ACL for Guest Network

SOLVED
Ben83
Here to help

Hi,

I am setting up a new network for our company and am working on ACLs to control access to various network segments. All routing is performed on a layer 3 core switch. In this example, let's say we have the following 4 VLANs.

Engineering, Sales, Finance, and Uplink (for internet).

Currently, the default ACL allows access to ALL other VLANs. If I want to block access to all VLANs other than the internet, I need to set up an individual deny ACL for each of the VLANs, Engineering and Finance. Are there other solutions that don't require creating an individual ACL to block access each time a new VLAN is added?

Example 2 of this support article mentions using the source VLAN rather than the subnet; however, this would also block internet traffic.

What is the recommended solution?

Thanks

1 ACCEPTED SOLUTION
MerakiDave
Meraki Employee
Meraki Employee

That's correct, I believe you would need to call out each of the explicit allows/denies with a switch ACL as the support doc describes, so you can explicitly block traffic between the Sales, Engineering, Finance VLANs as well as allow any of those VLANs to the Uplink VLAN. Since the ACL with only the VLAN ID specified (vlan 10 in the example) also blocks intra-VLAN traffic as well as inter-VLAN traffic, you may end up just doing this by IP source/dest and not need to specify VLAN IDs. Unless I misunderstood what you were trying to do. Also wasn't sure if the L3 core switch is where you're applying the ACL or if that's external to the environment, since the ACLs are defined at the network level in Dashboard.

10 REPLIES
Steinbep
Getting noticed

Ben-

Where are you looking to create the ACL?  You mention all routing is done on an L3 Core switch.  Do you have an MX?

Wireless? If you are running wireless only the below config should give you what you need.  You just need to make allowances before the deny statement if you need access to something. 

[Screenshot: meraki_deny_local.JPG]

Adam
Kind of a big deal

Depending on how your VLAN subnets are configured you may be able to supernet. For example:

Engineering 10.0.1.0/24

Sales 10.0.2.0/24

Finance 10.0.3.0/24

Then you'd create 3 ACLs

Deny Any 10.0.1.0/24 10.0.0.0/16

Deny Any 10.0.2.0/24 10.0.0.0/16

Deny Any 10.0.3.0/24 10.0.0.0/16

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
Ben83
Here to help

Hey @Adam,

I had considered this as well, it would certainly simplify the rules.

Unfortunately, I inherited this network and the subnets are not set up to allow this, however, I may modify to allow for this.

Thanks

ph0t0g
Getting noticed

I have a similar question, so rather than add a new topic, I will piggy-back on this one.

So if I have this right, in order to create a "Guest" VLAN that will only have internet access, you have to explicitly deny access from that "Guest" VLAN to every other VLAN in the network?

@Adam's suggestion of supernetting simplifies the rules significantly.

For example, you could set up your network something like this.

Name         Subnet           Supernet
Corp         10.50.0.0/23     10.50.0.0/20
Eng          10.50.2.0/23     10.50.0.0/20
Voice        10.50.4.0/23     10.50.0.0/20
Management   10.50.6.0/24     10.50.0.0/20
Spare        10.50.7-15       10.50.0.0/20
Guest        10.50.200.0/23   10.50.200.0/23

Then add two rules.

Deny Guest to All Company Subnets - Deny source 10.50.200.0/23 destination 10.50.0.0/20

Deny All Company Subnets to Guest - Deny source 10.50.0.0/20 destination 10.50.200.0/23

ph0t0g
Getting noticed

Thanks Ben83. I can see how that would work, but I wish I did not have to reconfigure my IP address scheme to accommodate a guest network.

I was hoping I could do something like this, but only for the wired LAN...

A common usage for this would be the "guest SSID" scenario. Changing the Policy for traffic destined to the Local LAN from Allow to Deny prevents clients on the Guest SSID from accessing the LAN but still allows connections to the Internet. This feature can be used in both Bridge Mode and NAT Mode.

However, when you put in the destination of "Local LAN" for an MS or MX firewall ACL, you get....

There were errors in saving this configuration:

  • Destination address must be an IP address or a subnet in CIDR form (e.g. '192.168.1.0/24'), or 'any'

Maybe I should add this to my wish list.

-P

ph0t0g
Getting noticed

After considering my last post, I decided to try this...

[Screenshot: New ACL.JPG]

I have not had time to test it yet, but it should work.

-P

My guess is that by doing this, the Subnet 172.16.3.0/24 will not be able to reach the internet anymore, because it won’t be able to reach the uplink Subnet which is also a RFC1819 network.

So in my opinion you would need to make an Allow rule with 172.16.3.0/24 as the Source and the uplink subnet as the destination, above the Deny rules.
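The two designs discussed in this thread (Ben83's two supernet deny rules, and a guest VLAN that denies all RFC 1918 space with an allow for the uplink subnet placed above the denies) can be checked offline with a small first-match ACL evaluator. This is an added example, not code from the thread or from Meraki; the uplink subnet and the host addresses are constructed assumptions.

```python
import ipaddress
from typing import Dict, List, Tuple

# A rule is (action, source CIDR, destination CIDR). First match wins, and an
# implicit allow sits at the end, matching the thread's default switch ACL.
Rule = Tuple[str, str, str]

# Addressing from Ben83's table, plus an ASSUMED RFC 1918 transit /30 towards the
# internet router (constructed for this example, not from the thread).
GUEST = "10.50.200.0/23"
COMPANY = "10.50.0.0/20"
UPLINK = "192.168.255.0/30"
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def evaluate(rules: List[Rule], src: str, dst: str) -> str:
    """Return 'allow' or 'deny' for one src->dst packet under first-match semantics."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_cidr, dst_cidr in rules:
        if s in ipaddress.ip_network(src_cidr) and d in ipaddress.ip_network(dst_cidr):
            return action
    return "allow"  # implicit default allow, as the original poster describes


# Ben83's design: guest and company supernets blocked in both directions.
SUPERNET_RULES: List[Rule] = [("deny", GUEST, COMPANY), ("deny", COMPANY, GUEST)]

# Guest denied to all RFC 1918 space. Without an allow for the uplink subnet above
# the denies, the uplink subnet itself is unreachable; an allow placed BELOW the
# denies never matches, so ordering is what makes the exception work.
RFC1918_DENY_ONLY: List[Rule] = [("deny", GUEST, net) for net in RFC1918]
UPLINK_ALLOW_ABOVE: List[Rule] = [("allow", GUEST, UPLINK)] + RFC1918_DENY_ONLY
UPLINK_ALLOW_BELOW: List[Rule] = RFC1918_DENY_ONLY + [("allow", GUEST, UPLINK)]


def guest_reachability(rules: List[Rule]) -> Dict[str, str]:
    """Summarise what a constructed guest host can reach under a rule set."""
    guest_host = "10.50.200.10"
    return {
        "internet": evaluate(rules, guest_host, "203.0.113.5"),   # public (TEST-NET-3)
        "corp": evaluate(rules, guest_host, "10.50.0.25"),        # inside 10.50.0.0/20
        "uplink": evaluate(rules, guest_host, "192.168.255.1"),   # assumed router side
    }


if __name__ == "__main__":
    for name, rules in [("supernet", SUPERNET_RULES), ("rfc1918 deny only", RFC1918_DENY_ONLY),
                        ("allow above", UPLINK_ALLOW_ABOVE), ("allow below", UPLINK_ALLOW_BELOW)]:
        print(f"{name:18} {guest_reachability(rules)}")
```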

Hey @MerakiDave, thanks for the info.

The ACLs are being applied on the L3 switch. It's simple enough to call out each network in a separate ACL, and I guess it also gives more granular control over additional VLANs to locate shared resources like printers, etc.

So far, I have been setting these up via source/destination subnet, as you mentioned.