Vlan 802 is our guest wireless subnet. I need to allow it to pull DNS from 801, pull dhcp from the switch, but not have any other access to 801 or 802 and go directly to the Internet, allowing all protocols. I only have access to the switch and am unable to test, so need to be sure I have things set up correctly. Does this accomplish what I need, based on the included config?
ip access-list extended "Guest Vlan Access"
10 permit tcp 10.10.0.0 0.0.255.255 eq 53 172.17.0.0 0.0.255.255 log
20 deny ip 10.10.0.0 0.0.255.255 172.17.0.0 0.0.255.255 log
30 deny ip 10.10.0.0 0.0.255.255 10.13.0.0 0.0.255.255 log
40 permit ip 10.10.0.0 0.0.255.255 0.0.0.0 255.255.255.255
Config:
vlan 801
   name "VLAN801"
   untagged 13
   ip address 172.17.1.2 255.255.0.0
   exit
vlan 802
   name "VLAN802"
   untagged 15
   ip access-group "Guest Vlan Access" out
   ip address 10.10.250.2 255.255.0.0
   dhcp-server
   exit
vlan 803
   name "VLAN803"
   untagged 16
   ip address 10.13.253.1 255.255.0.0
   dhcp-server
   exit
Your ACL need only allow DNS (UDP/TCP on port 53) to the internal DNS server.
You could have the guest VLAN use external DNS servers.
On the VLAN, set up ip helper (the DHCP relay agent), which will proxy the requests.