ACL on bridge blocks Wireless

Unanswered Question
Jan 28th, 2010


We use the Cisco 851W. Image is c850-advsecurityk9-mz.124-15.T7.bin.

There is a bridge group that binds the Dot11Radio and Vlan interfaces. The Vlan interface binds the 4 Ethernet interfaces.

interface Dot11Radio0
description Wi-Fi soft-werke
no ip address
beacon period 500
beacon dtim-period 20
encryption key 1 size 40bit 0 xxxxxxxxxx transmit-key
encryption mode wep mandatory
ssid soft-werke
speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
station-role root
world-mode dot11d country RU indoor
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Vlan1
no ip address
ip tcp adjust-mss 1452
bridge-group 1
interface BVI1
description LAN
ip address
ip nat inside
ip virtual-reassembly

All works fine. But when I create the ACL and attach it to the BVI1:

ip access-list extended acl_FromSWLAN
remark from S-W LAN to router
remark SDM_ACL Category=1
deny   ip any
permit ip any
deny   ip any
permit ip any
deny   ip any any

interface BVI1
ip access-group acl_FromSWLAN in

then Vlan1 continues working but Dot11Radio0 starts blocking all traffic. The radio is on but there is no IP (clients see 'limited connection').

Can anybody say why?



dancampb Thu, 01/28/2010 - 10:02

You probably need to add a permit statement to allow the DHCP requests in your ACL.  Do the clients have connectivity if they have a static IP?

soft-werke Fri, 01/29/2010 - 08:24

Yes, you are right. The static IP clients continue working after the ACL is applied. Furthermore, the DHCP clients that have already got an IP continue working too. Only the DHCP clients that are switching on get the problem.

Now there is a question. How to update the ACL to permit DHCP?

I thought the

permit ip any

should allow DHCP also. Shouldn't it? Because

interface BVI1
ip address
If anything, the DHCP will lease the IPs via the BVI

Or do I understand something incorrectly?



dancampb Fri, 01/29/2010 - 09:42

That statement in the ACL allows directed broadcasts.  Keep in mind that the client doesn't have any idea of its IP info when sending the DHCP discover.  You would want to add something like:

access-list 198 permit udp any any eq bootpc
access-list 198 permit udp any any eq bootps
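A constructed check of why the subnet-scoped permit misses a DHCP DISCOVER, added here and not part of the thread: it models IOS extended-ACL matching (first match wins, implicit deny at the end) and assumes a LAN subnet of 192.168.1.0/24 in place of the poster's elided addresses.

```python
import ipaddress

# Constructed evaluator for Cisco IOS extended ACL semantics: first match wins, implicit deny.
PORT_NAMES = {"bootps": 67, "bootpc": 68}

def _match_addr(spec, addr):
    # spec is 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (IOS wildcard mask)
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec.split()[1]
    net, wild = spec.split()
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))  # wildcard 1 bits = don't care
    return (int(ipaddress.IPv4Address(net)) & mask) == (int(ipaddress.IPv4Address(addr)) & mask)

def _take_addr(t, i):
    # consume one address spec starting at token i; return (spec, next index)
    if t[i] == "any":
        return "any", i + 1
    return " ".join(t[i:i + 2]), i + 2  # 'host X' or 'net wildcard'

def parse_ace(line):
    # 'permit|deny PROTO SRC DST [eq PORT]'; a trailing eq applies to the destination port
    t = line.split()
    src, i = _take_addr(t, 2)
    dst, i = _take_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return {"action": t[0], "proto": t[1], "src": src, "dst": dst, "dport": dport}

def evaluate(acl_lines, pkt):
    # pkt: dict with proto, src, dst, dport; returns 'permit' or 'deny'
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (_match_addr(ace["src"], pkt["src"]) and _match_addr(ace["dst"], pkt["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != pkt["dport"]:
            continue
        return ace["action"]
    return "deny"  # implicit deny at the end of every IOS ACL

# Assumed LAN subnet; the poster's real addresses are elided on the page.
LAN = "192.168.1.0 0.0.0.255"
ORIGINAL_ACL = [f"permit ip any {LAN}", "deny ip any any"]
FIXED_ACL = ["permit udp any any eq bootps", "permit udp any any eq bootpc"] + ORIGINAL_ACL
# DHCP DISCOVER: the client has no address yet, so 0.0.0.0 -> 255.255.255.255, UDP 68 -> 67.
DHCP_DISCOVER = {"proto": "udp", "src": "0.0.0.0", "dst": "255.255.255.255", "dport": 67}
# A client that already holds a lease talking to the router's LAN address.
LEASED_CLIENT = {"proto": "tcp", "src": "192.168.1.50", "dst": "192.168.1.1", "dport": 80}
```

The broadcast destination of the DISCOVER never falls inside the LAN wildcard range, so only an entry scoped to UDP/bootps (or `any any`) ahead of the deny lets it through.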
