Setting ACL to allow only DNS and DHCP Access

Unanswered Question
May 23rd, 2007

I'm attempting to set up my wireless to allow guest access. I've gotten my AP set up with two VLANs, 40 and 41. 40 will be used by internal users and 41 will be for vendors, consultants, etc. I have a Cisco 3560 L3 switch that I'll be configuring. I'm wanting to block access to all my network servers and such for those users on the 41 subnet; however, I do want them to have access to the Internet. I'm having some issue with putting together the correct ACL for this because the 41 users will need to use DNS, and obtain a DHCP address, to get to the Internet. The network servers are on VLAN 36.

Subnets: 192.168.36.0, 192.168.40.0, and 192.168.41.1

Thanks,

Bob

brad-denham Wed, 05/23/2007 - 12:20

I have exactly the same scenario; here is the access list and the interface that I have the list applied to. I am only allowing this subnet access to obtain a DHCP address, DNS resolution and web access. I am also performing rate limiting so that users cannot monopolize Internet bandwidth.

Access List

ip access-list extended guestvlan
 permit udp any any eq bootpc
 permit udp any any eq domain
 permit tcp any any eq www
 permit tcp any any eq 443

Interface application

interface GigabitEthernet6/0.100
 description Guest VLAN
 encapsulation isl 100
 ip address 10.10.100.2 255.255.255.0
 ip access-group guestvlan in
 ip helper-address xxx.xxx.xxx.49
 no ip redirects
 rate-limit input 128000 256000 384000 conform-action transmit exceed-action drop
 rate-limit output 128000 256000 384000 conform-action transmit exceed-action drop
 mls rp ip
 no snmp trap link-status
 standby 100 ip 10.10.100.1
 standby 100 timers 5 15
 standby 100 priority 110
 standby 100 preempt

bob.mckinley Thu, 05/24/2007 - 06:01

Is this configuration from a router or an L3 switch? I'm a bit confused because I already have access to all network resources from my guest VLAN to my other VLANs and I don't have any ACLs set up. Does the fact that I'm using an L3 switch make a difference? I've copied my current running config of my 3560 switch.

3560#show run
Building configuration...

Current configuration : 6798 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime
service password-encryption
service sequence-numbers
!
hostname 3560
!
enable secret xxx
!
no aaa new-model
clock timezone EST -5
clock summer-time EDT recurring
system mtu routing 1500
ip subnet-zero
ip routing
no ip domain-lookup
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
 description Connection 2960-MDF1 Port G0/1
 switchport trunk encapsulation dot1q
!
interface GigabitEthernet0/2
 description Connection 2960-MDF2 Port G0/1
 switchport trunk encapsulation dot1q
!
!
interface GigabitEthernet0/25
 switchport access vlan 36
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/26
 switchport trunk encapsulation dot1q
 switchport mode trunk
 Description --- Wireless AP w VLAN 40 and 41
!
interface GigabitEthernet0/27
 switchport access vlan 38
 switchport mode access
 spanning-tree portfast
!
!
interface GigabitEthernet0/45
 switchport access vlan 36
 switchport mode access
 spanning-tree portfast trunk
!
interface GigabitEthernet0/46
 description Connection 2960-IDF1 G 0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree portfast trunk
!
interface GigabitEthernet0/47
 description Connection 2960-MDF1 G 0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/48
 description Connection 2960-MDF2 G 0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/49
!
interface GigabitEthernet0/50
!
interface GigabitEthernet0/51
!
interface GigabitEthernet0/52
!
interface Vlan1
 ip address x.x.1.1 255.255.255.0
!
interface Vlan36
 ip address x.x.36.5 255.255.254.0
 ip helper-address x.x.36.31
!
interface Vlan38
 ip address x.x.38.1 255.255.255.0
!
interface Vlan39
 ip address x.x.39.1 255.255.255.0
!
interface Vlan40
 ip address x.x.40.1 255.255.255.0
 ip helper-address x.x.36.31
!
interface Vlan41
 ip address x.x.41.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.36.2
ip route x.x.12.0 255.255.254.0 x.x.36.2
ip route x.x.24.0 255.255.255.0 x.x.36.2
ip route x.x.36.0 255.255.255.0 x.x.36.2
ip route x.x.74.0 255.255.255.0 x.x.36.2
ip route x.x.4.0 255.255.255.0 x.x.36.2
ip route x.x.185.0 255.255.255.0 x.x.36.2
ip http server
!
!
control-plane
!
!
line con 0
 password xxx
 logging synchronous
 login
line vty 0 4
 password xxx
 login
line vty 5 15
 password xxx
 login
!
end

3560#

Amit Singh Thu, 05/24/2007 - 06:07

Bob,

The configs posted above were from a router's sub-interface. You can configure the same ACLs and bind them to the Vlan41 interface. This should give you the desired results.

HTH,

-amit singh

bob.mckinley Thu, 05/24/2007 - 06:54

That doesn't make sense to me, because my VLAN 41 already has "permit" access to those items by default. It works now without any ACL "permit" statements, so why would this change when I add "permits" and not "denys"?

Anyway, I added the ACL as shown in the first post. I've listed it below, and now I cannot obtain a DHCP address, and when I statically assign an IP address I cannot access the Internet, whereas before the ACL was applied I could.

Did I do this incorrectly?

interface Vlan41
 ip address x.x.41.1 255.255.255.0
 ip access-group guestvlan in
 ip helper-address x.x.36.31
!
!
ip access-list extended guestvlan
 permit udp any any eq bootpc
 permit udp any any eq domain
 permit tcp any any eq www
 permit tcp any any eq 443

Thanks...

dsturgeon Fri, 05/25/2007 - 11:17

I think your:

 permit udp any any eq bootpc

should be:

 permit udp any eq bootpc any

Can you not access via name, or IP, or both? The rest of it should be good.

bob.mckinley Thu, 05/31/2007 - 07:58

That seems to fix the DHCP issue; however, I still cannot access the Internet. I changed my other access list entries to match but still cannot get out. I've copied the new config below. There is one thing to keep in mind: my Internet goes through a proxy server, an ISA to be specific. The IP is x.x.36.3, and when I attempt to ping that IP address from my laptop that has a 41.6 address I get dest. unreachable. If I do not apply the access-list to that VLAN I can access the Internet fine.

Any thoughts on what I'm missing?

interface Vlan41
 ip address x.x.41.1 255.255.255.0
 ip access-group guestvlan in
 ip helper-address x.x.36.31
!
!
ip access-list extended guestvlan
 permit udp any eq bootpc any
 permit tcp any eq www any
 permit tcp any eq 443 any
 permit tcp any eq domain any

Thanks,

Bob

bob.mckinley Thu, 05/31/2007 - 10:30

I believe I've figured this out. I added the following to my ACL and now I can access the Internet just fine.

permit tcp x.x.41.0 0.0.0.255 host x.x.36.3

If anyone has any other suggestions I should be considering, please let me know.

Thanks,

Bob
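The three access lists in this thread (brad-denham's original, the source-port version Bob tried after dsturgeon's suggestion, and the direction of Bob's final fix) fail or succeed for reasons that are easy to see once the packets are written out as the inbound ACL on the VLAN 41 SVI sees them. The following is an added example, not code from any post in the thread: a small evaluator for the subset of IOS extended-ACL syntax the posts use (permit/deny, ip/tcp/udp, any, host, address plus wildcard, optional eq PORT after each address, first match wins, implicit deny at the end). The two thread ACLs are copied verbatim; the third, ACL_GUEST, is my suggested guest list and is not from the thread. The addresses are assumptions for the sake of a runnable example: 192.168.41.0/24 as the guest VLAN, 192.168.36.31 as both DHCP and DNS server (the thread only names it as the DHCP helper), 192.168.36.3 as the ISA proxy with TCP 8080 assumed as its listener. The sample packets are constructed.

```python
"""Evaluate Cisco IOS extended ACL entries against sample packets (added example).

Handles only the syntax used in the thread: permit/deny, protocol ip/tcp/udp,
'any' | 'host A' | 'A WILDCARD', and an optional 'eq PORT' after each address.
As on IOS, the first matching entry wins and an unmatched packet is denied.
"""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


def _parse_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # A Cisco wildcard is the bitwise inverse of a subnet mask. Only contiguous
    # wildcards (0.0.0.255, 0.0.255.255, ...) are handled; others raise ValueError.
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tokens[1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]


def _parse_port(tokens):
    """Consume an optional 'eq PORT' (name or number); return (port or None, remaining)."""
    if tokens and tokens[0] == "eq":
        port = tokens[1]
        return (int(port) if port.isdigit() else PORT_NAMES[port]), tokens[2:]
    return None, tokens


def parse_acl(text):
    """Turn the body of an 'ip access-list extended' into an ordered entry list."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("!", "ip"):   # comment or access-list header
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, rest = _parse_addr(rest)
        sport, rest = _parse_port(rest)
        dst, rest = _parse_addr(rest)
        dport, rest = _parse_port(rest)
        entries.append((action, proto, src, sport, dst, dport))
    return entries


def evaluate(entries, pkt):
    """Return 'permit' or 'deny' for pkt: first match wins, else the implicit deny."""
    for action, proto, src, sport, dst, dport in entries:
        if proto != "ip" and proto != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in src or ipaddress.ip_address(pkt.dst) not in dst:
            continue
        if sport is not None and sport != pkt.sport:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"


# The two access lists exactly as posted in the thread.
ACL_FIRST_POST = """
permit udp any any eq bootpc
permit udp any any eq domain
permit tcp any any eq www
permit tcp any any eq 443
"""
ACL_SOURCE_PORTS = """
permit udp any eq bootpc any
permit tcp any eq www any
permit tcp any eq 443 any
permit tcp any eq domain any
"""
# Suggested guest list for 'ip access-group ... in' on the VLAN 41 SVI (not from
# the thread). Assumed: 192.168.41.0/24 guests, 192.168.36.31 DHCP+DNS server,
# 192.168.36.3 ISA proxy listening on TCP 8080, 192.168.0.0/16 = internal space.
ACL_GUEST = """
permit udp any eq bootpc any eq bootps
permit udp 192.168.41.0 0.0.0.255 host 192.168.36.31 eq domain
permit tcp 192.168.41.0 0.0.0.255 host 192.168.36.3 eq 8080
deny ip 192.168.41.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 192.168.41.0 0.0.0.255 any
"""

# Constructed packets as they arrive from guest hosts: clients use ephemeral
# source ports, so the well-known port is the destination (DHCP is 68 -> 67).
PACKETS = {
    "dhcp_discover": Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "dns_query": Packet("udp", "192.168.41.6", 51000, "192.168.36.31", 53),
    "http_via_proxy": Packet("tcp", "192.168.41.6", 51001, "192.168.36.3", 8080),
    "http_direct": Packet("tcp", "192.168.41.6", 51002, "203.0.113.10", 80),
    "smb_to_fileserver": Packet("tcp", "192.168.41.6", 51003, "192.168.36.20", 445),
}


def verdicts(acl_text):
    """Map each sample packet name to the verdict the given ACL produces."""
    entries = parse_acl(acl_text)
    return {name: evaluate(entries, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, text in (("first post", ACL_FIRST_POST),
                        ("source ports", ACL_SOURCE_PORTS),
                        ("guest", ACL_GUEST)):
        print(f"{label:13s} {verdicts(text)}")
```

Running it reproduces the thread: the first list names the well-known port as the destination, which is right for DNS and HTTP but wrong for DHCP, because a DISCOVER travels from port 68 to port 67, so "eq bootpc" on the destination never matches and the client gets no lease. Swapping every entry to a source-port match (the second list) fixes DHCP but drops every client TCP session, since those come from ephemeral ports, not from 80, 443 or 53; that is why the Internet stopped working and the proxy became unreachable. Two caveats a practitioner should take from this. First, "permit tcp any eq www any" matches any TCP packet whose source port is 80 regardless of destination, so a guest that binds source port 80 (trivial with any port scanner) reaches every internal host on every port; source-port permits are not a substitute for destination filtering. Second, the final fix posted in the thread, "permit tcp x.x.41.0 0.0.0.255 host x.x.36.3", opens every TCP port on the ISA host, not just the proxy listener; restrict it to the proxy port and add an explicit deny for the internal address space ahead of any broad permit, as ACL_GUEST does. Note also that an inbound ACL on the SVI only filters packets leaving guest hosts; replies arrive through other interfaces and are not inspected, and the evaluator above does not model IOS keywords the thread does not use (established, port ranges, non-contiguous wildcards).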
