vianceadmin


Need some help in creating router access lists to segment Guest/Production traffic

Need some help in creating some access lists on my router - my router is the default gateway for all my devices.

I'm creating a guest VLAN for WiFi (APs are already set up with SSID/VLAN tag) and the ports the APs are connected to have the VLAN tagged...Everything is working.

I have an IP-Helper address in my router that forwards the Guest WiFi traffic to my DHCP server and guest WiFi test users are getting an IP in that DHCP scope.  Only problem is that I can ping internal production resources from that guest IP.  The router is an Aerohive/Brocade but the CLI is fairly similar to Cisco CLI.

Guest traffic (VLAN 15) - 172.16.20.x/24
Production traffic (VLAN 1) - 192.168.24/21

Since I have no ACLs, I'm assuming the router is just forwarding the packets back and forth across the VLANs.

Thanks in advance...I appreciate the help.
SOLUTION
kevinhsieh
ASKER CERTIFIED SOLUTION
vianceadmin

ASKER

Thanks guys...Here's an output of what I currently have.  I sort of inherited this network from someone else...What I really need to do is lock down the guest and student VLAN so guests/students can only access the Internet and NOT internal resources.  
ver 08.0.80bT213
!
stack unit 1
  module 1 icx7450-24p-poe-port-management-module
  module 2 icx7400-xgf-4port-40g-module
  module 3 icx7400-qsfp-1port-40g-module
  module 4 icx7400-qsfp-1port-40g-module
!
!
!
!
!
vlan 1 name DEFAULT-VLAN by port
 router-interface ve 1
!
vlan 10 name Student by port
 tagged ethe 1/1/1 to 1/1/13 ethe 1/1/24 ethe 1/2/3 
 router-interface ve 10
!
vlan 15 name Guest by port
 tagged ethe 1/1/1 to 1/1/13 ethe 1/1/24 ethe 1/2/3 
 router-interface ve 15
!
vlan 20 name Voice by port
 tagged ethe 1/1/24 ethe 1/2/3 
 untagged ethe 1/1/14 ethe 1/1/22 to 1/1/23 
 router-interface ve 20
!
vlan 35 name Gaming by port
 tagged ethe 1/1/1 to 1/1/13 ethe 1/1/24 ethe 1/2/3 
 router-interface ve 35
!
vlan 45 name AudioEnhancement by port
 tagged ethe 1/1/24 ethe 1/2/3 
 untagged ethe 1/1/15 to 1/1/18 
 router-interface ve 45
!
vlan 50 name Security by port
 tagged ethe 1/1/24 ethe 1/2/3 
 router-interface ve 50
!
!
!
!
!
!
!
!
!
!
!
!
aaa authentication enable default local
aaa authentication login default local
aaa authentication login privilege-mode
boot sys fl sec
enable telnet password 8 
hostname MAIN_Site_MDF_Brocade
ip route 0.0.0.0/0 192.168.25.1
!
username admin password 8 
!
!
!
!
!
!
!
!
!
!
!
!
!
interface ve 1
 ip address 192.168.25.19 255.255.248.0
!
interface ve 10
 ip address 172.16.8.1 255.255.252.0
 ip helper-address 1 192.168.25.2
!
interface ve 15
 ip address 172.16.20.1 255.255.254.0
 ip helper-address 1 192.168.25.2
!
interface ve 20
 ip address 192.168.125.1 255.255.255.0
!
interface ve 35
 ip address 192.168.35.1 255.255.255.0
 ip helper-address 1 192.168.25.2
!
interface ve 45
 ip address 192.168.45.1 255.255.255.0
 ip helper-address 1 192.168.25.2
!
interface ve 50
 ip address 192.168.50.1 255.255.255.0
 ip helper-address 1 192.168.25.2
!
!
!
!
!
lldp run
!
!
!
!
!
end


So, access to Internet plus internal resources means access to everything, right?! ;-)

If students need access to internal resources, I suggest using a firewall.
Dangit, sorry about that.  Meant student/guest can only access the Internet and NOT access internal resources (made the edit in my post).
The ACL already posted works. The notes from Atlas_shuddered are totally valid.

The important part is to allow DHCP, block all other internal traffic, and then allow traffic to the Internet.
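The rule order described above (permit DHCP, deny internal, permit the rest) is what makes or breaks a guest ACL, because a router ACL is evaluated top down with first match winning and an implicit deny at the end. The following is an added example, not code from the thread or from the Brocade ICX: a small first-match ACL model in Python that encodes those three steps as rules and runs them over constructed sample packets from a guest client. It uses the addresses from the posted config (guest VLAN 15 is 172.16.20.0/23 per `interface ve 15`, the DHCP server is 192.168.25.2, student VLAN 10 is 172.16.8.0/22); the Internet destination 203.0.113.10 is a constructed RFC 5737 documentation address. It generalises the "block all other internal traffic" step by denying all three RFC 1918 ranges rather than only 192.168.24.0/21, which also covers the Voice, Gaming, AudioEnhancement and Security VLANs in the config.

```python
"""First-match ACL model for the guest VLAN described in the thread.

Added example, not from the thread or the ICX firmware. It models the rule
order the answer calls for on VLAN 15 (172.16.20.0/23):
  1. permit DHCP client -> server so the ip helper-address relay keeps working
  2. deny everything else destined for internal (RFC 1918) address space
  3. permit what is left, i.e. Internet-bound traffic
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "udp", "tcp" or "icmp"
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    proto: str              # "ip" matches any protocol
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None
    sport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in self.src or ip_address(pkt.dst) not in self.dst:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        return True


ANY = IPv4Network("0.0.0.0/0")
RFC1918 = [IPv4Network("10.0.0.0/8"),
           IPv4Network("172.16.0.0/12"),
           IPv4Network("192.168.0.0/16")]


def guest_inbound_acl() -> List[Rule]:
    """Rules in the order they must appear on the guest SVI; first match wins."""
    rules = [
        # 1. DHCP from a client (udp/68) to a server (udp/67). A fresh client sends
        #    from 0.0.0.0 to 255.255.255.255; a renewing client sends unicast from
        #    its lease to the server, and this single entry covers both.
        Rule("permit", "udp", ANY, ANY, dport=67, sport=68),
    ]
    # 2. Deny anything else aimed at private address space. This covers every
    #    internal VLAN in the posted config, not just 192.168.24.0/21.
    rules += [Rule("deny", "ip", ANY, net) for net in RFC1918]
    # 3. Everything that remains is Internet-bound.
    rules.append(Rule("permit", "ip", ANY, ANY))
    return rules


def misordered_acl() -> List[Rule]:
    """The same entries with the catch-all permit moved first: the deny never fires."""
    rules = guest_inbound_acl()
    return [rules[-1]] + rules[:-1]


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"           # implicit deny at the end of every router ACL


# Constructed sample traffic from one guest client (172.16.20.50 is made up).
SAMPLES: Dict[str, Packet] = {
    "dhcp_discover":    Packet("0.0.0.0", "255.255.255.255", "udp", sport=68, dport=67),
    "dhcp_renew":       Packet("172.16.20.50", "192.168.25.2", "udp", sport=68, dport=67),
    "ping_dhcp_server": Packet("172.16.20.50", "192.168.25.2", "icmp"),
    "student_vlan_smb": Packet("172.16.20.50", "172.16.8.10", "tcp", sport=50000, dport=445),
    "internet_https":   Packet("172.16.20.50", "203.0.113.10", "tcp", sport=50001, dport=443),
}


def verdicts(rules: Optional[List[Rule]] = None) -> Dict[str, str]:
    """Verdict per sample packet under the given ACL (default: the correct order)."""
    rules = guest_inbound_acl() if rules is None else rules
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:18} {verdict}")
```

With the rules in the stated order the two DHCP packets and the HTTPS session to the Internet are permitted while the ping to the DHCP server and the SMB attempt into the student VLAN are denied; `misordered_acl()` shows that putting the catch-all permit first lets every one of them through. On the FastIron CLI the same three steps would be an extended ACL bound inbound on `interface ve 15` with `ip access-group`; that syntax is an assumption from general ICX usage, not from the thread, so check it against the release documentation. One caveat the model makes visible: if guests resolve DNS against an internal server, a permit for udp/tcp 53 to that host has to sit before the RFC 1918 deny, otherwise guests get a lease but no name resolution.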
One other thought. You could also put DHCP on the router for the wireless network. That would remove the need to pass DHCP traffic between trusted/untrusted as well.