11-02-2023 03:23 PM
So we have a DHCP and DNS server with the IP of 10.1.0.2. Is there a way to create an ACL that will allow the client to talk with the DHCP and DNS server and allow HTTPS traffic for browsing, but will not allow anything else? Here is what I have tried, and for some reason my phone is not able to connect back to the Wi-Fi.
permit udp any host 10.1.0.2 eq domain
permit tcp any host 10.1.0.2 eq domain
permit udp any eq bootpc host 10.1.0.2 eq bootps
permit udp any eq bootps host 10.1.0.2 eq bootpc
permit tcp any any eq 443
deny ip any any
permit udp any eq bootpc host 10.1.0.2 eq bootps
permit udp any host 10.1.0.2 eq domain
deny ip any 192.168.0.0 0.0.255.255
permit udp host 10.1.0.2 any eq domain
permit tcp host 10.1.0.2 any eq domain
permit udp host 10.1.0.2 any eq bootps
permit udp host 10.1.0.2 any eq bootpc
permit ip any any
11-03-2023 12:07 AM
Hello!
Create the ACL like this:
ip access-list extended GUEST
permit udp any any eq bootpc
permit udp any any eq domain
permit tcp any any eq www
permit tcp any any eq 443
deny ip any any
And apply it to the IN direction on the VLAN.
BR
11-03-2023 12:35 AM
I would also block all traffic to RFC 1918 addresses. So the complete ACL would look like this:
ip access-list extended GUEST
permit udp any any eq bootpc
permit udp any any eq domain
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit tcp any any eq www
permit tcp any any eq 443
deny ip any any
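To see which line of an ACL a given packet actually hits, it helps to walk the list the way IOS does: top to bottom, first match wins, implicit deny at the end. The following Python script is an added example and is not from this thread or from Cisco; it is a toy evaluator that understands only the syntax used in the ACLs posted above (permit/deny, ip/tcp/udp, any, host, dotted wildcard masks, and eq with the port names domain, bootps, bootpc and www). It does not model platform-specific behaviour such as DHCP relay or snooping, only the text of the list. The client flows it feeds in are constructed for the example; the DHCP DISCOVER uses the RFC 2131 addresses (source 0.0.0.0, destination 255.255.255.255, UDP 68 to 67), and the public address 203.0.113.10 is from the TEST-NET-3 documentation range.

```python
"""Toy first-match evaluator for Cisco IOS extended ACL syntax.

Added example, not code from the thread. Models only the keywords that
appear in the posted ACLs; not a substitute for testing on the device.
"""
import ipaddress

# Port keywords used in the posted ACLs (IOS has many more).
PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68, "www": 80}


def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)


def _parse_addr(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.X.Y.Z'.

    Returns ((network_int, care_mask), remaining_tokens). A Cisco wildcard
    mask has 1 bits for 'don't care', so the care mask is its complement.
    """
    t = tokens[0]
    if t == "any":
        return (0, 0), tokens[1:]
    if t == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0xFFFFFFFF), tokens[2:]
    addr = int(ipaddress.IPv4Address(t))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    care = 0xFFFFFFFF ^ wildcard
    return (addr & care, care), tokens[2:]


def _parse_port(tokens):
    """Optional 'eq <port>' qualifier; returns (port or None, remaining)."""
    if tokens and tokens[0] == "eq":
        return _port(tokens[1]), tokens[2:]
    return None, tokens


def parse_acl(text):
    """Parse ACL lines into rule tuples, skipping the 'ip access-list' header."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue
        action, proto = tok[0], tok[1]
        src, rest = _parse_addr(tok[2:])
        sport, rest = _parse_port(rest)
        dst, rest = _parse_addr(rest)
        dport, rest = _parse_port(rest)
        rules.append((action, proto, src, sport, dst, dport, line.strip()))
    return rules


def _match_addr(spec, ip):
    net, care = spec
    return (int(ipaddress.IPv4Address(ip)) & care) == net


def evaluate(rules, proto, src, sport, dst, dport):
    """First-match evaluation; returns (action, matched_line)."""
    for action, rproto, rsrc, rsport, rdst, rdport, line in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if not _match_addr(rsrc, src) or not _match_addr(rdst, dst):
            continue
        if rsport is not None and rsport != sport:
            continue
        if rdport is not None and rdport != dport:
            continue
        return action, line
    return "deny", "<implicit deny>"


# The inbound list from the original question (first six lines).
OP_ACL = """
permit udp any host 10.1.0.2 eq domain
permit tcp any host 10.1.0.2 eq domain
permit udp any eq bootpc host 10.1.0.2 eq bootps
permit udp any eq bootps host 10.1.0.2 eq bootpc
permit tcp any any eq 443
deny ip any any
"""

# The GUEST list with the RFC 1918 denies from the reply above.
GUEST_ACL = """
ip access-list extended GUEST
permit udp any any eq bootpc
permit udp any any eq domain
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit tcp any any eq www
permit tcp any any eq 443
deny ip any any
"""

# Constructed client-side flows as they would enter the SVI (inbound).
FLOWS = {
    "dhcp_discover": ("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "dns_query": ("udp", "10.1.0.50", 51000, "10.1.0.2", 53),
    "https_public": ("tcp", "10.1.0.50", 51001, "203.0.113.10", 443),
    "https_rfc1918": ("tcp", "10.1.0.50", 51002, "192.168.1.10", 443),
    "ssh_internal": ("tcp", "10.1.0.50", 51003, "10.1.0.2", 22),
}


def check(acl_text, flow):
    """Evaluate one constructed flow against an ACL given as text."""
    return evaluate(parse_acl(acl_text), *flow)


if __name__ == "__main__":
    for name, acl in (("OP_ACL", OP_ACL), ("GUEST_ACL", GUEST_ACL)):
        for flow_name, flow in FLOWS.items():
            action, line = check(acl, flow)
            print(f"{name:9} {flow_name:14} -> {action:6} via: {line}")
```

Run it and compare the two lists flow by flow. Against the original question's list, the broadcast DHCP DISCOVER matches neither `host 10.1.0.2` line and falls through to `deny ip any any`, while HTTPS to 192.168.1.10 is permitted by `permit tcp any any eq 443`; against the GUEST list, the same HTTPS flow is caught by `deny ip any 192.168.0.0 0.0.255.255` because the RFC 1918 denies sit above the HTTPS permit. Whatever the evaluator says, confirm on the device with `show ip access-lists GUEST`, whose per-line hit counters show which entry real traffic is matching.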
11-04-2023 04:25 AM
I need to know the direction of this ACL, IN or OUT.
I need to know the auth you use for the Wi-Fi.
Thanks a lot
MHM