Routing policy and ACL

Question · Answered · Updated 4 years ago
We want to create a wired guest network inside each one of our buildings. Each building has a switch (an X460 that acts as a router) with multiple VLANs, each with an interface and each with OSPF enabled on the backbone. These switches are then all connected to our EAPS WAN link that connects all buildings together. I want to create two new VLANs:

create vlan Guest tag ...  #-- This VLAN would be inside each building
create vlan GuestDefaultGateway tag ... #-- This VLAN would be a protected VLAN on the EAPS ring

I want Guest to not be able to access any of our district networks, but we need the devices to be able to get DHCP from our DHCP server (which is outside each building, on our district networks). By setting up bootprelay we can forward the requests to get the IP address.

If I set up an ACL with two entries, one allowing UDP port 67 and another entry blocking all other access to district devices, I think (in my own twisted mind) I should be OK.

I then want this Guest network to only go out the new GuestDefaultGateway VLAN. Can I set up a routing policy that will set the next-hop for the GuestDefaultGateway?

Thanks in advance to all!

bw447, posted 4 years ago
Paul Russo, Alum

Official Response
Hey BW447, so it sounds like all of the Layer 2 guest VLANs will be tagged all the way back to the core, correct? At that point, will you have the IP addresses on the core switch?

Your ACL looks correct. You will need to add another entry to allow the unicast DHCP offer to get back to the host, using port 68 I think.

You could then put in an entry with a redirect statement to forward it:

    redirect ipv4_addr — Forwards the packet to the specified IPv4 address (BlackDiamond X8 series switches, BlackDiamond 8000 c-, e-, xl-, and xm-series modules, and Summit family switches)

    Redirecting Packets
    Packets are forwarded to the IPv4 address specified, without modifying the IP header (except that the TTL is decremented and the IP checksum is updated). The IPv4 address must be in the IP ARP cache, otherwise the packet is forwarded normally. Only fast path traffic can be redirected. This capability can be used to implement Policy-Based Routing.

Would that help?
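Putting the question and the answer together, here is an added example (written for this page; it is not code from either poster nor from Extreme's documentation) of what the Guest ACL policy file and the supporting CLI steps could look like on EXOS. Every address is assumed for illustration: 10.20.30.40 as the district DHCP server, 10.0.0.0/8 as the district address space, 172.16.50.0/24 as the Guest VLAN subnet and 192.0.2.1 as the next-hop on the GuestDefaultGateway VLAN. The policy name Guest-wired and the counter names are likewise invented.

```text
# Guest-wired.pol -- EXOS ACL policy (added example; all addresses and names are assumed)
# Entries are evaluated top to bottom; the first matching entry wins, so the
# DHCP permits must sit above the district deny.

# 1. DHCP DISCOVER/REQUEST from a client with no address yet is a broadcast to port 67.
entry dhcp_broadcast {
    if match all {
        protocol udp;
        destination-port 67;
        destination-address 255.255.255.255/32;
    } then {
        permit;
        count dhcp_broadcast;
    }
}

# 2. Renewals are unicast straight to the server. Allow port 67 only to that one
#    host instead of to every district address, as the question's rule would.
entry dhcp_unicast_to_server {
    if match all {
        protocol udp;
        destination-port 67;
        destination-address 10.20.30.40/32;    # assumed district DHCP server
    } then {
        permit;
        count dhcp_unicast;
    }
}

# 3. The unicast OFFER/ACK back toward the client (port 68), as the answer suggests.
#    It only takes effect where the replies actually pass through this policy.
entry dhcp_reply_to_client {
    if match all {
        protocol udp;
        source-address 10.20.30.40/32;
        source-port 67;
        destination-port 68;
    } then {
        permit;
        count dhcp_reply;
    }
}

# 4. Everything else toward district space is dropped and counted.
entry deny_district {
    if match all {
        destination-address 10.0.0.0/8;        # assumed district address space
    } then {
        deny;
        count guest_to_district;
    }
}

# 5. Remaining guest traffic is policy-routed to the GuestDefaultGateway next-hop.
#    As the quoted documentation says, 192.0.2.1 must already be in the IP ARP
#    cache; otherwise the packet is simply routed normally.
entry pbr_to_guest_gateway {
    if match all {
        source-address 172.16.50.0/24;         # assumed Guest VLAN subnet
    } then {
        redirect 192.0.2.1;                    # assumed next-hop on GuestDefaultGateway
        count guest_redirected;
    }
}

# --- CLI steps on each building's X460 (assumed VLAN and policy names) ---
# configure bootprelay add 10.20.30.40
# enable bootprelay vlan Guest               (older EXOS releases only have the global "enable bootprelay")
# check policy Guest-wired
# configure access-list Guest-wired vlan Guest ingress
#
# Checks after applying:
# show iparp 192.0.2.1                       -> the next-hop must be listed, or entry 5 silently falls back
# show access-list counter vlan Guest        -> guest_to_district should increment when you test from a guest port
```

Because EXOS evaluates entries in file order, swapping entry 4 above the two DHCP permits would silently break address assignment; the per-entry counters are what make that kind of mistake visible. The redirect entry also depends on the ARP cache condition from the documentation quoted in the answer, so verifying the next-hop with `show iparp` is part of applying it, not an afterthought.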