09-27-2007 07:09 AM - edited 03-05-2019 06:44 PM
Got a good one for you: a customer has autonomous APs here in a Wireless VLAN, 491 to be exact. Now the controller is all set up and the LWAPP APs land and all is happy.
Customer has an access-list on the Wireless VLAN. Now, with the access-list removed, my LWAPP association is fine and DHCP works fine and all is good. However, with the access-list on, the LWAPP AP is fine (we added the LWAPP protocol); I can associate, but cannot get a DHCP address.
Now, before you say it is the access-list (which it is), I can associate to the autonomous APs and get a DHCP address no problem, same access list. All ports Cisco recommended to be open are on the access-list.
Any ideas?
Here is the access-list:
ip access-list extended GUEST-WIRELESS
10 permit udp any any eq 12222
20 permit udp any any eq 12223
30 permit udp any any range 16666 16667
40 permit udp any host 255.255.255.255 eq bootpc
50 permit udp any host 255.255.255.255 eq bootps
60 deny ip any 10.0.0.0 0.255.255.255
70 deny ip any 192.168.0.0 0.0.255.255
80 deny ip any 172.16.0.0 0.15.255.255
90 permit tcp 10.24.48.128 0.0.0.127 any eq www
100 permit tcp 10.24.48.128 0.0.0.127 any eq 443
110 permit tcp 10.24.48.128 0.0.0.127 any eq 22
120 permit tcp 10.24.48.128 0.0.0.127 any eq telnet
130 permit tcp 10.24.48.128 0.0.0.127 any eq pop3
140 permit tcp 10.24.48.128 0.0.0.127 any eq ftp
150 permit tcp 10.24.48.128 0.0.0.127 any eq ftp-data
160 permit udp 10.24.48.128 0.0.0.127 host 209.202.110.121 eq domain
170 permit udp 10.24.48.128 0.0.0.127 host 209.202.110.120 eq domain
180 permit tcp 10.24.48.128 0.0.0.127 155.201.0.0 0.0.255.255 eq 11160
190 permit udp any host 224.0.0.2 eq 1985
09-27-2007 07:34 AM
The only denies you have in the list are:
60 deny ip any 10.0.0.0 0.255.255.255
70 deny ip any 192.168.0.0 0.0.255.255
80 deny ip any 172.16.0.0 0.15.255.255
Add log to those to see what is being dropped. The log should tell you what port etc. is being blocked.
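The ordered, first-match evaluation of the posted list, as an added example that is not part of the thread: a small Python walk of the GUEST-WIRELESS entries against a few constructed packets. It reports which sequence number each packet hits, and which packets fall through to the implicit deny at the end, which is what a trailing explicit deny with the log keyword would show. The sample packet addresses (including the 10.1.1.x server and controller addresses) and the port keyword table are assumptions; the direction in which the list is applied (in/out) is not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOS port keywords used in the posted list (assumption: standard IOS mappings).
PORT_NAMES = {
    "www": 80, "bootpc": 68, "bootps": 67, "telnet": 23,
    "pop3": 110, "ftp": 21, "ftp-data": 20, "domain": 53,
}

# The access-list exactly as posted in the thread.
ACL_TEXT = """
ip access-list extended GUEST-WIRELESS
10 permit udp any any eq 12222
20 permit udp any any eq 12223
30 permit udp any any range 16666 16667
40 permit udp any host 255.255.255.255 eq bootpc
50 permit udp any host 255.255.255.255 eq bootps
60 deny ip any 10.0.0.0 0.255.255.255
70 deny ip any 192.168.0.0 0.0.255.255
80 deny ip any 172.16.0.0 0.15.255.255
90 permit tcp 10.24.48.128 0.0.0.127 any eq www
100 permit tcp 10.24.48.128 0.0.0.127 any eq 443
110 permit tcp 10.24.48.128 0.0.0.127 any eq 22
120 permit tcp 10.24.48.128 0.0.0.127 any eq telnet
130 permit tcp 10.24.48.128 0.0.0.127 any eq pop3
140 permit tcp 10.24.48.128 0.0.0.127 any eq ftp
150 permit tcp 10.24.48.128 0.0.0.127 any eq ftp-data
160 permit udp 10.24.48.128 0.0.0.127 host 209.202.110.121 eq domain
170 permit udp 10.24.48.128 0.0.0.127 host 209.202.110.120 eq domain
180 permit tcp 10.24.48.128 0.0.0.127 155.201.0.0 0.0.255.255 eq 11160
190 permit udp any host 224.0.0.2 eq 1985
"""


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "udp" or "tcp"
    src: int
    src_wc: int                      # Cisco wildcard: set bits are "don't care"
    dst: int
    dst_wc: int
    dports: Optional[Tuple[int, int]]  # inclusive destination port range; None = any


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def ip2int(a: str) -> int:
    return int(ipaddress.IPv4Address(a))


def port(tok: str) -> int:
    return PORT_NAMES.get(tok) or int(tok)


def parse_addr(t: List[str], i: int) -> Tuple[int, int, int]:
    """Consume one IOS address spec at t[i]; return (address, wildcard, next index)."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return ip2int(t[i + 1]), 0, i + 2
    return ip2int(t[i]), ip2int(t[i + 1]), i + 2


def parse_entry(line: str) -> Entry:
    t = line.split()
    seq, action, proto = int(t[0]), t[1], t[2]
    src, src_wc, i = parse_addr(t, 3)
    dst, dst_wc, i = parse_addr(t, i)
    dports = None
    if i < len(t) and t[i] == "eq":
        p = port(t[i + 1])
        dports = (p, p)
    elif i < len(t) and t[i] == "range":
        dports = (port(t[i + 1]), port(t[i + 2]))
    return Entry(seq, action, proto, src, src_wc, dst, dst_wc, dports)


def parse_acl(text: str) -> List[Entry]:
    # Only numbered entries are ACEs; the "ip access-list" header is skipped.
    return [parse_entry(l) for l in text.strip().splitlines()
            if l.strip() and l.strip()[0].isdigit()]


def addr_match(addr: int, wc: int, pkt_addr: int) -> bool:
    # Bits set in the wildcard are ignored; the rest must be equal.
    return (addr & ~wc) & 0xFFFFFFFF == (pkt_addr & ~wc) & 0xFFFFFFFF


def matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not addr_match(e.src, e.src_wc, ip2int(p.src)):
        return False
    if not addr_match(e.dst, e.dst_wc, ip2int(p.dst)):
        return False
    if e.dports is not None:
        if p.dport is None or not (e.dports[0] <= p.dport <= e.dports[1]):
            return False
    return True


def evaluate(acl: List[Entry], p: Packet) -> Tuple[Optional[int], str]:
    """First matching entry wins; no match falls to the implicit deny (seq None)."""
    for e in acl:
        if matches(e, p):
            return e.seq, e.action
    return None, "deny"


ACL = parse_acl(ACL_TEXT)

# Constructed sample packets (all addresses other than the ACL's own are assumptions).
SAMPLE_PACKETS = {
    "DHCP discover, broadcast to bootps":      Packet("udp", "0.0.0.0", "255.255.255.255", 67),
    "DHCP unicast renew to a 10.x server":     Packet("udp", "10.24.48.130", "10.1.1.1", 67),
    "HTTP from the guest /25":                 Packet("tcp", "10.24.48.130", "198.51.100.10", 80),
    "HTTPS from outside the guest /25":        Packet("tcp", "10.24.48.1", "198.51.100.10", 443),
    "LWAPP control to a 10.x controller":      Packet("udp", "10.24.48.200", "10.1.1.5", 12223),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        seq, action = evaluate(ACL, pkt)
        where = f"seq {seq}" if seq is not None else "implicit deny (no entry hit)"
        print(f"{name:40s} -> {action:6s} by {where}")
```

The packets that return seq None are the ones an explicit trailing "deny ip any any log" would surface, while anything stopped by entries 60 to 80 is only visible once those entries carry log as well; note also that the LWAPP packet is permitted at seq 20 before the 10.0.0.0/8 deny is ever consulted, because the list is evaluated strictly in order.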
09-27-2007 07:25 AM
When trying to figure out why an access list is not working, I usually add the deny at the end, and add the log keyword, so I can see if it is something I have forgotten to permit. I would also add log to the end of any I suspect of getting in the way.
Paul.
09-27-2007 07:27 AM
Thanks, I know that trick from years ago; however, in this case, I get no hits, so it must be being denied further up the list.