VLAN Filter - configuration assistance

tdennehy
Level 1

I am trying to create the simplest of VLAN filters out there, yet it doesn't work. My goal is to filter the traffic on VLAN 3060 to only allow DHCP (so the client can get an IP address from our server), DNS, HTTP and HTTPS. Nothing else.

My configuration below allows my client device to get an IP address, but that's where it ends.  I cannot do an nslookup from the DNS server, etc.

Can someone see the error I have overlooked?

vlan filter Guest_WLAN_Protocol_Restriction vlan-list 3060
!
vlan access-map Guest_WLAN_Protocol_Restriction 10
 match ip address Guest_WLAN_Protocol_Restriction
 action forward
!
ip access-list extended Guest_WLAN_Protocol_restriction
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit udp any any eq domain
 permit tcp any any eq domain
 permit udp any any eq 80
 permit tcp any any eq www
 permit tcp any any eq 443
 deny ip any any

Thanks,

Tim

2 Replies

zartar911
Level 1

Hi Tim,

I believe you are missing the dns reply in your access-list, something similar to the following should work:

permit udp any eq domain any gt 1023

Regards,

Tim

Tim,

I figured it out, and you were right on the money. I was missing the return path:

Here's my working solution:

vlan access-map Guest_WLAN_Protocol_Restriction 10
 match ip address Guest_WLAN_Protocol_Restriction
 action forward
!
vlan filter Guest_WLAN_Protocol_Restriction vlan-list 2099
!
ip access-list extended Guest_WLAN_Protocol_Restriction
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit udp 10.128.254.0 0.0.0.255 any eq domain
 permit tcp 10.128.254.0 0.0.0.255 any eq domain
 permit icmp 10.128.254.0 0.0.0.255 any echo
 permit icmp 10.128.254.0 0.0.0.255 any echo-reply
 permit icmp 10.128.254.0 0.0.0.255 any port-unreachable
 permit udp 10.128.254.0 0.0.0.255 any eq 80
 permit tcp 10.128.254.0 0.0.0.255 any eq www
 permit tcp 10.128.254.0 0.0.0.255 any eq 443
 deny ip 10.128.254.0 0.0.0.255 any
 permit ip any 10.128.254.0 0.0.0.255

Thanks,

Tim
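As an added illustration (not code from this thread or from Cisco), the Python below simulates first-match extended-ACL evaluation over the entries posted above, so the stateless return-path problem can be checked offline: a VACL sees the DNS query and the DNS reply as two unrelated packets, and the original list has no entry for the reply. The client and DNS server addresses are constructed; the client sits inside the 10.128.254.0/24 block the working solution uses.

```python
import ipaddress

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}

def _addr(toks):
    """Consume 'any' or 'network wildcard' and return an IPv4 match predicate."""
    if toks[0] == "any":
        toks.pop(0)
        return lambda ip: True
    net = int(ipaddress.IPv4Address(toks.pop(0)))
    wild = int(ipaddress.IPv4Address(toks.pop(0)))  # wildcard bits set to 1 are "don't care"
    return lambda ip: (int(ipaddress.IPv4Address(ip)) & ~wild) == (net & ~wild)

def _port(toks):
    """Consume an optional 'eq N' / 'gt N' qualifier and return a port predicate."""
    if toks and toks[0] in ("eq", "gt"):
        op, tok = toks.pop(0), toks.pop(0)
        n = PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)
        return (lambda p: p == n) if op == "eq" else (lambda p: p > n)
    return lambda p: True

def parse_ace(line):
    """'permit udp 10.0.0.0 0.0.0.255 any eq domain' -> (action, proto, src, sport, dst, dport)."""
    toks = line.split()
    action, proto = toks.pop(0), toks.pop(0)
    src, sport = _addr(toks), _port(toks)
    dst, dport = _addr(toks), _port(toks)
    return action, proto, src, sport, dst, dport  # trailing ICMP type keywords are ignored

def evaluate(acl, pkt):
    """First-match evaluation; a named IOS ACL ends with an implicit deny."""
    for action, proto, src, sport, dst, dport in map(parse_ace, acl):
        if (proto in ("ip", pkt["proto"]) and src(pkt["src"]) and sport(pkt["sport"])
                and dst(pkt["dst"]) and dport(pkt["dport"])):
            return action
    return "deny"

# The entries from the thread that matter for DNS (the HTTP/HTTPS lines behave the same way).
ORIGINAL = ["permit udp any any eq bootps", "permit udp any any eq bootpc",
            "permit udp any any eq domain", "deny ip any any"]
SUGGESTED = "permit udp any eq domain any gt 1023"   # zartar911's reply-direction entry
FIXED = ["permit udp any any eq bootps", "permit udp any any eq bootpc",
         "permit udp 10.128.254.0 0.0.0.255 any eq domain",
         "deny ip 10.128.254.0 0.0.0.255 any", "permit ip any 10.128.254.0 0.0.0.255"]
CLIENT, DNS = "10.128.254.50", "10.128.1.10"  # constructed: guest client in 10.128.254.0/24, DNS server outside it
DNS_QUERY = dict(proto="udp", src=CLIENT, sport=53000, dst=DNS, dport=53)
DNS_REPLY = dict(proto="udp", src=DNS, sport=53, dst=CLIENT, dport=53000)  # the return path the original never permits

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("suggested", ORIGINAL[:-1] + [SUGGESTED]), ("fixed", FIXED)):
        print(f"{name}: query={evaluate(acl, DNS_QUERY)} reply={evaluate(acl, DNS_REPLY)}")
```

Running it shows the original list permitting the query but dropping the reply, while both the suggested `gt 1023` entry and the working solution's final `permit ip any 10.128.254.0 0.0.0.255` let it through. That last entry also permits any other traffic addressed to the client subnet, which is worth knowing when deciding how tight the guest filter needs to be.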
