Cisco ACL for Wireless VLANs

martynch1
Level 1

Hi all and Merry Christmas to you.

So I have been off work for a few days now playing in my lab. I have configured a number of VLANs to separate Data, Voice, Servers, Games Consoles and Guest on my Cisco 1142. I know it may be a bit of overkill, but it's just me doing a bit of lab work and learning.

What I'm after doing now is setting up ACLs to deny the Guest and Games Console VLANs from accessing my LAN, and I'm not sure where to start. I want the consoles only to be able to connect to PSN and Xbox networks as well as my DHCP server, and the guest network to connect to the web but again not my LAN; this is for users who come round with phones and tablets.

My lab looks like this:

Broadband > Cisco RVS4000 (soon to be ASA) > WS-C3560 > 1142 AP.

My DHCP server is on VLAN 6 with an IP address of 192.168.6.241

VLANs are:

interface Vlan5
 description *****DATA VLAN*****
 ip address 192.168.5.253 255.255.255.240
 ip helper-address 192.168.6.241
!
interface Vlan6
 description *****Servers*****
 ip address 192.168.6.254 255.255.255.240
!
interface Vlan7
 description *****VOICE*****
 ip address 192.168.7.254 255.255.255.240
 ip helper-address 192.168.6.241
!
interface Vlan8
 description *****VOICE WIFI*****
 ip address 192.168.8.254 255.255.255.240
 ip helper-address 192.168.6.241
!
interface Vlan9
 description *****WIFI CONSOLES*****
 ip address 192.168.9.254 255.255.255.240
 ip helper-address 192.168.6.241
!
interface Vlan10
 description *****WiFi Home*****
 ip address 192.168.10.254 255.255.255.240
 ip helper-address 192.168.6.241
!
interface Vlan11
 description *****WiFi Guest*****
 ip address 192.168.11.254 255.255.255.240
 ip helper-address 192.168.6.241
!
interface Vlan12
 description *****Management*****
 ip address 192.168.12.254 255.255.255.240

The AP config looks like:

dot11 ssid Console
   vlan 9
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   ! type 7 is reversible obfuscation, not encryption: treat this string as the cleartext PSK
   wpa-psk ascii 7 094F4107170A051103
!
dot11 ssid Home
   vlan 10
   authentication open eap eap_methods
   authentication network-eap eap_methods
   guest-mode
   mbssid guest-mode
!
interface Dot11Radio0.9
 encapsulation dot1Q 9
 ip helper-address 192.168.6.241
 no ip route-cache
 bridge-group 9
 bridge-group 9 subscriber-loop-control
 bridge-group 9 block-unknown-source
 no bridge-group 9 source-learning
 no bridge-group 9 unicast-flooding
 bridge-group 9 spanning-disabled
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 ip helper-address 192.168.6.241
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
 bridge-group 10 spanning-disabled
!
interface Dot11Radio0.12
 ! native VLAN: on an autonomous AP the native VLAN subinterface must sit in bridge-group 1
 encapsulation dot1Q 12 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled

At the minute I'm just trying to stop Console getting to the Home network before I move on to the rest.

I have not got a clue where to start or where to place the ACLs; would they be on the switch or the AP itself?

Hope you can help me out.

Happy new year

Martyn
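Added example (this is not from Martyn's post or from Scott's reply below): the WS-C3560 is the box that routes between the VLANs, so inter-VLAN filtering belongs on its SVIs as router ACLs applied inbound on Vlan9 and Vlan11; the 1142 only bridges each SSID onto its VLAN. Addresses are taken from the post. Assumptions: the DHCP server at 192.168.6.241 is the only internal host the console and guest clients need, the clients are meant to reach anything that is not RFC 1918 space, and the ACL names CONSOLE-IN and GUEST-IN are invented here.

```ios
! Constructed example for the WS-C3560 in the post, not the poster's own config.
! Traffic from wireless clients enters the switch on the SVI, so the ACL is "in".
!
ip access-list extended CONSOLE-IN
 remark Applied inbound on Vlan9 (192.168.9.240/28): the source is the console
 remark DHCP DISCOVER/REQUEST arrive as broadcasts and the inbound ACL is checked
 remark before ip helper-address relays them, so they must be permitted explicitly
 permit udp any eq bootpc any eq bootps
 remark Lease renewals are unicast straight to the server named in the lease
 permit udp 192.168.9.240 0.0.0.15 host 192.168.6.241 eq bootps
 remark Optional: let clients ping their own gateway for troubleshooting
 permit icmp 192.168.9.240 0.0.0.15 host 192.168.9.254 echo
 remark Block every other internal destination, including the server and Home VLANs
 deny   ip any 192.168.0.0 0.0.255.255
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 remark PSN and Xbox Live use changing public ranges, so whatever is left
 remark (Internet-bound) is allowed instead of trying to enumerate them
 permit ip any any
!
ip access-list extended GUEST-IN
 remark Same pattern for the guest SSID on Vlan11 (192.168.11.240/28)
 permit udp any eq bootpc any eq bootps
 permit udp 192.168.11.240 0.0.0.15 host 192.168.6.241 eq bootps
 permit icmp 192.168.11.240 0.0.0.15 host 192.168.11.254 echo
 remark Assumption: the scope does not hand out an internal DNS server. If it does,
 remark add "permit udp 192.168.11.240 0.0.0.15 host <dns-server> eq domain"
 remark above the deny lines, or guests will get a lease but resolve nothing
 deny   ip any 192.168.0.0 0.0.255.255
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 permit ip any any
!
interface Vlan9
 ip access-group CONSOLE-IN in
!
interface Vlan11
 ip access-group GUEST-IN in
!
! Verification: join a console or phone, then watch the per-line hit counters
! show ip access-lists CONSOLE-IN
! show ip interface Vlan9 | include access list
```

Two things worth checking after applying it: first, the deny on 192.168.0.0/16 matches only the destination address in the packet, so Internet-bound traffic still passes even though the next hop (the RVS4000) almost certainly has a 192.168.x.x inside address; second, an inbound router ACL on a Catalyst SVI also filters packets addressed to the SVI itself, which is why the gateway ping is permitted explicitly and why a console will silently lose its lease if the two bootps lines are left out. Once the counters on the deny lines show the Console to Home traffic being dropped, the same two ACLs can be extended to the other VLANs in the post.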

Accepted Solution

Scott Fella
Hall of Fame

Here is a support document in regards to autonomous ACLs:

https://supportforums.cisco.com/docs/DOC-13768

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***
