We use the Cisco 851W. Image is c850-advsecurityk9-mz.124-15.T7.bin.
There is a bridge group that binds the Dot11Radio and Vlan interfaces. The Vlan interface binds the 4 Ethernet interfaces.

interface Dot11Radio0
 description Wi-Fi soft-werke
 no ip address
 beacon period 500
 beacon dtim-period 20
 !
 encryption key 1 size 40bit 0 xxxxxxxxxx transmit-key
 encryption mode wep mandatory
 !
 ssid soft-werke
 !
 speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
 station-role root
 world-mode dot11d country RU indoor
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
All works fine. But when I create the ACL and attach it to BVI1:

ip access-list extended acl_FromSWLAN
 remark from S-W LAN to router
 remark SDM_ACL Category=1
 deny ip any 10.0.0.0 0.255.255.255
 permit ip any 192.168.10.0 0.0.0.255
 deny ip any 192.168.0.0 0.0.255.255
 permit ip 192.168.10.0 0.0.0.255 any
 deny ip any any

interface BVI1
 ip access-group acl_FromSWLAN in

then Vlan1 continues working, but Dot11Radio0 starts blocking all the traffic. The radio is on, but there is no IP (clients see 'limited connection').
Yes, you are right. The static IP clients continue working after the ACL is applied. Furthermore, the DHCP clients that have already got an IP also continue working. Only the DHCP clients that are switching on get the problem.

Now there is a question: how to update the ACL to permit DHCP?
I thought the

 permit ip any 192.168.10.0 0.0.0.255

should allow DHCP also. Shouldn't it? Because

interface BVI1
 ip address 192.168.10.1 255.255.255.0

If anything, DHCP will lease the IPs via the BVI.
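Added example, not code from the post above: a small evaluator for the extended-ACL lines quoted in the thread, which shows why acl_FromSWLAN keeps already-leased clients working but drops a DHCP DISCOVER, whose IP header is 0.0.0.0 -> 255.255.255.255 (UDP 68 -> 67) and so never matches "permit ip any 192.168.10.0 0.0.0.255". The extra "permit udp any eq bootpc any eq bootps" line is an assumed remediation, not something the poster wrote.

```python
# Added example, not from the original post: a minimal evaluator for Cisco-style
# extended IP ACL lines (wildcard masks, optional "eq" ports, implicit deny at the end),
# used to show why acl_FromSWLAN keeps already-leased clients working but drops a DHCP
# DISCOVER, whose IP header is 0.0.0.0 -> 255.255.255.255 (UDP 68 -> 67).
import ipaddress

PORTS = {"bootps": 67, "bootpc": 68}   # IOS port keywords used in the extra line below

def parse(line):
    """Return (action, proto, src, sport, dst, dport) from one ACL line as written on the page."""
    tok, pos, fields = line.split(), 2, []
    for _ in range(2):                       # source, then destination
        if tok[pos] == "any":
            spec, pos = "any", pos + 1
        else:                                # "network wildcard"
            spec, pos = (tok[pos], tok[pos + 1]), pos + 2
        port = None
        if pos < len(tok) and tok[pos] == "eq":
            port, pos = int(PORTS.get(tok[pos + 1], tok[pos + 1])), pos + 2
        fields += [spec, port]
    return (tok[0], tok[1], *fields)

def match_addr(spec, addr):
    if spec == "any":
        return True
    n, w, a = (int(ipaddress.IPv4Address(x)) for x in (*spec, addr))
    return (n & ~w) == (a & ~w)              # wildcard bits set to 1 are "don't care"

def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, p, s, sp, d, dp in acl:
        if (p in ("ip", proto) and match_addr(s, src) and match_addr(d, dst)
                and sp in (None, sport) and dp in (None, dport)):
            return action
    return "deny"

ACL_FROM_POST = [parse(l) for l in (
    "deny ip any 10.0.0.0 0.255.255.255",
    "permit ip any 192.168.10.0 0.0.0.255",
    "deny ip any 192.168.0.0 0.0.255.255",
    "permit ip 192.168.10.0 0.0.0.255 any",
    "deny ip any any",
)]
# Candidate remediation (an assumption, not from the post): permit client-to-server
# DHCP ahead of the final deny, using standard IOS extended-ACL syntax.
ACL_WITH_DHCP = ACL_FROM_POST[:-1] + [parse("permit udp any eq bootpc any eq bootps")] + ACL_FROM_POST[-1:]

if __name__ == "__main__":
    for name, acl in (("original", ACL_FROM_POST), ("with DHCP line", ACL_WITH_DHCP)):
        print(name, "DISCOVER ->", evaluate(acl, "udp", "0.0.0.0", "255.255.255.255", 68, 67))
```

A client renewing an existing lease sends a unicast from its 192.168.10.x address to 192.168.10.1, which the second line permits; that is why only freshly booting DHCP clients are affected.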