
HOW TO CONFIGURE SECURITY ON THE GUEST VLAN

For the guest VLAN (VLAN ID 17 = 10.0.55.0/24), we must block all corporate traffic while still allowing the basic services the VLAN needs in order to work for Internet access.

The minimum required services are DHCP (tcp, udp = 67-68), DNS (tcp, udp = 53) and, of course, the device that provides the Internet service (Internet = proxy server, firewall = NAT/PAT, etc.). In this example the servers are 192.168.0.170 (DHCP and DNS) and 192.168.0.5 (firewall = TippingPoint).

If we want VLAN 17 not to see any other network or VLAN ID, we must apply rules that deny the corresponding accesses (see previous graph).

After that, QoS rules must be applied that deny every port other than those used by the required services on the IPs described (192.168.0.170 and 192.168.0.5). The exact rules depend on the scenario in which the solution is implemented.

To do this, the QoS rules must be applied to the GUEST SSID on the switch controller, or QoS rules denying those services must be applied on the switch LAN ports that support this feature.
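The rule order described above can be checked offline before it is entered on the controller. The Python model below is an added example, not part of the original page and not 3Com configuration syntax; the `CORPORATE` ranges, the final Internet permit and the sample flows are assumptions constructed for illustration.

```python
from ipaddress import ip_address, ip_network

GUEST_NET = ip_network("10.0.55.0/24")     # VLAN 17, from the page
DHCP_DNS = ip_network("192.168.0.170/32")  # DHCP and DNS server, from the page
FIREWALL = ip_network("192.168.0.5/32")    # Internet egress device, from the page
ANY = ip_network("0.0.0.0/0")
# Assumption: corporate networks live in these ranges; replace with the real ones.
CORPORATE = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]
L4 = {"tcp", "udp"}
ALL_PORTS = (0, 65535)

# (action, protocols, destination network, (low port, high port)); first match wins.
RULES = [
    ("permit", L4, DHCP_DNS, (67, 68)),    # DHCP
    ("permit", L4, DHCP_DNS, (53, 53)),    # DNS
    ("permit", L4, FIREWALL, ALL_PORTS),   # proxy or NAT/PAT device
    *[("deny", L4, net, ALL_PORTS) for net in CORPORATE],
    ("permit", L4, ANY, ALL_PORTS),        # assumption: Internet routed via the firewall
]

def evaluate(src, proto, dst, dport):
    """Return 'permit' or 'deny' for one flow leaving the guest VLAN."""
    if ip_address(src) not in GUEST_NET:
        raise ValueError(f"{src} is not a guest VLAN address")
    for action, protos, net, (low, high) in RULES:
        if proto in protos and ip_address(dst) in net and low <= dport <= high:
            return action
    return "deny"  # anything unmatched, e.g. protocols other than tcp/udp

# Constructed sample flows: (src, proto, dst, dport, verdict the policy should give).
SAMPLES = [
    ("10.0.55.20", "udp", "192.168.0.170", 67, "permit"),   # DHCP
    ("10.0.55.20", "udp", "192.168.0.170", 53, "permit"),   # DNS
    ("10.0.55.20", "tcp", "192.168.0.170", 445, "deny"),    # other port on same server
    ("10.0.55.20", "tcp", "192.168.0.5", 8080, "permit"),   # proxy on the firewall
    ("10.0.55.20", "tcp", "192.168.0.10", 80, "deny"),      # corporate host
    ("10.0.55.20", "tcp", "10.0.1.20", 22, "deny"),         # another VLAN
    ("10.0.55.20", "tcp", "203.0.113.10", 443, "permit"),   # Internet (TEST-NET-3)
]

def audit(samples=SAMPLES):
    """Return the sample flows whose verdict differs from the intended one."""
    return [s for s in samples if evaluate(*s[:4]) != s[4]]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s[:4], "->", evaluate(*s[:4]))
    print("mismatches:", audit())
```

Moving the corporate deny rules above the three permits makes `audit()` report the DHCP, DNS and firewall flows as mismatches, which is the ordering mistake this check is meant to catch.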

David Gonzalez 2021/04/03 09:29

3com/switch/controller/configuration/vlan/security_vlan_guest.txt · Last modified: 2021/04/03 12:03 by dgonzalez
