
Occasional Contributor II

firewall rules for guests on controller

Hi,

I have a controller with 3 VLANs: 1 for guests, 1 for admin and 1 for management. I want to restrict the guests from accessing the admin and management VLANs. Inter-VLAN routing is enabled on all VLANs. I want to do this with an ACL, so I want to know what the best practice is.

My VLANs are:

guest: 172.16.1.0

admin: 192.168.1.0

mgmt: 10.0.99.0

I made an alias for my admin and mgmt VLANs called int_network.

Is this a good setup?

Derived Role = 'Guest_1mbit'
Up BW contract = 1mbit_basic (1000000 bits/sec) (per-user)
Down BW contract = 1mbit_basic (1000000 bits/sec) (per-user)
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Assigned VLAN = 50
Periodic reauthentication: Disabled
ACL Number = 55/0
Max Sessions = 65535

Check CP Profile for Accounting = TRUE

access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 Deny_internal_lan session

Deny_internal_lan
-----------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 172.16.10.0 255.255.255.0 172.16.10.1 any permit Low 4
2 172.16.10.0 255.255.255.0 int_network  any deny Low 4
3 172.16.10.0 255.255.255.0 any any permit Low 4

Thanks,

Akki

Re: firewall rules for guests on controller

Did you make a typo in your guest VLAN? You have the guest as 172.16.1.0/24, but the ACL has the rules for source 172.16.10.0/24.

To be safe, change line 2 to:

2 any int_network  any deny Low 4


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACCX #817, ACMP, ACMX #294
Occasional Contributor II

Re: firewall rules for guests on controller

Hi Michael,

Yeah, sorry, it was a typo; I should have written 172.16.10.0.

So it looks like this now:

Derived Role = 'Guest_1mbit'
Up BW contract = 1mbit_basic (1000000 bits/sec) (per-user)
Down BW contract = 1mbit_basic (1000000 bits/sec) (per-user)
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Assigned VLAN = 50
Periodic reauthentication: Disabled
ACL Number = 55/0
Max Sessions = 65535

Check CP Profile for Accounting = TRUE

access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 Deny_internal_lan session

Deny_internal_lan
-----------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 172.16.10.0 255.255.255.0 172.16.10.1 any permit Low 4
2 any int_network any deny Low 4
3 172.16.10.0 255.255.255.0 any any permit Low 4

Expired Policies (due to time constraints) = 0

When I apply this to the guest_1mbit role I notice I get an IP address, but after 2 sec I lose it and can't get a new one. Am I doing something wrong? When I had the allow-all rule it was working fine.
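As an added illustration (not from the thread and not ArubaOS code), the Python script below models first-match evaluation of the Deny_internal_lan ACL exactly as listed in the post above, with the guest subnet 172.16.10.0/24, the int_network alias (admin 192.168.1.0/24 plus mgmt 10.0.99.0/24) and 172.16.10.1 as the guest gateway taken from the thread, and constructed sample flows and host addresses. It ignores any controller-specific handling of DHCP or broadcast traffic; its purpose is to check which destinations rule 2 catches.

```python
import ipaddress

# Aliases from the thread: int_network = admin + mgmt VLANs. "any" is the wildcard.
ALIASES = {
    "int_network": ["192.168.1.0/24", "10.0.99.0/24"],
    "any": ["0.0.0.0/0"],
}

# Session ACL "Deny_internal_lan" as shown in the second post (first match wins).
# Tuples are (source, destination, service, action). 172.16.10.1 is assumed to be
# the guest VLAN gateway; the thread does not say so explicitly.
DENY_INTERNAL_LAN = [
    ("172.16.10.0/24", "172.16.10.1/32", "any", "permit"),
    ("any", "int_network", "any", "deny"),
    ("172.16.10.0/24", "any", "any", "permit"),
]


def _matches(spec, ip):
    """True if ip falls inside the alias or CIDR named by spec."""
    nets = ALIASES.get(spec, [spec])
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def evaluate(acl, src, dst, service):
    """Return (rule_number, action) of the first matching rule, or (None, 'deny')
    for the implicit deny that follows the last rule of a session ACL."""
    for number, (s, d, svc, action) in enumerate(acl, start=1):
        if _matches(s, src) and _matches(d, dst) and svc in ("any", service):
            return number, action
    return None, "deny"


# Constructed sample flows from a guest client (172.16.10.23 is made up).
# 203.0.113.10 stands in for an Internet host; 10.0.99.10 for a server in the mgmt VLAN.
FLOWS = [
    ("172.16.10.23", "172.16.10.1", "svc-dns", "guest -> own gateway"),
    ("172.16.10.23", "192.168.1.50", "svc-http", "guest -> admin VLAN host"),
    ("172.16.10.23", "10.0.99.10", "svc-dhcp", "guest -> DHCP/DNS server in mgmt VLAN"),
    ("172.16.10.23", "203.0.113.10", "svc-https", "guest -> Internet host"),
]

if __name__ == "__main__":
    for src, dst, svc, label in FLOWS:
        number, action = evaluate(DENY_INTERNAL_LAN, src, dst, svc)
        rule = f"rule {number}" if number else "implicit deny"
        print(f"{label:40} {src:>13} -> {dst:<13} {svc:10} {action:6} ({rule})")
```

Rule 2 matches every service, DHCP and DNS included, towards int_network, so if the guest VLAN's DHCP or DNS server lives in the admin or mgmt VLAN, that flow is the first thing to verify (for example with an explicit permit for that server placed above rule 2).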
