I'm pretty new to ACLs and so far I am not making much headway setting them up on this switch. Initially, I just want an ACL (standard, not extended) that restricts my guest VLAN from accessing anything (via any protocol) but the Internet. Any clues how to do this?
I found a tutorial online (link below) for the 2930M, but the 1930 doesn't have a CLI. Otherwise I have found nothing to help in configuring the 1930, and unfortunately, the 1930 Management and Configuration guide is not much more than 'buttonology'.
OK, in case anyone else is interested, using the 1930's web GUI I have managed to replicate the first part of the tutorial.
OK, well that didn't work quite as expected. As my Guests need to obtain an IP via DHCP the final rule does not allow them to talk to the DHCP server as there is no match (as they don't yet have an IP on the 172.16.81.0 network). However, an 'Any, Any' rule does allow this as there is no IP matching.
So, more learning to do as yet, but making some progress.
An updated ACL now that the fix for the DHCP Relay bug means I can move my Win 2016 server to the 1930:

ip access-list extended Guest-ACL
permit udp any bootpc any bootps ace-priority 1
permit udp 172.16.81.0 0.0.0.15 any 172.16.31.3 0.0.0.0 domain ace-priority 20
permit tcp 172.16.81.0 0.0.0.15 any 172.16.31.3 0.0.0.0 domain ace-priority 25
permit icmp 172.16.81.0 0.0.0.15 172.16.31.3 0.0.0.0 any any ace-priority 35
permit ip 172.16.81.0 0.0.0.15 172.16.81.0 0.0.0.15 ace-priority 40
deny ip 172.16.81.0 0.0.0.15 10.0.0.0 0.255.255.255 ace-priority 55 log-input
deny ip 172.16.81.0 0.0.0.15 172.16.0.0 0.15.255.255 ace-priority 60 log-input
deny ip 172.16.81.0 0.0.0.15 192.168.0.0 0.0.255.255 ace-priority 65 log-input
permit ip 172.16.81.0 0.0.0.15 0.0.0.0 255.255.255.255 ace-priority 100
exit
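
Added example, not part of the original posts and not output from the switch: a small Python model of the Guest-ACL above that evaluates constructed sample packets by first match, which makes it easy to see why a DHCP request from 0.0.0.0 needs the priority 1 rule and which rule catches each kind of guest traffic. It assumes ACEs are checked in ascending ace-priority order with an implicit deny at the end; the function and variable names are hypothetical.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def wild(addr, mask):
    """Matcher for 'address wildcard': bits set in the wildcard are ignored."""
    a, m = ip(addr), ip(mask)
    return lambda x: (ip(x) | m) == (a | m)

ANY = wild("0.0.0.0", "255.255.255.255")
GUEST = wild("172.16.81.0", "0.0.0.15")      # 172.16.81.0 - 172.16.81.15
DNS = wild("172.16.31.3", "0.0.0.0")
BOOTPC, BOOTPS, DOMAIN = 68, 67, 53          # well-known port numbers

# (ace-priority, action, protocol, src, src port, dst, dst port); None = any port
GUEST_ACL = [
    (1, "permit", "udp", ANY, BOOTPC, ANY, BOOTPS),
    (20, "permit", "udp", GUEST, None, DNS, DOMAIN),
    (25, "permit", "tcp", GUEST, None, DNS, DOMAIN),
    (35, "permit", "icmp", GUEST, None, DNS, None),
    (40, "permit", "ip", GUEST, None, GUEST, None),
    (55, "deny", "ip", GUEST, None, wild("10.0.0.0", "0.255.255.255"), None),
    (60, "deny", "ip", GUEST, None, wild("172.16.0.0", "0.15.255.255"), None),
    (65, "deny", "ip", GUEST, None, wild("192.168.0.0", "0.0.255.255"), None),
    (100, "permit", "ip", GUEST, None, ANY, None),
]

def evaluate(proto, src, sport, dst, dport, acl=GUEST_ACL):
    """Return (action, ace-priority) of the first matching ACE."""
    for prio, action, p, s, sp, d, dp in sorted(acl, key=lambda ace: ace[0]):
        if p not in ("ip", proto) or not (s(src) and d(dst)):
            continue
        if (sp is not None and sp != sport) or (dp is not None and dp != dport):
            continue
        return action, prio
    return "deny", None   # assumption: implicit deny when no ACE matches

if __name__ == "__main__":
    # Constructed sample packets: (proto, src, sport, dst, dport)
    for pkt in [("udp", "0.0.0.0", 68, "255.255.255.255", 67),
                ("udp", "172.16.81.5", 40000, "172.16.31.3", 53),
                ("tcp", "172.16.81.5", 40000, "172.16.31.3", 445),
                ("tcp", "172.16.81.5", 40000, "8.8.8.8", 443)]:
        print(pkt, "->", evaluate(*pkt))
```

Passing `acl=GUEST_ACL[1:]` drops the priority 1 rule and shows the DHCP request falling through to the implicit deny, because its source address is not yet in the guest range.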