Access-list used for wireless access.

BigK
Level 1

I saw this access-list applied to a vlan interface on the switch. I don't think it serves any purpose and would like a second opinion.  

**************************************

interface Vlan72
description VLAN_WirelessGuests
ip address 10.100.72.1 255.255.255.0
ip access-group WRLS-GUEST-BLOCK in

*********************************************

Extended IP access list WRLS-GUEST-BLOCK
10 deny ip 172.16.0.0 0.15.255.255 any
20 deny ip any 172.16.0.0 0.15.255.255
30 deny ip 192.168.0.0 0.0.255.255 any
40 deny ip any 192.168.0.0 0.0.255.255
50 deny ip any 10.0.0.0 0.255.255.255
60 permit ip any any

Thanks

Karim


Deepak Kumar
VIP Alumni

Hi,

According to this ACL, it is blocking private IP subnets. Maybe the admin wants the guest network to be isolated.


Regards,

Deepak Kumar


Hello,

looks like a (partial) anti-spoofing access list. Also, when I think of wireless, most routers dish out addresses in the 10.0.0.0, 172.16.0.0, and 192.168.0.0 range. If this VLAN is used for wireless clients, I would not remove the access list...

@Georg Pauwen

Yes, it is used for wireless clients.

Would it be possible to provide an example?

Thanks

Karim

Hello,


an example of what? An anti-spoofing access list?

access-list 101 deny ip 0.0.0.0 0.255.255.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 224.0.0.0 15.255.255.255 any log
access-list 101 deny ip host 255.255.255.255 any log

@Georg Pauwen


Sorry, the question was not clear. I asked for an example of spoofing, but I think I figured it out.

The reason we have the ACL is that this is a guest SSID. The user will get an IP address via DHCP (10.x.x.x), and since we have 10.x.x.x, 192.x and 172.x networks, the ACL will deny any to 10.x, 192.x and 172.x.

Georg referred to this type of access list as anti-spoofing. This type of access list is frequently used on routers at the edge of the network, on Internet-facing routers. On the Internet-facing router there is no legitimate packet arriving with a source address in the private address space, and there is no legitimate packet being sent out the interface with a destination address in the private address space. So these access lists are implemented to stop the illegitimate traffic.

In your case the access list is not about spoofing. This access list is implemented to be sure that the users in that wireless network are not able to access anything in your inside networks and are only able to communicate with the public Internet.

HTH

Rick

Hello

@Georg Pauwen wrote:

Hello,

an example of what? An anti-spoofing access list?

access-list 101 deny ip 0.0.0.0 0.255.255.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 224.0.0.0 15.255.255.255 any log
access-list 101 deny ip host 255.255.255.255 any log

Just like to add that the RACL logic of an SVI would need to be applied OUTBOUND using the above ACL.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

rasmus.elmholt
Level 7

It looks like the admin has configured an ACL for a wireless guest network.
Block traffic to all private addresses and allow everything else.

Hello
The following amended ACL would be more applicable.

extended IP access list WRLS-GUEST-BLOCK
10 deny ip 172.16.0.0 0.15.255.255 any
20 deny ip any 172.16.0.0 0.15.255.255
30 deny ip 192.168.0.0 0.0.255.255 any
40 deny ip any 192.168.0.0 0.0.255.255
50 deny ip any 10.0.0.0 0.255.255.255
60 permit ip any any
extended IP access list WRLS-GUEST-BLOCK
10 deny ip any 172.16.0.0 0.15.255.255
20 deny ip any 192.168.0.0 0.0.255.255
30 deny ip any 10.0.0.0 0.255.255.255
99 permit ip any any

Kind Regards
Paul
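Added here as an example (not from the thread) to check what the original WRLS-GUEST-BLOCK and Paul's amended version do to traffic arriving inbound on the guest SVI, following Rick's point that the source there is always the guest subnet: a small Python first-match evaluator for the "seq action ip src dst" entries shown above. The guest and inside addresses in it are assumptions.

```python
import ipaddress
# Constructed sample (src, dst) packets from a guest on 10.100.72.0/24; inside addresses are assumptions.
SAMPLE_PACKETS = [
    ("10.100.72.50", "8.8.8.8"),       # guest to the public Internet: should pass
    ("10.100.72.50", "10.1.1.10"),     # guest to an inside 10.x server
    ("10.100.72.50", "192.168.1.1"),   # guest to an inside 192.168.x host
    ("10.100.72.50", "172.20.5.5"),    # guest to an inside 172.16/12 host
]
ORIGINAL_ACL = """10 deny ip 172.16.0.0 0.15.255.255 any
20 deny ip any 172.16.0.0 0.15.255.255
30 deny ip 192.168.0.0 0.0.255.255 any
40 deny ip any 192.168.0.0 0.0.255.255
50 deny ip any 10.0.0.0 0.255.255.255
60 permit ip any any"""
AMENDED_ACL = """10 deny ip any 172.16.0.0 0.15.255.255
20 deny ip any 192.168.0.0 0.0.255.255
30 deny ip any 10.0.0.0 0.255.255.255
99 permit ip any any"""

def _addr_matcher(tokens):
    """Consume 'any' or 'A.B.C.D wildcard' and return (match_fn, remaining_tokens)."""
    if tokens[0] == "any":
        return (lambda ip: True), tokens[1:]
    base = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    # Cisco wildcard bits set to 1 are "don't care": compare only under the inverted mask.
    return (lambda ip, b=base, w=wildcard: (int(ip) & ~w) == (b & ~w)), tokens[2:]

def parse_acl(text):
    """Parse 'show ip access-lists' style entries: '<seq> <permit|deny> ip <src> <dst>'."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        seq, action = int(tokens[0]), tokens[1]   # tokens[2] is the protocol, always 'ip' here
        src_match, rest = _addr_matcher(tokens[3:])
        dst_match, _ = _addr_matcher(rest)
        entries.append((seq, action, src_match, dst_match))
    return entries

def evaluate(acl, src, dst):
    """First matching entry wins; a packet that matches nothing hits the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for seq, action, src_match, dst_match in acl:
        if src_match(s) and dst_match(d):
            return action, seq
    return "deny", None

def compare(acl_a_text, acl_b_text, packets=SAMPLE_PACKETS):
    """Map each (src, dst) to the verdict of each ACL, to check that both have the same effect."""
    a, b = parse_acl(acl_a_text), parse_acl(acl_b_text)
    return {p: (evaluate(a, *p)[0], evaluate(b, *p)[0]) for p in packets}
```

compare() gives the same verdict from both lists for every sample guest packet; the only packets the dropped lines 10 and 30 would have caught are ones whose source is already inside 172.16/12 or 192.168/16, which should not appear inbound on this SVI when guests get 10.x addresses from DHCP.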