01-16-2012 10:10 AM - edited 03-04-2019 02:55 PM
So there are two VLAN's traveling over the port attached to the controller (User vlan 100, and Guest vlan 102). I need to block the guest from everything but the internet allowing the free flow of everything else on the User vlan.
All info sanitized of course.
I think I have the ACLs for everything else down, but I am not sure about the web access for the GUEST VLAN.
ip access-list extended Wireless
permit ip 172.100.0.0 0.0.255.255 any
permit udp any any eq bootpc
permit udp any any eq bootps
permit udp any any eq domain
permit tcp any any eq domain
deny ip 172.102.0.0 0.0.255.255 10.5.6.0 0.0.0.255
deny ip 172.102.0.0 0.0.255.255 10.5.5.0 0.0.0.255
deny ip 172.102.0.0 0.0.255.255 10.5.4.0 0.0.0.255
deny ip 172.102.0.0 0.0.255.255 10.5.3.0 0.0.0.255
deny ip 172.102.0.0 0.0.255.255 10.5.2.0 0.0.0.255
deny ip 172.102.0.0 0.0.255.255 10.5.1.0 0.0.0.255
deny ip 172.102.0.0 0.0.255.255 10.5.0.0 0.0.0.255
deny ip 172.102.0.0 0.0.255.255 10.100.0.0 0.0.0.255
deny ip 172.102.0.0 0.0.255.255 10.101.0.0 0.0.0.255
permit ip any any
interface GigabitEthernet0/19
description MERU Controller
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport trunk allowed vlan 100,102
switchport mode trunk
no ip address
ip access-group Wireless in
no mdix auto
spanning-tree portfast
interface FastEthernet0/22
description MERU AP 8
switchport access vlan 100
switchport trunk native vlan 100
switchport mode access
no ip address
ip access-group Wireless in
01-16-2012 03:20 PM
I have found that applying this ACL to an access port works just fine. The only problem is applying it to a trunk interface. I cannot seem to find anything that works to fix this. I found some things about PACLs, but the mode command does not exist in the IOS I have. Any help would be great.
01-17-2012 04:27 PM
I finally figured it out. I still do not know why you can't apply an ACL to a trunk, but whatever.
Solution: Created an ACL for the inbound VLAN interface of the Public VLAN. Deleted the deny ip any any statement and created a deny statement for each individual subnet that I do not want the Public VLAN to have access to.
permit ip 172.100.0.0 0.0.255.255 any
permit ip 172.101.0.0 0.0.255.255 any
permit ip 172.5.6.0 0.0.0.255 any
permit ip 172.5.3.0 0.0.0.255 any
permit ip 172.5.2.0 0.0.0.255 any
permit ip 172.5.1.0 0.0.0.255 any
permit ip 172.5.0.0 0.0.0.255 any
permit udp any any eq bootpc
permit udp any any eq bootps
permit udp any any eq domain
permit tcp any any eq domain
deny ip 172.102.0.0 0.0.255.255 172.100.0.0 0.0.255.255
deny ip 172.102.0.0 0.0.255.255 172.101.0.0 0.0.255.255
deny ip 172.102.0.0 0.0.255.255 172.5.6.0 0.0.0.255
deny ip 172.102.0.0 0.0.255.255 172.5.3.0 0.0.0.255
deny ip 172.102.0.0 0.0.255.255 172.5.2.0 0.0.0.255
deny ip 172.102.0.0 0.0.255.255 172.5.1.0 0.0.0.255
deny ip 172.102.0.0 0.0.255.255 172.5.0.0 0.0.0.255
permit ip any any
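As an added example (not code from this thread or from Cisco), a small Python evaluator that applies IOS first-match, wildcard-mask semantics to the final ACL above, so you can check which flows the guest VLAN gets before putting the list on the VLAN interface; the client and destination addresses passed to evaluate() are constructed.

```python
import ipaddress

# Added example (not the thread's own code): first-match evaluator for the ACL
# in the final reply. Addresses passed to evaluate() below are constructed.
ACL = """\
permit ip 172.100.0.0 0.0.255.255 any
permit ip 172.101.0.0 0.0.255.255 any
permit ip 172.5.6.0 0.0.0.255 any
permit ip 172.5.3.0 0.0.0.255 any
permit ip 172.5.2.0 0.0.0.255 any
permit ip 172.5.1.0 0.0.0.255 any
permit ip 172.5.0.0 0.0.0.255 any
permit udp any any eq bootpc
permit udp any any eq bootps
permit udp any any eq domain
permit tcp any any eq domain
deny ip 172.102.0.0 0.0.255.255 172.100.0.0 0.0.255.255
deny ip 172.102.0.0 0.0.255.255 172.101.0.0 0.0.255.255
deny ip 172.102.0.0 0.0.255.255 172.5.6.0 0.0.0.255
deny ip 172.102.0.0 0.0.255.255 172.5.3.0 0.0.0.255
deny ip 172.102.0.0 0.0.255.255 172.5.2.0 0.0.0.255
deny ip 172.102.0.0 0.0.255.255 172.5.1.0 0.0.0.255
deny ip 172.102.0.0 0.0.255.255 172.5.0.0 0.0.0.255
permit ip any any"""
PORTS = {"bootpc": 68, "bootps": 67, "domain": 53}  # named ports used in the ACL

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _addr(tok):
    # Consume 'any' or 'network wildcard'; return remaining tokens, (net, wild)
    if tok[0] == "any":
        return tok[1:], (0, 0xFFFFFFFF)
    return tok[2:], (_ip(tok[0]), _ip(tok[1]))

def evaluate(proto, src, dst, dport=None, acl=ACL):
    # Top-down, first match wins, implicit deny at the end; wildcard bits set to 1 are "don't care"
    for line in acl.splitlines():
        tok = line.lower().split()
        action, p, tok = tok[0], tok[1], tok[2:]
        tok, (snet, swild) = _addr(tok)
        tok, (dnet, dwild) = _addr(tok)
        port = PORTS[tok[1]] if tok[:1] == ["eq"] else None
        if (p in ("ip", proto) and (port is None or port == dport)
                and (_ip(src) | swild) == (snet | swild)
                and (_ip(dst) | dwild) == (dnet | dwild)):
            return action
    return "deny"
```

Calling evaluate("tcp", "172.102.10.20", "172.100.1.5", 445) returns "deny", while the same guest client to 203.0.113.10 on 443 returns "permit". Because the DNS and DHCP permits sit above the deny lines, a guest client can still reach a DNS server inside the denied subnets on port 53, which is the intended exception but worth confirming against your own list.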