3957 Views, 25 Helpful, 17 Replies

block wifi guest vlan from accessing other vlans resources

amralrazzaz
Level 5

I need to block network traffic from the WiFi guest VLAN to the other VLANs' resources (LAN / WiFi office / printer / MGMT / server / CCTV and so on),

so the WiFi guest VLAN can access the internet only.

The WiFi guest VLAN cannot access the other VLANs, but vice versa is OK ... (am I right? Or what is the standard for that?)

Here are the VLANs I have:

LIST OF INTERVLAN ROUTING G.W:

192.168.2.207/24  VLAN 2    LAN
192.168.3.207/24  VLAN 9    PRINTER
192.168.4.207/24  VLAN 20   WIFI-OFFICE
192.168.5.207/24  VLAN 55   NATIVE
192.168.6.207/24  VLAN 200  VOICE
192.168.7.207/24  VLAN 250  MGMT
192.168.8.207/24  VLAN 912  WIFI-GUEST
192.168.9.207/24  VLAN 230  STREAMING

 

ip dhcp pool LAN
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.207
 dns-server 8.8.8.8
ip dhcp pool Printers
 network 192.168.3.0 255.255.255.0
 default-router 192.168.3.207
 dns-server 8.8.8.8
ip dhcp pool WIFI-OFFICE
 network 192.168.4.0 255.255.255.0
 default-router 192.168.4.207
 dns-server 8.8.8.8
ip dhcp pool Native
 network 192.168.5.0 255.255.255.0
 default-router 192.168.5.207
 dns-server 8.8.8.8
ip dhcp pool Voice
 network 192.168.6.0 255.255.255.0
 default-router 192.168.6.207
 dns-server 8.8.8.8
ip dhcp pool MGMT
 network 192.168.7.0 255.255.255.0
 default-router 192.168.7.207
 dns-server 8.8.8.8
ip dhcp pool WIFI-GUEST
 network 192.168.8.0 255.255.255.0
 default-router 192.168.8.207
 dns-server 8.8.8.8
ip dhcp pool STREAMING
 network 192.168.9.0 255.255.255.0
 default-router 192.168.9.207
 dns-server 8.8.8.8
!
ip cef
no ipv6 cef
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 description connected to local NW-INTERVLAN
 no ip address
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/0.2
 description LAN
 encapsulation dot1Q 2
 ip address 192.168.2.207 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.9
 description printers
 encapsulation dot1Q 9
 ip address 192.168.3.207 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.20
 description WIFI-OFFICE
 encapsulation dot1Q 20
 ip address 192.168.4.207 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.55
 description native
 encapsulation dot1Q 55 native
 ip address 192.168.5.207 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.200
 description voice
 encapsulation dot1Q 200
 ip address 192.168.6.207 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.230
 description streaming
 encapsulation dot1Q 230
 ip address 192.168.9.207 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.250
 description WIFI-GUEST
 encapsulation dot1Q 250
 ip address 192.168.7.207 255.255.255.0
 ip access-group 101 in
 ip access-group 101 out
 ip nat inside
!
interface FastEthernet0/0.912
 description WIFI-GUEST
 encapsulation dot1Q 912
 ip address 192.168.8.207 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description connected to ISP
 ip address 192.168.1.207 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!

 

Frico(config-subif)#interface FastEthernet0/0.250
Frico(config-subif)# encapsulation dot1Q 250
Frico(config-subif)# ip address 192.168.7.207 255.255.255.0
Frico(config-subif)# ip nat inside
Frico(config-subif)#description WIFI-GUEST
Frico(config-subif)#no ip access-group 101 OUT
Frico(config-subif)#no ip access-group 101 in
Frico(config-subif)#
Frico(config-subif)#do wr
Building configuration...
[OK]
Frico(config-subif)#

Frico con0 is now available

Press RETURN to get started.

User Access Verification

Password:
Password:
Password:

r>en
Password:
Password:
r#show run
Building configuration...

Current configuration : 4477 bytes

!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Frico
!
enable password cisco
!
ip dhcp excluded-address 192.168.2.207
ip dhcp excluded-address 192.168.3.207
ip dhcp excluded-address 192.168.4.207
ip dhcp excluded-address 192.168.5.207
ip dhcp excluded-address 192.168.6.207
ip dhcp excluded-address 192.168.7.207
ip dhcp excluded-address 192.168.8.207
ip dhcp excluded-address 192.168.9.207
ip dhcp excluded-address 192.168.7.1
ip dhcp excluded-address 192.168.7.20
ip dhcp excluded-address 192.168.7.10
ip dhcp excluded-address 192.168.7.2
ip dhcp excluded-address 192.168.3.88
ip dhcp excluded-address 192.168.2.20
ip dhcp excluded-address 192.168.2.10
ip dhcp excluded-address 192.168.2.100
!
ip dhcp pool LAN
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.207
 dns-server 8.8.8.8
ip dhcp pool Printers
 network 192.168.3.0 255.255.255.0
 default-router 192.168.3.207
 dns-server 8.8.8.8
ip dhcp pool WIFI-OFFICE
 network 192.168.4.0 255.255.255.0
 default-router 192.168.4.207
 dns-server 8.8.8.8
ip dhcp pool Native
 network 192.168.5.0 255.255.255.0
 default-router 192.168.5.207
 dns-server 8.8.8.8
ip dhcp pool Voice
 network 192.168.6.0 255.255.255.0
 default-router 192.168.6.207
 dns-server 8.8.8.8
ip dhcp pool MGMT
 network 192.168.7.0 255.255.255.0
 default-router 192.168.7.207
 dns-server 8.8.8.8
ip dhcp pool WIFI-GUEST
 network 192.168.8.0 255.255.255.0
 default-router 192.168.8.207
 dns-server 8.8.8.8
ip dhcp pool STREAMING
 network 192.168.9.0 255.255.255.0
 default-router 192.168.9.207
 dns-server 8.8.8.8
!
ip cef
no ipv6 cef
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 description connected to local NW-INTERVLAN
 no ip address
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/0.2
 description LAN
 encapsulation dot1Q 2
 ip address 192.168.2.207 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.9
 description printers
 encapsulation dot1Q 9
 ip address 192.168.3.207 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.20
 description WIFI-OFFICE
 encapsulation dot1Q 20
 ip address 192.168.4.207 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.55
 description native
 encapsulation dot1Q 55 native
 ip address 192.168.5.207 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.200
 description voice
 encapsulation dot1Q 200
 ip address 192.168.6.207 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.230
 description streaming
 encapsulation dot1Q 230
 ip address 192.168.9.207 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.250
 description WIFI-GUEST
 encapsulation dot1Q 250
 ip address 192.168.7.207 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.912
 description WIFI-GUEST
 encapsulation dot1Q 912
 ip address 192.168.8.207 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description connected to ISP
 ip address 192.168.1.207 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
router eigrp 100
 network 192.168.1.0
 network 192.168.2.0
 network 192.168.3.0
 network 192.168.4.0
 network 192.168.5.0
 network 192.168.6.0
 network 192.168.7.0
 network 192.168.8.0
 no auto-summary
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source list 2 interface FastEthernet0/1 overload
ip nat inside source list 3 interface FastEthernet0/1 overload
ip nat inside source list 4 interface FastEthernet0/1 overload
ip nat inside source list 5 interface FastEthernet0/1 overload
ip nat inside source list 6 interface FastEthernet0/1 overload
ip nat inside source list 7 interface FastEthernet0/1 overload
ip nat inside source list 8 interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.253
!
ip flow-export version 9
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 2 permit 192.168.3.0 0.0.0.255
access-list 3 permit 192.168.4.0 0.0.0.255
access-list 4 permit 192.168.5.0 0.0.0.255
access-list 5 permit 192.168.6.0 0.0.0.255
access-list 6 permit 192.168.7.0 0.0.0.255
access-list 7 permit 192.168.8.0 0.0.0.255
access-list 8 permit 192.168.9.0 0.0.0.255
!
no cdp run
!
line con 0
 password cisco
 login
!
line aux 0
!
line vty 0 4
 password
 login
!
end

 

amr alrazzaz
17 Replies

Dennis Mink
VIP Alumni
Usually the way this is done is by means of a guest WiFi VLAN that you terminate into a DMZ, or even a dedicated internet router, so there is no layer 3 crossover with it in your network.
Please remember to rate useful posts, by clicking on the stars below.

Thanks a lot.

Can you please help and give me an example of how to block access from guest to the other internal resources and allow only internet access by using an access list???

What's a DMZ?

amr alrazzaz

Hello,

 

the below should work. Networks 192.168.2.0/24 thru 192.168.7.0/24 are summarized as 192.168.0.0/21.

 

access-list 111 deny ip 192.168.0.0 0.0.7.255 192.168.8.0 0.0.0.255
access-list 111 deny ip 192.168.8.0 0.0.0.255 192.168.0.0 0.0.7.255
access-list 111 deny ip 192.168.8.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 111 deny ip 192.168.9.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 111 permit ip any any
!
interface FastEthernet0/0.912
description WIFI-GUEST
encapsulation dot1Q 912
ip address 192.168.8.207 255.255.255.0
ip access-group 111 in
ip nat inside

As per your configuration below, so I can understand the following, please correct me, and what is the standard for that in companies?:

1- WiFi guest cannot connect to or even ping any of the other VLANs?

2- Can the other VLANs connect to WiFi guest as well or not? So is the connection blocked in both directions?

3- What if I need to allow only the printer VLAN to the WiFi guest VLAN?

4- The summarized VLAN IPs are from 2 to 7 only? Correct? Not including the 8 and 9 networks?

 

 

thanks a lot 

amr alrazzaz

Hello,

 

the access list blocks access from the guest Vlan to all other Vlans, and vice versa. The guest Vlan can only access the Internet and nothing else.

If you need a printer to be able to access Vlan 8, you need to add a host entry:

 

access-list 111 permit ip host x.x.x.x any

access-list 111 permit ip any host x.x.x.x

 

where x.x.x.x is the IP address of your printer.

 

192.168.8.0/24 IS the WiFi guest network, right? Addresses 2-7 are summarized; the entry for 9 is at the end of the access list.

Dear, with the ACL below the WiFi guest VLAN can't reach any other VLANs, and also VLAN 8 (WiFi guest) still can't access the 2 printers that I have on the network (VLAN 9), as below:

access-list 111 deny ip 192.168.0.0 0.0.7.255 192.168.8.0 0.0.0.255
access-list 111 deny ip 192.168.8.0 0.0.0.255 192.168.0.0 0.0.7.255
access-list 111 deny ip 192.168.8.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 111 deny ip 192.168.9.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 111 permit ip any any
access-list 111 permit ip host 192.168.3.3 any
access-list 111 permit ip any host 192.168.3.3
access-list 111 permit ip host 192.168.3.1 any
access-list 111 permit ip any host 192.168.3.1
!

So WiFi guest still can't connect to the printer? :)

amr alrazzaz

Hello,

 

you need to change the order of the access list. Entries are processed in sequence, so your host entries need to be first. Remove the access list, and then add it again, in the order below:

 

access-list 111 permit ip host 192.168.3.3 any
access-list 111 permit ip any host 192.168.3.3
access-list 111 permit ip host 192.168.3.1 any
access-list 111 permit ip any host 192.168.3.1
access-list 111 deny ip 192.168.0.0 0.0.7.255 192.168.8.0 0.0.0.255
access-list 111 deny ip 192.168.8.0 0.0.0.255 192.168.0.0 0.0.7.255
access-list 111 deny ip 192.168.8.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 111 deny ip 192.168.9.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 111 permit ip any any

Thanks a lot, dear.

Another question:

On the WiFi guest sub-interface, as below, is it okay with "ip access-group 111 in", and what if I add "out" as well in addition?

And is "ip nat inside" for the internet access? Am I correct?

interface FastEthernet0/0.912
 description WIFI-GUEST
 encapsulation dot1Q 912
 ip address 192.168.8.207 255.255.255.0
 ip access-group 111 in
 ip nat inside

amr alrazzaz

Hello,

 

you only need to apply the access list inbound. NAT is not affected, as you allow all traffic from the guest Wifi Vlan to the Internet...

Is this one okay???

I have two printers, 192.168.3.1 and 3.2, so if I need to provide guest WiFi access to only these 2 printers, is the below okay, or should I make any changes?

ip access-list extended in_guest_traffic
 permit ip host 192.168.3.2 any
 permit ip any host 192.168.3.2
 permit ip host 192.168.3.1 any
 permit ip any host 192.168.3.1
 deny ip any 192.168.2.0 0.0.0.255
 deny ip any 192.168.3.0 0.0.0.255
 deny ip any 192.168.4.0 0.0.0.255
 deny ip any 192.168.5.0 0.0.0.255
 deny ip any 192.168.6.0 0.0.0.255
 deny ip any 192.168.7.0 0.0.0.255
 deny ip any 192.168.9.0 0.0.0.255
 permit ip any any
! apply it to the interface
interface FastEthernet0/0.912
 ip access-group in_guest_traffic in
end

amr alrazzaz

Hello,

 

apply the below and see what the result is:

 

access-list 111 permit ip host 192.168.3.3 any
access-list 111 permit ip any host 192.168.3.3
access-list 111 permit ip host 192.168.3.1 any
access-list 111 permit ip any host 192.168.3.1
access-list 111 deny ip 192.168.0.0 0.0.7.255 192.168.8.0 0.0.0.255
access-list 111 deny ip 192.168.8.0 0.0.0.255 192.168.0.0 0.0.7.255
access-list 111 deny ip 192.168.8.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 111 deny ip 192.168.9.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 111 permit ip any any
!
interface FastEthernet0/0.912
description WIFI-GUEST
encapsulation dot1Q 912
ip address 192.168.8.207 255.255.255.0
ip access-group 111 in
ip nat inside

Have you got a firewall at all in your network?
Please remember to rate useful posts, by clicking on the stars below.

I have 1 Cisco ISR 2911 router and 2 Catalyst 2960-X series 24-port switches.

Please also find attached a picture of the network design; maybe it is clearer to understand.

 

thanks

 

 

amr alrazzaz

Hello
Your listing of VLAN 250 shows it's the MGMT VLAN on sub-interface fa0/0.250; I assume this is a typo in your configuration, and if so your access-list is applied to the wrong sub-interface?


interface FastEthernet0/0.250
description WIFI-GUEST
encapsulation dot1Q 250
ip address 192.168.7.207 255.255.255.0
ip access-group 101 in
ip access-group 101 out

 

interface FastEthernet0/0.912
description WIFI-GUEST
encapsulation dot1Q 912
ip address 192.168.8.207 255.255.255.0

Also, the currently defined ACL 101 is summarized to also include your printer VLAN, which would be incorrect.
So, to allow communication between VLAN 9 (Printer) and VLAN 912 (WiFi guest), deny all other communication to the WiFi guest VLAN.

Could you try the following:
conf t
int fa0/0.250
no ip access-group 101 in
no ip access-group 101 out
exit

no access-list 101

access-list 100 remark allow Wifi-Guest to Printer vlan and internet
access-list 100 deny ip any 192.168.2.0 0.0.0.255
access-list 100 deny ip any 192.168.4.0 0.0.0.255
access-list 100 deny ip any 192.168.5.0 0.0.0.255
access-list 100 deny ip any 192.168.6.0 0.0.0.255
access-list 100 deny ip any 192.168.7.0 0.0.0.255
access-list 100 deny ip any 192.168.9.0 0.0.0.255
access-list 100 permit ip any any

access-list 101 remark allow Printer vlan to Wifi-Guest
access-list 101 deny ip 192.168.2.0 0.0.0.255 any
access-list 101 deny ip 192.168.4.0 0.0.0.255 any
access-list 101 deny ip 192.168.5.0 0.0.0.255 any
access-list 101 deny ip 192.168.6.0 0.0.0.255 any
access-list 101 deny ip 192.168.7.0 0.0.0.255 any
access-list 101 deny ip 192.168.9.0 0.0.0.255 any
access-list 101 permit ip any any

int fa0/0.912
ip access-group 100 out
ip access-group 101 in


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
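
The three ACL points raised in this thread (why the printer host permits had to be moved above "permit ip any any", what the 192.168.0.0 0.0.7.255 summary actually covers, and what an access-group applied "in" on fa0/0.912 sees compared with one applied "out") can all be checked offline before touching the router. The script below is an added example written for this page, not code from the thread or from Cisco. It implements IOS first-match evaluation only for the "permit/deny ip" forms used in the posts (no ports or protocols), and the sample hosts 192.168.8.50, 192.168.2.10 and 8.8.8.8 are constructed for the demonstration.

```python
"""Added example: first-match evaluator for the IOS extended ACL lines in this thread."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def parse_ace(line: str) -> Ace:
    """Parse '[access-list N] <permit|deny> ip <src> <dst>' where each address is
    'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (the only forms used in the thread)."""
    toks = line.split()
    if toks[0] == "access-list":  # numbered form: drop "access-list 111"
        toks = toks[2:]
    action, proto, rest = toks[0], toks[1], toks[2:]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")

    def take(t: list[str]) -> tuple[str, str, list[str]]:
        if t[0] == "any":
            return "0.0.0.0", "255.255.255.255", t[1:]
        if t[0] == "host":
            return t[1], "0.0.0.0", t[2:]
        return t[0], t[1], t[2:]

    src, src_wc, rest = take(rest)
    dst, dst_wc, rest = take(rest)
    return Ace(action, src, src_wc, dst, dst_wc)


def evaluate(acl: list[str], src: str, dst: str) -> str:
    """Top-down, first match wins; no match falls to the implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"


# ACL 111 exactly as the original poster typed it: host permits AFTER "permit ip any any".
ACL_111_POSTED = [
    "access-list 111 deny ip 192.168.0.0 0.0.7.255 192.168.8.0 0.0.0.255",
    "access-list 111 deny ip 192.168.8.0 0.0.0.255 192.168.0.0 0.0.7.255",
    "access-list 111 deny ip 192.168.8.0 0.0.0.255 192.168.9.0 0.0.0.255",
    "access-list 111 deny ip 192.168.9.0 0.0.0.255 192.168.8.0 0.0.0.255",
    "access-list 111 permit ip any any",
    "access-list 111 permit ip host 192.168.3.3 any",
    "access-list 111 permit ip any host 192.168.3.3",
    "access-list 111 permit ip host 192.168.3.1 any",
    "access-list 111 permit ip any host 192.168.3.1",
]
# The reordered list from the reply: host permits first, then the denies, then permit any.
ACL_111_FIXED = ACL_111_POSTED[5:] + ACL_111_POSTED[:5]

# Paul's two lists (keyed on destination and on source respectively).
ACL_100 = [f"deny ip any 192.168.{n}.0 0.0.0.255" for n in (2, 4, 5, 6, 7, 9)] + ["permit ip any any"]
ACL_101 = [f"deny ip 192.168.{n}.0 0.0.0.255 any" for n in (2, 4, 5, 6, 7, 9)] + ["permit ip any any"]

# Constructed sample hosts: a guest client, a printer, a LAN PC, the ISP next hop, a public DNS server.
GUEST, PRINTER, LAN_PC = "192.168.8.50", "192.168.3.3", "192.168.2.10"
ISP_HOP, INTERNET = "192.168.1.253", "8.8.8.8"


def guest_view(acl: list[str]) -> dict[str, str]:
    """What a list applied INBOUND on the guest sub-interface does to traffic sourced by a
    guest client; every packet arriving there has a 192.168.8.0/24 source, so the
    deny/permit outcome is decided entirely by the destination column."""
    targets = (("printer", PRINTER), ("lan", LAN_PC), ("isp_hop", ISP_HOP), ("internet", INTERNET))
    return {name: evaluate(acl, GUEST, dst) for name, dst in targets}


if __name__ == "__main__":
    for label, acl in (("111 as posted", ACL_111_POSTED), ("111 reordered", ACL_111_FIXED),
                       ("100 inbound", ACL_100), ("101 inbound", ACL_101)):
        print(f"{label:14} {guest_view(acl)}")
```

Running it shows three things. With ACL 111 in the order the original poster typed it, guest-to-printer traffic hits the second deny before the host permits are ever reached; reordered, the printer is permitted and everything else internal is still denied. The 0.0.7.255 summary also matches 192.168.0.0/24 and 192.168.1.0/24, so with ACL 111 a guest cannot reach the ISP next hop 192.168.1.253 either (not a problem here, but it is part of what the summary covers). And a list whose deny entries key on the source subnet (the shape of ACL 101) matches nothing when applied inbound on fa0/0.912, because inbound packets there always carry a guest source; inbound lists on that interface have to key on the destination, and only an outbound list can usefully key on the source. None of the lists in the thread deny guest traffic to the router's own guest address 192.168.8.207, and the posted config has "line vty 0 4 ... login" with a plaintext enable password, so the guest ACL should be paired with an "access-class" on the VTY lines.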