03-27-2010 06:19 AM - edited 03-04-2019 07:56 AM
Hello Netpro
I want to isolate Guest user traffic from LAN traffic and allow them internet only. All internet browsing traffic goes through Microsoft ISA Server.
Guests connect using a Wireless Access Point which is also shared with the data network.
Microsoft ISA Server is in the server VLAN. How do I isolate Guest traffic?
03-27-2010 07:20 AM
The simple answer is to setup a Guest VLAN.
03-27-2010 07:44 AM
Hello
Creating a guest VLAN is OK, but how do I restrict traffic communicating with other VLANs at L3?
I did test by applying an ACL but it doesn't seem to work.
03-27-2010 08:32 PM
Hi,
Can you share the ACL that you applied to Guest traffic?
Do you have a firewall in your network that you can use for securing traffic?
03-28-2010 03:19 AM
guests: vlan 99 (192.168.25.0)
server: vlan 5 (192.168.1.0)
user : vlan 6 ( 10.10.10.0)
dns/dhcp: 192.168.1.111
proxy: 192.168.1.99:8080
ip access-group Guests_in in
Inbound ACL
ip access-list extended Guests_in
permit tcp 192.168.25.0 0.0.0.255 host 192.168.1.99 eq 8080
permit udp 192.168.25.0 0.0.0.255 host 192.168.1.99 eq domain
permit udp any any eq bootps
ip access-group Guests_out out
Outbound ACL
ip access-list extended Guests_out
permit ip host 192.168.1.99 192.168.25.0 0.0.0.255
permit ip host 192.168.1.99 any
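The Guests_in ACL above, evaluated against a few sample guest flows. This is an added Python example, not code from the thread: a minimal matcher for IOS extended ACE syntax (any / host / wildcard mask, optional "eq" ports, first match wins, implicit deny at the end). The flows it checks are constructed; note that a DNS query to the listed DNS server 192.168.1.111 is dropped, because only the proxy host 192.168.1.99 is permitted on port 53.

```python
import ipaddress

# Guest inbound ACL copied from the post above (the thread's own ACEs)
GUESTS_IN = """
permit tcp 192.168.25.0 0.0.0.255 host 192.168.1.99 eq 8080
permit udp 192.168.25.0 0.0.0.255 host 192.168.1.99 eq domain
permit udp any any eq bootps
"""
NAMED_PORTS = {"domain": 53, "bootps": 67, "telnet": 23, "www": 80}

def _parse_addr(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD) and return a network."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # an IOS wildcard mask is the bitwise inverse of the subnet mask
    netmask = ~int(ipaddress.ip_address(tokens.pop(0))) & 0xFFFFFFFF
    return ipaddress.ip_network((t, str(ipaddress.ip_address(netmask))), strict=False)

def _parse_port(tokens):
    """Optional 'eq <port>' qualifier; None means any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return NAMED_PORTS.get(name) or int(name)
    return None

def parse_acl(text):
    # Each ACE becomes (action, proto, src, sport, dst, dport)
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto, tokens = tokens[0], tokens[1], tokens[2:]
        src, sport = _parse_addr(tokens), _parse_port(tokens)
        dst, dport = _parse_addr(tokens), _parse_port(tokens)
        rules.append((action, proto, src, sport, dst, dport))
    return rules

def evaluate(rules, proto, src, sport, dst, dport):
    """First matching ACE wins; anything unmatched hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rsport, rdst, rdport in rules:
        if rproto not in ("ip", proto) or s not in rsrc or d not in rdst:
            continue
        if rsport not in (None, sport) or rdport not in (None, dport):
            continue
        return action
    return "deny"
```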
06-29-2011 03:42 AM
Hi - did you solve this? I have a very similar problem - guests are assigned to a VLAN correctly, but the ACLs don't seem to apply to them?
Sam
06-29-2011 04:06 AM
Hi,
Make sure you have associated the correct VLAN (#switchport access vlan guests) to the port to which the wireless access point (WAP) or a Guest PC is connected.
Please rate the helpful posts.
Regards,
Naidu.
06-30-2011 11:13 PM
Hi, these are my working access lists. ACL 101 is for NAT and 110 is to restrict any traffic between 10.0.10.0/24 and 10.0.12.0/24. We have only two VLANs, and 10.0.12.0/24 is my guest network; this network can only access the internet.
access-list 101 deny ip 10.0.10.0 0.0.0.255 10.0.11.0 0.0.0.255
access-list 101 permit ip 10.0.10.0 0.0.0.255 any
access-list 101 permit ip 10.0.12.0 0.0.0.255 any
access-list 110 deny ip 10.0.12.0 0.0.0.255 10.0.10.0 0.0.0.255 log
access-list 110 deny tcp 10.0.12.0 0.0.0.255 host 10.0.12.1 eq telnet
access-list 110 permit ip any any
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 10.0.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Vlan2
description Guest VLAN
ip address 10.0.12.1 255.255.255.0
ip access-group 110 in
ip access-group 110 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
Regards
Krishan Saran