Buy or Renew
Buy or Renew
NEW: Try the Beta AI Summary feature on posts in the Routing and SD-WAN forum. Click to go to the forum.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
650
Views
5
Helpful
1
Replies

Access Lists on WLC

nitsg.gupta
Level 2
Level 2

‎03-26-2009 09:53 AM - edited ‎07-03-2021 05:22 PM

Hi All,

i have configured WLC for guests users and internal users.

i have created 2 normal WLANs and 2 different interfaces with the all information like ip address scheme and gateway and dhcp address.

one is INTERNAL and another one is GUESTS.

INTERNAL WLAN is mapped to Internal interface which configuration is as follows:-

VLAN ID : 2

ip add : 192.168.10.177

subnet : 255.255.255.0

gateway: 192.168.10.10

dhcp add : 192.168.10.190

GUEST WLAN is mapped to GUEST interface which configuration is as follows:-

VLAN ID : 23

ip add : 192.168.23.2

subnet : 255.255.255.0

gateway: 192.168.23.1

dhcp add : 192.168.10.77

now i m getting 2 SSID when i search for wireless Networks.

i can connect to intra and inter network by using any of the SSIDs.

SOUNDS GOOD

currently i can access 192.168.10.0 and 192.168.23.0 and Internet too because of interVLAN Routing, but now if i join GUEST SSID i want to restrict intranet (192.168.10.0) access except 192.168.10.5 (Network Printer ip address).

i have configured 1 access list and applied it to GUEST interface.

access list has the following statements.

1 permit 192.168.23.0/24 192.168.10.5/32 any any any(outbound/inbound/any)

2 deny 192.168.23.0/24 192.168.10.0/24 any any any(outbound/inbound/any)

3 permit 0.0.0.0/0 0.0.0.0/0 any any any(outbound/inbound/any)

by using these statements i can access INTERNET and not reachable to intranet network. thats good

but not able to access network printer (i don't know why)

one more problem is that if i mention specific network in the statement it is not working as i mentioned 0.0.0.0 in last statement its working but if i set it as 192.168.23.0/24 0.0.0.0/0 it wont work.

Labels:
0 Helpful
1 Reply 1

andrewswanson
Level 11
Level 11

‎03-27-2009 05:02 AM

ACLs on a WLC are not stateful - have a look at the document:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807810d1.shtml

it states:

if either the source or destination are not any, then the direction of the filter must be specified, and an inverse statement in the opposite direction must be created.

to allow access to your printer try:

permit 192.168.23.0/24 192.168.10.5/32 any any inbound

permit 192.168.10.5/32 192.168.23.0/24 any any outbound

hth

andy

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card