Access-list problem

Apr 26th, 2007

I have 6 3750 switches stacked and I'm having problems getting one of my ACLs to function properly. I am setting up a guest network for Wireless and need to block all traffic to my network except for any requests for DNS and DHCP.

I am using an AP-1130 for my wireless with 2 SSIDs.


Here is the config for the port the AP is on, along with the VLAN information and the ACL:


vlan access-map Block_Guest 10
 action forward
 match ip address Block_Guest

interface GigabitEthernet3/0/40
 description IT VLAN
 switchport access vlan 100
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 switchport mode trunk
 spanning-tree portfast

interface Vlan192
 description Guest VLAN
 ip address 192.168.5.1 255.255.255.0
 ip helper-address 10.0.0.21

ip access-list extended Block_Guest
 permit udp any any eq domain
 deny ip any 10.0.0.0 0.0.0.255


Thanks

Mike

royalblues Thu, 04/26/2007 - 07:35

Mike,


You need to apply this access-map in the global configuration mode.

Can you try this:


vlan filter Block_Guest vlan-list 192


I would have slightly modified the access-map to:


ip access-list extended Block_Guest
 permit udp any any eq domain
 permit udp any any eq 67
 permit udp any any eq 68

vlan access-map Block_Guest 10
 match ip address Block_Guest
 action forward

vlan access-map Block_Guest 20
 action drop

vlan filter Block_Guest vlan-list 192


HTH, rate if it does

Narayan


mike.levenson Thu, 04/26/2007 - 07:53

Narayan,


Still able to browse one of my fileservers on the 10.0.0.0/24 network.


Here are the appropriate outputs:


Confirma_3750G#show vlan filter access-map Block_Guest
VLAN Map Block_Guest is filtering VLANs:
  192

show vlan access-map Block_Guest
Vlan access-map "Block_Guest" 10
  Match clauses:
    ip address: Block_Guest
  Action:
    forward
Vlan access-map "Block_Guest" 20
  Match clauses:
  Action:
    drop

show ip access-lists Block_Guest
Extended IP access list Block_Guest
    10 permit udp any any eq domain
    20 permit udp any any eq bootps
    30 permit udp any any eq bootpc


I did apply your suggested access-map that you listed above.

royalblues Thu, 04/26/2007 - 08:12

Can you post the running config?


Narayan

royalblues Thu, 04/26/2007 - 08:38

Mike,


Since you are trying to block traffic between VLANs, it is better to use RACLs rather than VACLs.

VLAN access lists (VACLs) are filters that can directly affect how packets are handled within a VLAN.


Can you try:

ip access-list extended Block_Guest
 permit udp any any eq domain
 permit udp any any eq 68
 permit udp any any eq 67

interface vlan 192
 ip access-group Block_Guest in


HTH, rate if it does

Narayan
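As an added example (not from the thread or from Cisco), here is a small Python evaluator for the two Block_Guest lists above, treated as a router ACL the way Narayan's last suggestion applies it: it handles `any`, network/wildcard pairs and `eq <port>`, and ends with the implicit `deny ip any any` that closes every IOS ACL. The guest client address, the file server address 10.0.0.30 and the SMB port in the sample flows are constructed; only the 10.0.0.0/24 network and the 10.0.0.21 helper come from the thread.

```python
# Added example (not from the thread): evaluate IOS-style extended ACL lines
# against sample flows, with the implicit 'deny ip any any' that ends every ACL.
import ipaddress

PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68}  # IOS keywords in the thread
IMPLICIT_DENY = "implicit deny ip any any"

def _match_addr(tokens, addr):
    """Consume 'any' or 'network wildcard'; return (matched, remaining tokens)."""
    if tokens[0] == "any":
        return True, tokens[1:]
    net, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    care = ~wild & 0xFFFFFFFF  # wildcard 1-bits are "don't care" bits
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care), tokens[2:]

def _match_port(tokens, port):
    """Consume an optional 'eq <port>' qualifier; return (matched, remaining)."""
    if tokens[:1] == ["eq"]:
        want = PORT_NAMES.get(tokens[1]) or int(tokens[1])
        return port == want, tokens[2:]
    return True, tokens

def acl_lookup(acl, proto, src, sport, dst, dport):
    """Return (action, matching ACE) for one flow: first matching ACE wins."""
    for ace in acl:
        action, ace_proto, *rest = ace.split()
        if ace_proto not in ("ip", proto):
            continue
        ok_src, rest = _match_addr(rest, src)
        ok_sport, rest = _match_port(rest, sport)
        ok_dst, rest = _match_addr(rest, dst)
        ok_dport, rest = _match_port(rest, dport)
        if ok_src and ok_sport and ok_dst and ok_dport:
            return action, ace
    return "deny", IMPLICIT_DENY
# The two lists from the thread: Mike's original and Narayan's revision.
MIKE_ACL = ["permit udp any any eq domain", "deny ip any 10.0.0.0 0.0.0.255"]
NARAYAN_ACL = ["permit udp any any eq domain", "permit udp any any eq 68",
               "permit udp any any eq 67"]
# Constructed guest flows; the file server address and SMB port are assumed.
FLOWS = {
    "dns to helper":  ("udp", "192.168.5.50", 53000, "10.0.0.21", 53),
    "dhcp discover":  ("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "smb to server":  ("tcp", "192.168.5.50", 49152, "10.0.0.30", 445),
    "http elsewhere": ("tcp", "192.168.5.50", 49153, "10.0.1.5", 80),
}
if __name__ == "__main__":
    for name, acl in (("Mike", MIKE_ACL), ("Narayan", NARAYAN_ACL)):
        for flow, args in FLOWS.items():
            print(f"{name:8}{flow:16} -> {acl_lookup(acl, *args)}")
```

Run as a script, it shows that Mike's list only ever permits DNS (the DHCP discover falls through to the implicit deny because its broadcast destination is outside 10.0.0.0/24), while Narayan's list permits DNS and both DHCP ports and drops everything else through the implicit deny.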

mike.levenson Thu, 04/26/2007 - 10:42

Narayan,


I think the problem is due to this being a trunked port. When I go and bring up the MAC table it shows the AP on 3 different VLANs:


Vlan    Mac Address       Type       Ports
----    -----------       --------   -----
1       001a.a2b5.8ae2    DYNAMIC    Gi3/0/40
100     001a.a2b5.8ae2    DYNAMIC    Gi3/0/40
192     001a.a2b5.8ae2    DYNAMIC    Gi3/0/40


Here is the config for that port:

interface GigabitEthernet3/0/40
 description IT VLAN
 switchport access vlan 100
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 switchport mode trunk
 spanning-tree portfast


The native trunk 100 is to allow employees that are connecting to the proper SSID to get the proper IP. I'm not sure why VLAN 1 is there.

mike.levenson Thu, 04/26/2007 - 11:28

Update... when I do a show int vlan I get the following output.



Port        Mode         Encapsulation  Status        Native vlan
Gi1/0/23    on           802.1q         trunking      100
Gi3/0/40    on           802.1q         trunking      100
Gi4/0/22    on           802.1q         trunking      100
Gi5/0/10    on           802.1q         trunking      100

Port        Vlans allowed on trunk
Gi1/0/23    1-4094
Gi3/0/40    1-4094
Gi4/0/22    1-4094
Gi5/0/10    1-4094

Port        Vlans allowed and active in management domain
Gi1/0/23    1,100-105,110-111,192,254
Gi3/0/40    1,100-105,110-111,192,254
Gi4/0/22    1,100-105,110-111,192,254
Gi5/0/10    1,100-105,110-111,192,254

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/23    1,100-105,110-111,192,254
Gi3/0/40    1,100-105,110-111,192,254
Gi4/0/22    1,100-105,110-111,192,254
Gi5/0/10    1,100-105,110-111,192,254


I think this is what is causing my problem: if you look at Gi3/0/40 it shows that all the VLANs are able to go out.

Maybe things are too complex for what I want to do. I don't know though.
