Beginner

Access-list used for wireless access.

I saw this access-list applied to a VLAN interface on the switch. I don't think it serves any purpose and would like a second opinion.

**************************************

interface Vlan72
description VLAN_WirelessGuests
ip address 10.100.72.1 255.255.255.0
ip access-group WRLS-GUEST-BLOCK in

*********************************************

Extended IP access list WRLS-GUEST-BLOCK
10 deny ip 172.16.0.0 0.15.255.255 any
20 deny ip any 172.16.0.0 0.15.255.255
30 deny ip 192.168.0.0 0.0.255.255 any
40 deny ip any 192.168.0.0 0.0.255.255
50 deny ip any 10.0.0.0 0.255.255.255
60 permit ip any any

Thanks

Karim

Accepted Solutions
VIP Mentor

Re: Access-list used for wireless access.

Hello,

looks like a (partial) anti-spoofing access list. Also, when I think of wireless, most routers dish out addresses in the 10.0.0.0, 172.16.0.0, and 192.168.0.0 range. If this VLAN is used for wireless clients, I would not remove the access list...

9 REPLIES
Collaborator

Re: Access-list used for wireless access.

Hi,

According to this ACL, it is blocking private IP subnets. Maybe the admin wants the guest network to be isolated.

Regards,

Deepak Kumar

Beginner

Re: Access-list used for wireless access.

@Georg Pauwen

Yes, it is used for wireless clients.

Would it be possible to provide an example?

Thanks

Karim

VIP Mentor

Re: Access-list used for wireless access.

Hello,

An example of what? An anti-spoofing access list?

access-list 101 deny ip 0.0.0.0 0.255.255.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 224.0.0.0 15.255.255.255 any log
access-list 101 deny ip host 255.255.255.255 any log

Beginner

Re: Access-list used for wireless access.

@Georg Pauwen

Sorry, the question was not clear. I asked for an example of spoofing, but I think I figured it out.

The reason we have the ACL is that this is a guest SSID. The user will get an IP address via DHCP (10.x.x.x), and since we have 10.x.x.x, 192.x and 172.x networks, the ACL will deny anything to 10.x, 192.x and 172.x.

Hall of Fame Master

Re: Access-list used for wireless access.

Georg referred to this type of access list as anti-spoofing. And this type of access list is frequently used on routers at the edge of the network on Internet-facing routers. On the Internet-facing router there is no packet arriving with a source address in the private address space that is legitimate. And there is no packet being sent out the interface with a destination address in the private address space that is legitimate. So these access lists are implemented to stop the illegitimate traffic.

In your case the access list is not about spoofing. This access list is implemented to be sure that the users in that wireless network are not able to access anything in your inside networks and are only able to communicate with the public Internet.

HTH

Rick

VIP Advisor

Re: Access-list used for wireless access.

Hello

@Georg Pauwen wrote:

Hello,

An example of what? An anti-spoofing access list?

access-list 101 deny ip 0.0.0.0 0.255.255.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 224.0.0.0 15.255.255.255 any log
access-list 101 deny ip host 255.255.255.255 any log

Just like to add that the RACL logic of an SVI interface would need to be applied OUTBOUND using the above ACL.

kind regards
Paul

Please don't forget to rate any posts that have been helpful.
Enthusiast

Re: Access-list used for wireless access.

It looks like the admin has configured an ACL for a wireless guest network.
Block traffic to all private addresses and allow everything else.
VIP Advisor

Re: Access-list used for wireless access.

Hello

The following amended ACL would be more applicable.

extended IP access list WRLS-GUEST-BLOCK
10 deny ip 172.16.0.0 0.15.255.255 any
20 deny ip any 172.16.0.0 0.15.255.255
30 deny ip 192.168.0.0 0.0.255.255 any
40 deny ip any 192.168.0.0 0.0.255.255
50 deny ip any 10.0.0.0 0.255.255.255
60 permit ip any any

extended IP access list WRLS-GUEST-BLOCK
10 deny ip any 172.16.0.0 0.15.255.255
20 deny ip any 192.168.0.0 0.0.255.255
30 deny ip any 10.0.0.0 0.255.255.255
99 permit ip any any

kind regards
Paul

Please don't forget to rate any posts that have been helpful.
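To make the behaviour of the three lists in this thread concrete, here is an added example (not code from the thread, from Cisco, or from any of the posters): a small Python evaluator that parses IOS extended ACL entries with wildcard masks, applies first-match-wins plus the implicit deny, and runs the original Vlan72 list, Paul's amended list and Georg's anti-spoofing list against constructed sample packets. Assumptions: only `permit`/`deny ip <src> <dst>` entries (no ports or `established`), the guest client address 10.100.72.50 is made up inside the SVI's /24, and the other addresses and the packet labels are constructed for illustration.

```python
"""Evaluate the IOS extended ACLs posted in this thread against sample packets.

Added example, not code from the thread or from Cisco. Simplifications assumed:
'permit/deny ip <src> <dst>' entries only, address specs 'any', 'host A.B.C.D'
or 'A.B.C.D wildcard', first match wins, implicit deny at the end of the list.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    seq: int
    action: str   # "permit" or "deny"
    src: tuple    # (network, wildcard) as 32-bit ints; a wildcard bit of 1 means "don't care"
    dst: tuple


def _addr_spec(tokens):
    """Consume one address spec from the token list; return ((net, wild), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    net, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    return (net, wild), tokens[2:]


def parse_acl(text):
    """Accept 'show ip access-lists' lines ('10 deny ip ...') and config lines ('access-list 101 deny ip ...')."""
    aces = []
    for raw in text.strip().splitlines():
        tok = raw.split()
        if not tok or tok[0].lower() in ("extended", "!", "remark"):
            continue
        if tok[0] == "access-list":            # config form carries no sequence numbers: number in order
            seq, tok = (len(aces) + 1) * 10, tok[2:]
        else:                                  # show form: leading sequence number
            seq, tok = int(tok[0]), tok[1:]
        action, proto, tok = tok[0], tok[1], tok[2:]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported entry: {raw}")
        src, tok = _addr_spec(tok)
        dst, tok = _addr_spec(tok)             # a trailing 'log' keyword is simply left over
        aces.append(Ace(seq, action, src, dst))
    return aces


def _matches(spec, addr):
    net, wild = spec
    care = ~wild & 0xFFFFFFFF                  # bits the entry actually compares
    return (addr & care) == (net & care)


def evaluate(aces, src_ip, dst_ip):
    """Return (action, seq) of the first matching entry, or ('deny', None) for the implicit deny."""
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for ace in aces:
        if _matches(ace.src, s) and _matches(ace.dst, d):
            return ace.action, ace.seq
    return "deny", None


# The three lists exactly as posted: the one on Vlan72, Paul's amended version, Georg's anti-spoofing example.
ORIGINAL = """
10 deny ip 172.16.0.0 0.15.255.255 any
20 deny ip any 172.16.0.0 0.15.255.255
30 deny ip 192.168.0.0 0.0.255.255 any
40 deny ip any 192.168.0.0 0.0.255.255
50 deny ip any 10.0.0.0 0.255.255.255
60 permit ip any any
"""
AMENDED = """
10 deny ip any 172.16.0.0 0.15.255.255
20 deny ip any 192.168.0.0 0.0.255.255
30 deny ip any 10.0.0.0 0.255.255.255
99 permit ip any any
"""
ANTI_SPOOF = """
access-list 101 deny ip 0.0.0.0 0.255.255.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 224.0.0.0 15.255.255.255 any log
access-list 101 deny ip host 255.255.255.255 any log
"""

# Constructed sample traffic (not from the thread) as seen by an inbound ACL on the guest SVI.
PACKETS = [
    ("guest to Internet",        "10.100.72.50", "8.8.8.8"),
    ("guest to inside 10/8",     "10.100.72.50", "10.1.1.10"),
    ("guest to inside 192.168",  "10.100.72.50", "192.168.10.5"),
    ("guest to inside 172.16",   "10.100.72.50", "172.20.1.1"),
    ("guest to its own gateway", "10.100.72.50", "10.100.72.1"),
    ("spoofed 192.168 source",   "192.168.1.1",  "8.8.8.8"),
    ("spoofed 10/8 source",      "10.9.9.9",     "8.8.8.8"),
    ("spoofed loopback source",  "127.0.0.1",    "8.8.8.8"),
]


def verdicts(acl_text, packets=PACKETS):
    """Map each packet label to the (action, seq) verdict the given ACL produces."""
    aces = parse_acl(acl_text)
    return {label: evaluate(aces, s, d) for label, s, d in packets}


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("amended", AMENDED), ("anti-spoof 101", ANTI_SPOOF)):
        print(name)
        for label, (action, seq) in verdicts(text).items():
            print(f"  {label:26} {action:6} seq {seq if seq is not None else 'implicit'}")
```

Reading the verdicts side by side shows what each list really does on an inbound SVI ACL, where the source is always a guest (or whatever a guest claims to be) and the destination is wherever the guest sends. The original list permits guest-to-Internet traffic and denies every RFC 1918 destination, which includes the SVI's own 10.100.72.1 and any DNS server on a private address, so anything guests need on 10/8 has to be permitted above entry 50. Its two source entries reject packets claiming a 172.16/12 or 192.168/16 source, but not a spoofed 10/8 source, because the guests themselves live in 10/8; a tighter list would permit only 10.100.72.0/24 as a source. Paul's amended list drops the source checks, so the spoofed 192.168 packet is permitted to the Internet. Georg's list 101 as quoted has no permit entry, so every packet it does not explicitly deny falls through to the implicit deny, and a permit ip any any has to follow it before it can be used on a live interface.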