Question about access-lists (ACL's) on a Cisco 2900XL Switch

Answered Question
Jun 23rd, 2010

Hello there,

I have a Cisco 2900XL switch with Release 12.0(5)WC11 installed on it.  In the commands, there is a global command "show access-lists" and a configuration command "access-list".

I have the switch connected to a router using port fa0/1.  I want to put a router on port fa0/24 and have it provide an open wi-fi hotspot.  My local network is on fa0/2 through fa0/6.  What I want, is an access-list that allows the traffic from the wi-fi to go out to my router, but not be able to go to my local network.

The IP's involved are 192.168.2.254 for the router hosting the wireless (Linksys WRT54G) and 192.168.2.1 for my ethernet interface on the Cisco router (Cisco 2514 Router).

I created the access-list on the switch like this:

! host 192.168.2.254 may talk to host 192.168.2.1
access-list 110 permit ip 192.168.2.254 0.0.0.0 192.168.2.1 0.0.0.0
! anything else sourced from 192.168.2.254 is dropped
! (an implicit "deny ip any any" follows the last line of every IOS ACL)
access-list 110 deny ip 192.168.2.254 0.0.0.0 any

My two questions are these:

1. Will this work for what I want?  (knowing that the router will provide dhcp on 192.168.3.0 network)

2.  How do I implement this on the actual ports?

I know how to implement this on routers, so I'm wondering whether the manner is the same (int fa0/x  ip access-group 110 in).  And will I want to implement it on all of the ports, or should I just put it on the out (or in) on int fa0/24 (which will have the router)

Thanks and have a great day:)
Patrick.

Correct Answer
Leo Laohoo Wed, 06/23/2010 - 15:12

2900/3500XL, sadly, are layer 2 only switches.  Only MAC access lists are supported.

Correct Answer
m.lammerse@ueco... Wed, 06/23/2010 - 15:47

Hi Patrick,

I don't think this particular access list will work, because the traffic (from an IP perspective) won't actually be between the wifi hotspot and your router. It will be between your wifi clients' IP and their destination IP address.

Wouldn't it be easier to create separate vlans for your router to wifi hot spot connection and your local network? That way, they won't be able to talk to each other unless they go through your router. You can then apply a firewall policy on the router to prevent the wifi clients from connecting to your internal network.

  • put your internal router interface and the local network device on fa0/2-fa0/6 in, say, vlan 100.
  • put your external router interface and the wifi hotspot on fa0/24 in, say, vlan 200.
  • configure 192.168.2.1/30 on the external router interface and 192.168.2.2/30 on the wifi hotspot ethernet interface.
  • configure 192.168.3.1/24 on the internal router interface and configure your local network to match.
  • configure another IP subnet on the wifi hot spot for dhcp to the wifi clients
  • statically route this IP subnet from your router to the wifi hotspot
  • configure default gateway on the wifi hotspot to point to your router
  • configure an access list on the router to prevent traffic from entering your local network and permit for wherever it needs to go

Alternatively, if you don't want to separate them out at layer 3, you could try private vlans (pvlans), but I'm not 100% sure whether that is supported on the 2900XL series.

HTH

Marcel
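The VLAN split Marcel describes, written out as an added configuration example; it is not from the original thread. It assumes the 2900XL uses the 12.0(5)WC-style VLAN database, that the router has two Ethernet interfaces free for the internal and hotspot segments (called Ethernet0 and Ethernet1 here, with the router's existing default route toward the modem not shown), that the router's hotspot-side interface plugs into switch port fa0/23, and that the WRT54G hands its wifi clients 192.168.4.0/24. The port number and the 192.168.4.0/24 subnet are assumptions, not values from the thread.

```cisco
! ---- 2900XL switch (12.0(5)WC11) ----
! On the 2900XL, VLANs are defined in VLAN database mode, not in global config.
vlan database
 vlan 100 name LAN
 vlan 200 name HOTSPOT
 exit
!
configure terminal
! VLAN 100: the router's internal interface plus the local network on fa0/2-fa0/6
interface FastEthernet0/1
 description router Ethernet0 (internal LAN, 192.168.3.1/24)
 switchport mode access
 switchport access vlan 100
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 100
!
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 100
!
interface FastEthernet0/4
 switchport mode access
 switchport access vlan 100
!
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 100
!
interface FastEthernet0/6
 switchport mode access
 switchport access vlan 100
!
! VLAN 200: only the router's hotspot-side interface and the WRT54G.
! (fa0/23 for the router link is an assumed port, not from the thread.)
interface FastEthernet0/23
 description router Ethernet1 (hotspot link, 192.168.2.1/30)
 switchport mode access
 switchport access vlan 200
!
interface FastEthernet0/24
 description Linksys WRT54G WAN port (192.168.2.2/30, gateway 192.168.2.1)
 switchport mode access
 switchport access vlan 200
end
!
! ---- router (two free Ethernet interfaces assumed) ----
interface Ethernet0
 description internal LAN (VLAN 100)
 ip address 192.168.3.1 255.255.255.0
!
interface Ethernet1
 description point-to-point link to the WRT54G (VLAN 200)
 ip address 192.168.2.1 255.255.255.252
 ip access-group 110 in
!
! Wifi client subnet served by the WRT54G's own DHCP (192.168.4.0/24 is assumed).
! This route is only needed if the WRT54G routes, rather than NATs, toward the router.
ip route 192.168.4.0 255.255.255.0 192.168.2.2
!
! Inbound on the hotspot-side interface: nothing arriving from that segment may
! reach the internal LAN (including the router's own 192.168.3.1); everything
! else continues toward the default route. The deny is keyed on the destination,
! so it holds whether the WRT54G NATs its clients (source 192.168.2.2) or
! routes them (source 192.168.4.x).
access-list 110 deny   ip any 192.168.3.0 0.0.0.255 log
access-list 110 permit ip any any
```

Check it with `show vlan` on the switch and `show access-lists 110` on the router: the deny line's match counter (and the log messages it emits) should climb when a wifi client tries to reach anything in 192.168.3.0/24, while the same client's traffic toward the internet passes. Keying the deny on the destination rather than on the hotspot's address is what avoids the mismatch Marcel points out, since the source address the router sees depends on whether the hotspot NATs or routes its clients.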

Patrick_Dickey Wed, 06/23/2010 - 18:15

Thank you both for the answers.  I would ask why the IOS has the commands available to it, when it's not able to use them.  But, I understand that switches deal with layer 2 and MAC addresses, where routers deal with layer 3 and IP addresses.

The problem with having my router deal with everything is it would involve trunking from port fa0/1 to the router and using subinterfaces on the router.  Except that the Cisco 2514 has Ethernet interfaces (and I don't think I can get MAUs that allow Fast Ethernet).  I tried creating the subinterfaces on the router, but since I'm unable to enable any type of encapsulation on Ethernet ports, I can't assign IP addresses to the subinterfaces.

So, if there's a way that I can have my cake, and eat it too (in other words create the two vlans and have them both go through the router), I'd appreciate some advice on how to accomplish it.  Otherwise, the open-wifi will just have to go the way of the birds...

Thanks, and have a great day:)
Patrick.

m.lammerse@ueco... Wed, 06/23/2010 - 18:35

Hey Patrick,

Last time I checked, the 2514 has 2 Ethernet interfaces. Just to confirm, as I couldn't gather this from your initial post, is that other interface still available?

As for why certain IOS commands are available but not supported: that is not as uncommon in IOS as you may think. That's just because IOS is often ported to other hardware platforms and Cisco doesn't always take out the commands that aren't supported on that particular platform.

*shrug*

Patrick_Dickey Wed, 06/23/2010 - 22:05

Hi Marcel,

Yes the router has two ethernet interfaces.  I should have clarified the entire situation.  I'm using one of the interfaces to connect to my modem, and the other is connected to the switch.  Originally I was using a Linksys WRT54G for my home network, but it can't handle the high traffic with backups and copying files from my computers to my Windows Home Server.  So, since I had the routers (I have four of them total that I bought third-hand), I decided to use one for my routing and get a switch on ebay to handle the LAN side of things.

If I decide that I have to do the open wi-fi, I'll hook another router up and use a serial cable between the two--since it won't work this way.

Thanks for the help, and I'm going to mark two (or three) as answers, if the forum will allow that.

Have a great day:)
Patrick.
