Wednesday, September 19, 2018

Restricting Network Access for Guest Wireless

Hoping this isn't going to generate a bunch of "in over your head" responses.

I am trying to restrict access for our Guest Wireless VLAN to be internet only, no internal LAN access.

Clients authenticate 802.1X via Aironet 3602 back to a 5508 WLC.

We have redundant N7K cores with a PBR route-map assigned.

I'm trying to build a simple ACL so that the wireless clients have access to the VLAN they are authenticated on, the internet, and nothing else.

When I tried to configure the ACL, I received errors stating "deny statements are not permitted" ... so that sucked.

I've tried configuring the ACL on the 5508 itself, but simply allowing access to the Guest VLAN and Authentication Server VLAN would not allow them to hit the internet.

This very well could be a lack of understanding on my part, and I'm willing to accept that. I just thought I could reach out for an assist, or a place to start researching.

I've tried several things I found through the Cisco Learning Network, none have worked.

One engineer suggested creating two separate ACLs, one with the permit scope, one with the deny scope (but with permit statements), and to allow/deny each within the PBR, but alas that failed as well.

I honestly don't have a firm understanding of PBR, so maybe this really is out of my league, but I'm willing to research and study, so I'm just here for advice, not to be handed the answer.

This seemed like a very simple thing to do until the PBR got involved (sounds like college, am I right?)

Any help would be appreciated, I can post configs if needed.
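One way to get the "Internet only" behaviour asked about above without involving PBR at all, as an added example (this is not the poster's configuration and not a Cisco-supplied one): a router ACL applied inbound on the guest SVI of the N7K. A PBR route-map match ACL only selects traffic to be redirected, which is why it rejects deny statements, whereas an interface ACL is a first-match filter with an implicit deny at the end, so internal address space can be blocked explicitly before a catch-all permit. The VLAN number, guest subnet and DNS resolver address below are assumed placeholders.

```cisco
! Added example, not the original poster's config. Assumed values:
!   Vlan100        = guest wireless SVI on each N7K
!   10.100.0.0/24  = guest client subnet
!   10.20.0.53     = internal DNS resolver the guest clients are allowed to use
!   10/8, 172.16/12, 192.168/16 = internal (RFC 1918) space to keep guests out of
! Entries are evaluated top to bottom, first match wins, implicit deny at the end.
ip access-list GUEST-WIFI-IN
  statistics per-entry
  10 remark DHCP from guest clients (relayed by the SVI)
  20 permit udp any eq bootpc any eq bootps
  30 remark DNS to the permitted resolver only
  40 permit udp any host 10.20.0.53 eq domain
  50 permit tcp any host 10.20.0.53 eq domain
  60 remark Block all internal space before the catch-all permit
  70 deny ip any 10.0.0.0/8
  80 deny ip any 172.16.0.0/12
  90 deny ip any 192.168.0.0/16
  100 remark Everything that is left is the Internet
  110 permit ip any any

interface Vlan100
  description Guest Wireless
  ip address 10.100.0.1/24
  ip access-group GUEST-WIFI-IN in
```

Apply the same ACL on both N7K cores, since an interface ACL is local to each switch. Two caveats a practitioner would want: traffic between two guest clients on the same VLAN is switched at layer 2 and never reaches the SVI, so this ACL does not govern client-to-client traffic (that is a peer-to-peer blocking setting on the WLC, not a routing-layer ACL); and with `statistics per-entry` enabled, `show ip access-lists GUEST-WIFI-IN` shows per-line hit counters, which is the quickest way to confirm that guest traffic is landing on the deny lines rather than on the final permit.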