
Wireless ACL - Block internal access

I need to block all access from the guest wireless to our internal network. 

The following is the ACL I've come up with so far for the guest SSID. I thought seq 1 and 2 would work - 1 allow clients to communicate with DHCP and 2 block access to all internal IP addresses. I had to add seq 3 for clients to access the internet as a workaround for now. Unfortunately, because of seq 3, clients can also access everything else on our internal network. I believe the descriptions are correct. Not 100% sure. It's what I want them to do anyway. 

  • Our DHCP Windows server hands our guest wireless clients an IP address and sets their DNS to the DNS of our ISP not our internal DNS server. 

  • The guest VLAN DHCP range is 
  • Our internal network is any IP in the 10.55 range. 
  • Our controller is a Cisco 4402. 

How do I accomplish this? 

ACL: GuestWiFi
Seq | Action | Source IP/Mask | Destination IP/Mask | Protocol | Source Port | Dest Port | DSCP | Direction | NoH | Desc
1 | Permit | 10.55.12.0 / | / | | Client | DHCP Server | Any | Inbound | 0 | DHCP Server. Allow clients to respond to DHCP requests.
2 | Deny | 10.55.12.0 / | / | | | | | | | access to internal network - all 10.55 addresses
3 | Permit | 0.0.0.0 / | / | | | | | | |

Thoroughly check the wildcard mask which you are using on the 1st and 2nd sequences, which may be creating the problem.


But the concept is right. :)


Seq 1: The guest VLAN DHCP range is 

Seq 2: Our internal network is any IP in the 10.55 range.

Knowing these two things does it look like I would have any problems with the wildcard mask? I'm not very confident in answering this. Hoping someone can help. 


Hi Andy,


There are some things I would recommend. The first is to keep in mind that when the clients in the guest VLAN boot up, they boot without any IP address, so if you apply an access list based on the assumed guest VLAN IP addresses that will be assigned by the DHCP server, it will not work and your guest VLAN clients will never be able to get an IP address from the DHCP server. The second thing is that in order to allow the guest VLAN to access the internet, you don't necessarily have to allow that traffic towards your internal network; it would be enough to allow it towards the gateway router. The last thing is that you don't need to apply any deny statement at the end of the access list, since there is an implicit deny by default.

Here is how your access list should look:

access-list 100 permit udp host eq bootpc host eq bootp
access-list 100 permit ip host (assuming this is the gateway ip address)




Hey Aref, 

Thank you for your suggestion. Yes. The gateway is I'd hate to make you spell it out, but it would be easiest for me to get this up and running if you could write the access list out somewhat similar to the table above.  

Thank you


I believe I have the issue resolved. I cannot find any issues with the solution yet. If anyone sees any issues with this setup let me know. The problem was solved through an ACL on the wireless controller. 

Problem description: Want to deny access to internal network from guest network.
Resolution summary:
>> Configured ACL for denying access to all internal network.
>> Applied one rule for permitting access to any network.
>> Cannot ping internal network as per our requirement.
>> But Able to go on the internet.
>> Everything is working as expected.


Hi Andy,

Do you mind sharing the Access list you configured on the WLC? I am looking to do the same on my Guest WLAN


Not a problem. The order is very important. 

First allow access to all of your network. This ends up being last in the sequence. Then start denying access. For our network I permitted to all and then added vlans to deny. At the very beginning of the sequence is where I allowed access to specific devices/services on vlans that are blocked. Here is an example. There could be a better way of doing this. If there is please chime in.

ACL: GuestWiFi
Seq | Action | Source IP/Mask | Destination IP/Mask | Protocol | Source Port | Dest Port | DSCP | Direction | NoH | Desc
1 | Permit | 0.0.0.0 / | / | | Client | DHCP Server | Any | Inbound | 0 | Allow printer
2 | Deny | 10.55.12.0 / | / | | | | | | | Wireless Vlan
3 | Deny | 10.55.12.0 / | / | | | | | | | Vlan
4 | Permit | 0.0.0.0 / | / | | | | | | |
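An added example, not from this thread or from Cisco, that simulates first-match evaluation of the WLC-style ACLs discussed in Aref's reply (a DHCP rule keyed on the guest subnet fails because a booting client sends from 0.0.0.0) and in Andy's final ordering (specific permits, then internal denies, then permit any). All addresses are assumed or constructed: guest subnet 10.55.12.0/24, internal 10.55.0.0/16, a hypothetical printer 10.55.20.9, and 203.0.113.10 as an internet host.

```python
import ipaddress
from typing import List, Optional, Tuple

# (action, source CIDR, destination CIDR, destination port or None for any)
Rule = Tuple[str, str, str, Optional[int]]

def evaluate(acl: List[Rule], src_ip: str, dst_ip: str, dport: Optional[int]) -> str:
    """Return the action of the first rule matching the flow; anything that
    matches no rule hits the implicit deny at the end of the list."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, rsrc, rdst, rport in acl:
        if (src in ipaddress.ip_network(rsrc) and dst in ipaddress.ip_network(rdst)
                and rport in (None, dport)):
            return action
    return "implicit-deny"

# First attempt: DHCP permitted only from the guest subnet, then deny internal.
ACL_ASSUMED_SOURCE: List[Rule] = [
    ("permit", "10.55.12.0/24", "0.0.0.0/0", 67),       # DHCP, but only from 10.55.12.x
    ("deny",   "10.55.12.0/24", "10.55.0.0/16", None),  # block the internal range
]

# Andy's ordering: specific permits first, internal denies next, permit any last.
ACL_ORDERED: List[Rule] = [
    ("permit", "0.0.0.0/0", "0.0.0.0/0", 67),           # DHCP from a client with no address yet
    ("permit", "0.0.0.0/0", "10.55.20.9/32", None),     # one allowed internal device (assumed printer)
    ("deny",   "0.0.0.0/0", "10.55.0.0/16", None),      # everything else internal
    ("permit", "0.0.0.0/0", "0.0.0.0/0", None),         # internet
]

# Same rules with permit-any placed above the deny: the "seq 3" symptom from the question.
ACL_MISORDERED: List[Rule] = [ACL_ORDERED[0], ACL_ORDERED[3], ACL_ORDERED[2]]

def walk(acl: List[Rule]) -> dict:
    """Evaluate the flows a guest client generates, from DHCP at boot onwards."""
    return {
        "dhcp_discover": evaluate(acl, "0.0.0.0", "255.255.255.255", 67),
        "printer":       evaluate(acl, "10.55.12.50", "10.55.20.9", 9100),
        "file_server":   evaluate(acl, "10.55.12.50", "10.55.3.4", 445),
        "internet":      evaluate(acl, "10.55.12.50", "203.0.113.10", 443),
    }

if __name__ == "__main__":
    for name, acl in [("assumed-source", ACL_ASSUMED_SOURCE),
                      ("ordered", ACL_ORDERED), ("misordered", ACL_MISORDERED)]:
        print(name, walk(acl))
```

Running it shows the booting client's DHCP discover hitting the implicit deny under the assumed-source list, and the misordered list letting the guest reach the file server.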

Thanks will give it a try!


Dear Sir 

I have two WiFi VLANs. VLAN 102 is the employee WiFi SSID, whose IP range starts at and goes to , and the second is VLAN 103, the guest SSID, whose IP address range is , with the same subnet mask. One is my intranet server, whose IP address is . I want to block VLAN 103 from accessing the web server's IP. Please help me; I have tried many times, but all network access gets blocked.


Gopal Bhatt




I am facing a similar issue where I have guest users accessing the internal services.

I need to write ACLs on the anchor WLC to deny their access. Would you be able to help.


My internal server range is, 168.252.0\16.


I have an internal DHCP server on the anchor WLC itself and they are on the subnet\22. And I need access from the internal users\8 to access the WLC IP for creating a lobby admin.
