Create ACL for Guest VLAN

In this example I am creating an access list to restrict access to the “main” network from a “guest” VLAN. The one exception is the DHCP server, which the guests need to reach in order to pick up an address.

Main network subnets

10.100.10.0/24
192.168.252.201/22
10.99.10.0/24

Guest network subnet

10.40.0.0/21

DHCP server

10.99.10.101


Note that because the list ends with permit ip any any, it is a deny-list: every VLAN that guests must not reach has to be blocked explicitly, and any VLAN created later must be added to this list or guests will be able to reach it.

Dell PowerConnect 6000 Series

Create access list. DHCP runs over UDP and the clients send to port 67 on the server, so the exception is a udp rule with the port on the destination side:-

access-list Guest permit udp 10.40.0.0 0.0.7.255 10.99.10.101 0.0.0.0 eq 67
access-list Guest deny ip 10.40.0.0 0.0.7.255 10.100.10.0 0.0.0.255
access-list Guest deny ip 10.40.0.0 0.0.7.255 10.99.10.0 0.0.0.255
access-list Guest deny ip 10.40.0.0 0.0.7.255 192.168.252.0 0.0.3.255
access-list Guest permit ip any any

Apply ACL:-

interface vlan 40
ip access-group Guest in

Dell Force10 S4810 Switches

Create ACL:-

ip access-list extended Guest
seq 10 permit udp 10.40.0.0 255.255.248.0 10.99.10.101 255.255.255.255 eq 67
seq 20 deny ip 10.40.0.0 255.255.248.0 10.100.10.0 255.255.255.0
seq 30 deny ip 10.40.0.0 255.255.248.0 10.99.10.0 255.255.255.0
seq 40 deny ip 10.40.0.0 255.255.248.0 192.168.252.0 255.255.252.0
seq 100 permit ip any any

Apply ACL:-

interface vlan 40
ip access-group Guest in


This should now work. Don’t forget to use copy run start to save your changes!
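As an added example (my own code, not from the original post and not a Dell tool), the following Python checks the guest ACL offline before it goes on a switch: it parses the PowerConnect-style access-list lines, converts the wildcard masks into the subnet masks the Force10 syntax uses, and evaluates a few constructed packets top-down with first-match semantics, which is how both switches process the list. The guest host 10.40.1.20, the internet host 203.0.113.10 and the 10.50.10.0/24 “future VLAN” are invented for the demonstration; the DHCP rule is written as UDP to destination port 67.

```python
# Added example: offline checker for the guest-VLAN ACL (not Dell code).
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ALL_ONES = 0xFFFFFFFF

def wildcard_to_netmask(wildcard: str) -> str:
    """PowerConnect wildcard (0.0.7.255) -> Force10 subnet mask (255.255.248.0)."""
    return str(ipaddress.IPv4Address(ALL_ONES ^ int(ipaddress.IPv4Address(wildcard))))

def _network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    # Invert explicitly: a 0.0.0.0 wildcard means one host, not "any".
    return ipaddress.IPv4Network((addr, wildcard_to_netmask(wildcard)), strict=False)

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[int] = None  # None = any port
    dport: Optional[int] = None

    def matches(self, proto, src, dst, sport, dport) -> bool:
        return (self.proto in ("ip", proto)
                and ipaddress.IPv4Address(src) in self.src
                and ipaddress.IPv4Address(dst) in self.dst
                and self.sport in (None, sport)
                and self.dport in (None, dport))

def parse_rule(line: str) -> Rule:
    """Parse 'access-list NAME {permit|deny} PROTO SRC [eq P] DST [eq P]',
    where SRC and DST are 'any' or 'address wildcard'."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    action, proto, i = tok[2], tok[3], 4

    def endpoint():
        nonlocal i
        if tok[i] == "any":
            net, i = ipaddress.IPv4Network("0.0.0.0/0"), i + 1
        else:
            net, i = _network(tok[i], tok[i + 1]), i + 2
        port = None
        if i < len(tok) and tok[i] == "eq":
            port, i = int(tok[i + 1]), i + 2
        return net, port

    src, sport = endpoint()
    dst, dport = endpoint()
    return Rule(action, proto, src, dst, sport, dport)

def evaluate(acl: List[Rule], proto: str, src: str, dst: str,
             sport: int = 0, dport: int = 0) -> str:
    """Top-down, first match wins; no match falls to the implicit deny."""
    for rule in acl:
        if rule.matches(proto, src, dst, sport, dport):
            return rule.action
    return "deny"

def to_force10(acl: List[Rule], step: int = 10) -> List[str]:
    """Render the rules as Force10 'seq N' lines using subnet masks."""
    def ep(net: ipaddress.IPv4Network, port: Optional[int]) -> str:
        s = "any" if net.prefixlen == 0 else f"{net.network_address} {net.netmask}"
        return s if port is None else f"{s} eq {port}"
    return [f"seq {n * step} {r.action} {r.proto} {ep(r.src, r.sport)} {ep(r.dst, r.dport)}"
            for n, r in enumerate(acl, start=1)]

# The guest ACL from the post, with the DHCP exception as a UDP rule.
GUEST_ACL = [parse_rule(l) for l in """
access-list Guest permit udp 10.40.0.0 0.0.7.255 10.99.10.101 0.0.0.0 eq 67
access-list Guest deny ip 10.40.0.0 0.0.7.255 10.100.10.0 0.0.0.255
access-list Guest deny ip 10.40.0.0 0.0.7.255 10.99.10.0 0.0.0.255
access-list Guest deny ip 10.40.0.0 0.0.7.255 192.168.252.0 0.0.3.255
access-list Guest permit ip any any
""".strip().splitlines()]

# Constructed sample packets (proto, src, dst, sport, dport); the hosts and the
# "future VLAN" 10.50.10.0/24 are invented for this demonstration.
SAMPLES = {
    "dhcp_renew_unicast": ("udp", "10.40.1.20", "10.99.10.101", 68, 67),
    "dhcp_discover_broadcast": ("udp", "0.0.0.0", "255.255.255.255", 68, 67),
    "smb_to_dhcp_server": ("tcp", "10.40.1.20", "10.99.10.101", 51000, 445),
    "guest_to_main": ("tcp", "10.40.1.20", "10.100.10.5", 51001, 443),
    "guest_to_192_net": ("icmp", "10.40.1.20", "192.168.254.10", 0, 0),
    "guest_to_internet": ("tcp", "10.40.1.20", "203.0.113.10", 51002, 443),
    "guest_to_future_vlan": ("tcp", "10.40.1.20", "10.50.10.5", 51003, 22),
}

def check_guest_policy() -> dict:
    """Verdict per sample packet; 'guest_to_future_vlan' shows the deny-list gap."""
    return {name: evaluate(GUEST_ACL, *pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in check_guest_policy().items():
        print(f"{name:26} {verdict}")
    print("\n".join(to_force10(GUEST_ACL)))
```

Running it prints a verdict per packet and the Force10 rendering of the same rules (sequence numbers are generated at a fixed step of 10, so the last entry comes out as seq 50 rather than the seq 100 used above). The unicast DHCP renewal to 10.99.10.101 is permitted while SMB to the same server is denied, guest traffic to the three main subnets is denied, and the packet to the invented 10.50.10.0/24 is permitted, which is exactly the gap the note about adding every new VLAN refers to.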
