vianceadmin
asked on
Need some help in creating router access lists to segment Guest/Production traffic
Need some help in creating some access lists on my router. My router is the default gateway for all my devices.
I'm creating a guest VLAN for WiFi (APs are already set up with SSID/VLAN tag) and the ports the APs are connected to have the VLAN tagged... Everything is working.
I have an IP-Helper address in my router that forwards the Guest WiFi traffic to my DHCP server, and guest WiFi test users are getting an IP in that DHCP scope. The only problem is that I can ping internal production resources from that guest IP. The router is an Aerohive/Brocade, but the CLI is fairly similar to Cisco CLI.
Guest traffic (VLAN 15) - 172.16.20.0/24
Production traffic (VLAN 1) - 192.168.24.0/21
Since I have no ACLs, I'm assuming the router is just forwarding the packets back and forth across the VLANs.
Thanks in advance...I appreciate the help.
So, access to Internet plus internal resources means access to everything, right?! ;-)
If students need access to internal resources, I suggest using a firewall.
ASKER
Dangit, sorry about that. Meant student/guest can only access the Internet and NOT access internal resources (made the edit in my post).
The ACL already posted works. The notes from Atlas_shuddered are totally valid.
Important part is allow DHCP, block all other internal traffic, and then allow to Internet.
One other thought: you could also put DHCP on the router for the wireless network. That would remove the need to pass DHCP traffic between trusted/untrusted as well.
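The ordering the thread settles on (permit DHCP first, deny everything internal, then permit the Internet), together with the follow-up suggestion of serving guest DHCP from the router itself, as an added example written in Cisco IOS syntax, which the asker says the Aerohive/Brocade CLI resembles. This is not configuration posted in the thread or taken from any vendor's documentation. The SVI name, the guest gateway 172.16.20.1, the DHCP server 192.168.24.10, the DNS server 192.168.24.11 and the public resolver in the pool are assumptions; the two subnets are the ones given in the question.

```cisco
! Added example, not from the original thread. Assumed addresses:
!   guest SVI        172.16.20.1/24  (interface Vlan15)
!   DHCP server      192.168.24.10   (inside the 192.168.24.0/21 production block)
!   internal DNS     192.168.24.11
! Adjust to match the real network before applying.

ip access-list extended GUEST-IN
 remark --- 1. DHCP must be permitted BEFORE the internal denies ---
 remark DHCP clients always send from udp/68 to udp/67. This one line covers the
 remark broadcast DISCOVER/REQUEST (0.0.0.0 -> 255.255.255.255, relayed by the
 remark helper address) and the unicast renewals sent straight to the server.
 permit udp any eq bootpc any eq bootps
 remark --- 2. DNS, only if guests resolve names through the internal server ---
 permit udp 172.16.20.0 0.0.0.255 host 192.168.24.11 eq domain
 permit tcp 172.16.20.0 0.0.0.255 host 192.168.24.11 eq domain
 remark --- 3. Deny the production block explicitly (easy to read in show counters) ---
 deny   ip 172.16.20.0 0.0.0.255 192.168.24.0 0.0.7.255
 remark Then every other private range, so a VLAN added later is not reachable by default
 deny   ip 172.16.20.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 172.16.20.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 172.16.20.0 0.0.0.255 192.168.0.0 0.0.255.255
 remark --- 4. Everything that is left is the Internet ---
 permit ip 172.16.20.0 0.0.0.255 any
 remark (implicit deny ip any any at the end)

interface Vlan15
 description Guest WiFi
 ip address 172.16.20.1 255.255.255.0
 ip helper-address 192.168.24.10
 ip access-group GUEST-IN in

! --- Variant for the last suggestion in the thread: DHCP served by the router ---
! Remove "ip helper-address 192.168.24.10" from Vlan15 above; the bootpc->bootps
! permit still has to stay, because the inbound ACL is evaluated before the
! router's own DHCP process receives the packet. The DNS permits to
! 192.168.24.11 can then go too if the pool hands out a public resolver.
ip dhcp excluded-address 172.16.20.1 172.16.20.9
ip dhcp pool GUEST
 network 172.16.20.0 255.255.255.0
 default-router 172.16.20.1
 dns-server 8.8.8.8
 lease 0 4
```

Two things to check after applying it. First, the 172.16.0.0/12 deny also covers the router's own guest-side address, so guests cannot ping 172.16.20.1 even though DHCP still works; that is intended for a guest network, but remember it when testing. Second, an inbound ACL on the guest SVI only filters traffic the guests originate. Replies to guest-initiated Internet flows come back unfiltered, and nothing here stops a production host from reaching the guest subnet; if you need stateful inspection or inbound filtering from the production side, that is the point at which a firewall, as suggested earlier in the thread, is the better tool.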