Guest VLAN 111 Isolation and Internet Access Issue

rsthakur, Level 1

interface Vlan 111
 description Guest@VLAN
 ip access-group 2002 in

access-list 2002 remark Firewall, WLC VLAN
access-list 2002 permit ip 172.28.240.0 0.0.7.255 172.31.1.0 0.0.0.255
access-list 2002 remark DHCP, DNS, LDAP VLAN
access-list 2002 permit ip 172.28.240.0 0.0.7.255 172.30.1.0 0.0.0.255


Issue:

  • DHCP is working properly.

  • Able to ping Firewall, DNS, DHCP, and LDAP servers.

  • However, the LDAP web page is not accessible, and internet access is also not working.

Current Scenario:
Our network has around 100 VLANs, and all VLANs communicate with each other via inter-VLAN routing on the Cisco 6807 switch.

For VLAN 111 (Guest VLAN), the requirement is:

  • It should not communicate with any other VLANs (both directions).

  • Only internet access should be allowed.

Kindly suggest the correct configuration or recommended approach to achieve this.

Accepted Solutions (4)

pieterh, VIP

as others already mentioned, if you need specific protocols allowed, you need to include those protocols in your allow statement!

  • Only internet access should work (HTTP/HTTPS)

-> permit tcp 172.28.240.0 0.0.7.255 any eq 80      ! tcp connection on port 80 is used by http
   permit tcp 172.28.240.0 0.0.7.255 any eq 443     ! tcp connection on port 443 is used by https
   deny ip any any                                  ! specifying "ip" and no port number (eq xxx) means all other protocols

there is always an implicit deny at the end of all ACLs, but for consistency you can add an explicit deny to the list
this only works differently if you also include the "log" keyword to log those denied communication attempts
mostly you configure logging on during troubleshooting and off during normal operation.


Hi,

   In the initial thread, you also mentioned some access to internal resources. If you're looking to provide only basic Internet access you need to allow TCP port 80 and TCP port 443, along with DNS resolution. Your ingress ACL applied on the SVI/VLAN interface will look like:

ip access-list extended INBOUND_VLANX
remark a.a.a.a is the primary DNS server assigned to IPv4 clients
permit udp 172.28.240.0 0.0.7.255 host a.a.a.a eq 53
remark b.b.b.b is the secondary DNS server assigned to IPv4 clients
permit udp 172.28.240.0 0.0.7.255 host b.b.b.b eq 53
deny ip 172.28.240.0 0.0.7.255 10.0.0.0 0.255.255.255
deny ip 172.28.240.0 0.0.7.255 172.16.0.0 0.15.255.255
deny ip 172.28.240.0 0.0.7.255 192.168.0.0 0.0.255.255
permit tcp 172.28.240.0 0.0.7.255 any eq 80
permit tcp 172.28.240.0 0.0.7.255 any eq 443

 Your egress ACL applied on the SVI/VLAN interface will look like:

ip access-list extended OUTBOUND_VLANX
permit udp host a.a.a.a eq 53 172.28.240.0 0.0.7.255
permit udp host b.b.b.b eq 53 172.28.240.0 0.0.7.255
deny ip 10.0.0.0 0.255.255.255 172.28.240.0 0.0.7.255
deny ip 172.16.0.0 0.15.255.255 172.28.240.0 0.0.7.255
deny ip 192.168.0.0 0.0.255.255 172.28.240.0 0.0.7.255
permit tcp any eq 80 172.28.240.0 0.0.7.255
permit tcp any eq 443 172.28.240.0 0.0.7.255

 Thanks,

Cristian.


rsthakur, Level 1

The ACL mentioned below resolves my purpose.

Thanks to ALL for the help @Cristian Matei @pieterh. If any line is extra or not required in the ACL below, kindly let me know.

 

ip access-list extended Internet_Only
permit ip 172.28.240.0 0.0.7.255 172.31.1.0 0.0.0.255
permit udp 172.28.240.0 0.0.7.255 host 172.30.1.XX eq domain
permit udp 172.28.240.0 0.0.7.255 host 172.30.1.XX eq domain
permit tcp 172.28.240.0 0.0.7.255 any eq www
permit tcp 172.28.240.0 0.0.7.255 any eq 443
permit icmp 172.28.240.0 0.0.7.255 host 172.30.1.XX
deny ip 172.28.240.0 0.0.7.255 any
deny tcp 172.28.240.0 0.0.7.255 any
deny udp 172.28.240.0 0.0.7.255 any


pieterh, VIP

some remarks: "deny ip..." already includes tcp and udp
as this comes before the other two lines, these lines will have no effect at all

if you move it to last, then you can enable/disable logging of tcp or udp connections separately, as mentioned in my previous post
commonly just "deny ip any any" is used


16 Replies

pieterh, VIP

from this page: https://stackoverflow.com/questions/5913941/is-ldap-a-tcp-or-a-udp-protocol
Normally LDAP is a TCP protocol. But Microsoft uses LDAP also over UDP.
See here:
http://msdn.microsoft.com/en-us/library/cc717362(v=prot.10).aspx

-> for UDP you also need to add a rule for return traffic in your ACL

rsthakur, Level 1

I am using open source LDAP running on a Linux platform.

balaji.bandi, Hall of Fame

This is ACL (not a stateful Firewall)

So better to have both direction ACLs available for IN and OUT. Also, make sure you can restrict by Ports if you prefer more granularity than just a subnet.

Also, could you log and check what is wrong?

BB


Cristian Matei, VIP Alumni

Hi,

    If LDAP is not working, it means you're not matching on that traffic with your second entry from the ACL; double check that. As for further allowing only Internet access and no access to any other VLANs, you would need to add a few additional statements to your ACL, in order to deny all traffic destined to RFC1918 prefixes and allow everything else:

ip access-list extended 2002
 deny ip 172.28.240.0 0.0.7.255 10.0.0.0 0.255.255.255
 deny ip 172.28.240.0 0.0.7.255 172.16.0.0 0.15.255.255
 deny ip 172.28.240.0 0.0.7.255 192.168.0.0 0.0.255.255
 permit ip 172.28.240.0 0.0.7.255 any
 

If you're also owning some public resources you want to restrict access to, add additional 'deny' lines before the last 'permit' entry.

Also, as already suggested, you'd ideally configure your ACL entries that allow access to LDAP, DNS and whatever other services are needed based on specific protocol (TCP/UDP) and port numbers, as opposed to how you have it now, where all IP traffic to some private subnets is fully allowed.

Thanks,

Cristian.

The OP says "internet access is also not working". This is not surprising. I see the access list has 2 statements permitting access to local resources, but no statement about access to outside resources. We should remember that in an ACL things that are not permitted are denied. If you want internet access then you should add to the access list a statement that denies the local vlan addresses to any other private address, and a statement that permits the local vlan addresses to any address. 

HTH

Rick

Tried this, but no luck.

ip access-list extended Guest_Internet_Only
deny ip 172.28.240.0 0.0.7.255 172.16.0.0 0.15.255.255
permit ip 172.28.240.0 0.0.7.255 172.31.1.0 0.0.0.255
permit ip 172.28.240.0 0.0.7.255 172.30.1.0 0.0.0.255
permit ip 172.28.240.0 0.0.7.255 any

interface Vlan 111

ip access-group Guest_Internet_Only in

After applying this, I am not able to ping the permitted subnets (172.31.1.0 and 172.30.1.0).

 

Hi,

   Because your first ACL entry is now denying access towards destinations in RFC1918 Class B range, which includes 172.30.1.0 and 172.31.1.0. Your ACL needs to look as follows, assuming you don't want to restrict access towards internal resources based on protocol and port:

ip access-list extended Guest_Internet_Only
permit ip 172.28.240.0 0.0.7.255 172.31.1.0 0.0.0.255
permit ip 172.28.240.0 0.0.7.255 172.30.1.0 0.0.0.255
deny ip 172.28.240.0 0.0.7.255 10.0.0.0 0.255.255.255
deny ip 172.28.240.0 0.0.7.255 172.16.0.0 0.15.255.255
deny ip 172.28.240.0 0.0.7.255 192.168.0.0 0.0.255.255
permit ip 172.28.240.0 0.0.7.255 any

 Thanks,

Cristian.

permit tcp 172.28.240.0 0.0.7.255 any

everything starts working, because this line allows all TCP traffic (HTTP/HTTPS/SSH/SMB/etc.) from the Guest VLAN to any destination, including internet websites.
Only ICMP (ping) is blocked, since the permit is for TCP only.

However, our requirement is different:

We want:

  • Only internet access should work (HTTP/HTTPS)

  • All internal services (SSH, HTTPS, SMB, internal servers, etc.) must remain blocked

So we need to allow only limited ports for internet and deny internal private subnets first, instead of permitting all TCP.



I am not clear what is the current state of this issue. If it is still an active issue can the OP provide a fresh output that includes the current configuration of the interface, current configuration of the access list,  and description of what is working and what is not working for this interface?

HTH

Rick

Joseph W. Doherty, Hall of Fame

You need to clarify, what's to be allowed, or not.

Initially, you describe:

For VLAN 111 (Guest VLAN), the requirement is:

  • It should not communicate with any other VLANs (both directions).

  • Only internet access should be allowed.

But later amend that to:

You mention using LDAP but not how and . . .

We want:

  • Only internet access should work (HTTP/HTTPS)

  • All internal services (SSH, HTTPS, SMB, internal servers, etc.) must remain blocked

So we need to allow only limited ports for internet and deny internal private subnets first, instead of permitting all TCP.

So, do you want to allow this VLAN any Internet access or just Internet access to HTTP/HTTPS?  If the latter, are we talking of "known" port access or actual protocol usage?

Also, now, do you only want to block specific internal access, or access to anything located internally?

BTW, any chance of having VLAN 111 connected to the FW, directly (if even logically)?  I ask, because a FW might be able to filter protocols even when not using their known ports.


Hi,

    First ACL line, namely "permit ip 172.28.240.0 0.0.7.255 172.31.1.0 0.0.0.255", allows all IP traffic to some internal destinations, is this what you want / need? If so, leave it there or ideally change it to allow only specific TCP/UDP services you need and only towards specific IP's/hosts rather than the entire subnet; if you don't need it, remove it.

   4th and 5th lines allow all TCP traffic destined to port 80 and 443, including towards internal resources, is this what you want? Initially you said you only want Internet access.

    Your last 2 lines are not really needed, since the line before which denies IP traffic will implicitly deny TCP and UDP.

If you only need Internet access, best ACL to use is the one I've mentioned before:

ip access-list extended INBOUND_VLANX
remark a.a.a.a is the primary DNS server assigned to IPv4 clients
permit udp 172.28.240.0 0.0.7.255 host a.a.a.a eq 53
remark b.b.b.b is the secondary DNS server assigned to IPv4 clients
permit udp 172.28.240.0 0.0.7.255 host b.b.b.b eq 53
deny ip 172.28.240.0 0.0.7.255 10.0.0.0 0.255.255.255
deny ip 172.28.240.0 0.0.7.255 172.16.0.0 0.15.255.255
deny ip 172.28.240.0 0.0.7.255 192.168.0.0 0.0.255.255
permit tcp 172.28.240.0 0.0.7.255 any eq 80
permit tcp 172.28.240.0 0.0.7.255 any eq 443
deny ip any any log

If you need to allow any other traffic towards internal resources, add these additional ACEs before the 3rd entry in the above mentioned ACL.

Thanks,

Cristian.
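Added example (not code from the thread or from Cisco): a small Python model of IOS extended-ACL first-match evaluation with wildcard masks. It reproduces the ordering problem Cristian explained (the RFC1918 /12 deny placed ahead of the permit for 172.31.1.0/24) and the points made about the accepted Internet_Only ACL: "permit tcp ... any eq 443" still reaches internal hosts, and a "deny tcp" placed after "deny ip ... any" is never evaluated. The guest host 172.28.241.20 and the DNS server 172.30.1.10 (standing in for the redacted 172.30.1.XX) are constructed values.

```python
import ipaddress
# Model of Cisco IOS extended-ACL first-match evaluation (added example, not from the thread)
PORT_NAMES = {"www": 80, "domain": 53}

def wc_match(addr, base, wildcard):
    # IOS wildcard mask: 0 bits must equal the base, 1 bits are don't-care
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return a & ~w == b & ~w

def parse_ace(line):
    # 'permit|deny proto src dst [eq port]'; src/dst written as any, host X, or X wildcard
    tok = line.replace(" log", "").split()
    pos = 2
    def addr():
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return "0.0.0.0", "255.255.255.255"
        if tok[pos] == "host":
            pos += 2
            return tok[pos - 1], "0.0.0.0"
        pos += 2
        return tok[pos - 2], tok[pos - 1]
    src, dst = addr(), addr()
    port = None
    if pos < len(tok) and tok[pos] == "eq":
        port = PORT_NAMES.get(tok[pos + 1]) or int(tok[pos + 1])
    return tok[0], tok[1], src, dst, port

def evaluate(acl, proto, src, dst, dport=None):
    # returns (action, 1-based ACE number); the implicit deny at the end yields ('deny', None)
    for n, (action, aproto, (sb, sw), (db, dw), port) in enumerate(acl, 1):
        if aproto in ("ip", proto) and wc_match(src, sb, sw) \
                and wc_match(dst, db, dw) and port in (None, dport):
            return action, n
    return "deny", None

# OP's first attempt: the RFC1918 /12 deny precedes the permit for 172.31.1.0/24
FIRST_TRY = [parse_ace(l) for l in """
deny ip 172.28.240.0 0.0.7.255 172.16.0.0 0.15.255.255
permit ip 172.28.240.0 0.0.7.255 172.31.1.0 0.0.0.255
permit ip 172.28.240.0 0.0.7.255 any""".strip().splitlines()]

# OP's accepted Internet_Only ACL, abridged; 172.30.1.10 is a constructed stand-in for 172.30.1.XX
FINAL = [parse_ace(l) for l in """
permit ip 172.28.240.0 0.0.7.255 172.31.1.0 0.0.0.255
permit udp 172.28.240.0 0.0.7.255 host 172.30.1.10 eq domain
permit tcp 172.28.240.0 0.0.7.255 any eq 443
deny ip 172.28.240.0 0.0.7.255 any
deny tcp 172.28.240.0 0.0.7.255 any""".strip().splitlines()]
```

Moving the first ACE of FIRST_TRY to the end (Cristian's fix) makes the ping to 172.31.1.1 hit the permit on line 1, and in FINAL the trailing "deny tcp" can never be the matching entry because line 4 already matches every protocol.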