Access-list problem

Unanswered Question
Apr 26th, 2007

I have 6 3750 switches stacked and I'm having problems getting one of my ACLs to function properly. I am setting up a guest network for wireless and need to block all traffic to my network except for any requests for DNS and DHCP.

I am using an AP-1130 for my wireless with 2 SSIDs.

Here is the config for the port the AP is on along with the vlan information and the ACL

vlan access-map Block_Guest 10
 action forward
 match ip address Block_Guest

interface GigabitEthernet3/0/40
 description IT VLAN
 switchport access vlan 100
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 switchport mode trunk
 spanning-tree portfast

interface Vlan192
 description Guest VLAN
 ip address 192.168.5.1 255.255.255.0
 ip helper-address 10.0.0.21

ip access-list extended Block_Guest
 permit udp any any eq domain
 deny ip any 10.0.0.0 0.0.0.255

Thanks

Mike

royalblues Thu, 04/26/2007 - 07:35

Mike,

You need to apply this access-map in the global configuration mode

Can you try this

vlan filter Block_Guest vlan-list 192

I would have slightly modified the access-map to

ip access-list extended Block_Guest
 permit udp any any eq domain
 permit udp any any eq 67
 permit udp any any eq 68

vlan access-map Block_Guest 10
 match ip address Block_Guest
 action forward
vlan access-map Block_Guest 20
 action drop

vlan filter Block_Guest vlan-list 192

HTH, rate if it does

Narayan

mike.levenson Thu, 04/26/2007 - 07:53

Narayan,

Still able to browse one of my fileservers on the 10.0.0.0/24 network.

Here are the appropriate outputs

Confirma_3750G#show vlan filter access-map Block_Guest
VLAN Map Block_Guest is filtering VLANs:
  192

show vlan access-map Block_Guest
Vlan access-map "Block_Guest" 10
  Match clauses:
    ip address: Block_Guest
  Action:
    forward
Vlan access-map "Block_Guest" 20
  Match clauses:
  Action:
    drop

show ip access-lists Block_Guest
Extended IP access list Block_Guest
    10 permit udp any any eq domain
    20 permit udp any any eq bootps
    30 permit udp any any eq bootpc

I did apply your suggested access-map that you listed above.

royalblues Thu, 04/26/2007 - 08:38

Mike,

Since you are trying to block traffic between VLANs, it is better to use RACLs rather than VACLs.

VLAN access lists (VACLs) are filters that directly can affect how packets are handled within a VLAN.

Can you try

ip access-list extended Block_Guest
 permit udp any any eq domain
 permit udp any any eq 68
 permit udp any any eq 67

interface vlan 192
 ip access-group Block_Guest in

HTH, rate if it does

Narayan
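To make the difference between the two suggestions above concrete (the VLAN map in the first reply and the router ACL on the SVI in the second), here is an added model of how the switch evaluates them against a few flows. This is example code written for this page, not code from the thread or from Cisco. The networks, the helper address and the ACL entries are the ones posted; the guest client 192.168.5.50, the fileserver 10.0.0.30, the web server 203.0.113.10 and the four flows are constructed. The VLAN-map rule in `vlan_map` paraphrases the guideline in the Catalyst 3750 configuration guide: a `match ip address` clause is satisfied only when the ACL permits the packet, and if the map has an IP match clause and no sequence matches, the packet is dropped.

```python
"""Added model of how the Catalyst evaluates the ACLs in this thread.
Example code, not from the thread or from Cisco; the four flows and the
addresses 192.168.5.50, 10.0.0.30 and 203.0.113.10 are constructed.
Only the networks, helper address and ACL entries come from the posts."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Flow:
    proto: str        # "udp", "tcp" or "icmp"
    src: str
    dst: str
    dport: int = 0    # 0 when the protocol has no port


def ace(action, proto, src, dst, dport=None):
    """One extended-ACL entry; "10.0.0.0 0.0.0.255" is written as 10.0.0.0/24."""
    return (action, proto, ip_network(src), ip_network(dst), dport)


def ace_matches(entry, f):
    action, proto, src, dst, dport = entry
    if proto != "ip" and proto != f.proto:
        return False
    if ip_address(f.src) not in src or ip_address(f.dst) not in dst:
        return False
    return dport is None or dport == f.dport


def acl_result(acl, f):
    """First matching entry wins; an extended ACL ends in an implicit deny."""
    for entry in acl:
        if ace_matches(entry, f):
            return entry[0]
    return "deny"


def vlan_map(entries, f):
    """entries: ordered (acl_or_None, action) pairs, one per sequence number.
    A 'match ip address <acl>' clause is satisfied only when the ACL PERMITS
    the packet; a deny entry in the ACL just means 'not this sequence'.
    Cisco's VLAN-map guideline (Catalyst 3750 configuration guide): if the map
    has an IP match clause and no sequence matches, the packet is dropped; a
    sequence with no match clause matches every packet."""
    has_ip_match = False
    for acl, action in entries:
        if acl is None:
            return action
        has_ip_match = True
        if acl_result(acl, f) == "permit":
            return action
    return "drop" if has_ip_match else "forward"


def racl_result(acl, f):
    """'ip access-group <acl> in' on the SVI: permit forwards, anything else
    (including the implicit deny) drops."""
    return "forward" if acl_result(acl, f) == "permit" else "drop"


# Mike's first ACL and map (sequence 10 only, no drop sequence).
BLOCK_GUEST_V1 = [ace("permit", "udp", ANY, ANY, 53),
                  ace("deny", "ip", ANY, "10.0.0.0/24")]
MAP_V1 = [(BLOCK_GUEST_V1, "forward")]

# Narayan's ACL (DNS, bootps, bootpc) and his two-sequence map.
BLOCK_GUEST_V2 = [ace("permit", "udp", ANY, ANY, 53),
                  ace("permit", "udp", ANY, ANY, 67),
                  ace("permit", "udp", ANY, ANY, 68)]
MAP_V2 = [(BLOCK_GUEST_V2, "forward"), (None, "drop")]

# Constructed flows from a guest client in 192.168.5.0/24.
FLOWS = {
    "dns":  Flow("udp", "192.168.5.50", "10.0.0.21", 53),
    "dhcp": Flow("udp", "0.0.0.0", "255.255.255.255", 67),
    "smb":  Flow("tcp", "192.168.5.50", "10.0.0.30", 445),   # a fileserver on 10.0.0.0/24
    "web":  Flow("tcp", "192.168.5.50", "203.0.113.10", 80),  # the Internet
}


def evaluate_all():
    """Verdict of each filter for each flow, keyed by flow name."""
    return {name: {"map_v1": vlan_map(MAP_V1, f),
                   "map_v2": vlan_map(MAP_V2, f),
                   "racl_v2": racl_result(BLOCK_GUEST_V2, f)}
            for name, f in FLOWS.items()}


if __name__ == "__main__":
    for name, verdicts in evaluate_all().items():
        print(f"{name:5s}", "  ".join(f"{k}={v}" for k, v in verdicts.items()))
```

Run stand-alone it prints one verdict line per flow. Two things fall out of the model. First, against Mike's original map the DHCP flow is dropped (only DNS is permitted), which is why the bootps/bootpc entries were added, and the `deny ip any 10.0.0.0 0.0.0.255` line contributes nothing under `action forward`: a deny in the matched ACL means "not this sequence", and the implicit deny already covers it. Second, both of Narayan's versions drop the SMB flow to the fileserver, but they also drop the web flow because of the implicit deny; the thread does not say whether guests are meant to reach the Internet, and if they are, an explicit `deny ip any 10.0.0.0 0.0.0.255` followed by `permit ip any any` would be needed. If the fileserver stays reachable with one of these filters active, the traffic is not being evaluated by that filter as the model assumes, which is the direction the later posts take.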

mike.levenson Thu, 04/26/2007 - 10:42

Narayan,

I think the problem is due to this being a trunked port. When I go and bring up the MAC Table it shows the AP on 3 different vlans;

Vlan    Mac Address       Type      Ports
----    -----------       --------  -----
1       001a.a2b5.8ae2    DYNAMIC   Gi3/0/40
100     001a.a2b5.8ae2    DYNAMIC   Gi3/0/40
192     001a.a2b5.8ae2    DYNAMIC   Gi3/0/40

Here is the config for that port

interface GigabitEthernet3/0/40
 description IT VLAN
 switchport access vlan 100
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 switchport mode trunk
 spanning-tree portfast

The native trunk 100 is to allow employees that are connecting to the proper SSID to get the proper IP. I'm not sure why vlan 1 is there.

mike.levenson Thu, 04/26/2007 - 11:28

Update.... when I do a show int vlan I get the following output.

Port        Mode         Encapsulation  Status        Native vlan
Gi1/0/23    on           802.1q         trunking      100
Gi3/0/40    on           802.1q         trunking      100
Gi4/0/22    on           802.1q         trunking      100
Gi5/0/10    on           802.1q         trunking      100

Port        Vlans allowed on trunk
Gi1/0/23    1-4094
Gi3/0/40    1-4094
Gi4/0/22    1-4094
Gi5/0/10    1-4094

Port        Vlans allowed and active in management domain
Gi1/0/23    1,100-105,110-111,192,254
Gi3/0/40    1,100-105,110-111,192,254
Gi4/0/22    1,100-105,110-111,192,254
Gi5/0/10    1,100-105,110-111,192,254

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/23    1,100-105,110-111,192,254
Gi3/0/40    1,100-105,110-111,192,254
Gi4/0/22    1,100-105,110-111,192,254
Gi5/0/10    1,100-105,110-111,192,254

I think this is what is causing my problem: if you look at gi3/0/40 it shows that all the vlans are able to go out.

Maybe things are too complex for what I want to do. I don't know though.
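Mike reads off the trunk output by hand that every VLAN can reach Gi3/0/40. The following is an added check, not from the thread, that parses the `show interfaces trunk` output he pasted above and reports, per trunk, whether the allowed list is still the default 1-4094, which VLANs actually reach the far end, which of those are outside the set the port was meant to carry, and whether the native VLAN (sent untagged) is among them. The "intended" set {100, 192} is an assumption taken from the thread (IT SSID on native VLAN 100, guest SSID on VLAN 192); `SHOW_TRUNK` is the posted output, embedded as sample input.

```python
"""Added check, not from the thread: parse 'show interfaces trunk' output and
report what each trunk actually carries.  SHOW_TRUNK is the output Mike pasted
above; INTENDED = {100, 192} is an assumption taken from the thread
(IT SSID on native VLAN 100, guest SSID on VLAN 192)."""

SHOW_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi1/0/23    on           802.1q         trunking      100
Gi3/0/40    on           802.1q         trunking      100
Gi4/0/22    on           802.1q         trunking      100
Gi5/0/10    on           802.1q         trunking      100

Port        Vlans allowed on trunk
Gi1/0/23    1-4094
Gi3/0/40    1-4094
Gi4/0/22    1-4094
Gi5/0/10    1-4094

Port        Vlans allowed and active in management domain
Gi1/0/23    1,100-105,110-111,192,254
Gi3/0/40    1,100-105,110-111,192,254
Gi4/0/22    1,100-105,110-111,192,254
Gi5/0/10    1,100-105,110-111,192,254

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/23    1,100-105,110-111,192,254
Gi3/0/40    1,100-105,110-111,192,254
Gi4/0/22    1,100-105,110-111,192,254
Gi5/0/10    1,100-105,110-111,192,254
"""

ALL_VLANS = set(range(1, 4095))   # the IOS default allowed list, 1-4094
INTENDED = {100, 192}             # assumption: the two VLANs the AP should see


def expand_vlan_list(spec):
    """'1,100-105,192' -> {1, 100, 101, ..., 105, 192}"""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_show_trunk(text):
    """Return {port: {mode, encap, status, native, allowed, active, forwarding}}.
    Each 'Port ...' header line selects which column the following rows fill."""
    ports, section = {}, None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Port":
            if "Native" in line:
                section = "native"
            elif "allowed on trunk" in line:
                section = "allowed"
            elif "allowed and active" in line:
                section = "active"
            elif "forwarding state" in line:
                section = "forwarding"
            continue
        port = ports.setdefault(fields[0], {})
        if section == "native":
            port["mode"], port["encap"], port["status"] = fields[1:4]
            port["native"] = int(fields[4])
        elif section in ("allowed", "active", "forwarding"):
            port[section] = expand_vlan_list(fields[1])
    return ports


def audit_trunks(ports, intended=INTENDED):
    """Per trunk: is the allowed list still the default, which VLANs really
    reach the far end (forwarding and not pruned), which of those were not
    intended, and whether the native VLAN (sent untagged) is among them."""
    findings = {}
    for name, p in ports.items():
        carried = p["forwarding"]
        findings[name] = {
            "allows_all": p["allowed"] == ALL_VLANS,
            "carried": sorted(carried),
            "unexpected": sorted(carried - intended),
            "native_untagged": p["native"] in carried,
        }
    return findings


if __name__ == "__main__":
    for name, f in audit_trunks(parse_show_trunk(SHOW_TRUNK)).items():
        print(name, "default allowed list" if f["allows_all"] else "pruned allowed list",
              "carries", f["carried"], "unexpected", f["unexpected"])
```

For Gi3/0/40 the check reports the default allowed list, eleven VLANs carried (1, 100-105, 110-111, 192, 254), nine of them outside the intended pair, and the native VLAN 100 going out untagged. The IOS knob that narrows the list is `switchport trunk allowed vlan`, for example `switchport trunk allowed vlan 100,192` on the AP port. The thread does not establish that the wide allowed list is what lets the fileserver through; the check only makes visible, for every trunk at once, what Mike read off the output for one port.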
