
Guest VLAN - Restriction



What is the best way to implement a guest VLAN and ensure it cannot communicate with the other VLANs?

vlan 2
name User_VLAN

interface Vlan2
ip address

vlan 3
name Server_VLAN

interface Vlan3
ip address

vlan 4
name Management_VLAN

interface Vlan4
ip address

vlan 5
name Uplink_to_ASA

interface Vlan5
ip address

vlan 10
name guest_VLAN

interface Vlan10
ip address


ip route


Richard Burts
VIP Community Legend


You have not told us much about your environment and there may be things that we do not know about yet which might change our advice. But based on what you have given us so far I would suggest that the solution would be to configure an inbound access list on the vlan 10 interface. The access list would deny any traffic originating within the guest VLAN that has destinations in the other VLANs on that router/switch and permit traffic to the Internet.

The access list might look something like this:

access-list 150 deny ip

access-list 150 deny ip

access-list 150 permit ip any





Hi Rick

Thanks for your input. Our environment has an Internet router that connects to the ASA 5510 and back to a Cisco 3560.


For now we have a guest area, so configuring the guest VLAN on those nodes is not an issue; we do plan to implement Cisco APs dedicated to guest users.

I didn't add these to the initial post:

  • OSPF area 0 is configured on the 3560
  • 4 branch offices are connected to HQ
  • between the ASA and the 3560 there is static routing

On the ACL I need to add the branch office subnets to the deny statements and apply the ACL to the guest VLAN; on the ASA I need to add a static route for the guest VLAN.



The most secure and simple thing you can do is to get a 5505, set it up towards the Internet, and set up switches and APs for the guest VLAN behind it.

Why is this the best solution in most cases?

There is nothing for the "guests" to gain by trying to attack your systems over the guest system rather than over the Internet, with one exception: the speed towards your 5510 will most likely be faster than over the Internet.

It is easy to control and monitor.

An aggressor cannot exhaust any resources in your production switching environment.

An aggressor cannot capitalise on any software bugs in your production environment.

An aggressor cannot see what equipment you are using for your production environment.

An aggressor cannot capitalise on configuration errors in the production equipment/environment.

The negative side is that it will cost a little money for hardware for you to set this up.

The positive side is that it is basically impossible to mess up this setup to make a security concern out of it.

Good luck




If there are multiple branch offices then you do need to add their addresses to the deny statements in the access list. You may notice that in my example access list I used two approaches: I denied a specific network/subnet ( and I used summarization to deny a group of networks/subnets ( To get your 4 branch offices into the access list you could add 4 specific deny statements, or you might be able to use some summarization and get all of them included with fewer statements.



[edit] And if re-designing the network and deploying additional equipment is an option, then the suggestion of having a separate firewall that connects all the guest access points and allows them to have Internet access but not access to your network might be a good idea.

