TOPIC: Guest Only VLAN

Guest Only VLAN 9 years 2 months ago #23326

  • drizzle
Okay, this is probably something that is pretty easy but I have found very little documentation on best practices, how to, etc. This is pretty long but I want to make sure I am detailed in my explanation.

VLAN 110
- Subnet 10.10.10/24
- Protected business network

VLAN 777
- Subnet 10.10.0.0/24
- Contains WAN Stuff
- Internet Gateway 10.10.0.2

VLAN 666
- Subnet 192.168.0.0/24
- Guest Only VLAN

IP Routes
10.10.10.0 255.255.255.0 Vlan110
10.10.0.0 255.255.255.0 Vlan777
0.0.0.0 0.0.0.0 10.10.0.2

Now, with the routes and configuration above, VLAN 666 can talk amongst itself but cannot route anywhere. I want to add a route so that 192.168.0.0 traffic is routed to 10.10.0.2. But, that is the only device on the network it can talk to. What route would I add? I am assuming the answer is adding the following:

(config)# ip route 192.168.0.0 255.255.255.0 Vlan666
(config)# ip access-list extended Guest
(config-ext-nacl)# deny ip any any
(config-ext-nacl)# permit ip 192.168.0.0 0.0.0.255 host 10.10.0.2
(config-ext-nacl)# permit ip host 10.10.0.2 192.168.0.0 0.0.0.255
(config-ext-nacl)# exit
(config)# int vlan 666
(config-if)# ip access-group Guest out
(config-if)# ip access-group Guest in

Would that work? Any suggestions? Is there an easier way to do this? Thanks!

Semper Fidelis!
Andrew

Re: Guest Only VLAN 9 years 2 months ago #23366

  • Elohim
Actually, probably and maybe not... It depends on if you want the device at 10.10.0.2 (Internet gateway) to serve as the Internet gateway for devices in VLAN 666 or to serve as an endpoint for communications between 10.10.0.2 and 192.168.0.0/24. If 10.10.0.2 is to serve as the gateway, then it doesn't work because it's a transit device and your ACL assumes it's an endpoint.

If it is indeed the endpoint, then I believe your deny ip any any will end up at the top of the ACL list, which will block everything. You only need to apply this ACL in one direction.


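Added example (not part of either post): a small Python model of first-match ACL evaluation, run over the ACL from the question, showing both points raised in the reply. The guest host 192.168.0.25 and the address 203.0.113.10 (a documentation address standing in for an Internet host) are constructed; interface direction (in/out) is not modelled.

```python
import ipaddress

# ACL entries exactly as typed in the question; IOS keeps them in entry order.
ACL_AS_POSTED = """\
deny ip any any
permit ip 192.168.0.0 0.0.0.255 host 10.10.0.2
permit ip host 10.10.0.2 192.168.0.0 0.0.0.255
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _take_addr(tokens):                # consumes 'any', 'host A' or 'A WILDCARD'
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(first), _ip(tokens.pop(0))

def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto = tokens.pop(0), tokens.pop(0)
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported entry: {line!r}")
        entries.append((action, _take_addr(tokens), _take_addr(tokens), line.strip()))
    return entries

def _matches(addr, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF      # wildcard bits set to 1 are ignored
    return (addr & care) == (base & care)

def evaluate(entries, src, dst):
    for action, src_spec, dst_spec, line in entries:
        if _matches(_ip(src), src_spec) and _matches(_ip(dst), dst_spec):
            return action, line        # first matching entry wins
    return "deny", "(implicit deny)"   # every IOS ACL ends with an implicit deny

def deny_moved_last(text):
    lines = text.strip().splitlines()
    return "\n".join([l for l in lines if l != "deny ip any any"] + ["deny ip any any"])

if __name__ == "__main__":
    for acl in (ACL_AS_POSTED, deny_moved_last(ACL_AS_POSTED)):
        for dst in ("10.10.0.2", "203.0.113.10", "10.10.10.5"):
            print(f"{dst}: {evaluate(parse_acl(acl), '192.168.0.25', dst)}")
```

With the posted order every packet hits the leading deny. With the deny moved last, guest traffic addressed to 10.10.0.2 is permitted, but traffic to an Internet host is still denied because its destination address is the Internet host, not the gateway it transits.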