Sorry to de-rail the de-rail but seeing as this thread seems to be a bit more lively than another thread I had some VLAN bits in I'm going to be cheeky and cross-post...
If designing an ACL to do something along the lines of...
- allow traffic from client VLAN to access ISA server IP
- allow traffic from client VLAN to access DHCP server (via DHCP-helper set on the VLAN)
- deny everything else (HP does this by default but you can define it explicitly as well)
Not sure how you'd want to do DNS for those clients, might just be better to set something like your ISP \ Google DNS for the public wifi clients so they never touch your internal DNS server? If you wanted to use the internal DNS just add another ip permit rule.
As far as I've understood it, the ACL would look something like this (assuming a client subnet of 192.168.6.0/24). It needs to be an extended ACL because it matches on both source and destination, and the final deny needs a protocol keyword in an extended list:

ip access-list extended "PUBLIC_WIFI_ISOLATION"
   remark "ALLOW ACCESS TO DHCP SERVER 192.168.1.250"
   10 permit ip 192.168.6.0 0.0.0.255 192.168.1.250 0.0.0.0
   remark "ALLOW ACCESS TO FIREWALL GREEN INTERFACE"
   20 permit ip 192.168.6.0 0.0.0.255 192.168.7.10 0.0.0.0
   30 deny ip any any
   exit

And on the VLAN definition (with the DHCP helper pointing at the DHCP server)...

vlan 6
   ip address 192.168.6.254 255.255.255.0
   ip helper-address 192.168.1.250
   ip access-group "PUBLIC_WIFI_ISOLATION" in
   exit

(then tag \ untag ports as required)
If this looks wrong to anyone please correct me as it's only a theoretical design I've come up with after reading forums \ HP documentation!
If that ACL is correct then my other idea for isolating classroom PCs should work on the same concept, but in this case it would be denying certain traffic then allowing everything else...
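To sanity-check a rule set like the one above before putting it on a switch, it helps to walk a few flows through it with first-match semantics and wildcard masks. The evaluator below is an added example, not code from the post or from HP; it models generic ordered-ACL behaviour (first matching entry wins, implicit deny at the end) rather than any vendor's exact implementation, and the sample flows and host addresses other than the ones in the post are constructed. Two results are worth noticing: a client DNS query to a public resolver such as 8.8.8.8 is dropped by entry 30 unless another permit is added, and the client's very first DHCP DISCOVER (source 0.0.0.0, destination 255.255.255.255) matches neither permit entry, so whether it survives depends on whether the platform applies the inbound ACL before the helper relays it.

```python
# Added example (not from the forum post): first-match evaluator for an
# ordered ACL with Cisco/HP-style wildcard masks and an implicit deny.
import ipaddress
from dataclasses import dataclass


def ip_to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


@dataclass
class Rule:
    seq: int
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches every protocol; "udp"/"tcp" match only that one
    src: str
    src_wc: str   # wildcard mask: a 1 bit means "don't care"
    dst: str
    dst_wc: str


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr equals base on every bit where the wildcard bit is 0."""
    a, b, w = ip_to_int(addr), ip_to_int(base), ip_to_int(wildcard)
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_rule(line: str) -> Rule:
    """Parse '<seq> <permit|deny> <proto> <src> <dst>' where an address is
    'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    tokens = line.split()
    seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
    rest = tokens[3:]

    def take_addr(t):
        if t[0] == "any":
            return "0.0.0.0", "255.255.255.255", t[1:]
        if t[0] == "host":
            return t[1], "0.0.0.0", t[2:]
        return t[0], t[1], t[2:]

    src, src_wc, rest = take_addr(rest)
    dst, dst_wc, rest = take_addr(rest)
    return Rule(seq, action, proto, src, src_wc, dst, dst_wc)


# The three entries from the post (remarks omitted; they do not affect matching).
ACL = [parse_rule(l) for l in """
10 permit ip 192.168.6.0 0.0.0.255 192.168.1.250 0.0.0.0
20 permit ip 192.168.6.0 0.0.0.255 192.168.7.10 0.0.0.0
30 deny ip any any
""".strip().splitlines()]


def evaluate(acl, proto: str, src: str, dst: str):
    """Return (action, seq) of the first matching entry, or ("deny", None)
    for the implicit deny when nothing matches."""
    for r in sorted(acl, key=lambda r: r.seq):
        if r.proto != "ip" and r.proto != proto:
            continue
        if wildcard_match(src, r.src, r.src_wc) and wildcard_match(dst, r.dst, r.dst_wc):
            return r.action, r.seq
    return "deny", None


# Constructed sample flows; 192.168.1.10 and 8.8.8.8 are placeholders for
# "some other internal host" and "a public DNS resolver".
SAMPLE_FLOWS = [
    ("udp", "192.168.6.20", "192.168.1.250", "DHCP renew (unicast) to DHCP server"),
    ("tcp", "192.168.6.20", "192.168.7.10", "client to proxy/firewall green interface"),
    ("tcp", "192.168.6.20", "192.168.1.10", "client to another internal host"),
    ("udp", "192.168.6.20", "8.8.8.8", "client DNS query to a public resolver"),
    ("udp", "0.0.0.0", "255.255.255.255", "initial DHCP DISCOVER broadcast"),
]


def check_flows(acl=ACL, flows=SAMPLE_FLOWS):
    """Evaluate every sample flow; returns a list of (description, action, seq)."""
    return [(desc,) + evaluate(acl, proto, src, dst) for proto, src, dst, desc in flows]


if __name__ == "__main__":
    for desc, action, seq in check_flows():
        print(f"{action:6} (entry {seq}) : {desc}")
```

Running it prints one line per sample flow; anything reported as denied that the design expects to work (the public-resolver query, possibly the DISCOVER) is a permit entry to add or a platform behaviour to confirm before deployment.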