Comware


Guest Network - DHCP

  • 1.  Guest Network - DHCP

    EMPLOYEE
    Posted Jul 08, 2020 10:03 PM

    Our Network has 3 Vlans. 

    Vlan 1 - Corp Wired        10.1.0.0/19

    Vlan 101 - Corp Wireless    10.101.0.0/19

    Vlan 32 - Guest Wireless    192.168.1.0/19

     

    Our DHCP server (VM) sits on Vlan 1.  Our edge router (5406 or 5412) has IP routing enabled so inter vlan communication is enabled.

    I would like to secure Vlan 32 from access to all Corp Vlans.  I assume the best method is adding an ACL. However, Vlan 32 needs to obtain DHCP, which sits on our DC and is on Vlan 1.  Adding another DHCP server is out of the question.  Vlan 32 just needs access to the internet. 

    I am not sure what is the best practice so Vlan 32 can obtain DHCP once the ACL is in place. 

    Thoughts?

     

     


    #VLAN
    #DHCP
    #ACL


  • 2.  RE: Guest Network - DHCP

    EMPLOYEE
    Posted Jul 15, 2020 08:24 AM

    In reply to my own question: I added the following ACL, which does get an IP from the DHCP server 10.1.3.200; however, I cannot get internet access.  (The Guest network is 10.101.32/19, not the 192 address I listed above.)

    I have applied this ACL to the Vlan as vlan-in and in, to no avail.

    ip access-list extended "105"
    10 permit udp 10.101.32.0 0.0.31.255 10.1.3.200 0.0.0.0 eq 67
    20 permit udp 10.101.32.0 0.0.31.255 10.1.3.200 0.0.0.0 eq 68
    30 permit tcp 10.101.32.0 0.0.31.255 0.0.0.0 eq 53
    40 permit tcp 10.101.32.0 0.0.31.255 0.0.0.0 eq 80
    50 permit tcp 10.101.32.0 0.0.31.255 0.0.0.0 eq 443


    show statistics aclv4 105 vlan 32 in

                    10 permit udp 10.101.32.0 0.0.31.255 10.1.3.200 0.0.0.0 eq 67
                    20 permit udp 10.101.32.0 0.0.31.255 10.1.3.200 0.0.0.0 eq 68
                    30 permit tcp 10.101.32.0 0.0.31.255 0.0.0.0 eq 53
                    40 permit tcp 10.101.32.0 0.0.31.255 0.0.0.0 eq 80
    (22 hits)  50 permit tcp 10.101.32.0 0.0.31.255 0.0.0.0 eq 443
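
Added example, not part of the original posts: a small first-match evaluator that runs a few constructed packets through ACL 105 as posted, to show which ACE (if any) each one hits before the implicit deny at the end of the list. Assumptions: the bare destination `0.0.0.0` in ACEs 30-50 is read as "any", and every address other than 10.1.3.200 and the guest subnet is a constructed sample.

```python
import ipaddress
from collections import namedtuple

# ACL 105 exactly as posted in the thread.
ACL_105 = """\
10 permit udp 10.101.32.0 0.0.31.255 10.1.3.200 0.0.0.0 eq 67
20 permit udp 10.101.32.0 0.0.31.255 10.1.3.200 0.0.0.0 eq 68
30 permit tcp 10.101.32.0 0.0.31.255 0.0.0.0 eq 53
40 permit tcp 10.101.32.0 0.0.31.255 0.0.0.0 eq 80
50 permit tcp 10.101.32.0 0.0.31.255 0.0.0.0 eq 443
"""
Ace = namedtuple("Ace", "seq action proto src smask dst dmask port")

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def parse_acl(text):
    """Parse 'seq action proto src wildcard dst [wildcard] eq port' lines."""
    aces = []
    for f in (line.split() for line in text.splitlines() if line.strip()):
        if f[6] == "eq":
            # ASSUMPTION: a destination with no wildcard means "any".
            dmask, port = "255.255.255.255", f[7]
        else:
            dmask, port = f[6], f[8]
        aces.append(Ace(int(f[0]), f[1], f[2], f[3], f[4], f[5], dmask, int(port)))
    return aces

def matches(addr, base, wildcard):
    care = ~_ip(wildcard) & 0xFFFFFFFF  # wildcard 1-bits are "don't care"
    return (_ip(addr) & care) == (_ip(base) & care)

def evaluate(aces, proto, src, dst, dport):
    """Return (seq, action) of the first matching ACE, else the implicit deny."""
    for a in aces:
        if (a.proto == proto and a.port == dport
                and matches(src, a.src, a.smask) and matches(dst, a.dst, a.dmask)):
            return a.seq, a.action
    return None, "deny"

GUEST = "10.101.32.50"  # constructed guest client address
SAMPLES = [  # constructed packets: (label, proto, src, dst, dst port)
    ("DHCP to server", "udp", GUEST, "10.1.3.200", 67),
    ("DNS over UDP", "udp", GUEST, "192.0.2.53", 53),
    ("DNS over TCP", "tcp", GUEST, "192.0.2.53", 53),
    ("HTTPS to internet", "tcp", GUEST, "198.51.100.10", 443),
    ("HTTPS to Corp Wired host", "tcp", GUEST, "10.1.0.10", 443),
]
if __name__ == "__main__":
    for label, *pkt in SAMPLES:
        print(f"{label:26} -> {evaluate(parse_acl(ACL_105), *pkt)}")
```

Under those assumptions, name lookups sent over UDP port 53 reach no permit entry, while TCP 443 from the guest subnet toward a Corp Wired address is matched by ACE 50.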