Cisco Support Community
New Member

ACL on bridge blocks Wireless

Hi,

We use the Cisco 851W. Image is c850-advsecurityk9-mz.124-15.T7.bin.

There is a bridge group that binds the Dot11Radio and Vlan interfaces. The Vlan interface binds the 4 Ethernet interfaces.

interface Dot11Radio0
description Wi-Fi soft-werke
no ip address
beacon period 500
beacon dtim-period 20
!
encryption key 1 size 40bit 0 xxxxxxxxxx transmit-key
encryption mode wep mandatory
!
ssid soft-werke
!
speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
station-role root
world-mode dot11d country RU indoor
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
no ip address
ip tcp adjust-mss 1452
bridge-group 1
!
interface BVI1
description LAN
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!

All works fine. But when I create the ACL and attach it to the BVI1:


ip access-list extended acl_FromSWLAN
remark from S-W LAN to router
remark SDM_ACL Category=1
deny   ip any 10.0.0.0 0.255.255.255
permit ip any 192.168.10.0 0.0.0.255
deny   ip any 192.168.0.0 0.0.255.255
permit ip 192.168.10.0 0.0.0.255 any
deny   ip any any


interface BVI1
ip access-group acl_FromSWLAN in

then Vlan1 continues working but Dot11Radio0 starts blocking all the traffic. Radio is on but no IP (clients see 'limited connection').

Can anybody say why?

Thanks,

Igor.

3 REPLIES
Gold

Re: ACL on bridge blocks Wireless

You probably need to add a permit statement to allow the DHCP requests in your ACL.  Do the clients have connectivity if they have a static IP?

New Member

Re: ACL on bridge blocks Wireless

Yes, you are right. The static IP clients continue working after the ACL is applied. Furthermore, the DHCP clients that have already got an IP continue working also. Only DHCP clients that are switching on get the problem.

Now there is a question. How to update the ACL to permit DHCP?

I thought the

permit ip any 192.168.10.0 0.0.0.255

should allow DHCP also. Doesn't it? Because

interface BVI1
ip address 192.168.10.1 255.255.255.0
If anything, the DHCP will lease the IPs via the BVI

Or do I understand something incorrectly?

Thanks,

Igor.

Gold

Re: ACL on bridge blocks Wireless

That statement in the ACL allows directed broadcasts.  Keep in mind that the client doesn't have any idea of its IP info when sending the DHCP discover.  You would want to add something like:

access-list 198 permit udp any any eq bootpc

access-list 198 permit udp any any eq bootps
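To see why the 'permit ip any 192.168.10.0 0.0.0.255' line does not cover a DHCP DISCOVER, here is a small added Python model of IOS wildcard-mask ACL evaluation run over the thread's ACL (example code, not from the thread or from Cisco). It assumes the bootps/bootpc lines from the reply are written in named-ACL form and placed above the explicit 'deny ip any any'; the packets are constructed.

```python
import ipaddress

PORT_NAMES = {"bootps": 67, "bootpc": 68}  # IOS port keywords used in the reply

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care' for that bit."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def parse_ace(line):
    """Parse 'permit|deny proto src wc dst wc [eq port]'; 'any' = 0.0.0.0 255.255.255.255."""
    tok = line.replace(" any", " 0.0.0.0 255.255.255.255").split()
    port = None
    if len(tok) > 6 and tok[6] == "eq":
        port = PORT_NAMES.get(tok[7]) or int(tok[7])
    return tok[0], tok[1], (tok[2], tok[3]), (tok[4], tok[5]), port

def evaluate(acl_text, pkt):
    """Top-down first match, then the implicit deny at the end of every IOS ACL."""
    for line in acl_text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("remark"):
            continue
        action, proto, (s, swc), (d, dwc), port = parse_ace(line)
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], s, swc) and wildcard_match(pkt["dst"], d, dwc)):
            continue
        if port is not None and pkt.get("dport") != port:
            continue
        return action
    return "deny"

# Constructed inbound packets as seen on BVI1: a DHCP DISCOVER from a client with no
# lease yet, a unicast DHCP renew from a client that already has one, and normal traffic.
DHCP_DISCOVER = {"proto": "udp", "src": "0.0.0.0", "dst": "255.255.255.255", "dport": 67}
DHCP_RENEW = {"proto": "udp", "src": "192.168.10.23", "dst": "192.168.10.1", "dport": 67}
LAN_TO_INTERNET = {"proto": "tcp", "src": "192.168.10.23", "dst": "203.0.113.10", "dport": 443}

ORIGINAL_ACL = """deny   ip any 10.0.0.0 0.255.255.255
permit ip any 192.168.10.0 0.0.0.255
deny   ip any 192.168.0.0 0.0.255.255
permit ip 192.168.10.0 0.0.0.255 any
deny   ip any any"""
# The bootps/bootpc permits must sit above the explicit 'deny ip any any' to take effect.
FIXED_ACL = "permit udp any any eq bootps\npermit udp any any eq bootpc\n" + ORIGINAL_ACL
```

The DISCOVER (0.0.0.0 to 255.255.255.255) matches no permit in the original ACL and falls through to the deny, while a renewing client's unicast to 192.168.10.1 is permitted, which is why only clients without a lease lost connectivity.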
