ACL on bridge blocks Wireless

Unanswered Question
Jan 28th, 2010

Hi,

We use the Cisco 851W. Image is c850-advsecurityk9-mz.124-15.T7.bin.

There is a bridge group that binds the interfaces Dot11Radio and Vlan. The Vlan interface binds the 4 Ethernet interfaces.

interface Dot11Radio0
description Wi-Fi soft-werke
no ip address
beacon period 500
beacon dtim-period 20
!
encryption key 1 size 40bit 0 xxxxxxxxxx transmit-key
encryption mode wep mandatory
!
ssid soft-werke
!
speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
station-role root
world-mode dot11d country RU indoor
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
no ip address
ip tcp adjust-mss 1452
bridge-group 1
!
interface BVI1
description LAN
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!

All works fine. But when I create the ACL and attach it to the BVI1:
ip access-list extended acl_FromSWLAN
remark from S-W LAN to router
remark SDM_ACL Category=1
deny   ip any 10.0.0.0 0.255.255.255
permit ip any 192.168.10.0 0.0.0.255
deny   ip any 192.168.0.0 0.0.255.255
permit ip 192.168.10.0 0.0.0.255 any
deny   ip any any
interface BVI1
ip access-group acl_FromSWLAN in

then Vlan1 continues working but Dot11Radio0 starts blocking all the traffic. The radio is on but there is no IP (clients see 'limited connection').

Can anybody say why?

Thanks,

Igor.

dancampb Thu, 01/28/2010 - 10:02

You probably need to add a permit statement to allow the DHCP requests in your ACL.  Do the clients have connectivity if they have a static IP?

soft-werke Fri, 01/29/2010 - 08:24

Yes, you are right. The static IP clients continue working after the ACL is applied. Furthermore, the DHCP clients that have already got an IP continue working also. Only the DHCP clients that are switching on get the problem.

Now there is a question. How to update the ACL to permit DHCP?

I thought the

permit ip any 192.168.10.0 0.0.0.255

should allow DHCP also. Doesn't it? Because

interface BVI1
ip address 192.168.10.1 255.255.255.0

If anything, the DHCP will lease the IPs via the BVI

Or do I understand something incorrectly?

Thanks,

Igor.

dancampb Fri, 01/29/2010 - 09:42

That statement in the ACL allows directed broadcasts.  Keep in mind that the client doesn't have any idea of its IP info when sending the DHCP discover.  You would want to add something like:

access-list 198 permit udp any any eq bootpc
access-list 198 permit udp any any eq bootps
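The reason the thread's `permit ip any 192.168.10.0 0.0.0.255` line does not help is visible once the packets are written out: a DHCPDISCOVER from a client without a lease is sourced from 0.0.0.0 and sent to the limited broadcast 255.255.255.255 (UDP 68 to 67), so neither the source nor the destination falls inside 192.168.10.0/24 and the packet falls through to `deny ip any any`. A client that already holds a lease renews with a unicast to 192.168.10.1, which does match, exactly as soft-werke observed. The small Python evaluator below is an added illustration and not part of the original thread or of Cisco IOS: it implements Cisco-style wildcard-mask matching and first-match semantics over the ACL text quoted above, then evaluates the DHCP and ordinary LAN traffic against both the original ACL and a version with the two `permit udp ... eq bootps/bootpc` entries from the last reply (written here in the named-ACL form the questioner uses, placed before the deny; the placement and the sample addresses are this example's assumptions).

```python
import ipaddress
from dataclasses import dataclass

# Added example: a minimal evaluator for Cisco-style extended ACL entries.
# Semantics modelled: wildcard masks (a 1 bit means "don't care"), first
# matching entry wins, and an implicit "deny ip any any" at the end.

PORT_NAMES = {"bootps": 67, "bootpc": 68}  # DHCP server / client ports


@dataclass
class Packet:
    proto: str          # "udp", "tcp", "icmp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def wildcard_match(addr, network, wildcard):
    """True if addr is inside network/wildcard using Cisco wildcard rules."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must match exactly
    return (a & care) == (n & care)


def parse_addr_port(tokens):
    """Consume 'any' | 'host X' | 'X WILDCARD', then an optional 'eq PORT'."""
    if tokens[0] == "any":
        spec, rest = ("0.0.0.0", "255.255.255.255"), tokens[1:]
    elif tokens[0] == "host":
        spec, rest = (tokens[1], "0.0.0.0"), tokens[2:]
    else:
        spec, rest = (tokens[0], tokens[1]), tokens[2:]
    port = None
    if rest and rest[0] == "eq":
        port = PORT_NAMES.get(rest[1]) or int(rest[1])
        rest = rest[2:]
    return spec, port, rest


def parse_acl(text):
    """Parse the body of a named extended ACL; remarks and the header are skipped."""
    aces = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("remark") or line.startswith("ip access-list"):
            continue
        tokens = line.split()
        src, sport, rest = parse_addr_port(tokens[2:])
        dst, dport, _ = parse_addr_port(rest)
        aces.append({"action": tokens[0], "proto": tokens[1],
                     "src": src, "sport": sport, "dst": dst, "dport": dport})
    return aces


def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if not wildcard_match(pkt.src, *ace["src"]) or not wildcard_match(pkt.dst, *ace["dst"]):
        return False
    if ace["sport"] is not None and ace["sport"] != pkt.sport:
        return False
    if ace["dport"] is not None and ace["dport"] != pkt.dport:
        return False
    return True


def evaluate(aces, pkt):
    """Return (action, index of the matching entry); None index = implicit deny."""
    for i, ace in enumerate(aces):
        if ace_matches(ace, pkt):
            return ace["action"], i
    return "deny", None


# The ACL from the question, verbatim.
ORIGINAL_ACL = """
ip access-list extended acl_FromSWLAN
 remark from S-W LAN to router
 deny   ip any 10.0.0.0 0.255.255.255
 permit ip any 192.168.10.0 0.0.0.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip 192.168.10.0 0.0.0.255 any
 deny   ip any any
"""

# Assumed fix: the two DHCP permits from the last reply, placed at the top.
FIXED_ACL = """
ip access-list extended acl_FromSWLAN
 permit udp any any eq bootps
 permit udp any any eq bootpc
""" + ORIGINAL_ACL.split("remark from S-W LAN to router", 1)[1]

# Constructed sample traffic (addresses other than 192.168.10.1 are made up).
DHCP_DISCOVER = Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67)   # client with no lease
DHCP_RENEW = Packet("udp", "192.168.10.50", "192.168.10.1", 68, 67)   # client renewing a lease
STATIC_WEB = Packet("tcp", "192.168.10.50", "203.0.113.10", 40000, 80)  # static-IP client to the Internet

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        aces = parse_acl(text)
        for label, pkt in (("discover", DHCP_DISCOVER), ("renew", DHCP_RENEW), ("web", STATIC_WEB)):
            print(name, label, evaluate(aces, pkt))
```

Running it shows the discover hitting entry 4 (`deny ip any any`) under the original ACL while the renew and the static client's web traffic are permitted, and the discover being permitted by the first entry once the bootps/bootpc lines are present; that is the same split between "new" and "already leased" clients the thread describes. Because the ACL is applied inbound on the BVI, the permits must precede the final deny, and they are deliberately narrow (UDP to the two DHCP ports only).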
