07-16-2012 01:05 AM - edited 03-07-2019 07:47 AM
Hi,
I am not able to apply an access-list to FastEthernet 0 as the ip access-group is not supported in Interface mode but only in interface vlan mode.
How can I stop traffic into the LAN network?
Cheers,
Pei Wai.
07-16-2012 01:22 AM
Hello Leepewai,
An ACL is an OSI layer 3 object, so it can only be applied to an L3 interface, which is the Vlan interface in your case, as the fastethernet port is a switchport (like an L2 LAN switch port) in your router.
You should be able to achieve the desired traffic filtering by applying the ACL on the SVI interface using ip access-group at interface vlan level.
Your only limitation is that you cannot filter traffic between fastethernet ports (traffic within the IP subnet associated to the Vlan) that are members of the same L2 Vlan. This can be achieved on a multilayer switch like a C3750 using the VACL feature.
Hope to help
Giuseppe
07-16-2012 04:27 AM
Hello Giuseppe,
So I understand why the ACL cannot be applied to fastethernet, as it is a switchport, thanks!
I have 2 subnets: VLAN 2 (office) - 192.168.89.0/24, VLAN 3 (wireless guest) - 10.127.0.0/24.
Both VLANs can access the Internet, but VLAN 3 should not access VLAN 2.
I created an ACL:
Access-list 33 permit 192.168.89.0 0.0.0.255
Then I applied it to Interface VLAN 2:
INTERFACE VLAN 2
IP Access-Group 33 IN
However, I am still able to ping to the VLAN 2 (192.168.89.1) from the Guest PC.
Please advise how I can stop the Guest PC from accessing VLAN 2?
Cheers,
Pei Wai
07-16-2012 04:45 AM
Hello Pei Wai,
I would suggest using an extended IP ACL, as you want to block communication between Vlan2 and Vlan3:
access-list 101 remark deny vlan3 to vlan2
access-list 101 deny ip 192.168.89.0 0.0.0.255 10.127.0.0 0.0.0.255
access-list 101 permit ip any any
int vlan2
ip access-group 101 in
This should break communication between vlan2 and vlan3 without impacting internet connectivity
Your ACL 33 allows traffic sourced from 192.168.89.0/24, including that with destination 10.127.0.0/24.
Hope to help
Giuseppe
07-16-2012 05:39 PM
Hi Giuseppe,
I tried the ACL 101 above and applied it to VLAN 2, but traffic from the wireless Guest network can still ping 192.168.89.1 (VLAN 2 interface).
I even tried removing permit ip any any; traffic from Guest can still ping 192.168.89.1.
Note: the access point has its own module: service-module wlan-ap 0 session.
I tried to apply an ACL on int Gi0 and deny everything, but I was still not able to stop Guest from accessing VLAN 2.
Please advise.
Pei Wai.
07-16-2012 06:58 PM
And also, the 887 does not support vlan access-map.
07-16-2012 08:47 PM
Got it sorted.
I applied the ACL on int VLAN3:
access-list 113 deny ip 10.127.0.0 0.0.0.255 192.168.89.0 0.0.0.255
access-list 113 permit ip any any
INT VLAN3
ip access-group 113 in
Guest traffic (10.127.0.0) to 192.168.89.0 is stopped at the entrance to VLAN3.
Cheers,
Pei Wai
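The three attempts in this thread (ACL 33 inbound on Vlan2, ACL 101 inbound on Vlan2, ACL 113 inbound on Vlan3) differ only in which SVI receives the guest packets and which direction the ACL sees them. An inbound ACL on an SVI evaluates packets the router receives from hosts on that VLAN, so a packet from the guest subnet can only be matched on Vlan3 in; it never arrives on Vlan2, and a ping aimed at the SVI address itself is answered by the router, whose own replies are not subject to interface ACLs. The Python model below is an added example, not code from the thread or from IOS: it parses the thread's numbered ACL lines with Cisco wildcard-mask semantics and the implicit deny, binds them to SVIs, and traces a guest ping through each configuration. The host addresses 10.127.0.50, 192.168.89.20 and 203.0.113.9 and the Vlan3 SVI address 10.127.0.1 are constructed for the example.

```python
"""Model of how IOS inbound ACLs on SVIs see traffic (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'do not care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == n & care


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    src: str
    src_wc: str
    dst: str = ANY[0]      # a standard ACL matches on source only
    dst_wc: str = ANY[1]


def _take_addr(tok):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    kw = tok[0].lower()
    if kw == "any":
        return ANY[0], ANY[1], tok[1:]
    if kw == "host":
        return tok[1], "0.0.0.0", tok[2:]
    if len(tok) > 1 and tok[1][0].isdigit():
        return tok[0], tok[1], tok[2:]
    return tok[0], "0.0.0.0", tok[1:]   # bare address in a standard ACL means a single host


def parse_acls(config: str):
    """Parse numbered 'access-list' lines (IP protocol only) into {number: [Ace, ...]}."""
    acls = {}
    for raw in config.splitlines():
        tok = raw.split()
        if len(tok) < 4 or tok[0].lower() != "access-list" or tok[2].lower() == "remark":
            continue
        rest = tok[3:]
        if rest[0].lower() == "ip":          # extended ACL protocol keyword
            rest = rest[1:]
        src, src_wc, rest = _take_addr(rest)
        dst, dst_wc = _take_addr(rest)[:2] if rest else ANY
        acls.setdefault(tok[1], []).append(Ace(tok[2].lower(), src, src_wc, dst, dst_wc))
    return acls


def evaluate(aces, src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in aces:
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"


@dataclass
class Svi:
    name: str
    address: str                   # the router's own IP on this VLAN
    prefix: str
    acl_in: Optional[str] = None   # ACL number bound with 'ip access-group N in'


class Router:
    def __init__(self, svis, acls):
        self.svis, self.acls = svis, acls

    def svi_for(self, ip):
        net = ipaddress.IPv4Address(ip)
        return next((s for s in self.svis if net in ipaddress.IPv4Network(s.prefix)), None)

    def admitted(self, svi, src, dst):
        """Inbound ACL applies only to packets received on that SVI."""
        return svi is None or svi.acl_in is None or evaluate(self.acls[svi.acl_in], src, dst) == "permit"

    def ping(self, src, dst):
        ingress = self.svi_for(src)
        if not self.admitted(ingress, src, dst):
            return f"echo request dropped at {ingress.name} in"
        if any(s.address == dst for s in self.svis):
            return "reply sent by router itself (not ACL filtered)"
        egress = self.svi_for(dst)
        if egress is None:
            return "forwarded to WAN"
        if not self.admitted(egress, dst, src):        # the reply enters on the other SVI
            return f"echo reply dropped at {egress.name} in"
        return "success"


# Constructed config reproducing the thread's three ACLs; host addresses are made up.
CONFIG = """
access-list 33 permit 192.168.89.0 0.0.0.255
access-list 101 remark deny vlan3 to vlan2
access-list 101 deny ip 192.168.89.0 0.0.0.255 10.127.0.0 0.0.0.255
access-list 101 permit ip any any
access-list 113 deny ip 10.127.0.0 0.0.0.255 192.168.89.0 0.0.0.255
access-list 113 permit ip any any
"""
GUEST, OFFICE_HOST, SVI2, INTERNET = "10.127.0.50", "192.168.89.20", "192.168.89.1", "203.0.113.9"


def run_scenarios():
    """Trace a guest ping to the Vlan2 SVI, an office host and the Internet under each attempt."""
    acls = parse_acls(CONFIG)
    results = {}
    for label, acl2, acl3 in [("33 on Vlan2 in", "33", None),
                              ("101 on Vlan2 in", "101", None),
                              ("113 on Vlan3 in", None, "113")]:
        r = Router([Svi("Vlan2", SVI2, "192.168.89.0/24", acl2),
                    Svi("Vlan3", "10.127.0.1", "10.127.0.0/24", acl3)], acls)
        results[label] = {"to svi": r.ping(GUEST, SVI2),
                          "to office host": r.ping(GUEST, OFFICE_HOST),
                          "to internet": r.ping(GUEST, INTERNET)}
    return results


if __name__ == "__main__":
    for label, outcome in run_scenarios().items():
        print(label, outcome)
```

Running it shows the same picture the thread arrived at: with ACL 33 or 101 bound to Vlan2, the guest's echo request is never inspected and the ping to 192.168.89.1 succeeds (ACL 101 does break pings to office hosts, but only by dropping the reply); only ACL 113 on Vlan3 in drops the guest packet at the point where it enters the router, while its permit ip any any keeps Internet traffic flowing.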