Guest Only VLAN

Okay, this is probably something that is pretty easy but I have found very little documentation on best practices, how to, etc. This is pretty long but I want to make sure I am detailed in my explanation.
VLAN 110
- Subnet 10.10.10/24
- Protected business network
VLAN 777
- Subnet 10.10.0.0/24
- Contains WAN Stuff
- Internet Gateway 10.10.0.2
VLAN 666
- Subnet 192.168.0.0/24
- Guest Only VLAN
IP Routes
10.10.10.0 255.255.255.0 Vlan110
10.10.0.0 255.255.255.0 Vlan777
0.0.0.0 0.0.0.0 10.10.0.2
Now, with the routes and configuration above, VLAN 666 can talk amongst itself but cannot route anywhere. I want to add a route so that 192.168.0.0 traffic is routed to 10.10.0.2. But, that is the only device on the network it can talk to. What route would I add? I am assuming the answer is adding the following:
(config)# ip route 192.168.0.0 255.255.255.0 Vlan666
(config)# ip access-list extended Guest
(config-ext-nacl)# deny ip any any
(config-ext-nacl)# permit ip 192.168.0.0 0.0.0.255 host 10.10.0.2
(config-ext-nacl)# permit ip host 10.10.0.2 192.168.0.0 0.0.0.255
(config-ext-nacl)# exit
(config)# int vlan 666
(config-if)# ip access-group Guest out
(config-if)# ip access-group Guest in
Would that work? Any suggestions? Is there an easier way to do this? Thanks!
Semper Fidelis!
Andrew
If it is indeed the endpoint, then I believe your deny ip any any will end up at the top of the ACL list which will block everything. You only need to apply this ACL in one direction.
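To make the ordering point concrete, here is an added example (not from either post): a small Python evaluator for the subset of IOS extended-ACL syntax used in the thread. It applies the same rules the switch does, top to bottom, first match wins, implicit deny at the end, and runs the ACL exactly as posted, the same ACEs with the permits first, and a third variant against a few constructed packets. The third variant, GUEST_ISOLATION, assumes the intent is "guests may reach 10.10.0.2 and the Internet through it, but nothing else internal"; that reading of the question, the name, and the sample addresses (192.168.0.10, 10.10.10.5, 8.8.8.8) are assumptions for illustration.

```python
"""Toy evaluator for Cisco IOS extended-ACL first-match semantics.

Added example, not code from the original thread. Parses a subset of the
extended-ACL syntax (permit|deny ip <src> <dst>, where each address is
'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD') and evaluates constructed
packets the way the switch does: top to bottom, first match wins, and an
implicit 'deny ip any any' at the end of every ACL.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    src: tuple    # (network as int, wildcard as int)
    dst: tuple


def _parse_addr(tokens, i):
    """Parse one address spec starting at tokens[i]; return ((net, wc), next_i)."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tok))
    wc = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wc), i + 2


def parse_acl(lines):
    """Turn IOS-style ACE lines into Ace objects, preserving their order."""
    aces = []
    for line in lines:
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # ignore blank lines and remarks
        assert tokens[1] == "ip", "only 'ip' ACEs are modelled here"
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)
        aces.append(Ace(tokens[0], src, dst))
    return aces


def _matches(spec, addr):
    net, wc = spec
    care = ~wc & 0xFFFFFFFF          # wildcard bit 1 means "don't care"
    return (addr & care) == (net & care)


def evaluate(aces, src_ip, dst_ip):
    """Return 'permit' or 'deny' for a packet from src_ip to dst_ip."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for ace in aces:
        if _matches(ace.src, s) and _matches(ace.dst, d):
            return ace.action        # first match wins
    return "deny"                    # implicit deny at the end of the ACL


# The ACL exactly as posted: the explicit deny was entered first, so it is
# the first ACE and matches every packet before either permit is reached.
POSTED = parse_acl([
    "deny ip any any",
    "permit ip 192.168.0.0 0.0.0.255 host 10.10.0.2",
    "permit ip host 10.10.0.2 192.168.0.0 0.0.0.255",
])

# Same ACEs with the permits first. The explicit deny is now redundant with
# the implicit one. Caveat: this only permits packets addressed *to*
# 10.10.0.2, not packets routed *through* it toward the Internet.
REORDERED = parse_acl([
    "permit ip 192.168.0.0 0.0.0.255 host 10.10.0.2",
    "permit ip host 10.10.0.2 192.168.0.0 0.0.0.255",
    "deny ip any any",
])

# Assumed intent: guests may reach the gateway host and the Internet beyond
# it, but no other internal subnet. Applied inbound on interface Vlan666 it
# filters packets arriving from guest hosts.
GUEST_ISOLATION = parse_acl([
    "permit ip 192.168.0.0 0.0.0.255 host 10.10.0.2",       # the gateway itself
    "deny ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.255",   # business VLAN 110
    "deny ip 192.168.0.0 0.0.0.255 10.10.0.0 0.0.0.255",    # rest of WAN VLAN 777
    "permit ip 192.168.0.0 0.0.0.255 any",                  # everything else (Internet)
])

# Constructed sample packets (guest host 192.168.0.10 is an assumption).
PACKETS = [
    ("192.168.0.10", "10.10.0.2"),   # guest -> gateway host
    ("192.168.0.10", "8.8.8.8"),     # guest -> Internet, via the gateway
    ("192.168.0.10", "10.10.10.5"),  # guest -> business network
    ("192.168.0.10", "10.10.0.9"),   # guest -> other WAN-VLAN device
]


def summary(aces):
    """Map each sample packet to the ACL decision, for comparison."""
    return {pkt: evaluate(aces, *pkt) for pkt in PACKETS}


if __name__ == "__main__":
    for name, acl in (("POSTED", POSTED), ("REORDERED", REORDERED),
                      ("GUEST_ISOLATION", GUEST_ISOLATION)):
        print(name)
        for pkt, verdict in summary(acl).items():
            print(f"  {pkt[0]:>14} -> {pkt[1]:<12} {verdict}")
```

Running it shows the posted ACL denying every sample packet, the reordered ACL permitting only the packet addressed to 10.10.0.2 (so guest Internet traffic is still dropped), and the isolation variant permitting the gateway host and Internet destinations while denying the business and WAN subnets.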