ACL allowing DHCP

Grady0298
Level 1

Wireless Access Point used for Corporate and Guest WiFi

VLAN 150 10.102.150.0 /24 Guest WiFi
VLAN 50 10.102.50.0 /24 Corp Wifi

Multiple other VLANs 10.102.x.x /24

DHCP Server on VLAN 30 10.102.30.3, guest wifi needs access to the DHCP server

WAP port set up as Trunk allowing only VLAN 150 and 50 (L2 switch connected to L3 switch)

IP Address for internet access for guest wifi is 10.102.5.2

I want to block the Guest WiFi from all other VLANs and block all other VLANs from the Guest WiFi. I want to allow Guest WiFi to obtain IP addresses from the internal DHCP server.


access-list 105 permit ip 10.102.150.0 0.0.0.255 host 10.102.5.2 (allow access from VLAN 150 to the internet)
access-list 105 permit udp host 0.0.0.0 host 255.255.255.255 eq bootps (client discover and request)
access-list 105 permit udp host 10.102.30.3 10.102.150.0 0.0.0.255 eq bootpc (allow offer and acknowledgement from DHCP server to client)
access-list 105 deny ip any any (explicit deny to allow seeing logs; explicit or implicit, it should keep Guest WiFi from communicating with other VLANs and other VLANs from communicating with Guest WiFi)


L3 Switch

interface Vlan150
 ip access-group 105 in
 ip access-group 105 out


Please let me know if this accomplishes what I am after, thank you. 

7 Replies

Reza Sharifi
Hall of Fame

Hi,

You can try something like this with 2 access-list, one in and one out


access-list 105 permit udp any any eq bootps
access-list 105 deny ip 10.102.150.0 0.0.0.255 10.102.50.0 0.0.0.255
access-list 105 permit ip 10.102.150.0 0.0.0.255 any
access-list 105 deny ip any any

access-list 106 permit udp any any eq bootpc
access-list 106 permit ip any any


interface Vlan150

ip access-group 105 in
ip access-group 106 out

HTH

These are Ubiquiti WAPs managed with a Cloud Key. I believe this would still fall under the definition of autonomous?

Hello

On the L3 interface for the vlan 150 possibly apply the following:

access-list 100 permit udp host 10.102.30.3 any eq bootps
access-list 100 deny   ip 10.102.30.0 0.0.0.255 any
access-list 100 deny   ip 10.102.50.0 0.0.0.255 any
access-list 100 permit ip any any


int vlan 150
ip access-group 100 out

or

int x/x.150
ip access-group 100 out


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Paul,
There are multiple other VLANs in the 10.102.x.x /24 range. Your access list denies traffic to VLAN 30 and VLAN 50 but would allow traffic to all other VLANs, and would also allow other VLANs to VLAN 150, would it not?
Thank you,
David

Hello

@Grady0298 wrote:

 but would allow to all other VLANs and would also allow other VLANs to VLAN 150, would it not?
 Thank you,
 David

Yes, it would, but you didn't state there were other VLANs. In any case, you just need to extend that ACL to deny the other VLANs also.




Kind Regards
Paul

Reza,
The 2nd line denies guest WiFi to corp WiFi, the 3rd line permits guest WiFi to other guest WiFi, and the 4th denies all other.
Question: why is the 2nd line deny needed for corp WiFi? Would not the 4th line, deny ip any any, take care of that?
Also, what about access to the internet for the guest WiFi?
I realize firewalls are stateful, but I don't think the L3 switch is. Would I not need a specific ACL allowing the traffic back from the internet to VLAN 150? (Which, by the way, I did not have in my original post.)
In your access group out, I see you are allowing the communication back from the DHCP server to the client. Can you explain what the purpose of permit any any is on access-list 106?
Thank you,
David
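The check below is an added example and is not part of the thread, nor Cisco's or any poster's code. It is a small Python evaluator for the subset of Cisco IOS numbered extended ACL syntax that appears in Reza's reply (permit/deny, ip/udp, any, host, address plus wildcard, eq port), run against constructed sample flows to show which line each flow hits and so answer David's three questions. Assumptions: IOS semantics of top-down first match with an implicit deny at the end; an "eq" following the destination address is a destination-port match (the only way the thread uses it); the client addresses 10.102.150.20 and 10.102.50.10 are made-up hosts in the VLANs from the original post.

```python
# Added example, not from the thread: a first-match evaluator for the Cisco IOS
# extended ACL lines used in this discussion, run against constructed flows.
import ipaddress

# Port names that appear in the thread (IOS resolves these to 67/68).
PORT_NAMES = {"bootps": 67, "bootpc": 68}

# Reza's proposed ACLs, copied from the reply above.
ACL_105_IN = """
access-list 105 permit udp any any eq bootps
access-list 105 deny ip 10.102.150.0 0.0.0.255 10.102.50.0 0.0.0.255
access-list 105 permit ip 10.102.150.0 0.0.0.255 any
access-list 105 deny ip any any
"""
ACL_106_OUT = """
access-list 106 permit udp any any eq bootpc
access-list 106 permit ip any any
"""


def _parse_addr(tokens, i):
    """Parse one address spec at tokens[i]: 'any', 'host A.B.C.D' or
    'A.B.C.D WILDCARD'. Returns (matcher, next_index)."""
    tok = tokens[i]
    if tok == "any":
        return (lambda ip: True), i + 1
    if tok == "host":
        target = int(ipaddress.IPv4Address(tokens[i + 1]))
        return (lambda ip, t=target: int(ip) == t), i + 2
    base = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    mask = ~wildcard & 0xFFFFFFFF          # wildcard bits are "don't care"
    return (lambda ip, b=base, m=mask: (int(ip) & m) == (b & m)), i + 2


def parse_acl(text):
    """Turn 'access-list N permit|deny PROTO SRC DST [eq PORT]' lines into
    (action, proto, src_matcher, dst_matcher, dst_port) entries.
    Assumption: 'eq' after the destination is a destination-port match."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto = tokens[2].lower(), tokens[3].lower()
        src, i = _parse_addr(tokens, 4)
        dst, i = _parse_addr(tokens, i)
        port = None
        if i < len(tokens) and tokens[i] == "eq":
            name = tokens[i + 1]
            port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        entries.append((action, proto, src, dst, port))
    return entries


def evaluate(entries, src_ip, dst_ip, proto="ip", dst_port=None):
    """Return (action, line_number) of the first matching entry. Top-down,
    first match wins; no match means the implicit deny (line_number None)."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for n, (action, eproto, src, dst, port) in enumerate(entries, 1):
        if eproto != "ip" and eproto != proto:
            continue                       # protocol-specific line, other protocol
        if not (src(s) and dst(d)):
            continue
        if port is not None and port != dst_port:
            continue
        return action, n
    return "deny", None


def check_flows():
    """Run constructed sample flows through each ACL in its direction."""
    acl_in, acl_out = parse_acl(ACL_105_IN), parse_acl(ACL_106_OUT)
    return {
        # Inbound on VLAN 150 (guest clients toward the L3 switch)
        "dhcp_discover_in": evaluate(acl_in, "0.0.0.0", "255.255.255.255", "udp", 67),
        "guest_to_corp_in": evaluate(acl_in, "10.102.150.20", "10.102.50.10"),
        "guest_to_vlan30_in": evaluate(acl_in, "10.102.150.20", "10.102.30.3"),
        "guest_to_internet_in": evaluate(acl_in, "10.102.150.20", "10.102.5.2"),
        # Outbound on VLAN 150 (L3 switch toward guest clients)
        "dhcp_offer_out": evaluate(acl_out, "10.102.30.3", "10.102.150.20", "udp", 68),
        "internet_return_out": evaluate(acl_out, "10.102.5.2", "10.102.150.20", "tcp"),
        "corp_to_guest_out": evaluate(acl_out, "10.102.50.10", "10.102.150.20"),
    }


def guest_to_corp_without_deny():
    """The same guest-to-corp flow with the explicit deny (line 2) removed."""
    trimmed = [e for n, e in enumerate(parse_acl(ACL_105_IN), 1) if n != 2]
    return evaluate(trimmed, "10.102.150.20", "10.102.50.10")


if __name__ == "__main__":
    for name, (action, line) in check_flows().items():
        print(f"{name:22s} -> {action} (line {line})")
    print("guest->corp without line 2 ->", guest_to_corp_without_deny())
```

Running it shows why the explicit deny on line 2 matters: without it the guest-to-corp flow is caught by line 3's permit to any, and the closing deny ip any any only ever sees traffic that nothing above it permitted. The same permit-to-any line also lets guests reach 10.102.30.3 and every other 10.102.x.x VLAN, which is the same gap David points out in Paul's list. On the outbound list, permit ip any any is what carries internet replies back to VLAN 150 since the switch keeps no connection state, but it equally carries other VLANs' traffic into VLAN 150. The evaluator only models ACL matching; it does not model the DHCP relay (ip helper-address on the SVI), and on IOS packets the router itself originates, such as relayed DHCP replies, are not filtered by an outbound interface ACL, so confirm DHCP on the real switch rather than from this output.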

Hello

Is this access-point running autonomously or lightweight?



Kind Regards
Paul