We help IT Professionals succeed at work.

Proper ACL for guest wireless traffic

Raymond Norton
Raymond Norton used Ask the Experts™
on
Info:
Aruba 3810
Vlans 801,802,803

Vlan 802 is our guest wireless subnet. I need to allow it to pull DNS from 801, pull dhcp from the switch, but not have any other access to 801 or 802 and go directly to the Internet, allowing all protocols. I only have access to the switch and am unable to test, so need to be sure I have things set up correctly. Does this accomplish what I need, based on the included config?

ip access-list extended "Guest Vlan Access"
     10 permit tcp 10.10.0.0 0.0.255.255 eq 53 172.17.0.0 0.0.255.255 log
     20 deny ip 10.10.0.0 0.0.255.255 172.17.0.0 0.0.255.255 log
     30 deny ip 10.10.0.0 0.0.255.255 10.13.0.0 0.0.255.255 log
     40 permit ip 10.10.0.0 0.0.255.255 0.0.0.0 255.255.255.255



Config:
vlan 801
   name "VLAN801"
   untagged 13
   ip address 172.17.1.2 255.255.0.0
   exit
vlan 801
   name "VLAN801"
   untagged 13
   ip address 172.17.1.2 255.255.0.0
   exit
vlan 802
   name "VLAN802"
   untagged 15
   ip access-group "Guest Vlan Access" out
   ip address 10.10.250.2 255.255.0.0
   dhcp-server
   exit

vlan 803
   name "VLAN803"
   untagged 16
   ip address 10.13.253.1 255.255.0.0
   dhcp-server
   exit

Open in new window

Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Distinguished Expert 2017

Commented:
Your ACL need only allow DNS udp/TCP  on port 53 to the internal DNS server.
You could have the VLAN guest use external DNS servers
On the vlan setup ip helper,DHCP relay agent which will proxy the requests.
WAN Admin
Commented:
This worked for me. Added any DNS in case the end user wanted to keep everything off of their network:

ip access-list extended "Guest Vlan Access"
10 permit udp 10.10.0.0 0.0.255.255 eq 53 172.17.0.0 0.0.255.255 log
16 permit icmp 10.10.0.0 0.0.255.255 172.17.0.0 0.0.255.255 log
20 permit udp 10.10.0.0 0.0.255.255 eq 53 0.0.0.0 255.255.255.255 log
30 deny ip 10.10.0.0 0.0.255.255 10.13.0.0 0.0.255.255 log
35 deny ip 10.10.0.0 0.0.255.255 172.17.0.0 0.0.255.255 log
40 permit ip 10.10.0.0 0.0.255.255 0.0.0.0 255.255.255.255
exit

vlan 802
   name "VLAN802"
   untagged 15
   ip access-group "Guest Vlan Access" in
   ip address 10.10.250.2 255.255.0.0
   dhcp-server
   exit