Internet Only Guest Access ACL (not answered)

Answered Question
Apr 3rd, 2012

Hi,


We have a new WLC set up at a remote office controlling 4 access points and we need to restrict access to our Guest SSID to only internet access. This is the way the network is currently configured:


3750G Switch:


Two layer 3 vlans, one for Corporate access to the inside network and internet and one Guest access to internet only. Both of these have helper addresses on them pointing to our DHCP server which has scopes for both the Guest and Corporate vlans. The controller is on a trunk port with an address on our management subnet and the AP's are on access ports on the same management subnet. The subnets are as follows:


10.80.27.0 - Wireless Corporate (vlan 27)

10.80.28.0 - Wireless Guest (vlan 28)

10.80.10.0 - Management (vlan 10)


(In addition, we have multiple other vlans on both a 172.16.0.0/16 and the 10.80.X.0/24 network)


In order to restrict access for the Guest wireless clients, I tried to add the following ACL on vlan 28 thinking this would allow DHCP and DNS requests for wireless clients as well as web access while denying access to all other inside network resources:


ip access-list extended UNTRUSTED-ACL
 permit udp 10.80.28.0 0.0.0.255 any eq domain
 permit udp 10.80.28.0 0.0.0.255 any eq bootps bootpc
 permit tcp 10.80.28.0 0.0.0.255 any eq www
 permit tcp 10.80.0.0 0.0.255.255 any eq 443
 deny   ip 10.80.28.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.80.28.0 0.0.0.255 172.16.0.0 0.0.255.255


So basically, without the ACL applied, a client receives an address from DHCP without issue and is able to surf the internet as well as all inside resources. When I apply the ACL to the vlan, clients can no longer receive an IP from DHCP. However, if a client had already received an address prior to applying the ACL, that client is able to surf while being denied access to the inside network when the ACL is applied, which is the desired effect. So it would seem that the issue is with access to the DHCP server when the ACL is in place. Is my ACL misconfigured or am I just going about this entirely the wrong way?


(apologies for the overly verbose explanation, wanted to be sure I got enough detail in there)

Correct Answer
Martin Bosch Tue, 04/03/2012 - 08:05

I had an issue like this before.

I split my bootps / bootpc into a line each, and it started working.

Something like:

remark DHCP server
permit udp 10.80.28.0 0.0.0.255 host eq bootpc
permit udp 10.80.28.0 0.0.0.255 host eq bootps

What about if you add log after the deny? Do the logs show anything? Sending it to a syslog might help filtering.

Michael Marzol Tue, 04/03/2012 - 08:12

(mistakenly clicked 'correct answer')


Martin,


That's a good point, I will try that and post the outcome.


-Mike

Michael Marzol Tue, 04/03/2012 - 11:53

I added the following but still no luck:


Extended IP access list UNTRUSTED-ACL
    10 permit udp 10.80.28.0 0.0.0.255 any eq domain
    20 permit udp 10.80.28.0 0.0.0.255 any eq bootpc
    30 permit udp 10.80.28.0 0.0.0.255 any eq bootps (4 matches)
    40 permit tcp 10.80.28.0 0.0.0.255 any eq www
    50 permit tcp 10.80.28.0 0.0.0.255 any eq 443
    60 deny ip 10.80.28.0 0.0.0.255 10.0.0.0 0.255.255.255 (202 matches)
    70 deny ip 10.80.28.0 0.0.0.255 172.16.0.0 0.0.255.255 (34 matches)

Extended IP access list UNTRUSTED-ACL-OUT
    10 permit udp any 10.80.28.0 0.0.0.255 eq domain
    20 permit udp any 10.80.28.0 0.0.0.255 eq bootpc
    30 permit udp any 10.80.28.0 0.0.0.255 eq bootps
    40 permit tcp any 10.80.28.0 0.0.0.255 eq www
    50 permit tcp any 10.80.28.0 0.0.0.255 eq 443
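Added example, not from the thread and not Cisco code: a small offline evaluator for the subset of IOS extended-ACL syntax used above (first match wins, implicit deny at the end). Replaying the posted inbound ACL against a constructed DHCP DISCOVER shows why new clients get no lease: a client without an address sends the DISCOVER from source 0.0.0.0 to 255.255.255.255 (RFC 2131), and every permit line requires a source in 10.80.28.0/24, so the broadcast falls through to the implicit deny before the helper address can relay it (renewals from clients that already hold a lease do match line 30, which fits the 4 hits shown). The evaluator also shows an ordering point: because the www/443 permits sit above the deny lines, guest HTTP/HTTPS to internal hosts is permitted. The HARDENED_ACL, the server address 10.80.10.5, the internal host 10.80.5.20 and the internet host 203.0.113.10 are constructed assumptions for the demonstration.

```python
"""Replay Cisco IOS extended ACL lines against constructed packets.

Added example for this thread (not Cisco's code, not from the thread).
Handles the syntax the thread uses: permit/deny, ip/tcp/udp, any, host A,
A wildcard, 'eq' ports, sequence numbers, remarks, '(N matches)' counters.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68, "www": 80}
Net = Tuple[int, int]  # (address, wildcard mask) as integers, IOS style


@dataclass
class Rule:
    action: str
    proto: str
    src: Net
    sports: List[int]
    dst: Net
    dports: List[int]
    text: str


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tok: List[str], i: int) -> Tuple[Net, int]:
    """'any' | 'host A.B.C.D' | 'A.B.C.D wildcard', starting at tok[i]."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2


def _parse_ports(tok: List[str], i: int) -> Tuple[List[int], int]:
    """Optional 'eq p1 [p2 ...]' clause (IOS accepts several ports after eq)."""
    ports: List[int] = []
    if i < len(tok) and tok[i] == "eq":
        i += 1
        while i < len(tok) and (tok[i].isdigit() or tok[i] in PORT_NAMES):
            ports.append(PORT_NAMES[tok[i]] if tok[i] in PORT_NAMES else int(tok[i]))
            i += 1
    return ports, i


def parse_acl(text: str) -> List[Rule]:
    rules: List[Rule] = []
    for raw in text.strip().splitlines():
        tok = raw.split("(")[0].split()      # drop '(N matches)' counters
        if tok and tok[0].isdigit():         # drop sequence numbers
            tok = tok[1:]
        if not tok or tok[0] not in ("permit", "deny"):
            continue                         # skip header lines and remarks
        src, i = _parse_addr(tok, 2)
        sports, i = _parse_ports(tok, i)
        dst, i = _parse_addr(tok, i)
        dports, _ = _parse_ports(tok, i)
        rules.append(Rule(tok[0], tok[1], src, sports, dst, dports, " ".join(tok)))
    return rules


def _matches(addr: str, net: Net) -> bool:
    base, wild = net                         # set wildcard bit = don't care
    return (_ip(addr) | wild) == (base | wild)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching line wins; otherwise the implicit deny applies."""
    for r in rules:
        if r.proto not in ("ip", pkt.proto):
            continue
        if not (_matches(pkt.src, r.src) and _matches(pkt.dst, r.dst)):
            continue
        if r.sports and pkt.sport not in r.sports:
            continue
        if r.dports and pkt.dport not in r.dports:
            continue
        return r.action, r.text
    return "deny", "implicit deny ip any any"


# Inbound ACL exactly as listed in the thread's 'show ip access-lists' output.
POSTED_ACL = """
Extended IP access list UNTRUSTED-ACL
    10 permit udp 10.80.28.0 0.0.0.255 any eq domain
    20 permit udp 10.80.28.0 0.0.0.255 any eq bootpc
    30 permit udp 10.80.28.0 0.0.0.255 any eq bootps (4 matches)
    40 permit tcp 10.80.28.0 0.0.0.255 any eq www
    50 permit tcp 10.80.28.0 0.0.0.255 any eq 443
    60 deny ip 10.80.28.0 0.0.0.255 10.0.0.0 0.255.255.255 (202 matches)
    70 deny ip 10.80.28.0 0.0.0.255 172.16.0.0 0.0.255.255 (34 matches)
"""

# Constructed variant (assumption, not from the thread): a DISCOVER from a
# client with no lease is sourced from 0.0.0.0, so it gets its own line, and
# the denies go before the permits. 10.80.10.5 is a constructed DHCP/DNS server.
HARDENED_ACL = """
permit udp host 0.0.0.0 host 255.255.255.255 eq bootps
permit udp 10.80.28.0 0.0.0.255 host 10.80.10.5 eq bootps
permit udp 10.80.28.0 0.0.0.255 host 10.80.10.5 eq domain
deny ip 10.80.28.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 10.80.28.0 0.0.0.255 172.16.0.0 0.0.255.255
permit tcp 10.80.28.0 0.0.0.255 any eq www 443
"""

# Constructed packets as seen inbound on the Vlan28 SVI.
DISCOVER = Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67)   # no lease yet
RENEW = Packet("udp", "10.80.28.50", "10.80.10.5", 68, 67)      # holds a lease
INTERNET_HTTPS = Packet("tcp", "10.80.28.50", "203.0.113.10", 51001, 443)
INTERNAL_WEB = Packet("tcp", "10.80.28.50", "10.80.5.20", 51002, 80)
INTERNAL_SMB = Packet("tcp", "10.80.28.50", "10.80.5.20", 51003, 445)

if __name__ == "__main__":
    for name, acl in (("posted", POSTED_ACL), ("hardened", HARDENED_ACL)):
        rules = parse_acl(acl)
        for pkt in (DISCOVER, RENEW, INTERNET_HTTPS, INTERNAL_WEB, INTERNAL_SMB):
            print(name, pkt.src, "->", f"{pkt.dst}:{pkt.dport}", evaluate(rules, pkt))
```

The evaluator only reproduces the matching logic; on the switch itself the log keyword Martin suggests, together with the per-line counters in show ip access-lists, is what confirms which line a given packet actually hits.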

George Stefanick Tue, 04/03/2012 - 18:10

First, let's be clear. You have a WLC, correct? Did you turn off DHCP proxy on the WLC? This is enabled by default. If proxy is enabled, your IP helpers are not being used for your wireless clients, because the WLC will unicast the DHCP for the client.

Michael Marzol Thu, 04/05/2012 - 06:50

Hi George,


DHCP Proxy was actually disabled by default. Still no luck.

Michael Burk Tue, 04/03/2012 - 08:12

Also check the direction of your ACL and make sure that's correct. It should look like this:

interface Vlan28
 description WLAN_SSID_guest
 ip address 10.80.28.1 255.255.255.0
 ip access-group from_guest_into_wired in
 ip access-group to_guest_from_wired out

You may also want to use a "Reflexive" ACL to permit the return packets; it basically makes your switch's ACL stateful, like an ASA.

Michael Marzol Tue, 04/03/2012 - 08:14

Thanks Michael,


I will give both of these a shot and post the results.


-Mike
