Setup Visitor WIFI for Internet Only


I am new to this configuration and would appreciate any help you can offer.

I am trying to set up an SSID for our visitor network. I have it all set up in the WLC and it is working, except that I can still ping IP addresses inside the network. I cannot ping DNS names. So it is not truly an Internet-only connection.

Below is the configuration on our Primary Switch that provides the DHCP and configuration for the visitor network.

If you have any questions please let me know.

Thank you!

ip dhcp excluded-address 172.24.0.250 172.24.0.254
!
ip dhcp pool Vlan_172
network 172.24.0.0 255.255.254.0
domain-name intrepidpotash.com
default-router 172.24.0.243
dns-server 8.8.8.8 4.4.4.4
!
vlan access-map InternetOnly 10
action forward
match ip address GUEST
vlan access-map InternetOnly 20
action drop
match ip address DENY-INTERNAL
vlan access-map InternetOnly 30
action forward
match ip address INTERNET
vlan access-map ExchangeOnly 10
action forward
match ip address EXCHANGE-ALLOW
vlan access-map ExchangeOnly 20
action drop
match ip address DENY-INTERNAL
!
vlan filter InternetOnly vlan-list 172
vlan internal allocation policy ascending
!
vlan 50,64-65,100,110,147-148,150-151,172,200,210
!
***Port to the Cisco 5500 Wireless Controller
interface GigabitEthernet2/0/3
description To CNMWLC.WS.4.069
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 147,148,150,151,172,254
switchport mode trunk
!
interface Vlan172
ip address 172.24.0.243 255.255.254.0

ip access-list standard EXCHANGE-ALLOW
permit 10.130.26.0 0.0.0.255
permit 10.20.64.0 0.0.0.255
permit 10.20.65.0 0.0.0.255
ip access-list standard GUEST
permit 10.20.0.12
permit 10.20.0.10
permit 10.20.0.84
permit 10.20.0.83
permit 10.130.0.125
permit 172.24.0.0 0.0.1.255
ip access-list standard INTERNET
permit any
!
ip access-list extended DENY-INTERNAL
permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
ip access-list extended sl_def_acl
deny tcp any any eq telnet
deny tcp any any eq www
deny tcp any any eq 22
permit ip any any

1 Reply

Hello

VACLs are specific to that VLAN; however, RACLs can be used between multiple VLANs.

To negate communication between VLAN 172 and the rest of your LAN, you can apply a RACL on the VLAN 172 routed interface to deny the traffic.

Example:
access-list 100 deny ip 10.10.10.0 0.0.0.255 any  <vlan 10>
access-list 100 deny ip 20.20.20.0 0.0.0.255 any  <vlan 20>
access-list 100 permit ip any any

int vlan 172
ip access-group 100 OUT

Another way would be to remove the DHCP server for these guest users from the switch, and also its L3 interface, and have the WLC provide the routing and/or DHCP. Lastly, stop the guest DHCP server from advertising to the rest of the LAN.

DHCP server mac-address = 0000.1111.1111 

mac address-table static 0000.1111.1111 vlan 10 drop
mac address-table static 0000.1111.1111 vlan 20 drop




res
Paul



Kind Regards
Paul
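As an added check that is not part of either post above: a small Python model of Cisco ACL and VLAN access-map matching, run against the question's InternetOnly access-map and the reply's access-list 100 with a few constructed sample flows. The hosts 172.24.0.50, 10.20.5.9, 10.10.10.5 and 10.130.1.1 are assumed sample addresses chosen to fit the subnets on the page. The model applies the IOS rules as written (first matching sequence wins, a standard ACL tests only the source, wildcard bits set to 1 are ignored, unmatched traffic falls to the implicit deny/drop) and reports what each filter decides for guest traffic in both directions.

```python
"""Added example (not from the original posts): replay the question's VLAN
access-map and the reply's RACL against constructed flows to see which
direction of guest traffic each filter actually drops.

Modelled IOS semantics: first matching access-map sequence wins; a standard
ACL tests only the source address; wildcard bits set to 1 are "don't care";
an ACL with no match hits its implicit deny; an access-map with no match drops.
"""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # Cisco "any" as (network, wildcard)
HOST = "0.0.0.0"                       # wildcard for a single-host entry


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """True if addr matches network under a Cisco wildcard mask (1 bits ignored)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_decision(acl, src: str, dst: str) -> str:
    """Walk an ACL top-down. Entries are (action, (src_net, wc), (dst_net, wc));
    a standard ACL is written with dst = ANY. Implicit deny at the end."""
    for action, (s_net, s_wc), (d_net, d_wc) in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"


def vacl_decision(access_map, acls, src: str, dst: str) -> str:
    """VLAN access-map: the first sequence whose match ACL *permits* the
    packet supplies the action (forward/drop); no match at all means drop."""
    for _seq, action, acl_name in access_map:
        if acl_decision(acls[acl_name], src, dst) == "permit":
            return action
    return "drop"


# --- the question's configuration, transcribed from the post ---------------
ACLS = {
    "GUEST": [("permit", (h, HOST), ANY) for h in
              ("10.20.0.12", "10.20.0.10", "10.20.0.84", "10.20.0.83", "10.130.0.125")]
             + [("permit", ("172.24.0.0", "0.0.1.255"), ANY)],
    "DENY-INTERNAL": [("permit", ("10.0.0.0", "0.255.255.255"),
                                 ("10.0.0.0", "0.255.255.255"))],
    "INTERNET": [("permit", ANY, ANY)],
}
INTERNET_ONLY = [(10, "forward", "GUEST"),
                 (20, "drop", "DENY-INTERNAL"),
                 (30, "forward", "INTERNET")]

# --- the reply's access-list 100, applied OUT on interface Vlan172 ----------
ACL_100 = [
    ("deny", ("10.10.10.0", "0.0.0.255"), ANY),
    ("deny", ("20.20.20.0", "0.0.0.255"), ANY),
    ("permit", ANY, ANY),
]
GUEST_SUBNET = ("172.24.0.0", "0.0.1.255")  # network/wildcard of Vlan172


def racl_out_vlan172(src: str, dst: str) -> str:
    """An outbound RACL on the Vlan172 SVI only sees packets being routed
    *toward* VLAN 172 hosts; packets leaving VLAN 172 are not evaluated by it."""
    if not wildcard_match(dst, *GUEST_SUBNET):
        return "not evaluated"
    return acl_decision(ACL_100, src, dst)


def evaluate() -> dict:
    """Constructed sample flows (assumed hosts inside the page's subnets)."""
    guest, internal, inet, lan10 = "172.24.0.50", "10.20.5.9", "8.8.8.8", "10.10.10.5"
    return {
        "vacl guest->internal": vacl_decision(INTERNET_ONLY, ACLS, guest, internal),
        "vacl guest->internet": vacl_decision(INTERNET_ONLY, ACLS, guest, inet),
        "vacl internal->guest": vacl_decision(INTERNET_ONLY, ACLS, internal, guest),
        "vacl internal->internal": vacl_decision(INTERNET_ONLY, ACLS, internal, "10.130.1.1"),
        "racl guest->10.10.10.5 request": racl_out_vlan172(guest, lan10),
        "racl 10.10.10.5->guest reply": racl_out_vlan172(lan10, guest),
    }


if __name__ == "__main__":
    for flow, verdict in evaluate().items():
        print(f"{flow:32} {verdict}")
```

Reading the verdicts side by side shows why sequence order and the exact match set matter: sequence 10 of InternetOnly forwards everything matching GUEST, and GUEST includes the whole 172.24.0.0/23 guest subnet as a source, so guest-sourced traffic never reaches the DENY-INTERNAL drop; DENY-INTERNAL itself only matches 10/8-to-10/8 flows. The RACL half shows that an outbound ACL on the SVI is evaluated on the return path toward the guests, not on the guests' outgoing requests. When verifying any VLAN isolation filter, trace a flow in both directions through the configured sequence order rather than inferring behaviour from the ACL names.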