Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
185
Views
0
Helpful
2
Replies

Guest Wireless acl for segmentation from internal devices

malcolm sutton
Level 1
Level 1

‎02-02-2024 09:44 AM

I am trying to segment my Guest Wireless from our internal network. I only want guess to be able to out to the internet and get DHCP and DNS internal. Here is the acl i created:

ip access-group Wireless-Guest in(here is the extended acl and the config on the vlan interface)

10 permit udp any host 10.50.0.161 eq bootps
11 permit udp any host 10.56.28.114 eq bootps
20 permit udp any host 10.56.28.111 eq domain
21 permit udp any host 10.56.28.112 eq domain
22 permit udp any host 10.56.28.113 eq domain
120 deny ip any 10.0.0.0 0.255.255.255 (605048 matches)
121 deny icmp any 10.0.0.0 0.255.255.255
130 deny ip any 192.168.0.0 0.0.255.255 (2 matches)
131 deny icmp any 192.168.0.0 0.0.255.255
140 deny ip any 172.16.0.0 0.15.255.255 (1 match)
150 permit ip any any (561 matches)
151 permit icmp any any

Is this right?

Labels:
0 Helpful
2 Replies 2

Ruben Cocheno
Spotlight
Spotlight

‎02-02-2024 10:00 AM

@malcolm sutton 

Yes, that is pretty much what you need to block all internal access except DNS and DHCP, and be able to reach the Internet.

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/
0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame

‎02-02-2024 10:10 AM

High level that should be ok, but depends how your network diagram looks like, and where you appling this ACL.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card