Access-List to isolate wireless LAN from LAN

Jobin Varghese
Level 1

I am trying to create an extended access list based on the scenario in the diagram.

I have a wireless LAN on 10.xxx.xxx.xx. I do not want these clients to access my LAN on 128.1.xxx.xxx, 172.18.xxx.xxx or 172.19.xxx.xxx.

However, I want them to access the core switch and also the UTM firewall in order to have access to the Internet.

I also want the network admin on the LAN to be able to access the DHCP server for the WLAN.

Any client that tries to access the access point should also be able to receive a lease from the DHCP server 10.0.0.1.

The WLAN is connected to interface 4/1 on the core switch, on which the command "ip access-group wireless in" was applied.

Access list:

ip access-list extended wireless
 permit ip host 10.0.0.1 host 172.19.aaa.bbb
 permit ip 10.0.0.0 0.0.0.255 host ipofUTM
 permit ip 10.0.0.0 0.0.0.255 host ipofCORE

I am not able to receive any lease after this.

12 Replies

ALIAOF_
Level 6

I'm going to assume you have a WLAN controller connected to the core switch, so the example below is related to that. If you have a different setup, please elaborate.

OK, so on the core you'll need a VLAN for your WLAN. Let's say it's VLAN 10. So under that VLAN you'll do

"ip helper-address 10.0.0.1"

Then the ACL can be something like this:

ip access-list extended wireless
 permit ip host 10.0.0.1 host 172.19.aaa.bbb
 deny ip 10.0.0.0 0.0.0.255 172.18.0.0 0.0.0.255
 deny ip 10.0.0.0 0.0.0.255 172.19.0.0 0.0.0.255
 permit ip any any

Mohammad Ali wrote:

I'm going to assume you have a WLAN controller connected to the core switch, so the example below is related to that. If you have a different setup, please elaborate.

OK, so on the core you'll need a VLAN for your WLAN. Let's say it's VLAN 10. So under that VLAN you'll do

"ip helper-address 10.0.0.1"

Then the ACL can be something like this:

ip access-list extended wireless
 permit ip host 10.0.0.1 host 172.19.aaa.bbb
 deny ip 10.0.0.0 0.0.0.255 172.18.0.0 0.0.0.255
 deny ip 10.0.0.0 0.0.0.255 172.19.0.0 0.0.0.255
 permit ip any any

I do not have a WLAN controller as of now.

I have specified a VLAN and an ip helper address for it in the core, too.

I tried what you said:

interface GigabitEthernet4/1
 switchport access vlan 200
 switchport mode access
 ip access-group wireless in

ip access-list extended wireless
 permit ip host 10.0.0.1 host 172.19.aaa.bbb
 permit ip 10.0.0.0 0.255.255.255 host 128.1.xxx.yyy  [where 128.1.xxx.yyy is my firewall]
 permit ip 10.0.0.0 0.255.255.255 host 128.1.aaa.bbb  [where 128.1.aaa.bbb is my core]
 deny   ip 10.0.0.0 0.255.255.255 172.18.0.0 0.0.255.255
 deny   ip 10.0.0.0 0.255.255.255 172.19.0.0 0.0.255.255
 deny   ip 10.0.0.0 0.255.255.255 128.1.0.0 0.0.248.255
 permit ip any any
!

But any lease on my WLAN is still able to ping my LAN.
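To check an isolation ACL like the one above offline before applying it, here is an added example (not code from any poster in this thread) that evaluates Cisco extended ACEs with IOS wildcard-mask and first-match semantics. The firewall (128.1.10.1), core (128.1.10.2) and admin host for the DHCP server (172.19.1.5) are constructed values, since the thread masks them.

```python
import ipaddress
from collections import namedtuple

# One extended ACE: addresses as integers; wildcard 1 bits are "don't care"
Ace = namedtuple("Ace", "action src src_wc dst dst_wc")

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _addr_pair(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z'; return (addr, wildcard), rest."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]

def parse_ace(line):
    """Parse '<permit|deny> ip <src> <dst>' as written in the thread's ACL."""
    action, proto, *rest = line.split()
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError("unsupported ACE: " + line)
    (src, src_wc), rest = _addr_pair(rest)
    (dst, dst_wc), _ = _addr_pair(rest)
    return Ace(action, src, src_wc, dst, dst_wc)

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: only bits that are 0 in the wildcard must match."""
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (base & care)

def evaluate(acl, src, dst):
    """First matching entry wins; every ACL ends with an implicit 'deny ip any any'."""
    s, d = _ip(src), _ip(dst)
    for ace in acl:
        if wildcard_match(s, ace.src, ace.src_wc) and wildcard_match(d, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"

# Jobin's ACL with the masked hosts replaced by constructed values:
# firewall 128.1.10.1, core 128.1.10.2, admin host for the DHCP server 172.19.1.5.
WIRELESS = [parse_ace(l) for l in """
permit ip host 10.0.0.1 host 172.19.1.5
permit ip 10.0.0.0 0.255.255.255 host 128.1.10.1
permit ip 10.0.0.0 0.255.255.255 host 128.1.10.2
deny   ip 10.0.0.0 0.255.255.255 172.18.0.0 0.0.255.255
deny   ip 10.0.0.0 0.255.255.255 172.19.0.0 0.0.255.255
deny   ip 10.0.0.0 0.255.255.255 128.1.0.0 0.0.248.255
permit ip any any
""".strip().splitlines()]
```

The `ip` keyword matches every IP protocol, ICMP included, so pings get the same verdicts as any other traffic. Running `evaluate(WIRELESS, "10.0.5.7", "128.1.3.9")` returns "permit" while "128.1.8.9" returns "deny": the last deny's wildcard 0.0.248.255 ignores the high five bits of the third octet (248 is 11111000), so it only blocks third octets that are multiples of 8.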

You need this command under the VLAN SVI:

ip access-group wireless in

Mohammad Ali wrote:

You need this command under the VLAN SVI:

ip access-group wireless in

Thank you, Mohammed. That seems to do what is required. But I do face a slight issue.

There is an issue with pings to my LAN being shown as "Destination net unreachable" rather than "Request timed out".

Update:

After a few checks I have a serious issue because of this access list. The phones look for Exchange and other services locally rather than taking the route to the firewall and accessing them over the Internet.

Jobin Varghese
Level 1

Any help? I'm totally lost.

Hi Jobin,

Where did you apply your wireless ACL? On interface Vlan 200 or on interface GigabitEthernet4/1? You should apply your ACL on VLAN 200.

By the way, I see you are trying to ping, while I can't see an ACL entry for ICMP in your access list (e.g. permit icmp any any).

In your update you said your phones look for Exchange locally, then over the Internet? Which VLAN are your phones in? Do you mean you changed the wireless ACL and it affects other services in other VLANs?

Thomas Fan wrote:

Hi Jobin,

Where did you apply your wireless ACL? On interface Vlan 200 or on interface GigabitEthernet4/1? You should apply your ACL on VLAN 200.

By the way, I see you are trying to ping, while I can't see an ACL entry for ICMP in your access list (e.g. permit icmp any any).

In your update you said your phones look for Exchange locally, then over the Internet? Which VLAN are your phones in? Do you mean you changed the wireless ACL and it affects other services in other VLANs?

I applied it on interface Vlan 200.

Regarding the phones, what I meant is: the phones that are using VLAN 200, rather than going through the firewall and taking the external route, are not getting the local Exchange and Lync service because of the destination unreachable issue shown in the ping.

The devices on VLAN 200 now recognize that there is a local route, rather than trying through the firewall over the Internet for the same.

OK, so VLAN 200 is the wireless VLAN and you don't want users to be able to reach your other VLANs. You were able to accomplish this via the ACL, but now you have an issue with the VoIP phones that are sitting on VLAN 200. So they need to be able to reach their phone switch etc. You'll need to update the access list to allow VLAN 200 access to the devices that are handling all that.

Mohammed, thanks for the reply. The real requirement is an isolated network within the present network to handle wireless connections.

But the devices also need to access the firewall via the same core.

Though it is a partial success, I still have the wireless devices recognizing the other VLANs.

Hello,

You could also try removing the WLAN VLAN from the trunks of the other switches.

res

Paul

Please don't forget to rate any posts that have been helpful.

Thanks.


I am confused: you do not want the traffic from the wireless VLAN to reach the internal networks such as 172.x.x.x, but you are also trying to ping one of the IPs on the 172.x.x.x network and saying that you can't ping it. Secondly, you are also saying that the phones that are on wireless VLAN 200 are not working, which most likely is because the back-end infrastructure for the phones resides on the 172.x.x.x network. So can you elaborate what exactly you are trying to accomplish? Do you want to be able to access the 172.x.x.x network from wireless VLAN 200 or not?

Thank you for the reply.

The reason for trying to ping 172.x.x.x was just to make sure that there is no sort of communication. But what I am receiving, rather than a time out, is destination unreachable.

The real requirement is that WLAN 200 should not know about or reach the internal network, but have all its resources reached through the firewall over the Internet.
