ip access-list : for guest wifi

mwilde
Level 1

Hi, networking is not my speciality, hence I'm struggling to get this to work.
I want to create a VLAN for guest wifi access. I don't want anyone on this VLAN to access anything other than the internet. 


I am using a pair of Nexus 3548.


I have created an interface VLAN on the first switch

interface Vlan50
  description guest_wifi
  no shutdown
  ip access-group guest_wifi in
  ip access-group guest_wifi out
  ip address 192.168.10.1/24
  ip dhcp relay address 10.100.64.180
  ip dhcp relay address 10.100.64.181
  vrrp 50
    priority 110
    address 192.168.10.1
    no shutdown

And similar on the second switch

interface Vlan50
  description guest_wifi
  no shutdown
  ip access-group guest_wifi in
  ip access-group guest_wifi out
  ip address 192.168.10.2/24
  ip dhcp relay address 10.100.64.180 
  ip dhcp relay address 10.100.64.181 
  vrrp 50
    address 192.168.10.1 
    no shutdown

I then created the access list on both switches like this

ip access-list guest_wifi
  10 deny ip any 10.0.0.0/8
  20 deny ip any 172.0.0.0/8
  30 permit ip any any

I have tried all sorts of different rules in the access list. I have changed the access-group statement between in and out...

It just doesn't seem to work. Can someone please point me in the direction of what is wrong?

I want the clients to see 10.100.64.180 and 10.100.64.181 for DHCP, but then I just want to give http, https and DNS access. I have tried this....

ip access-list guest_wifi
  10 permit udp any any eq domain
  20 permit tcp any any eq www
  30 permit tcp any any eq 443
  40 deny ip any any
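To make the first-match behaviour of these entries concrete, here is an added example (not code from the original post, and not Cisco's): a small Python parser for the subset of NX-OS ip access-list syntax used in this thread, plus a stateless evaluator that runs the two posted ACLs and a proposed guest-VLAN ACL against constructed sample flows. The proposed ACL, the port names table, the guest client address 192.168.10.50 and the destinations outside the thread's subnets are assumptions for illustration; the DHCP relay address 10.100.64.180 is the one from the post.

```python
"""Stateless first-match evaluator for a subset of NX-OS 'ip access-list' syntax.
Added example for this thread, not code from the original post or from Cisco.
Entry form supported: <seq> permit|deny ip|tcp|udp <src> <dst> [eq <port>],
with <src>/<dst> either 'any' or prefix/len.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Subset of the port names NX-OS accepts after 'eq' (assumed sufficient here).
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}

@dataclass(frozen=True)
class Rule:
    seq: int
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any protocol, else "tcp"/"udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]   # None = any destination port

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

def _net(tok: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network("0.0.0.0/0" if tok == "any" else tok, strict=False)

def parse_acl(text: str) -> list[Rule]:
    """Parse ACL entries in sequence order, skipping the 'ip access-list NAME' header."""
    rules = []
    for raw in text.strip().splitlines():
        tok = raw.split()
        if not tok or tok[0] == "ip":
            continue
        dport = None
        if len(tok) > 5:
            if tok[5] != "eq" or len(tok) != 7:
                raise ValueError(f"unsupported qualifier: {raw.strip()}")
            dport = PORT_NAMES[tok[6]] if tok[6] in PORT_NAMES else int(tok[6])
        rules.append(Rule(int(tok[0]), tok[1], tok[2], _net(tok[3]), _net(tok[4]), dport))
    return sorted(rules, key=lambda r: r.seq)

def evaluate(rules: list[Rule], flow: Flow) -> tuple[str, Optional[int]]:
    """(action, seq) of the first matching entry. NX-OS ends every ACL with an
    implicit 'deny ip any any', reported here as seq None."""
    s, d = ipaddress.IPv4Address(flow.src), ipaddress.IPv4Address(flow.dst)
    for r in rules:
        if r.proto != "ip" and r.proto != flow.proto:
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.dport is not None and r.dport != flow.dport:
            continue
        return r.action, r.seq
    return "deny", None

# The two ACLs exactly as posted in the thread.
ACL_POSTED_V1 = parse_acl("""
ip access-list guest_wifi
  10 deny ip any 10.0.0.0/8
  20 deny ip any 172.0.0.0/8
  30 permit ip any any
""")
ACL_POSTED_V2 = parse_acl("""
ip access-list guest_wifi
  10 permit udp any any eq domain
  20 permit tcp any any eq www
  30 permit tcp any any eq 443
  40 deny ip any any
""")
# Proposed inbound guest ACL (assumption, not the poster's config): let DHCP reach
# the relay, deny all three RFC 1918 ranges before any permit, then allow only
# DNS/HTTP/HTTPS. If DHCP hands guests an internal DNS server, permit it before 20.
ACL_PROPOSED = parse_acl("""
ip access-list guest_wifi
  10 permit udp any any eq bootps
  20 deny ip any 10.0.0.0/8
  30 deny ip any 172.16.0.0/12
  40 deny ip any 192.168.0.0/16
  50 permit udp any any eq domain
  60 permit tcp any any eq www
  70 permit tcp any any eq 443
  80 deny ip any any
""")

# Constructed sample flows; 192.168.10.50 is an assumed guest client address.
SAMPLE_FLOWS = {
    "dhcp discover":         Flow("udp", "0.0.0.0", "255.255.255.255", 67),
    "dns to internal 10/8":  Flow("udp", "192.168.10.50", "10.100.64.180", 53),
    "https to other vlan":   Flow("tcp", "192.168.10.50", "192.168.20.5", 443),
    "https to internet":     Flow("tcp", "192.168.10.50", "93.184.216.34", 443),
    "https reply, out dir":  Flow("tcp", "93.184.216.34", "192.168.10.50", 51000),
}

if __name__ == "__main__":
    for name, acl in (("posted v1", ACL_POSTED_V1), ("posted v2", ACL_POSTED_V2), ("proposed", ACL_PROPOSED)):
        for label, flow in SAMPLE_FLOWS.items():
            print(f"{name:9}  {label:22} -> {evaluate(acl, flow)}")
```

Running it shows three things the posted entries do not make obvious. The first ACL still permits a guest to reach 192.168.20.5, because it never denies 192.168.0.0/16 (and 172.0.0.0/8 is much wider than the RFC 1918 range 172.16.0.0/12). The second ACL permits DNS, HTTP and HTTPS to internal hosts such as 10.100.64.180, because the permits come before any deny of private space, and it drops the client's DHCP discover at entry 40, so the relay never sees it. Applied in the out direction the same entries match reply traffic by the client's ephemeral port and deny it, which is why a stateless port-based ACL normally belongs inbound on the SVI; if the outbound workaround mentioned later in the thread is used, the entries have to be written for the reply direction instead. None of this models the platform: confirm what the hardware actually does with statistics per-entry on the ACL and the hit counts in show ip access-lists.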

In which case I would move towards the VRF solution and use the firewall for all of your filtering.

There is something not right with the Nexus.

Ok - thank you for all your help today. It's very much appreciated.

even if I add

1 deny ip any any


I can still access stuff.

There are a lot of rules that start with

ip access-list copp-system-xxxx

Is that anything to do with it?

Well, if a deny ip any any ACL is having no effect, then either you have encountered a critical bug, or your routing is not how you imagine!

The CoPP ACLs you mention are for control plane policing. The traffic you are trying to police (excluding VRRP) would not be destined here.


Going back to your topology, do the Nexus pair provide the only layer3 interfaces off the subnet?


Cheers,

Seb.

Seb - thank you for your help yesterday. I have been in contact with Cisco all day today. We eventually got to the bottom of it.


There is a bug on the version of IOS on the switch which means if you have a DHCP relay on an interface the ACL does not apply.

N3500 RACL not hit when configured with DHCP relay on same intf
CSCuy63407
Symptom: Routed ACL not filtering traffic when applied on inbound with DHCP relay configured on the interface.
No ACL hits are observed and the ACL is not applied at all.

Conditions: DHCP relay configured on the same interface where RACL-Inbound is being applied on N3500 series switches either in Normal or WARP mode.

Workaround: Use Outbound RACL to filter specified traffic based on traffic flow if switch is running in Normal forwarding mode.
No workaround for WARP mode, only option is to remove DHCP relay and resort to a local DHCP server in the subnet/VLAN.

Wow, that is a pretty terrible bug!

Glad you got it confirmed allowing you to continue with your original architecture.


cheers,

Seb.