I've done a few route maps before and the logic is pretty much the same. I just can't figure this one out.
It's probably not the best solution, but it is what I have to work with. I would like to configure a guest vlan on our network and only allow access for DHCP, DNS, and Web. I'm attempting to use a VLAN filter along with a L3 ACL on the L3 VLAN. My L3 ACL seems to work fine. I've been able to block access to the other internal subnets. I would like users of this subnet to be able to ping the gateway and to traceroute to the Internet. I'm not sure why I care, but I would also like to block all communication from user to user within the same guest vlan. I've created the following ACL and VLAN access-map, but I'm still able to ping hosts on the same guest network and am also able to open a share on another host.
I'm intentionally not matching the deny statements since the action is to drop. Then, I want to drop the permit statements. With this configuration, I can pull DHCP, DNS, and surf the web. I have tested this functionality by adjusting those rules back to permit. When I do that it breaks DHCP, DNS, and web. The only piece that is not working is to block communication between hosts on the same guest vlan. Any ideas?
vlan access-map map982 10
action drop
match ip address acl982
vlan access-map map982 20
action forward
match ip address aclMatchAll
vlan filter map982 vlan-list 982
ip access-list extended acl982
deny icmp any host 10.98.207.1 unreachable
deny icmp any host 10.98.207.1 time-exceeded
deny icmp any host 10.98.207.1 echo-reply
deny icmp any host 10.98.207.1 echo
deny icmp host 10.98.207.1 any echo
deny icmp host 10.98.207.1 any echo-reply
deny icmp host 10.98.207.1 any time-exceeded
deny icmp host 10.98.207.1 any unreachable
deny udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
deny udp host 10.98.207.1 eq bootps any eq bootpc
deny udp 10.98.207.0 0.0.0.255 host 10.0.0.1 eq domain
permit ip 10.98.207.0 0.0.0.255 10.98.207.0 0.0.0.255
permit ip 10.98.207.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 10.98.207.0 0.0.0.255 172.16.0.0 0.15.255.255
permit ip 10.98.207.0 0.0.0.255 192.168.0.0 0.0.255.255
Thanks all.