Thanks in advance to all!
We want to create a wired guest network inside each one of our buildings. Each building has a switch (x460 that acts like a router) that has multiple vlans, each with an interface, with each having ospf enabled on the backbone. These switches are then all connected to our EAPS WAN link that connects all buildings together. I want to create 2 new vlans:
create vlan Guest tag ... #-- This vlan would be inside each building
create vlan GuestDefaultGateway tag ... #-- This vlan would be a protected vlan on the EAPS ring
I want Guest to not be able to access any of our district networks, but we need the devices to be able to get DHCP from our DHCP server (which is outside each building) which are all on our district networks. By setting up bootprelay we can forward requests to get the IP Address.
If I set up an ACL with 2 entries, one allowing udp port 67 and another entry blocking all other access to district devices, I think (in my own twisted mind) I should be OK.
I then want this Guest Network to only go out the new GuestDefaultGateway vlan. Can I set up a routing policy that will set the next-hop for the GuestDefaultGateway?