cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
581
Views
0
Helpful
1
Comments

Hi, I'm learning about ACLs for the CCNA.

Vlan 10 on my home network is dedicated to wireless clients.

192.168.1.1/24 is the IP address of my Cisco router

192.168.1.2/24 is the address of a DD-WRT wireless router connected to the Cisco and working in Access Point pass through mode.

Another Vlan has a subnet of 192.168.0.0/29 with an ADSL modem at 192.168.0.2 which is the default route out to the Internet

The ACL config below is incomplete (because I need help) and shows the access I have permitted on vlan 10.

interface FastEthernet0.10

description TO-VLAN10-WIRELESS

encapsulation dot1Q 10

ip address 192.168.1.1 255.255.255.0

ip access-group ACL-VLAN10-WIRELESS-IN in

ip nat inside

ip virtual-reassembly in

ip access-list extended ACL-VLAN10-WIRELESS-IN

remark * Allow all wireless clients to reach router *

permit ip host 192.168.1.1 192.168.1.0 0.0.0.255

remark *

remark * Allow all wireless clients to communicate with each other *

permit ip 192.168.1.3 0.0.0.252 192.168.1.3 0.0.0.252

remark *

remark * Allow following IPs to manage AP *

permit ip host 192.168.1.2 10.10.10.8 0.0.0.4 log-input

........

How do I allow all wireless clients access to the Internet, whilst still blocking access to the AP at 192.168.1.2?

If I add the line:

permit ip any any

Will that defeat the implicit deny of ACLs and allow all wireless clients access to all IPs?

Thanks in advance.

Comments
Seb Rupik
VIP Alumni
VIP Alumni

Hi there,

I don't think it is possible using your configuration since the AP and wireless clients are on the same subnet. This means traffic is never routed to the router SVI for the ACL to take effect.

You either need to apply an ACL on the AP itself, or create two VLANs, one of managment/ control of the AP and a second for AP client traffic. Route both of these VLANs on the router and you will be able to create the necessary ACLs to filter traffic between the two.

cheers,

Seb.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco