04-26-2007 07:16 AM - edited 03-05-2019 03:42 PM
I have 6 3750 switches stacked and I'm having problems getting one of my ACLs to function properly. I am setting up a guest network for wireless and need to block all traffic to my network except for any requests for DNS and DHCP.
I am using an AP-1130 for my wireless with 2 SSIDs.
Here is the config for the port the AP is on, along with the VLAN information and the ACL:
vlan access-map Block_Guest 10
action forward
match ip address Block_Guest
interface GigabitEthernet3/0/40
description IT VLAN
switchport access vlan 100
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport mode trunk
spanning-tree portfast
interface Vlan192
description Guest VLAN
ip address 192.168.5.1 255.255.255.0
ip helper-address 10.0.0.21
ip access-list extended Block_Guest
permit udp any any eq domain
deny ip any 10.0.0.0 0.0.0.255
Thanks
Mike
04-26-2007 07:35 AM
Mike,
You need to apply this access-map in global configuration mode.
Can you try this:
vlan filter Block_Guest vlan-list 192
I would have slightly modified the access-map to:
ip access-list extended Block_Guest
permit udp any any eq domain
permit udp any any eq 67
permit udp any any eq 68
vlan access-map Block_Guest 10
match ip address Block_Guest
action forward
vlan access-map Block_Guest 20
action drop
vlan filter Block_Guest vlan-list 192
HTH, rate if it does
Narayan
04-26-2007 07:53 AM
Narayan,
Still able to browse one of my fileservers on the 10.0.0.0/24 network.
Here are the appropriate outputs:
Confirma_3750G#show vlan filter access-map Block_Guest
VLAN Map Block_Guest is filtering VLANs:
192
show vlan access-map Block_Guest
Vlan access-map "Block_Guest" 10
Match clauses:
ip address: Block_Guest
Action:
forward
Vlan access-map "Block_Guest" 20
Match clauses:
Action:
drop
show ip access-lists Block_Guest
Extended IP access list Block_Guest
10 permit udp any any eq domain
20 permit udp any any eq bootps
30 permit udp any any eq bootpc
I did apply your suggested access-map that you listed above.
04-26-2007 08:12 AM
Can you post the running config?
Narayan
04-26-2007 08:22 AM
04-26-2007 08:38 AM
Mike,
Since you are trying to block traffic between VLANs, it is better to use RACLs rather than VACLs.
VLAN access lists (VACLs) are filters that directly can affect how packets are handled within a VLAN.
Can you try:
ip access-list extended Block_Guest
permit udp any any eq domain
permit udp any any eq 68
permit udp any any eq 67
interface vlan 192
ip access-group Block_Guest in
HTH, rate if it does
Narayan
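To make the first-match and implicit-deny behaviour that both suggestions depend on concrete, here is an added example (not code from the thread) that evaluates Mike's original Block_Guest list and Narayan's revised one against a few constructed guest-client packets. The ACL text is copied from the posts; the packets, and the helper names, are assumptions made for illustration.

```python
"""Added example, not code from the thread: a small evaluator for the
IOS extended-ACL semantics that both of Narayan's suggestions rely on.
Clauses are tested in order, the first match decides, and a packet that
matches no clause hits the implicit deny at the end of the list.
The sample packets are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

# Keywords IOS accepts in 'eq'; 'show ip access-lists' printed 67/68 as
# bootps/bootpc in the thread.
PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68}

# Mike's original list and Narayan's revision, as posted.
ORIGINAL_ACL = """
ip access-list extended Block_Guest
permit udp any any eq domain
deny ip any 10.0.0.0 0.0.0.255
"""
REVISED_ACL = """
ip access-list extended Block_Guest
permit udp any any eq domain
permit udp any any eq 67
permit udp any any eq 68
"""


@dataclass(frozen=True)
class Packet:
    proto: str        # "udp", "tcp" or "icmp"
    src: str
    dst: str
    dport: int = 0    # 0 for protocols without ports


def _port(token):
    return PORT_NAMES.get(token) or int(token)


def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # An IOS wildcard is a host mask, which ipaddress accepts after the slash
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_acl(text):
    """Return [(seq, action, proto, src_net, dst_net, dport_or_None), ...]."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[0] not in ("permit", "deny"):
            continue                      # skip the 'ip access-list' header
        action, proto = tokens[0], tokens[1]
        tokens = tokens[2:]
        src = _parse_addr(tokens)
        if tokens and tokens[0] == "eq":  # source-port clause, unused here
            tokens = tokens[2:]
        dst = _parse_addr(tokens)
        dport = _port(tokens[1]) if tokens and tokens[0] == "eq" else None
        rules.append((10 * (len(rules) + 1), action, proto, src, dst, dport))
    return rules


def evaluate(rules, pkt):
    """First-match evaluation; returns (action, seq). seq is None for the
    implicit deny that catches anything no clause matched."""
    for seq, action, proto, src, dst, dport in rules:
        if proto != "ip" and proto != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in src:
            continue
        if ipaddress.ip_address(pkt.dst) not in dst:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action, seq
    return "deny", None


# Constructed traffic from a guest client on the 192.168.5.0/24 SVI subnet
SAMPLES = {
    "dns":  Packet("udp", "192.168.5.10", "10.0.0.21", 53),
    "dhcp": Packet("udp", "0.0.0.0", "255.255.255.255", 67),
    "smb":  Packet("tcp", "192.168.5.10", "10.0.0.5", 445),
    "ping": Packet("icmp", "192.168.5.10", "10.0.0.5"),
}


def classify(acl_text):
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_ACL), ("revised", REVISED_ACL)):
        print(label, classify(text))
```

Two things worth noticing from the output: the original list already drops the file-server traffic (explicit deny at sequence 20) and everything else (implicit deny), but it also drops the client's DHCP discover, which is what the two extra permits in the revised list take care of. Placement matters as much as the clauses: `ip access-group Block_Guest in` on `interface vlan 192` only sees packets the SVI routes out of VLAN 192, so bridged traffic that stays inside the VLAN is never inspected, while a VACL applied with `vlan filter` is evaluated on bridged frames as well. Either way, the filter only helps if the guest SSID's frames really do arrive tagged as VLAN 192.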
04-26-2007 10:42 AM
Narayan,
I think the problem is due to this being a trunked port. When I go and bring up the MAC table it shows the AP on 3 different VLANs:
Vlan Mac Address Type Ports
---- ----------- -------- -----
1 001a.a2b5.8ae2 DYNAMIC Gi3/0/40
100 001a.a2b5.8ae2 DYNAMIC Gi3/0/40
192 001a.a2b5.8ae2 DYNAMIC Gi3/0/40
Here is the config for that port:
interface GigabitEthernet3/0/40
description IT VLAN
switchport access vlan 100
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport mode trunk
spanning-tree portfast
The native trunk VLAN 100 is to allow employees that are connecting to the proper SSID to get the proper IP. I'm not sure why VLAN 1 is there.
04-26-2007 11:28 AM
Update... when I do a show int vlan I get the following output.
Port Mode Encapsulation Status Native vlan
Gi1/0/23 on 802.1q trunking 100
Gi3/0/40 on 802.1q trunking 100
Gi4/0/22 on 802.1q trunking 100
Gi5/0/10 on 802.1q trunking 100
Port Vlans allowed on trunk
Gi1/0/23 1-4094
Gi3/0/40 1-4094
Gi4/0/22 1-4094
Gi5/0/10 1-4094
Port Vlans allowed and active in management domain
Gi1/0/23 1,100-105,110-111,192,254
Gi3/0/40 1,100-105,110-111,192,254
Gi4/0/22 1,100-105,110-111,192,254
Gi5/0/10 1,100-105,110-111,192,254
Port Vlans in spanning tree forwarding state and not pruned
Gi1/0/23 1,100-105,110-111,192,254
Gi3/0/40 1,100-105,110-111,192,254
Gi4/0/22 1,100-105,110-111,192,254
Gi5/0/10 1,100-105,110-111,192,254
I think this is what is causing my problem: if you look at Gi3/0/40 it shows that all the VLANs are able to go out.
Maybe things are too complex for what I want to do. I don't know though.
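The trunk output above is easy to audit mechanically. The following added example (not code from the thread) parses a `show interfaces trunk` listing like the one Mike posted, flags ports whose allowed list is the full 1-4094 range, and, given the VLANs a port genuinely needs, reports which active VLANs it is carrying for no reason and builds the `switchport trunk allowed vlan` line that prunes it. The listing is copied from the post; the assumption that Gi3/0/40 only needs VLANs 100 (native, employees) and 192 (guest) comes from Mike's description and is labelled as such.

```python
"""Added example, not code from the thread: audit 'show interfaces trunk'
output for trunks that carry every VLAN. The text below is copied from the
post; NEEDED is an assumption based on Mike's description of the AP port."""

ALL_VLANS = set(range(1, 4095))

SHOW_TRUNK = """\
Port Mode Encapsulation Status Native vlan
Gi1/0/23 on 802.1q trunking 100
Gi3/0/40 on 802.1q trunking 100
Gi4/0/22 on 802.1q trunking 100
Gi5/0/10 on 802.1q trunking 100
Port Vlans allowed on trunk
Gi1/0/23 1-4094
Gi3/0/40 1-4094
Gi4/0/22 1-4094
Gi5/0/10 1-4094
Port Vlans allowed and active in management domain
Gi1/0/23 1,100-105,110-111,192,254
Gi3/0/40 1,100-105,110-111,192,254
Gi4/0/22 1,100-105,110-111,192,254
Gi5/0/10 1,100-105,110-111,192,254
Port Vlans in spanning tree forwarding state and not pruned
Gi1/0/23 1,100-105,110-111,192,254
Gi3/0/40 1,100-105,110-111,192,254
Gi4/0/22 1,100-105,110-111,192,254
Gi5/0/10 1,100-105,110-111,192,254
"""

# Assumption: the AP port carries the employee VLAN (native 100) and the
# guest VLAN (192) and nothing else.
NEEDED = {"Gi3/0/40": {100, 192}}


def parse_vlan_list(spec):
    """Expand '1,100-105,192' into a set of VLAN ids."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_show_trunk(text):
    """Return {port: {native, allowed, active, forwarding, ...}}."""
    ports, section = {}, ""
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "Port":            # a section header names the column
            section = " ".join(tokens[1:])
            continue
        info = ports.setdefault(tokens[0], {})
        if section.startswith("Mode"):
            info["mode"], info["encap"], info["status"] = tokens[1:4]
            info["native"] = int(tokens[4])
        elif section == "Vlans allowed on trunk":
            info["allowed"] = parse_vlan_list(tokens[1])
        elif section.startswith("Vlans allowed and active"):
            info["active"] = parse_vlan_list(tokens[1])
        elif section.startswith("Vlans in spanning tree"):
            info["forwarding"] = parse_vlan_list(tokens[1])
    return ports


def audit_trunks(text, needed=None):
    """needed: optional {port: set of VLANs the port must carry}."""
    findings = {}
    for port, info in parse_show_trunk(text).items():
        f = {
            "native": info["native"],
            "unrestricted": info["allowed"] == ALL_VLANS,
            "active": info["active"],
        }
        if needed and port in needed:
            f["excess"] = info["active"] - needed[port]
        findings[port] = f
    return findings


def suggest_allowed(port, needed):
    """IOS lines that restrict the trunk to the VLANs it has to carry."""
    vlist = ",".join(str(v) for v in sorted(needed))
    return f"interface {port}\n switchport trunk allowed vlan {vlist}"


if __name__ == "__main__":
    for port, f in audit_trunks(SHOW_TRUNK, NEEDED).items():
        print(port, "unrestricted" if f["unrestricted"] else "restricted",
              "excess:", sorted(f.get("excess", ())))
    print(suggest_allowed("Gi3/0/40", NEEDED["Gi3/0/40"]))
```

For the posted listing every trunk is unrestricted, and Gi3/0/40 is actively carrying VLAN 1 and several others the AP has no use for, which is consistent with the MAC-table entry for VLAN 1 Mike saw. Pruning the allowed list on the AP port keeps the guest SSID's frames confined to the two VLANs the design intends, and it makes the VLAN 192 filter (VACL or RACL) the only path guest traffic can take toward the 10.0.0.0/24 network.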