Hopefully others are interested in this - I now have managed to get this working, although my config is a little odd because of the DHCP Relay bug.
Guest ACL code:
ip access-list extended Guest-ACL
permit udp any bootpc any bootps ace-priority 5
permit udp 172.16.81.0 0.0.0.15 any 192.168.11.49 0.0.0.0 domain ace-priority 10
permit udp 172.16.81.0 0.0.0.15 any 192.168.11.50 0.0.0.0 domain ace-priority 11
permit tcp 172.16.81.0 0.0.0.15 any 192.168.11.49 0.0.0.0 domain ace-priority 15
permit tcp 172.16.81.0 0.0.0.15 any 192.168.11.50 0.0.0.0 domain ace-priority 16
permit udp 172.16.81.0 0.0.0.15 any 172.16.31.3 0.0.0.0 domain ace-priority 20
permit tcp 172.16.81.0 0.0.0.15 any 172.16.31.3 0.0.0.0 domain ace-priority 25
permit icmp 172.16.81.0 0.0.0.15 192.168.11.49 0.0.0.0 any any ace-priority 30
permit icmp 172.16.81.0 0.0.0.15 192.168.11.50 0.0.0.0 any any ace-priority 31
permit icmp 172.16.81.0 0.0.0.15 172.16.31.3 0.0.0.0 any any ace-priority 35
permit ip 172.16.81.0 0.0.0.15 172.16.81.0 0.0.0.15 ace-priority 40
deny ip 172.16.81.0 0.0.0.15 10.0.0.0 0.255.255.255 ace-priority 55 log-input
deny ip 172.16.81.0 0.0.0.15 172.16.0.0 0.15.255.255 ace-priority 60 log-input
deny ip 172.16.81.0 0.0.0.15 192.168.0.0 0.0.255.255 ace-priority 65 log-input
permit ip 172.16.81.0 0.0.0.15 0.0.0.0 255.255.255.255 ace-priority 100
exit
------------------------------
Colin Fieldgate
------------------------------
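To see how the ordered list above actually decides a packet, here is an added Python model of the ACL evaluation (example code, not from the post or from the 1930 firmware). It parses the ACE lines, matches addresses the way a wildcard mask does (mask bits set are "don't care"), and returns the first matching ACE in ace-priority order. Assumptions made here: every tcp/udp ACE carries a port token after each address (true for every line above), the usual numbers for the port names (bootps 67, bootpc 68, domain 53), an implicit deny when nothing matches, and icmp type/code tokens are not evaluated.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The ACE lines from the Guest-ACL above, embedded as sample input
# (the access-list header and 'exit' are omitted; only ACEs are parsed).
GUEST_ACL = """
permit udp any bootpc any bootps ace-priority 5
permit udp 172.16.81.0 0.0.0.15 any 192.168.11.49 0.0.0.0 domain ace-priority 10
permit udp 172.16.81.0 0.0.0.15 any 192.168.11.50 0.0.0.0 domain ace-priority 11
permit tcp 172.16.81.0 0.0.0.15 any 192.168.11.49 0.0.0.0 domain ace-priority 15
permit tcp 172.16.81.0 0.0.0.15 any 192.168.11.50 0.0.0.0 domain ace-priority 16
permit udp 172.16.81.0 0.0.0.15 any 172.16.31.3 0.0.0.0 domain ace-priority 20
permit tcp 172.16.81.0 0.0.0.15 any 172.16.31.3 0.0.0.0 domain ace-priority 25
permit icmp 172.16.81.0 0.0.0.15 192.168.11.49 0.0.0.0 any any ace-priority 30
permit icmp 172.16.81.0 0.0.0.15 192.168.11.50 0.0.0.0 any any ace-priority 31
permit icmp 172.16.81.0 0.0.0.15 172.16.31.3 0.0.0.0 any any ace-priority 35
permit ip 172.16.81.0 0.0.0.15 172.16.81.0 0.0.0.15 ace-priority 40
deny ip 172.16.81.0 0.0.0.15 10.0.0.0 0.255.255.255 ace-priority 55 log-input
deny ip 172.16.81.0 0.0.0.15 172.16.0.0 0.15.255.255 ace-priority 60 log-input
deny ip 172.16.81.0 0.0.0.15 192.168.0.0 0.0.255.255 ace-priority 65 log-input
permit ip 172.16.81.0 0.0.0.15 0.0.0.0 255.255.255.255 ace-priority 100
"""

# Port names used in the ACL, mapped to their IANA numbers (assumed).
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53}


@dataclass
class Ace:
    action: str
    proto: str
    src: str
    src_wild: str
    src_port: Optional[int]   # None means "any"
    dst: str
    dst_wild: str
    dst_port: Optional[int]
    priority: int
    log: bool


def _addr(tokens):
    """Consume 'any' or 'addr wildcard'; return ((addr, wildcard), rest)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]


def _port(tokens):
    """Consume a port token ('any', a name, or a number); return (port, rest)."""
    tok = tokens[0]
    if tok == "any":
        return None, tokens[1:]
    return (int(tok) if tok.isdigit() else PORT_NAMES[tok]), tokens[1:]


def parse_acl(text):
    """Parse ACE lines into Ace objects, sorted by ace-priority (assumed syntax)."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto, rest = t[0], t[1], t[2:]
        (src, src_wild), rest = _addr(rest)
        sport = dport = None
        if proto in ("tcp", "udp"):           # a port token follows each address
            sport, rest = _port(rest)
        (dst, dst_wild), rest = _addr(rest)
        if proto in ("tcp", "udp"):
            dport, rest = _port(rest)
        # icmp type/code tokens ('any any' above) are left unevaluated here
        prio = int(rest[rest.index("ace-priority") + 1])
        aces.append(Ace(action, proto, src, src_wild, sport,
                        dst, dst_wild, dport, prio, "log-input" in rest))
    return sorted(aces, key=lambda a: a.priority)


def _wild_match(ip, base, wild):
    """Wildcard-mask compare: bits set in the mask are ignored."""
    i, b, w = (int(ipaddress.IPv4Address(x)) for x in (ip, base, wild))
    return (i | w) == (b | w)


def evaluate(aces, proto, src, dst, sport=None, dport=None):
    """Return (action, priority) of the first matching ACE; ('deny', None) on implicit deny."""
    for a in aces:
        if a.proto != "ip" and a.proto != proto:
            continue
        if not (_wild_match(src, a.src, a.src_wild) and _wild_match(dst, a.dst, a.dst_wild)):
            continue
        if a.src_port is not None and a.src_port != sport:
            continue
        if a.dst_port is not None and a.dst_port != dport:
            continue
        return a.action, a.priority
    return "deny", None


if __name__ == "__main__":
    aces = parse_acl(GUEST_ACL)
    # A DHCP DISCOVER has source 0.0.0.0, so only the source-any ACE can match it.
    print(evaluate(aces, "udp", "0.0.0.0", "255.255.255.255", 68, 67))   # ('permit', 5)
    print(evaluate(aces, "tcp", "172.16.81.5", "192.168.11.49", 51234, 443))  # ('deny', 65)
    print(evaluate(aces, "tcp", "172.16.81.5", "8.8.8.8", 51234, 443))        # ('permit', 100)
```

Running it shows the point of the quoted message: a client that has no lease yet sends from 0.0.0.0, so none of the 172.16.81.0-sourced ACEs can ever match it, and only the source-any bootpc/bootps ACE at priority 5 lets the lease happen. The three deny ACEs with log-input sit ahead of the final permit-any, so any guest attempt to reach the RFC 1918 ranges is both blocked and logged, which is the evidence a defender would want when reviewing the guest VLAN.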
Original Message:
Sent: 10-24-2020 06:10 AM
From: Archive User
Subject: Configuring ACLs on 1930
OK, well that didn't work quite as expected. As my Guests need to obtain an IP via DHCP, the final rule does not allow them to talk to the DHCP server as there is no match (as they don't yet have an IP on the 172.16.81.0 network). However, an 'Any, Any' rule does allow this as there is no IP matching.
So, more learning to do as yet, but making some progress.