Blocking WiFi guests from accessing LAN resources with an ACL

Chris Holub
Level 1

Hello all,


I need a little help creating an ACL that only allows internet access for our guest WiFi users.

The guest WiFi range is from 10.1.160.3 to 10.1.175.254

We VLAN everything and use the VLAN number as the 3rd octet in the IP address. For example, 40 is our VLAN for printers, so an address like 10.1.40.12 would be a printer.

VLAN | Name | IP Range | Notes
10 | Management | 10.1.10.0/24 | Management network used for switches, access points, and monitors.
20 | Data (East) | 10.1.20.0/24 | Data network for end users. Covers Admin building to building 100.
21 | Data (West) | 10.1.21.0/24 | Data network for end users. Covers building 4000 to Facility Trailer.
30 | Servers | 10.1.30.0/24 | Campus-specific servers (currently none for Peoria).
40 | Printers | 10.1.40.0/24 | Used for campus-specific printers.
48 | Private Wireless | 10.1.48.0/22 | Used for the CCV staff wireless network.
60 | Public Wireless | 10.1.60.0/22 | Public wireless (not in use on PEO Campus; Juniper DHCP is used).
70 | Public Wired | 10.1.70.0/24 | Used for public-facing network ports.
80 | Checkin | 10.1.80.0/24 | Used for checkins.
90 | Point of Sale | 10.1.90.0/24 | Used for any POS type device.
100 | Public Kiosk | 10.1.100.0/24 | Used for Giving Kiosks.
110 | Production | 10.1.110.0/24 | Used for any AV & Production areas.
120 | Security Cameras | 10.1.12.0/24 | Network used for security cameras and servers.
121 | Security Badge | 10.1.121.0/24 | Network used for security badge access.
130 | VOIP | 10.1.130.0/24 | Used for our VOIP phones.
140 | Campus Streaming | 10.1.140.0/24 | Used exclusively for Evertz campus stream.
160 | Guest / Public WiFi | 10.1.160.0/20 | Used for Guest / Public WiFi.


Not sure if all of that was needed but for thoroughness I thought I would add it.

This would be on a Cisco 4506 with a Sup 7e, and the WiFi system, if you were wanting to know, is Ruckus. The 4506 is where all of the servers connect to, as well as our Fortinet firewall with our connection to the internet.

So the main thing is that the 4506 should only allow someone with an address from that WiFi DHCP scope to get out to the internet, and not onto anything local.


Cheers,
Chris


Julio E. Moisa
VIP Alumni

Hi Chris,

You can set up a VACL or just ACLs; you can try with:

ip access-list extended INTERNET-ONLY
 remark summarized network (10.1.0.0 - 10.1.127.255)
 deny ip 10.1.160.0 0.0.15.255 10.1.0.0 0.0.127.255
 deny ip 10.1.160.0 0.0.15.255 10.1.130.0 0.0.0.255
 deny ip 10.1.160.0 0.0.15.255 10.1.140.0 0.0.0.255
 permit ip any any

or

ip access-list extended INTERNET-ONLY
 deny ip any 10.1.0.0 0.0.127.255
 deny ip any 10.1.130.0 0.0.0.255
 deny ip any 10.1.140.0 0.0.0.255
 permit ip any any

int vlan 160
 ip access-group INTERNET-ONLY in


Hope it is useful

:-)

* I don't know your topology, but I usually don't recommend using a subnet larger than /23; it could generate some issues.




>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other community members. <<
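To verify that the first ACL in the reply really covers every subnet in Chris's table before it goes onto the 4506, here is an added Python check (not part of the thread and not Cisco IOS): it converts the IOS wildcard masks to prefixes, evaluates the ACL first-match against sample guest traffic, and reports any VLAN a guest could still reach. The guest address 10.1.170.25 and the trimmed copy of the VLAN table are constructed for the example, and wildcards are assumed to be contiguous.

```python
import ipaddress

# The ACL from the reply, as (action, source, destination) in IOS
# "address wildcard" notation; "any" is 0.0.0.0 255.255.255.255.
INTERNET_ONLY = [
    ("deny",   "10.1.160.0 0.0.15.255", "10.1.0.0 0.0.127.255"),
    ("deny",   "10.1.160.0 0.0.15.255", "10.1.130.0 0.0.0.255"),
    ("deny",   "10.1.160.0 0.0.15.255", "10.1.140.0 0.0.0.255"),
    ("permit", "any", "any"),
]

def wildcard_to_network(spec):
    """Turn IOS 'address wildcard' (or 'any') into an ip_network.
    The wildcard is inverted explicitly rather than handed to ipaddress
    as a hostmask, because 255.255.255.255 is also a valid /32 netmask
    and would otherwise be misread."""
    if spec == "any":
        spec = "0.0.0.0 255.255.255.255"
    addr, wildcard = spec.split()
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def evaluate(acl, src, dst):
    """First-match evaluation; an IOS ACL ends with an implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s, d in acl:
        if src_ip in wildcard_to_network(s) and dst_ip in wildcard_to_network(d):
            return action
    return "deny"

# Constructed subset of Chris's VLAN table (prefixes exactly as posted).
INTERNAL_VLANS = {
    10: "10.1.10.0/24", 40: "10.1.40.0/24", 48: "10.1.48.0/22",
    120: "10.1.12.0/24", 121: "10.1.121.0/24", 130: "10.1.130.0/24",
    140: "10.1.140.0/24",
}

def uncovered_vlans(acl, vlans, guest_src="10.1.170.25"):
    """VLAN ids whose first usable host a guest address can still reach."""
    return [vid for vid, net in vlans.items()
            if evaluate(acl, guest_src,
                        str(next(ipaddress.ip_network(net).hosts()))) == "permit"]

if __name__ == "__main__":
    print("guest -> printer:", evaluate(INTERNET_ONLY, "10.1.170.25", "10.1.40.12"))
    print("guest -> internet:", evaluate(INTERNET_ONLY, "10.1.170.25", "93.184.216.34"))
    print("VLANs still reachable:", uncovered_vlans(INTERNET_ONLY, INTERNAL_VLANS))
```

Dropping one of the deny lines and re-running shows which VLAN becomes reachable, which is the check worth repeating whenever a VLAN above 10.1.127.255 is added to the table.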