# Guest Network Setup



## support707 (Apr 6, 2016)

Hi,

I want to set up a guest network for my company, provided that guests logged into this network get only access to the internet and do not gain access to, or cause any harm to, my internal network. I am using a Cisco 3750X.

The setup done by me is as below.

Created a separate VLAN for the guest network, denying permission to access other VLANs.

Is there anything else I should do to prevent access to my internal network?


Thanks,


----------



## MitchConner (May 8, 2015)

Hi mate,

Can you show me the access-list you created and attached to the SVI?


----------



## support707 (Apr 6, 2016)

Guest Network IPs – 172.21.15.0
DNS – 172.21.1.1
Printer IP – 172.21.5.1
Other VLANs – 172.21.1.0, 172.21.2.0 etc.

```
ip access-list extended Guest-Restrict-Acl
remark --[Allow Guest DNS requests to DNS Server]--
permit udp 172.21.15.0 0.0.0.255 host 172.21.1.1 eq domain
remark [Necessary for DHCP Server to receive Client requests]
permit udp any any eq bootps
permit udp any any eq bootpc
remark --[Printer Access for Guest ]--
permit ip 172.21.15.0 0.0.0.255 host 172.21.5.1
remark --[Deny Guest Access to other VLANs]--
deny ip 172.21.15.0 0.0.0.255 172.21.1.0 0.0.0.255 log
deny ip 172.21.15.0 0.0.0.255 172.21.2.0 0.0.0.255 log
deny ip 172.21.15.0 0.0.0.255 172.21.3.0 0.0.0.255 log
remark --[Permit Guest Access to everywhere else Internet ]--
permit ip 172.21.15.0 0.0.0.255 any
```


----------



## MitchConner (May 8, 2015)

Hi mate. Yeah, that's pretty much it.

There's not much more I would do, to be honest, beyond changing the ACL slightly. I'd deny to the internal networks on your guest interface and permit everything else. You could also do the same on your other interfaces.

From a general security point of view, make sure you're not using VLAN 1 for anything, set another (e.g. 999) as your native VLAN, and don't allow it across any trunks.

I'd also look at configuring Dynamic ARP Inspection and DHCP snooping.


----------



## support707 (Apr 6, 2016)

Thanks.

Consider I need to give one printer access to the guest VLAN. Is the below configuration okay? Since this printer's IP is on the common VLAN, how do we ensure that guests don't get access to the other VLAN through the printer?


Guest Network IPs – 172.21.15.0
DNS – 172.21.1.1
Printer IP – 172.21.5.1
Other VLANs – 172.21.1.0, 172.21.2.0, 172.21.3.0, 172.21.4.0, 172.21.5.0 etc.

```
ip access-list extended Guest-Restrict-Acl
remark --[Allow Guest DNS requests to DNS Server]--
permit udp 172.21.15.0 0.0.0.255 host 172.21.1.1 eq domain
remark [Necessary for DHCP Server to receive Client requests]
permit udp any any eq bootps
permit udp any any eq bootpc
remark --[Printer Access for Guest ]--
permit ip 172.21.15.0 0.0.0.255 host 172.21.5.1
remark --[Deny Guest Access to other VLANs]--
deny ip 172.21.15.0 0.0.0.255 172.21.1.0 0.0.0.255 log
deny ip 172.21.15.0 0.0.0.255 172.21.2.0 0.0.0.255 log
deny ip 172.21.15.0 0.0.0.255 172.21.3.0 0.0.0.255 log
deny ip 172.21.15.0 0.0.0.255 172.21.4.0 0.0.0.255 log
deny ip 172.21.15.0 0.0.0.255 172.21.5.0 0.0.0.255 log
remark --[Permit Guest Access to everywhere else Internet ]--
permit ip 172.21.15.0 0.0.0.255 any
```


----------



## MitchConner (May 8, 2015)

I would get another printer and use that for guest only, but if you must, I would change the statement to only allow the ports required for printing.


----------



## support707 (Apr 6, 2016)

Thanks.


----------

