cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3122
Views
15
Helpful
9
Replies

Access-list used for wireless access.

BigK
Level 1
Level 1

I saw this access-list applied to a vlan interface on the switch. I don't think it serves any purpose and would like a second opinion.  

**************************************

interface Vlan72
description VLAN_WirelessGuests
ip address 10.100.72.1 255.255.255.0
ip access-group WRLS-GUEST-BLOCK in

*********************************************

Extended IP access list WRLS-GUEST-BLOCK
10 deny ip 172.16.0.0 0.15.255.255 any
20 deny ip any 172.16.0.0 0.15.255.255
30 deny ip 192.168.0.0 0.0.255.255 any
40 deny ip any 192.168.0.0 0.0.255.255
50 deny ip any 10.0.0.0 0.255.255.255
60 permit ip any any

 

 

Thanks

Karim

1 Accepted Solution

Accepted Solutions

Hello,

 

looks like a (partial) anti-spoofing access list. Also, when I think of wireless, most routers dish out addresses in the 10.0.0.0, 172.16.0.0, and 192.168.0.0 range. If this VLAN is used for wireless clients, I would not remove the access list...

View solution in original post

9 Replies 9

Deepak Kumar
VIP Alumni
VIP Alumni

Hi,

According to this ACL, it is blocking private IP subnets. Maybe admin wants guest network must be isolated.

 

 

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Hello,

 

looks like a (partial) anti-spoofing access list. Also, when I think of wireless, most routers dish out addresses in the 10.0.0.0, 172.16.0.0, and 192.168.0.0 range. If this VLAN is used for wireless clients, I would not remove the access list...

@Georg Pauwen

Yes, it used for wireless clients.

Would it possible to provide an example ?

 

Thanks

Karim

Hello,

 

an example of what ? An anti-spoofing access list ?

 

access-list 101 deny ip 0.0.0.0 0.255.255.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 224.0.0.0 15.255.255.255 any log
access-list 101 deny ip host 255.255.255.255 any log

@Georg Pauwen

 

Sorry, The question was not clear. I asked for an example of spoofing but I think I figured it out.

 

The reason we have the acl is that since this is a guest SSID. The user will get an ip adress via DHCP (10.x.x.x) and since we have 10.x.x.x . 192 and 172 networks. the ACL will deniy any to 10.x 192.x and 172.x

Georg referred to this type of access list as anti spoofing. And this type of access list is frequently used on routers at the edge of the network on Internet facing routers. On the Internet facing router there is no packet arriving with a source address in the private address space that is legitimate. And there is no packet being sent out the interface with a destination address in the private address space that is legitimate. So these access lists are implemented to stop the not legitimate traffic. 

 

In your case the access list is not about spoofing. This access list is implemented to be sure that the users in that wireless network are not able to access anything in your inside networks and are only able to communicate with the public Internet.

 

HTH

 

Rick

HTH

Rick

Hello

 


@Georg Pauwen wrote:

Hello,

 

an example of what ? An anti-spoofing access list ?

 

access-list 101 deny ip 0.0.0.0 0.255.255.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 224.0.0.0 15.255.255.255 any log
access-list 101 deny ip host 255.255.255.255 any log


Just like to add the RACL logic of an SVI interface would need to applied OUTBOUND using the above acl.

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

rasmus.elmholt
Level 7
Level 7
It looks like the admin have configure ACL for a wireless guest network.
Block traffic to all private addresses and allow everything else.

Hello
This following amended acl would be more applicable.

 

extended IP access list WRLS-GUEST-BLOCK
10 deny ip 172.16.0.0 0.15.255.255 any
20 deny ip any 172.16.0.0 0.15.255.255
30 deny ip 192.168.0.0 0.0.255.255 any
40 deny ip any 192.168.0.0 0.0.255.255
50 deny ip any 10.0.0.0 0.255.255.255
60 permit ip any any

 

 

extended IP access list WRLS-GUEST-BLOCK
10 deny ip any 172.16.0.0 0.15.255.255
20 deny ip any 192.168.0.0 0.0.255.255
30 deny ip any 10.0.0.0 0.255.255.255
99 permit ip any any

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
Review Cisco Networking for a $25 gift card