10-06-2017 02:43 PM
I have an ACL on a VLAN interface which is used for wired Guest access.
The device is given an IP address in the Guest range. I want to deny access to internal networks and allow Internet-only access.
Problem is the following access list is not working correctly:
Extended IP access list Internet-Only
10 permit udp any any eq domain
20 permit tcp any any eq domain
30 permit udp any eq bootps any
40 permit udp any any eq bootpc
50 permit udp any eq bootpc any
60 permit ip any host 10.129.40.127
70 permit ip any host 10.129.36.80
80 deny ip any 10.0.0.0 0.255.255.255 (12 matches)
90 deny ip any 172.16.0.0 0.15.255.255
100 deny ip any 192.168.0.0 0.0.255.255
110 permit ip any any (1759 matches)
The host receives an IP address of 10.129.88.x and cannot ping out to 8.8.8.8 or internally; as you can see, it hits the first deny rule.
The ACL is applied to the VLAN interface for guest for outbound traffic. No inbound ACL is applied to the VLAN,
i.e.
interface vlan 100
ip access-group ACCESS-list out
What am I missing here?
Appreciate the feedback
Tim
Labels: Web Security
Accepted Solutions

10-06-2017 03:39 PM
I'm not sure of the reference point for the data, but it seems to me that you need a "ip access-group ACCESS-list in" on the VLAN interface. That is, assuming your VLAN 100 is the VLAN that your endpoint is a member of. The fact that the UDP entries do not show any hits, yet the endpoint received an IP may be an indication of this.
I could be wrong and completely misunderstanding your network, but it's worth a try, IMHO.
I hope this is helpful.
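To see why the outbound placement trips the first deny entry, here is the question's "Internet-Only" list evaluated the way IOS evaluates it (first match, wildcard masks, implicit deny) against a guest-initiated flow with the ACL applied "in" versus "out". This is an added example written for this thread, not code from the original post or from Cisco; it assumes a constructed guest address 10.129.88.10, the usual port numbers for domain/bootps/bootpc (53/67/68), and standard SVI direction semantics ("in" filters packets arriving from VLAN hosts, "out" filters packets forwarded toward VLAN hosts).

```python
import ipaddress

# The question's "Internet-Only" list as (seq, action, proto, src, sport, dst, dport).
# "any" is a full wildcard; a port of None means no port test; domain=53, bootps=67, bootpc=68.
ACL = [
    (10, "permit", "udp", "any", None, "any", 53),
    (20, "permit", "tcp", "any", None, "any", 53),
    (30, "permit", "udp", "any", 67, "any", None),
    (40, "permit", "udp", "any", None, "any", 68),
    (50, "permit", "udp", "any", 68, "any", None),
    (60, "permit", "ip", "any", None, "10.129.40.127 0.0.0.0", None),
    (70, "permit", "ip", "any", None, "10.129.36.80 0.0.0.0", None),
    (80, "deny", "ip", "any", None, "10.0.0.0 0.255.255.255", None),
    (90, "deny", "ip", "any", None, "172.16.0.0 0.15.255.255", None),
    (100, "deny", "ip", "any", None, "192.168.0.0 0.0.255.255", None),
    (110, "permit", "ip", "any", None, "any", None),
]

def match_addr(spec, ip):
    """Cisco wildcard-mask test: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    net, wild = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (int(ipaddress.IPv4Address(net)) & care) == (int(ipaddress.IPv4Address(ip)) & care)

def lookup(proto, src, sport, dst, dport):
    """First matching entry wins; no match means the implicit deny at the end."""
    for seq, action, p, s, sp, d, dp in ACL:
        if p != "ip" and p != proto:
            continue
        if (sp is not None and sp != sport) or (dp is not None and dp != dport):
            continue
        if match_addr(s, src) and match_addr(d, dst):
            return seq, action
    return None, "deny"

def flow_verdict(applied, guest_ip, remote_ip, proto, dport=None, sport=None):
    """Verdict for the packet of a guest-initiated flow that the SVI ACL actually sees.
    'in' filters packets arriving from VLAN hosts (the request, guest -> remote);
    'out' filters packets forwarded toward VLAN hosts (the reply, remote -> guest),
    so with 'out' the guest's own 10.x address is always the destination being tested."""
    if applied == "in":
        return lookup(proto, guest_ip, sport, remote_ip, dport)
    return lookup(proto, remote_ip, dport, guest_ip, sport)

if __name__ == "__main__":
    guest = "10.129.88.10"  # constructed address in the question's 10.129.88.x range
    for direction in ("out", "in"):
        print(direction, "ping 8.8.8.8:", flow_verdict(direction, guest, "8.8.8.8", "icmp"))
        print(direction, "tcp/445 to 10.129.1.5:", flow_verdict(direction, guest, "10.129.1.5", "tcp", 445, 50000))
```

With "out", every reply back to the guest (even a DNS answer from the Internet) is a packet whose destination is in 10.0.0.0/8, so it lands on sequence 80; with "in", the same list permits Internet traffic and blocks RFC 1918 destinations as intended.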