Created ACL for Public wireless, applied with no effect.

jjohnson1980
Level 1

So there are two VLANs traveling over the port attached to the controller (User VLAN 100 and Guest VLAN 102). I need to block the guest from everything but the internet while allowing the free flow of everything else on the User VLAN.

All info sanitized, of course.

I think I have the ACLs for everything else down but I'm not sure about the web access for the GUEST VLAN.

ip access-list extended Wireless
 permit ip 172.100.0.0 0.0.255.255 any
 permit udp any any eq bootpc
 permit udp any any eq bootps
 permit udp any any eq domain
 permit tcp any any eq domain
 deny ip 172.102.0.0 0.0.255.255 10.5.6.0 0.0.0.255
 deny ip 172.102.0.0 0.0.255.255 10.5.5.0 0.0.0.255
 deny ip 172.102.0.0 0.0.255.255 10.5.4.0 0.0.0.255
 deny ip 172.102.0.0 0.0.255.255 10.5.3.0 0.0.0.255
 deny ip 172.102.0.0 0.0.255.255 10.5.2.0 0.0.0.255
 deny ip 172.102.0.0 0.0.255.255 10.5.1.0 0.0.0.255
 deny ip 172.102.0.0 0.0.255.255 10.5.0.0 0.0.0.255
 deny ip 172.102.0.0 0.0.255.255 10.100.0.0 0.0.0.255
 deny ip 172.102.0.0 0.0.255.255 10.101.0.0 0.0.0.255
 permit ip any any
!
interface GigabitEthernet0/19
 description MERU Controller
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 switchport trunk allowed vlan 100,102
 switchport mode trunk
 no ip address
 ip access-group Wireless in
 no mdix auto
 spanning-tree portfast
!
interface FastEthernet0/22
 description MERU AP 8
 switchport access vlan 100
 switchport trunk native vlan 100
 switchport mode access
 no ip address
 ip access-group Wireless in

2 Replies

jjohnson1980
Level 1

I have found that applying this ACL to an access port works just fine. The only problem is applying it to a trunk interface. I cannot seem to find anything that works to fix this. I found some things about PACLs, but the mode command does not exist in the IOS I have. Any help would be great.

jjohnson1980
Level 1

I finally figured it out. I still do not know why you can't apply an ACL to a trunk, but whatever.

Solution: Created an ACL for the inbound VLAN interface of the Public VLAN. Deleted the "deny ip any any" statement and created a deny statement for each individual subnet that I do not want the Public VLAN to have access to.

permit ip 172.100.0.0 0.0.255.255 any
permit ip 172.101.0.0 0.0.255.255 any
permit ip 172.5.6.0 0.0.0.255 any
permit ip 172.5.3.0 0.0.0.255 any
permit ip 172.5.2.0 0.0.0.255 any
permit ip 172.5.1.0 0.0.0.255 any
permit ip 172.5.0.0 0.0.0.255 any
permit udp any any eq bootpc
permit udp any any eq bootps
permit udp any any eq domain
permit tcp any any eq domain
deny ip 172.102.0.0 0.0.255.255 172.100.0.0 0.0.255.255
deny ip 172.102.0.0 0.0.255.255 172.101.0.0 0.0.255.255
deny ip 172.102.0.0 0.0.255.255 172.5.6.0 0.0.0.255
deny ip 172.102.0.0 0.0.255.255 172.5.3.0 0.0.0.255
deny ip 172.102.0.0 0.0.255.255 172.5.2.0 0.0.0.255
deny ip 172.102.0.0 0.0.255.255 172.5.1.0 0.0.0.255
deny ip 172.102.0.0 0.0.255.255 172.5.0.0 0.0.0.255
permit ip any any
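As an added example (not from the thread and not Cisco code), below is a small Python evaluator that parses the solution ACL posted in the reply above, in standard IOS extended-ACL syntax, and applies IOS first-match semantics (wildcard bit 1 = don't care, implicit deny at the end) to a handful of constructed flows from a guest client. The ACL text is copied from the reply; the client address 172.102.10.20, the destinations 93.184.216.34, 172.100.5.9, 172.5.1.10 and 172.5.5.7, and the protocols/ports are assumptions chosen to exercise the list. It lets you check an ACL offline before applying it to the SVI.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ACL exactly as posted in the reply above (lower-cased; IOS is case-insensitive here).
GUEST_ACL = """
permit ip 172.100.0.0 0.0.255.255 any
permit ip 172.101.0.0 0.0.255.255 any
permit ip 172.5.6.0 0.0.0.255 any
permit ip 172.5.3.0 0.0.0.255 any
permit ip 172.5.2.0 0.0.0.255 any
permit ip 172.5.1.0 0.0.0.255 any
permit ip 172.5.0.0 0.0.0.255 any
permit udp any any eq bootpc
permit udp any any eq bootps
permit udp any any eq domain
permit tcp any any eq domain
deny ip 172.102.0.0 0.0.255.255 172.100.0.0 0.0.255.255
deny ip 172.102.0.0 0.0.255.255 172.101.0.0 0.0.255.255
deny ip 172.102.0.0 0.0.255.255 172.5.6.0 0.0.0.255
deny ip 172.102.0.0 0.0.255.255 172.5.3.0 0.0.0.255
deny ip 172.102.0.0 0.0.255.255 172.5.2.0 0.0.0.255
deny ip 172.102.0.0 0.0.255.255 172.5.1.0 0.0.0.255
deny ip 172.102.0.0 0.0.255.255 172.5.0.0 0.0.0.255
permit ip any any
"""

# IOS port keywords used in the ACL (bootps/bootpc/domain are the standard names).
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp" or "udp"
    src: Tuple[int, int]        # (network, wildcard) as 32-bit ints
    dst: Tuple[int, int]
    dport: Optional[int]        # destination port from "eq <port>", or None


def _parse_addr(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wild), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse the subset of IOS extended-ACL syntax used on this page."""
    aces = []
    for line in text.strip().splitlines():
        t = line.lower().split()
        if not t:
            continue
        action, proto = t[0], t[1]
        src, i = _parse_addr(t, 2)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def _wild_match(addr: int, spec: Tuple[int, int]) -> bool:
    """Cisco wildcard: a 1 bit in the mask means 'don't care' for that bit."""
    net, wild = spec
    return (addr & ~wild & 0xFFFFFFFF) == (net & ~wild & 0xFFFFFFFF)


def evaluate(aces: List[Ace], src: str, dst: str, proto: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First-match lookup. Returns (action, 1-based ACE number) or ('deny', None)
    for the implicit deny that ends every IOS ACL."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for n, ace in enumerate(aces, 1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not _wild_match(s, ace.src) or not _wild_match(d, ace.dst):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, n
    return "deny", None


GUEST_ACES = parse_acl(GUEST_ACL)

# Constructed sample flows from a guest client (all addresses assumed).
SAMPLE_FLOWS = [
    ("172.102.10.20", "93.184.216.34", "tcp", 443),   # internet HTTPS
    ("172.102.10.20", "172.100.5.9", "tcp", 445),     # User VLAN file share
    ("172.102.10.20", "172.5.1.10", "udp", 53),       # internal DNS server
    ("172.102.10.20", "172.5.1.10", "tcp", 445),      # same server, SMB
    ("172.102.10.20", "172.5.5.7", "tcp", 22),        # subnet missing from the deny list
    ("0.0.0.0", "255.255.255.255", "udp", 67),        # DHCP discover
]


def check_flows(aces=GUEST_ACES, flows=SAMPLE_FLOWS):
    """Evaluate each sample flow; returns (src, dst, proto, dport, action, ace_no) rows."""
    return [flow + evaluate(aces, *flow) for flow in flows]


if __name__ == "__main__":
    for row in check_flows():
        print("%-15s -> %-15s %s/%-4s %-6s ACE %s" % row)
```

Two things the run makes visible. Because the list ends with `permit ip any any`, any internal subnet not explicitly denied (172.5.5.0/24 in the sample) is reachable from the guest VLAN, so the deny list has to be kept in step with every addressing change; a deny of the whole internal range placed before the final permit avoids that. And since the list is applied inbound on the guest SVI, only guest-sourced packets enter there, so the leading permits for 172.100.x, 172.101.x and 172.5.x sources only ever match spoofed sources.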
