
New Member

Access List for WLAN Clients

I presently have a network wherein the WLAN and LAN are based on the same network, utilizing the same DHCP server.

However, I feel that this puts my network at risk and would like to separate my network using different IP subnets, with each having its own DHCP server. The separation would have to make the WLAN network look something like an external network and the clients on the LAN part of the internal network.

The requirement being that in no way would there be any contact between the external and internal network. Both networks connect to a UTM device on different ports, where both ports are designated as LAN ports. However, there is a static route in the core, ip route 0.0.0.0 0.0.0.0 UTM, so that clients on the LAN have access to the Internet.

Could anyone suggest solutions that can be useful for me in this setup?

Thanks

9 REPLIES
New Member

DMZ, Access List ?

No one ?

DMZ, Access List ?

Why don't you just put the WLAN behind the firewall as a different interface and as a completely separate network? Then the users that are on the WLAN won't be able to access anything on the LAN unless you specify it. You could also not even create an SVI for the WLAN on your core and send the traffic straight to the firewall, so for the WLAN clients the default gateway would be the interface on the firewall instead of the SVI on the core.

I'm assuming you are looking to accomplish something like this?

New Member

Re: DMZ, Access List ?

I am not able to understand what putting the WLAN behind the firewall means. Each switch across the organization is connected to the core. I would be required to place access points in different locations. In such a case, how would I be able to route back without an SVI?

The requirement is for a hospital which plans to provide open access for patients. And I require to make sure that the LAN is safe from possible attacks. The other requirement being that the core, edge switches, firewall and Internet connectivity all have to be shared, with no additional hardware other than access points.

New Member

DMZ, Access List ?

Hey John,

I would like to know some more about the options we have for that setup. We can simply go for multiple VLANs and forward specific DHCP broadcasts to a dedicated DHCP server/scope.

Second, your static routes can be defined accordingly, i.e. your VLAN 1 carries wired computers, whereas VLAN 2 carries wireless computers.

Vlan 1 - wired - 10.x.x.x /8, 10.1.1.1 (gateway)

Vlan 2 - wireless - 11.x.x.x /8, 11.1.1.1 (gateway)

The gateway is the VLAN IP address and the same can be configured on a layer 3 device; the VLAN interface (SVI) will forward the DHCP request to a particular server IP address.

And as far as the firewall is concerned, you can have that, but that is not what your exact query is about.

Thanks and have a nice time !!

Parvesh

Note: Do not forget to rate the post helpful if so.

New Member

Re: DMZ, Access List ?

Parvesh Paliwal wrote:

Hey John,

I would like to know some more about the options we have for that setup. We can simply go for multiple VLANs and forward specific DHCP broadcasts to a dedicated DHCP server/scope.

Parvesh, my configuration is just like you have mentioned. But I do not want any sort of communication from the wired network to the wireless or vice versa.

Application of an access-list has not done any good either. The internal applications are also available over the Internet. The wireless clients, however, continue to hunt for possible routes via the core switch, that being trying to access the firewall.

Here are parts of my present configuration, which does not do the job as required:

vlan internal allocation policy ascending
!
vlan 14
 name Tower_3rd_floor
!
vlan 100
 name MANAGEMENT
!
vlan 200
 name WIFI_VLAN
!
interface GigabitEthernet4/1   #The port to which the DHCP server for the WLAN is connected
 switchport access vlan 200
 switchport mode access
!
interface Vlan1   #Primary VLAN
 ip address 128.1.x.200 255.x.x.0
 ip helper-address 172.18.x.21   #DHCP server for LAN clients
 ip helper-address 172.18.x.75   #DHCP server for LAN clients
!
interface Vlan14   #SVI for a floor in the building
 ip address 172.18.4.254 255.x.x.0   #acting as the default gateway for the edge VLAN
 ip helper-address 172.18.x.21
 ip helper-address 172.18.x.75
!
interface Vlan200   #WLAN VLAN
 description WIFI_VLAN
 ip address 10.0.0.254 255.255.255.0
 ip access-group wireless in   #access-list to separate WLAN and LAN
 ip helper-address 10.0.0.1   #DHCP server for wireless clients
!
ip route 0.0.0.0 0.0.0.0 128.1.x.15   #static route for the UTM (firewall)
ip http server
!
ip access-list extended wireless
 permit ip host 10.0.0.1 host 172.18.x.23   #access for my workstation to the WLAN DHCP server
 permit ip 10.0.0.0 0.255.255.255 host 172.18.x.23   #access for my workstation to the wireless network
 permit ip 10.0.0.0 0.255.255.255 host 128.1.x.15   #access for wireless clients to the firewall
 permit ip 10.0.0.0 0.255.255.255 host 128.1.x.200   #access to the core switch
 deny   ip 10.0.0.0 0.255.255.255 172.18.0.0 0.0.x.255
 deny   ip 10.0.0.0 0.255.255.255 128.1.0.0 0.0.x.255
 permit ip any any
 deny   icmp any 172.18.0.0 0.0.x.255

I also planned on assigning port 4/2 also to VLAN 200 and connecting it to a port on the UTM, but in this case I cannot specify a static route, say

ip route 0.0.0.0 0.0.0.0 10.0.0.15, for the wireless clients either. This will mean that I have a separate switch as the core for the WLAN, which doesn't seem logical. Moreover, with the edge switches, to which the access points are added, connecting to the C4507, I have no idea how a switch just for doing a static route for the WLAN would work out.

New Member

Re: DMZ, Access List ?

Help :(

Sent from Cisco Technical Support iPad App

New Member

Re: DMZ, Access List ?

So, what is the current situation?

Are your wireless and wired systems on different subnets?

Are all the clients able to get to the gateway?

What is the tracert from the different VLANs?

New Member

Re: DMZ, Access List ?

Parvesh Paliwal wrote:

So, what is the current situation?

The current configuration is as below:

vlan 100
 name MANAGEMENT
!
vlan 101
 name CORE_VLAN
!
vlan 113
 name WLAN_Corp
!
vlan 200
 name WLAN_Management
!
interface GigabitEthernet4/1   #Port where the WLAN DHCP server is connected
 switchport access vlan 200
!
interface GigabitEthernet4/5   #Port to be configured, if needed, to connect the WLAN to the UTM
 shutdown
!
interface Vlan1
 ip address 128.x.x.200 255.255.x.0
 ip helper-address 172.18.x.x5
!
interface Vlan101
 description CORE_VLAN
 ip address 172.18.x.254 255.255.x.0
 ip helper-address 172.18.x.x5
!
interface Vlan113
 description WLAN_Corp
 ip address 10.3.1.254 255.255.254.0
 ip helper-address 10.0.0.1
!
interface Vlan200
 description WLAN_Management
 ip address 10.0.0.254 255.255.255.0
 ip access-group wlan in
 ip helper-address 10.0.0.1
!
ip route 0.0.0.0 0.0.0.0 128.1.x.x5   #Static route to forward all Internet traffic to the UTM
ip http server
!
ip access-list extended wlan
 permit ip 10.0.0.0 0.255.255.255 host 172.19.x.x3
 deny   ip 10.0.0.0 0.255.255.255 172.18.0.0 0.0.x.255
 deny   ip 10.0.0.0 0.255.255.255 172.19.0.0 0.0.x.255
 deny   ip 10.0.0.0 0.255.255.255 128.1.0.0 0.0.x.255
 permit udp any eq bootpc any eq bootps
 permit ip any any
!
end

This is the IP and ping output from a workstation on the external network: [screenshot not available]

The following is from an internal workstation: [screenshot not available]

What in the access-list is wrong, such that the external client does not show a similar result to the internal workstation?
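The question above comes down to where each wireless flow matches in an IOS extended ACL: entries are evaluated top to bottom, the first match decides, and an implicit deny ends the list. The script below is an added example, not code from this thread or from Cisco. It parses entries in the syntax posted above, evaluates constructed sample flows (a wireless client pinging a Vlan14 host, reaching the Internet, and a DHCP DISCOVER) against the "wlan" list, and flags entries that can never match because an earlier entry already covers them, which is what happens to the "deny icmp" placed after "permit ip any any" in the earlier "wireless" list. Octets the poster redacted as "x" are replaced with constructed values (172.19.0.3, 128.1.0.0, /16 wildcards), so the output illustrates the mechanics, not the real site. Two things the evaluator cannot tell you: as posted, "ip access-group wlan in" is applied only on Vlan200, so clients on the WLAN_Corp SVI Vlan113 (10.3.1.0/23) pass through no access-list at all; and an ACL matches on the packet's destination address, not its next hop, so the "deny ... 128.1.0.0" entry blocks traffic addressed to hosts in that range but not Internet traffic merely routed through the UTM.

```python
"""First-match evaluator for Cisco IOS extended ACL entries (added example, not code from the thread).
Redacted "x" octets are filled with constructed values; 10.0.0.0/24 (Vlan200) and 172.18.4.0/24 (Vlan14) are from the posts."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}

def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

@dataclass(frozen=True)
class AddrSpec:
    net: int   # address with the wildcard's "don't care" bits cleared
    mask: int  # complement of the Cisco wildcard: 1 bits must match
    port: Optional[int] = None  # set only when the entry carries "eq <port>"

    def matches(self, addr: int, port: Optional[int]) -> bool:
        return (addr & self.mask) == self.net and self.port in (None, port)

    def covers(self, other: "AddrSpec") -> bool:
        # every address/port `other` can match is matched by this spec as well
        return ((self.mask & other.mask) == self.mask and (other.net & self.mask) == self.net
                and self.port in (None, other.port))

@dataclass(frozen=True)
class Entry:
    action: str  # "permit" or "deny"
    proto: str   # "ip" matches every protocol; otherwise "tcp", "udp" or "icmp"
    src: AddrSpec
    dst: AddrSpec
    text: str

def _parse_spec(tok: List[str], i: int) -> Tuple[AddrSpec, int]:
    if tok[i] == "any":
        base, mask, i = 0, 0, i + 1
    elif tok[i] == "host":
        base, mask, i = _ip(tok[i + 1]), 0xFFFFFFFF, i + 2
    else:  # "<address> <wildcard>": wildcard 0 bits must match, 1 bits are "don't care"
        base, mask, i = _ip(tok[i]), 0xFFFFFFFF ^ _ip(tok[i + 1]), i + 2
    port = None
    if i < len(tok) and tok[i] == "eq":
        port, i = (int(tok[i + 1]) if tok[i + 1].isdigit() else PORT_NAMES[tok[i + 1]]), i + 2
    return AddrSpec(base & mask, mask, port), i

def parse_acl(config: str) -> List[Entry]:
    """Entries of one 'ip access-list extended' block in configured order; inline # notes are dropped."""
    entries = []
    for line in (raw.split("#")[0].strip() for raw in config.splitlines()):
        if line and not line.startswith(("!", "ip access-list")):
            tok = line.split()
            src, i = _parse_spec(tok, 2)
            dst, _ = _parse_spec(tok, i)
            entries.append(Entry(tok[0], tok[1], src, dst, line))
    return entries

def evaluate(acl: List[Entry], proto: str, src: str, dst: str, sport=None, dport=None) -> Tuple[str, Optional[int]]:
    """First matching entry wins; ("deny", None) is the implicit deny that ends every IOS ACL."""
    s, d = _ip(src), _ip(dst)
    for idx, e in enumerate(acl):
        if e.proto in ("ip", proto) and e.src.matches(s, sport) and e.dst.matches(d, dport):
            return e.action, idx
    return "deny", None

def shadowed_entries(acl: List[Entry]) -> List[Tuple[int, int]]:
    """(later, earlier) index pairs where `earlier` already matches everything `later` could."""
    found = []
    for j, later in enumerate(acl):
        for i, e in enumerate(acl[:j]):
            if e.proto in ("ip", later.proto) and e.src.covers(later.src) and e.dst.covers(later.dst):
                found.append((j, i))
                break
    return found

# The "wlan" ACL from the post above; 172.19.0.3 and the /16 wildcards are constructed stand-ins.
WLAN_ACL = parse_acl("""
ip access-list extended wlan
 permit ip 10.0.0.0 0.255.255.255 host 172.19.0.3
 deny   ip 10.0.0.0 0.255.255.255 172.18.0.0 0.0.255.255
 deny   ip 10.0.0.0 0.255.255.255 172.19.0.0 0.0.255.255
 deny   ip 10.0.0.0 0.255.255.255 128.1.0.0 0.0.255.255
 permit udp any eq bootpc any eq bootps
 permit ip any any
""")

# Tail of the earlier "wireless" ACL, same treatment: an entry sits after "permit ip any any".
WIRELESS_TAIL = parse_acl("""
 deny   ip 10.0.0.0 0.255.255.255 172.18.0.0 0.0.255.255
 deny   ip 10.0.0.0 0.255.255.255 128.1.0.0 0.0.255.255
 permit ip any any
 deny   icmp any 172.18.0.0 0.0.255.255
""")

if __name__ == "__main__":
    # Constructed flows: a wireless client pinging a Vlan14 host, browsing the
    # Internet, and a DHCP DISCOVER (bootpc -> bootps) that must still pass.
    for flow in [("icmp", "10.0.0.50", "172.18.4.10"), ("tcp", "10.0.0.50", "203.0.113.10", 40001, 443),
                 ("udp", "0.0.0.0", "255.255.255.255", 68, 67)]:
        action, idx = evaluate(WLAN_ACL, *flow)
        print(flow, "->", action, "by", WLAN_ACL[idx].text if idx is not None else "implicit deny")
    print("shadowed (later, earlier):", shadowed_entries(WIRELESS_TAIL))
```

Running it shows the ping to the Vlan14 host stopped by the second "deny", the Internet flow and the DHCP DISCOVER permitted, and the trailing "deny icmp" of the older list reported as unreachable. Before changing an ACL on the core, run the flows you care about through a check like this, then confirm on the switch with "show access-lists", whose per-entry match counters reveal the same shadowing in production traffic.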

New Member

Re: DMZ, Access List ?


How should my access-list be modified so that from an external source I receive a timeout for the internal network?

Would ip route 10.0.0.0 0.0.0.255 10.0.0.15 route all traffic from the scope to 10.0.0.15?

Sent from Cisco Technical Support iPad App
