How to Configure ACL on S-Series to Control Guest Network Access

Objective
Permit the Guest network to access the public Internet while blocking access to internal subnets
 
Environment
  • S-Series
  • Firmware version 08.xx.xx.xxxx and greater
  • ACL
  • Private internal networks
  • Public Internet Access
Procedure
1  Configure an extended ACL with permits and denies as required (the Guest subnet here is 192.168.1.0/24):
configure
ip access-list extended internet-only
permit ip 192.168.1.0 0.0.0.255 host 192.168.2.50
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.10.0 0.0.0.255
permit ip any any
exit
2  Apply the ACL to the Guest Network Interface as an input:
interface vlan 10
ip access-group internet-only in


In the above example, clients are in the 192.168.1.0/24 range. The ACL allows them to reach the DNS server 192.168.2.50 while denying access to the internal subnets 10.0.0.0/8 and 172.16.10.0/24.
The final "permit ip any any" statement allows all other traffic from the clients to the Internet.
 
Additional notes
  • Access to the DNS servers must be permitted before the deny statements; the permit to any must come after the deny statements
  • Wildcard masks are the inverse of a normal subnet mask; calculate one by subtracting each octet of the subnet mask from 255
Example:
Subnet Mask = 255.255.224.0
Subtract each octet from 255 to get the wildcard mask = 0.0.31.255
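
The ordering rule and the wildcard calculation above can be checked offline before the ACL is applied. The Python below is an added example, not vendor code: it parses the four ACL lines from the procedure and evaluates them first-match against constructed test packets; all function names and test addresses are assumptions made for illustration.

```python
import ipaddress

# ACL lines copied from the procedure above.
ACL = """\
permit ip 192.168.1.0 0.0.0.255 host 192.168.2.50
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.10.0 0.0.0.255
permit ip any any
"""

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_from_mask(mask):
    """Subnet mask -> wildcard mask (each octet subtracted from 255)."""
    return str(ipaddress.IPv4Address(to_int(mask) ^ 0xFFFFFFFF))

def take_spec(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (to_int(tokens[1]), 0), tokens[2:]
    return (to_int(tokens[0]), to_int(tokens[1])), tokens[2:]

def parse(acl_text):
    rules = []
    for line in acl_text.strip().splitlines():
        action, _proto, *rest = line.split()
        src, rest = take_spec(rest)
        dst, _ = take_spec(rest)
        rules.append((action, src, dst, line))
    return rules

def hit(spec, addr):
    base, wild = spec
    # Bits set in the wildcard are "don't care"; the rest must equal the base.
    return (to_int(addr) | wild) == (base | wild)

def evaluate(rules, src, dst):
    """Return (action, rule text) of the first matching line."""
    for action, s, d, line in rules:
        if hit(s, src) and hit(d, dst):
            return action, line
    return "no-match", None

if __name__ == "__main__":
    for dst in ("192.168.2.50", "10.1.2.3", "172.16.20.7", "8.8.8.8"):  # constructed
        print(dst, evaluate(parse(ACL), "192.168.1.25", dst))
```

Destinations not covered by a deny line, such as the constructed 172.16.20.7, fall through to "permit ip any any", so every internal range that guests must not reach has to be listed explicitly before that final permit.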

See also: How to configure ACL to permit through two hosts on different subnets on S-Series and N-Series
 
