cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
582
Views
0
Helpful
1
Replies

Guest Wireless ACL Review

ruvreve19
Level 1
Level 1

I need to create an ACL for guest internet access. It should block access to the corporate VLANs which include 172.16.x.x and 192.168.x.x while allowing full access to the internet. Guest clients will need to get DHCP from 192.168.50.59. Guest wireless VLAN is 172.16.16.0 255.255.252.0

 

Does this ACL look correct?

interface Vlan16

description WIFI Guest - Subnet 172.16.16.0 - 172.16.19.255
ip address 172.16.16.2 255.255.252.0
ip helper-address 192.168.50.59

 ip access-group WirelessGuest2018 in
standby 16 ip 172.16.16.1
standby 16 priority 115
standby 16 preempt
standby 16 authentication *

 

ip access-list extended WirelessGuest2018
remark DHCP Server
permit udp any host 192.168.50.59 eq bootps
permit udp any host 192.168.50.60 eq bootps

remark block access to switch vlan interfaces
deny ip 172.16.16.0 0.0.3.255 host 172.16.16.1 any
deny ip 172.16.16.0 0.0.3.255 host 172.16.16.2 any
deny ip 172.16.16.0 0.0.3.255 host 172.16.16.3 any

 

remark Allow access to guest wireless network, since blocked below, not needed?
permit ip 172.16.16.0 0.0.3.255 172.16.16.0 0.0.3.255

 

remark Block IP access to all Corporate VLANs
deny ip 172.16.16.0 0.0.3.255 192.174.0.0 0.0.255.255
deny ip 172.16.16.0 0.0.3.255 172.16.0.0 0.0.255.255
deny ip 172.16.16.0 0.0.3.255 192.168.0.0 0.0.255.255

 

remark Block ICMP access to all Corporate VLANs
deny icmp 172.16.16.0 0.0.3.255 192.174.0.0 0.0.255.255
deny icmp 172.16.16.0 0.0.3.255 192.168.0.0 0.0.255.255
deny icmp 172.16.16.0 0.0.3.255 172.16.0.0 0.0.255.255
permit ip any any

1 Reply 1

chrihussey
VIP Alumni
VIP Alumni

Looks pretty good, but there always seems to be a gotcha. I assume the ACL will be applied inbound on the guest wireless VLAN interface

 

Anyway, my comments:

1- You don't need to block the access to the switch VLAN interfaces, that's addressed later in the ACL with the "deny ip 172.16.16.0 0.0.3.255 172.16.0.0 0.0.255.255" entry. You may want the client to be able to ping its default gateway.

2- You shouldn't need the "permit ip 172.16.16.0 0.0.3.255 172.16.16.0 0.0.3.255" either. If it isn't going through the interface it will have no affect.

3- You don't need to block ICMP, it has already been covered by the previous "deny IP" entries.

 

What is providing DNS? Is it on any of the corporate VLANs you are denying access to? If it is, you'll need to allow that. (Just UDP domain)

 

Finally, it would probably be a good idea to reverse the source / destinations in a different ACL and apply it in the outbound direction too. That implements the security policy in both directions which is probably preferred.

 

I'm sure I missed something, but like I said, there is always a gotcha.

 

Hope this helps

Review Cisco Networking for a $25 gift card