IOT ACL

I'm attempting to put our IoT Amazon thermostats on a VLAN with a restricted ACL. It allows access to the Internet, DNS, and DHCP, and denies access to all other VLANs and devices. The ACL I have works on test PCs placed on the VLAN. But when connecting the thermostats to WiFi on the VLAN, the thermostat receives a DHCP lease and gets out to the internet, but when finalizing communication with the Amazon app it cannot connect.

Does anyone know what ports or communication profiles need to be added to the ACL for this to work?

Thanks,

5 Replies

balaji.bandi
Hall of Fame

What device model and code is it running? How does your ACL look?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

VLAN IP is 192.168.175.0/24

The thermostat is the Amazon Smart Thermostat. I do not know the code used. It connects to the Amazon Smart app on a mobile device.

ACL: IOT_

ip access-list extended IOT_OUTBOUND
 10 permit icmp any any
 20 permit tcp 192.168.175.0 0.0.0.255 any eq www
 30 permit tcp 192.168.175.0 0.0.0.255 any eq 443
 40 permit udp 192.168.175.0 0.0.0.255 host 192.168.1.238 range bootps bootpc
 50 permit tcp 192.168.175.0 0.0.0.255 host 8.8.8.8 eq domain
 60 permit tcp 192.168.175.0 0.0.0.255 host 192.168.1.238 eq domain
 70 permit udp 192.168.175.0 0.0.0.255 host 192.168.10.52 eq domain
 80 deny ip any any log

ip access-list extended IOT_INBOUND
 10 permit icmp any any
 20 permit tcp any eq www 192.168.175.0 0.0.0.255
 30 permit tcp any eq 443 192.168.175.0 0.0.0.255
 40 permit udp host 192.168.1.238 range bootps bootpc 192.168.175.0 0.0.0.255
 50 permit tcp host 8.8.8.8 eq domain 192.168.175.0 0.0.0.255
 60 permit tcp host 192.168.1.238 eq domain 192.168.175.0 0.0.0.255
 70 permit udp host 192.168.10.52 eq domain 192.168.175.0 0.0.0.255
 71 deny tcp any range telnet 24 192.168.175.0 0.0.0.255 range telnet 24
 80 deny ip any any log
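A quick way to see which flows an ACL like this will actually drop is to walk the entries in order against candidate flows, the way the switch does, and note which sequence number decides each one. The script below is an added example written for this thread, not something from the poster or from Cisco: it implements the first-match semantics of an IOS extended ACL (wildcard masks, `host`/`any`, `eq`/`range` port operators, implicit deny) and applies it to the IOT_OUTBOUND list above. The HTTPS and DHCP flows reflect what the post says works; the UDP DNS to 8.8.8.8, NTP (udp/123) and MQTT-over-TLS (tcp/8883) flows are assumptions about traffic an IoT device might generate, not facts from the thread. One thing it makes visible from the ACL as written: DNS to 8.8.8.8 and 192.168.1.238 is permitted only over TCP, and only 192.168.10.52 is reachable for UDP DNS, so any UDP query to the other resolvers lands on entry 80 and shows up in the `deny ... log` output.

```python
"""Walk Cisco extended-ACL entries against candidate flows (added example).
The ACL text is copied from the post; the candidate flows are constructed."""
import ipaddress
from collections import namedtuple

# Copy of the IOT_OUTBOUND list from the post (sequence numbers as posted).
IOT_OUTBOUND = """
10 permit icmp any any
20 permit tcp 192.168.175.0 0.0.0.255 any eq www
30 permit tcp 192.168.175.0 0.0.0.255 any eq 443
40 permit udp 192.168.175.0 0.0.0.255 host 192.168.1.238 range bootps bootpc
50 permit tcp 192.168.175.0 0.0.0.255 host 8.8.8.8 eq domain
60 permit tcp 192.168.175.0 0.0.0.255 host 192.168.1.238 eq domain
70 permit udp 192.168.175.0 0.0.0.255 host 192.168.10.52 eq domain
80 deny ip any any log
"""
PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68, "telnet": 23}
ALL = 0xFFFFFFFF

# src/dst are (network, wildcard) 32-bit ints; sports/dports are an inclusive
# (low, high) port range or None for "any port".
Entry = namedtuple("Entry", "seq action proto src sports dst dports")
Flow = namedtuple("Flow", "proto src sport dst dport")

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _addr(tok, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at tok[i]."""
    if tok[i] == "any":
        return (0, ALL), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2

def _ports(tok, i):
    """Parse an optional 'eq X' or 'range X Y' operator at tok[i]."""
    name = lambda t: PORT_NAMES.get(t) or int(t)
    if i < len(tok) and tok[i] == "eq":
        return (name(tok[i + 1]),) * 2, i + 2
    if i < len(tok) and tok[i] == "range":
        return (name(tok[i + 1]), name(tok[i + 2])), i + 3
    return None, i

def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        src, i = _addr(tok, 3)
        sports, i = _ports(tok, i)
        dst, i = _addr(tok, i)
        dports, i = _ports(tok, i)        # a trailing 'log' keyword is ignored
        entries.append(Entry(int(tok[0]), tok[1], tok[2], src, sports, dst, dports))
    return entries

def _addr_match(spec, ip):
    net, wild = spec                      # a set wildcard bit means "don't care"
    return (ip & ~wild & ALL) == (net & ~wild & ALL)

def _port_match(spec, port):
    return spec is None or (port is not None and spec[0] <= port <= spec[1])

def evaluate(acl, f):
    """Return (sequence, action) of the first matching entry; (0, 'deny')
    stands for the implicit deny that ends every IOS ACL."""
    for e in acl:
        if (e.proto in ("ip", f.proto)
                and _addr_match(e.src, f.src) and _port_match(e.sports, f.sport)
                and _addr_match(e.dst, f.dst) and _port_match(e.dports, f.dport)):
            return e.seq, e.action
    return 0, "deny"

def flow(proto, src, sport, dst, dport):
    return Flow(proto, _ip(src), sport, _ip(dst), dport)

# Constructed flows from a thermostat at 192.168.175.20. HTTPS and DHCP are what the
# post says works; UDP DNS to 8.8.8.8, NTP (udp/123) and MQTT over TLS (tcp/8883) are
# assumptions about traffic an IoT device might send, not facts from the thread.
CANDIDATES = {
    "https":    flow("tcp", "192.168.175.20", 50000, "203.0.113.10", 443),
    "dhcp":     flow("udp", "192.168.175.20", 68, "192.168.1.238", 67),
    "tcp-dns":  flow("tcp", "192.168.175.20", 53213, "8.8.8.8", 53),
    "udp-dns":  flow("udp", "192.168.175.20", 53212, "8.8.8.8", 53),
    "ntp":      flow("udp", "192.168.175.20", 123, "203.0.113.20", 123),
    "mqtt-tls": flow("tcp", "192.168.175.20", 50001, "203.0.113.30", 8883),
}

def audit(acl_text=IOT_OUTBOUND):
    """Map each candidate flow label to the (sequence, action) that decides it."""
    acl = parse_acl(acl_text)
    return {label: evaluate(acl, f) for label, f in CANDIDATES.items()}

if __name__ == "__main__":
    for label, (seq, action) in audit().items():
        print(f"{label:9s} {action:6s} seq {seq}")
```

Pasting the real deny-log lines from `show logging` into the CANDIDATES table in place of the constructed ones gives the same answer the switch gave, but with the deciding entry number next to it, which is usually faster than reading the list by eye.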

That is the end device. What is the model of the device you are using this ACL on, and what IOS code is it running?

 

BB


Cisco C9300-48P Catalyst 9300

ver 17.3.4

Can you post the full config? I would like to see the NAT. Also, you mentioned the PC works and the device you are looking at is not working.

Can you give an example: when you connect the PC, what IP does it get? When the device is not working, what IP does it get?

You do not need the inbound ACL. Is this device directly connected to the internet? What does your network diagram look like?

BB
