Creating a Guest Wireless ACL

So we have a DHCP and DNS server with the IP of 10.1.0.2. Is there a way to create an ACL that will allow the client to talk with the DHCP and DNS server and allow HTTPS traffic for browsing, but will not allow anything else? Here is what I have tried, and for some reason my phone is not able to connect back to the Wi-Fi.

permit udp any host 10.1.0.2 eq domain
permit tcp any host 10.1.0.2 eq domain
permit udp any eq bootpc host 10.1.0.2 eq bootps
permit udp any eq bootps host 10.1.0.2 eq bootpc
permit tcp any any eq 443
deny ip any any

permit udp any eq bootpc host 10.1.0.2 eq bootps
permit udp any host 10.1.0.2 eq domain
deny ip any 192.168.0.0 0.0.255.255

permit udp host 10.1.0.2 any eq domain
permit tcp host 10.1.0.2 any eq domain
permit udp host 10.1.0.2 any eq bootps
permit udp host 10.1.0.2 any eq bootpc
permit ip any any
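To see why the phone never gets an address, here is an added example (my own, not code from the thread) that models Cisco extended ACL first-match semantics in Python and runs the first ACL posted above, plus an assumed corrected inbound ACL for the guest SVI, against constructed packets. It models plain ACE matching only; platform-specific DHCP handling such as snooping or relay is not modelled, and the packet tuples and the FIXED ACL are my assumptions.

```python
import ipaddress, re

PORTS = {"bootps": 67, "bootpc": 68, "domain": 53}
_ADDR = r"(any|host \S+|\S+ \S+)"
ACE = re.compile(rf"(permit|deny) (\w+) {_ADDR}(?: eq (\S+))? {_ADDR}(?: eq (\S+))?$")

def _ip(s):
    return int(ipaddress.IPv4Address(s))
def _addr(spec):
    """'any' | 'host A' | 'A WILDCARD' -> (network, bits that must match)."""
    if spec == "any":
        return 0, 0
    net, wild = spec.split()
    if net == "host":
        return _ip(wild), 0xFFFFFFFF
    return _ip(net), ~_ip(wild) & 0xFFFFFFFF  # wildcard 0-bits are compared
def _port(p):
    return None if p is None else PORTS.get(p) or int(p)  # None = any port
def parse_acl(text):
    """Parse permit/deny entries into ACE tuples; header lines are skipped."""
    matches = filter(None, map(ACE.match, text.splitlines()))
    return [(a, p, _addr(s), _port(sp), _addr(d), _port(dp))
            for a, p, s, sp, d, dp in (m.groups() for m in matches)]
def evaluate(aces, proto, src, sport, dst, dport):
    """First matching entry decides; the implicit deny applies if none does."""
    for action, p, (snet, sm), sp, (dnet, dm), dp in aces:
        if (p in ("ip", proto) and sp in (None, sport) and dp in (None, dport)
                and _ip(src) & sm == snet & sm and _ip(dst) & dm == dnet & dm):
            return action
    return "deny"

# The questioner's first attempt, copied from the post above.
POSTED = """permit udp any host 10.1.0.2 eq domain
permit tcp any host 10.1.0.2 eq domain
permit udp any eq bootpc host 10.1.0.2 eq bootps
permit udp any eq bootps host 10.1.0.2 eq bootpc
permit tcp any any eq 443
deny ip any any"""
# Assumed inbound ACL for the guest SVI (my suggestion, not the thread's): DHCP
# DISCOVER is broadcast, so bootps is not pinned; DNS is permitted before 10/8 is denied.
FIXED = """permit udp any eq bootpc any eq bootps
permit udp any host 10.1.0.2 eq domain
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit tcp any any eq 443
deny ip any any"""

def verdicts(packet):
    """(posted, fixed) verdicts for one constructed (proto, src, sport, dst, dport)."""
    return tuple(evaluate(parse_acl(a), *packet) for a in (POSTED, FIXED))
```

A DHCP DISCOVER is sourced from 0.0.0.0 and sent to 255.255.255.255, so the posted entry pinned to host 10.1.0.2 never matches it and the trailing deny drops it; the posted ACL also lets HTTPS reach RFC1918 hosts, which the assumed ACL blocks.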


Hello!

Create the ACL like this:

ip access-list extended GUEST
permit udp any any eq bootpc
permit udp any any eq domain
permit tcp any any eq www
permit tcp any any eq 443
deny ip any any

And apply it to the IN direction on the VLAN.

BR

****Kindly rate all useful posts*****

I would also disable all traffic to RFC1918. So the complete ACL would be like this.

ip access-list extended GUEST
permit udp any any eq bootpc
permit udp any any eq domain
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit tcp any any eq www
permit tcp any any eq 443
deny ip any any

****Kindly rate all useful posts*****

I need to know the direction of this ACL, IN or OUT.
I need to know the auth you use for Wi-Fi.

Thanks A Lot
MHM