?

0 Helpful

melwin.uk
Level 1
Level 1
In response to sean_evershed

‎03-28-2010 03:19 AM


guests: vlan 99 (192.168.25.0)
server: vlan 5 (192.168.1.0)
user : vlan 6 ( 10.10.10.0)
dns/dhcp: 192.168.1.111
proxy: 192.168.1.99:8080


ip access-group Guests_in in

Inbound ACL

ip access-list extended Guests_in
permit tcp 192.168.25.0 0.0.0.255 host 192.168.1.99 eq 8080
permit udp 192.168.25.0 0.0.0.255 host 192.168.1.99 eq domain
permit udp any any eq bootps

ip access-group Guests_out out

Outbound ACL
ip access-list extended Guests_out
permit ip host 192.168.1.99 192.168.25.0 0.0.0.255
permit ip host 192.168.1.99 any

0 Helpful

SamMcGeown
Level 1
Level 1
In response to melwin.uk

‎06-29-2011 03:42 AM

Hi - did you solve this? I have a very similar problem - guests are assigned to a VLAN correctly, but the ACLs don't seem to apply to them?

Sam

0 Helpful

Latchum Naidu
VIP Alumni
VIP Alumni
In response to SamMcGeown

‎06-29-2011 04:06 AM

Hi,

Make sure you have associated the correct vlan (#switchport access vlan guests) to port to which the wireless access pint (WAP) or a Guest PC is connected.

Please rate the helpfull posts.
Regards,
Naidu.

0 Helpful

krishan.saran
Level 1
Level 1

‎06-30-2011 11:13 PM

Hi this is my working access lists ACL 101 is for NAT and 110 is to restrict  any traffic in between 10.0.10.0/24 and 10.0.12.0/24 We have only two VLANs and 10.0.12.0/24 is my guest network this network can only access internet,

access-list 101 deny   ip 10.0.10.0 0.0.0.255 10.0.11.0 0.0.0.255

access-list 101 permit ip 10.0.10.0 0.0.0.255 any

access-list 101 permit ip 10.0.12.0 0.0.0.255 any

access-list 110 deny   ip 10.0.12.0 0.0.0.255 10.0.10.0 0.0.0.255 log

access-list 110 deny   tcp 10.0.12.0 0.0.0.255 eq telnet host 10.0.12.1 eq telnet

access-list 110 permit ip any any

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$

ip address 10.0.10.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

!

interface Vlan2

Description Guest VLAN

ip address 10.0.12.1 255.255.255.0

ip access-group 110 in

ip access-group 110 out

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

Regards

Krishan Saran

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card