09-27-2013 11:01 AM - edited 03-07-2019 03:43 PM
I have a Cisco Catalyst 3750 Switch with a 2500 series Wireless Controller. I have multiple vlans, and 3 wireless networks. I have created a new vlan and wireless network, both work just like the other vlans and wireless. The problem is when I try to apply ACLs to limit traffic to internet only neither will work.
Subnets I don't want access to:
172.16.2.0/23
172.16.4.0/23
172.16.6.0/24
10.10.10.0/24
Subnet to go to Internet:
172.18.20.0/22
My goals are these:
1. Limit the new subnet to Internet only access
2. Be able to receive DHCP addresses on new subnet
3. DNS is optional as I have external DNS servers in the DHCP options
4. Be able to use wired or wireless on new subnet.
Any help is greatly appreciated.
Accepted Solutions
09-30-2013 08:07 AM
You have the source and destination flipped for DHCP:
access-list 120 permit udp any host 10.10.10.5 eq bootpc
access-list 120 permit udp any host 10.10.10.5 eq bootps
Also, as the last line of the ACL, you can add the line:
deny ip any any log
This will create a log of traffic that doesn't hit one of the rules. It can be helpful in diagnosing issues with ACLs. You don't need to leave it there permanently. I typically will add it only if/when there are issues with traffic hitting an element in the ACL. You'll need to remove the permit any any to make this work.
09-27-2013 11:48 AM
Write an ACL with a source of 172.18.20.0/22 that does the following in this order:
Permits DHCP to specific DHCP server(s)
Deny IP to the subnets that you want to protect
Permit internet traffic (www,https,dns at a minimum) to anywhere
Apply ACL to the SVI for 172.18.20.0/22
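The following is an added example, not code from any post in this thread: a small evaluator for the subset of IOS extended-ACL syntax used here (numbered or named entries, `any`/`host`/wildcard addresses, `eq` ports, trailing `log`). It walks an ACL in first-match order with the implicit deny at the end, and runs a few constructed packets through two ACLs: the "flipped" one John posts later in the thread (with the four deny lines assumed to be the four subnets from the question), and a corrected one assembled from Robert's two replies (DHCP permits with source `any` and destination `host 10.10.10.5`, the deny lines, explicit www/https/dns permits, then `deny ip any any log` with `permit ip any any` removed). The client address 172.18.20.50 and the Internet hosts 203.0.113.10 and 203.0.113.53 are made up for the example.

```python
from ipaddress import IPv4Address

# IOS port keywords that appear in the thread, mapped to port numbers.
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}


def _addr(tokens):
    """Consume an IOS address spec and return (network, mask) as ints.
    Accepts 'any', 'host A.B.C.D', or 'A.B.C.D W.X.Y.Z' (wildcard mask)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0
    if tok == "host":
        return int(IPv4Address(tokens.pop(0))), 0xFFFFFFFF
    mask = ~int(IPv4Address(tokens.pop(0))) & 0xFFFFFFFF  # wildcard -> netmask
    return int(IPv4Address(tok)) & mask, mask


def _port(tokens):
    """Consume an optional 'eq <port>' operator; None means any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return PORT_NAMES.get(name) or int(name)
    return None


def parse_acl(text):
    """Parse 'access-list N ...' or named-ACL entry lines into tuples:
    (action, proto, (src_net, src_mask), src_port, (dst_net, dst_mask), dst_port, log, text)."""
    entries = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] in ("ip", "remark", "!"):
            continue                    # 'ip access-list extended ...' header, remark, comment
        if tokens[0] == "access-list":  # numbered form: drop 'access-list 120'
            tokens = tokens[2:]
        action, proto = tokens.pop(0), tokens.pop(0)
        src, sport = _addr(tokens), _port(tokens)
        dst, dport = _addr(tokens), _port(tokens)
        entries.append((action, proto, src, sport, dst, dport, "log" in tokens, raw.strip()))
    return entries


def evaluate(entries, pkt):
    """First matching entry wins; no match is the implicit deny at the end.
    pkt = (proto, src_ip, src_port, dst_ip, dst_port). Returns (action, matched_line)."""
    proto, src, sport, dst, dport = pkt
    s, d = int(IPv4Address(src)), int(IPv4Address(dst))
    for action, eproto, (snet, smask), esport, (dnet, dmask), edport, _log, line in entries:
        if eproto != "ip" and eproto != proto:
            continue
        if (s & smask) != snet or (d & dmask) != dnet:
            continue
        if esport not in (None, sport) or edport not in (None, dport):
            continue
        return action, line
    return "deny", "implicit deny"


# John's first attempt: source and destination of the DHCP lines are swapped.
# The four deny lines are an assumption (the subnets listed in the question).
FLIPPED = """
access-list 120 permit udp host 10.10.10.5 any eq bootpc
access-list 120 permit udp host 10.10.10.5 any eq bootps
access-list 120 deny ip 172.18.20.0 0.0.3.255 172.16.2.0 0.0.1.255
access-list 120 deny ip 172.18.20.0 0.0.3.255 172.16.4.0 0.0.1.255
access-list 120 deny ip 172.18.20.0 0.0.3.255 172.16.6.0 0.0.0.255
access-list 120 deny ip 172.18.20.0 0.0.3.255 10.10.10.0 0.0.0.255
access-list 120 permit ip any any
"""

# Assembled from Robert's two replies: DHCP to the server first, then the denies,
# then explicit Internet permits, then a logging deny instead of 'permit ip any any'.
CORRECTED = """
access-list 120 permit udp any host 10.10.10.5 eq bootpc
access-list 120 permit udp any host 10.10.10.5 eq bootps
access-list 120 deny ip 172.18.20.0 0.0.3.255 172.16.2.0 0.0.1.255
access-list 120 deny ip 172.18.20.0 0.0.3.255 172.16.4.0 0.0.1.255
access-list 120 deny ip 172.18.20.0 0.0.3.255 172.16.6.0 0.0.0.255
access-list 120 deny ip 172.18.20.0 0.0.3.255 10.10.10.0 0.0.0.255
access-list 120 permit tcp 172.18.20.0 0.0.3.255 any eq www
access-list 120 permit tcp 172.18.20.0 0.0.3.255 any eq 443
access-list 120 permit udp 172.18.20.0 0.0.3.255 any eq domain
access-list 120 deny ip any any log
"""

# Constructed sample packets: (proto, src_ip, src_port, dst_ip, dst_port).
PACKETS = {
    "dhcp-renew": ("udp", "172.18.20.50", 68, "10.10.10.5", 67),      # unicast to the server
    "dhcp-discover": ("udp", "0.0.0.0", 68, "255.255.255.255", 67),    # initial broadcast
    "https-out": ("tcp", "172.18.20.50", 51000, "203.0.113.10", 443),
    "dns-out": ("udp", "172.18.20.50", 5353, "203.0.113.53", 53),
    "ssh-to-lan": ("tcp", "172.18.20.50", 51001, "172.16.2.10", 22),
}

if __name__ == "__main__":
    for name, acl in (("flipped", FLIPPED), ("corrected", CORRECTED)):
        print(f"--- {name} ---")
        for label, pkt in PACKETS.items():
            print(f"{label:14} {evaluate(parse_acl(acl), pkt)}")
```

Running it shows the two things the thread turns on: with the flipped lines, the client's unicast renew to 10.10.10.5 never matches a DHCP permit and is caught by the `deny ... 10.10.10.0 0.0.0.255` line, while the corrected order permits it on the `eq bootps` entry. It also shows that the initial broadcast DISCOVER (source 0.0.0.0, destination 255.255.255.255) matches neither `host 10.10.10.5` nor the 172.18.20.0/22 source, so it lands on whatever the last line is. The simulator applies the ACL to every packet; whether the switch subjects the broadcast it relays via `ip helper-address` to the inbound SVI ACL is platform behaviour it does not model, so confirm on the box with the `show access-lists` hit counters and the `log` entry Robert suggests.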
09-30-2013 07:05 AM
Robert, Thanks for the reply.
OK, I tried doing as you said, but I still can't get an IP when I have the ACL applied. What should my Permit DHCP statement look like? I have:
access-list 120 permit udp host 10.10.10.5 any eq bootpc
access-list 120 permit udp host 10.10.10.5 any eq bootps
Where 10.10.10.5 is my DHCP
Then I have deny statements on the rest of my subnets followed by Permit:
access-list 120 permit ip any any
?
Thanks,
John
09-30-2013 07:25 AM
Hi.
ip access-list extended TO-The-Net
remark internal subnets that the new VLAN must not reach
deny ip 172.18.20.0 0.0.3.255 172.16.2.0 0.0.1.255
deny ip 172.18.20.0 0.0.3.255 172.16.4.0 0.0.1.255
deny ip 172.18.20.0 0.0.3.255 172.16.6.0 0.0.0.255
deny ip 172.18.20.0 0.0.3.255 10.10.10.0 0.0.0.255
remark everything else (Internet) from the new VLAN is allowed
permit ip 172.18.20.0 0.0.3.255 any
This ACL, applied inbound on the SVI, should meet your needs.
HTH
Regards
Carlo
Please rate all helpful posts
"The more you help the more you learn"
09-30-2013 09:51 AM
That did the trick. Thanks.
Thanks to Carlo as well.
