07-14-2010 08:32 AM - edited 03-04-2019 09:03 AM
Hello folks -
I am in the process of configuring a wireless LAN which will provide access to both employee and guest users. For guest users, I have created a separate VLAN (192.168.40.0 /24). The default gateway for the subnet is 192.168.40.1, which is an SVI interface on a L3 switch. The L3 switch is also doing DHCP for guest users.
I want to prevent all guest access to the internal network, and give them only access to the Internet. For that reason, I have created the following access-list and applied it in the "in" bound direction on interface vlan 40 on the L3 switch.
5 permit ip 192.168.40.0 0.0.0.63 host 192.168.40.1
6 deny ip 192.168.40.0 0.0.0.63 192.168.0.0 0.0.255.255
10 deny ip 192.168.40.0 0.0.0.63 172.16.0.0 0.0.255.255
20 deny ip 192.168.40.0 0.0.0.63 10.0.0.0 0.0.0.255
30 permit ip 192.168.40.0 0.0.0.63 any
That being said, when I ping 192.168.254.50 address from 192.168.40.23, each time I get the following:
Reply from 192.168.40.1: Destination net unreachable
Request timed out
Reply from 192.168.40.1: Destination net unreachable
Request timed out
Question: Why do I get varying messages for the pings above? Shouldn't I always get the "Request timed out" message each time? Also, I read somewhere that you cannot use an access list for blocking traffic between hosts on the same IP subnet and one has to use VLAN maps, although I am able to do just that with the access-list above. So I am a little confused.
Any help or other suggestions on this would be appreciated!
07-14-2010 09:27 AM
The reason that there are varying messages is because the response "Reply from 192.168.40.1: Destination net unreachable" is based on receipt of an ICMP error message. IOS rate limits generation of ICMP error messages (as one way to mitigate potential DoS attacks). So the router generates the ICMP error for some pings and not for some, and the ones without the ICMP just show as timeouts.
HTH
Rick
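To make both points in this thread concrete (how the posted access-list is evaluated, and why a rate-limited ICMP error turns one denied ping stream into alternating "unreachable" and "timed out" lines), here is an added example; it is not code from the thread or from Cisco. It re-encodes the five ACL lines as data, evaluates Cisco wildcard masks the way the switch does (a 1 bit in the wildcard means "don't care", and the first matching line wins, with an implicit deny at the end), and models the unreachable rate limiter as "at most one ICMP error per interval". The 0.5 s interval and the probe send times are constructed values for the simulation, not numbers from the thread; check the actual limiter setting on the switch before reading anything into the exact pattern.

```python
import ipaddress

# The access-list exactly as posted in the thread, as data:
# (sequence, action, src base, src wildcard, dst base, dst wildcard).
# "any" is represented by a base of "any" and no wildcard.
ACL = [
    (5,  "permit", "192.168.40.0", "0.0.0.63", "192.168.40.1", "0.0.0.0"),
    (6,  "deny",   "192.168.40.0", "0.0.0.63", "192.168.0.0",  "0.0.255.255"),
    (10, "deny",   "192.168.40.0", "0.0.0.63", "172.16.0.0",   "0.0.255.255"),
    (20, "deny",   "192.168.40.0", "0.0.0.63", "10.0.0.0",     "0.0.0.255"),
    (30, "permit", "192.168.40.0", "0.0.0.63", "any",          None),
]


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: bits set to 1 in the wildcard are ignored,
    bits set to 0 must match the base address."""
    if base == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w          # bits that must match
    return (a & care) == (b & care)


def evaluate_acl(src, dst):
    """Return (sequence, action) of the first matching ACL line.
    A packet that matches nothing hits the implicit deny: (None, 'deny')."""
    for seq, action, sbase, swild, dbase, dwild in ACL:
        if wildcard_match(src, sbase, swild) and wildcard_match(dst, dbase, dwild):
            return seq, action
    return None, "deny"


class IcmpUnreachableLimiter:
    """Toy model of IOS rate limiting of ICMP unreachable generation:
    at most one unreachable per `interval` seconds. The interval is an
    assumption of this example, not a value taken from the thread."""

    def __init__(self, interval=0.5):
        self.interval = interval
        self.last_sent = None

    def allow(self, now):
        if self.last_sent is None or now - self.last_sent >= self.interval:
            self.last_sent = now
            return True
        return False


def simulate_pings(src, dst, send_times, interval=0.5):
    """For each probe sent at `send_times` (seconds, constructed), return what
    the client would see: a forwarded packet, the ICMP error the thread
    reports, or a silent drop that shows up as a timeout."""
    limiter = IcmpUnreachableLimiter(interval)
    results = []
    for t in send_times:
        _seq, action = evaluate_acl(src, dst)
        if action == "permit":
            results.append("forwarded")
        elif limiter.allow(t):
            results.append("Destination net unreachable")
        else:
            results.append("Request timed out")
    return results


if __name__ == "__main__":
    # The ping from the original post: guest host to an internal address.
    print(evaluate_acl("192.168.40.23", "192.168.254.50"))   # (6, 'deny')
    # Probes spaced more closely than the limiter interval: errors alternate
    # with timeouts, which is the pattern the thread asks about.
    for line in simulate_pings("192.168.40.23", "192.168.254.50",
                               [0.0, 0.3, 0.6, 0.9, 1.2]):
        print(line)
    # Two more checks a reviewer of this ACL would run: the gateway itself
    # is reachable (line 5), and a source outside the /26 hits the implicit deny.
    print(evaluate_acl("192.168.40.23", "192.168.40.1"))      # (5, 'permit')
    print(evaluate_acl("192.168.40.100", "192.168.254.50"))   # (None, 'deny')
```

Two things the evaluator makes visible. First, the inbound ACL on the SVI only sees packets that need routing, which is why it can block a guest host from 192.168.254.50 but, as noted later in the thread, cannot stop two guest hosts on the same VLAN from reaching each other: that traffic is switched at layer 2 and never enters the SVI. Second, feeding the evaluator addresses from the ranges the ACL is meant to cover is a cheap way to catch mask mistakes: with the masks exactly as posted, a destination of 10.1.2.3 falls through to line 30 and is permitted, because 0.0.0.255 on line 20 matches only 10.0.0.0 through 10.0.0.255, and likewise line 10 covers only 172.16.0.0/16 rather than the whole 172.16.0.0/12 private range. Whether that matters depends on which internal subnets actually exist, which is something to verify against the real address plan rather than assume.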
07-14-2010 08:58 AM
I am thinking it might have to do with the fact that your subnets overlap. Is there a particular reason you did not just use a completely different subnet for the guest network?
As for using an access list to block traffic on the same subnet, usually this is true because the traffic will never hit the interface if it does not need to leave the subnet, so it will never get blocked. In your case this is different, but that access list will not stop one wireless user from pinging another wireless user.
07-14-2010 09:07 AM
A slight correction - I am using a separate subnet for guest users, 192.168.40.0 /26, and not /24 as indicated in my original post.
So the subnets do not overlap.
Since I am not blocking ICMP in the access-list, shouldn't the pings still work to internal network resources?
I am not concerned about blocking access between wireless guest users, just guest access to internal network resources.
So the question still remains as to why do I get varying messages to pings?
07-14-2010 09:20 AM
I did not even notice the /24 in the beginning; I was looking at the access list. My point was that addresses in the guest network can actually be used in the employee network as well, i.e. 192.168.40.15 will work in both networks. This may be a long shot because I don't have that good a knowledge of ICMP error messages, but it might be worth a shot. Other than that I am not sure. Good luck.
07-14-2010 09:46 AM
Thanks Rick. You made it very clear for me.