Help Configuring VLan for Internet Only Traffic

jhiggins2001
Level 1

I have a Cisco Catalyst 3750 Switch with a 2500 series Wireless Controller. I have multiple VLANs and 3 wireless networks. I have created a new VLAN and wireless network; both work just like the other VLANs and wireless networks. The problem is that when I try to apply ACLs to limit traffic to Internet only, neither will work.

Subnets I don't want access to:

172.16.2.0/23

172.16.4.0/23

172.16.6.0/24

10.10.10.0/24

Subnet to go to Internet:

172.18.20.0/22

My goals are these:

1. Limit the new subnet to Internet only access

2. Be able to receive DHCP addresses on new subnet

3. DNS is optional as I have external DNS servers in the DHCP options

4. Be able to use wired or wireless on new subnet.

Any help is greatly appreciated.


5 Replies

rfalconer.sffcu
Level 3

Write an ACL with a source of 172.18.20.0/22 that does the following in this order:

Permits DHCP to specific DHCP server(s)

Deny IP to the subnets that you want to protect

Permit internet traffic (www,https,dns at a minimum) to anywhere

Apply ACL to the SVI for 172.18.20.0/22

Robert, Thanks for the reply.

OK, I tried doing as you said, but I still can't get an IP when I have the ACL applied. What should my Permit DHCP statement look like? I have:

access-list 120 permit udp host 10.10.10.5 any eq bootpc

access-list 120 permit udp host 10.10.10.5 any eq bootps

Where 10.10.10.5 is my DHCP

Then I have deny statements on the rest of my subnets followed by Permit:

access-list 120 permit ip any any

?

Thanks,

John

Hi.

ip access-list extended TO-The-Net

deny ip 172.18.20.0 0.0.3.255  172.16.2.0 0.0.1.255

deny ip 172.18.20.0 0.0.3.255  172.16.4.0 0.0.1.255

deny ip 172.18.20.0 0.0.3.255  172.16.6.0 0.0.0.255

deny ip 172.18.20.0 0.0.3.255  172.16.10.0 0.0.0.255

permit ip 172.18.20.0 0.0.3.255 any

This ACL, applied inbound on the SVI, should meet your needs.

HTH

Regards

Carlo

Please rate all helpful posts

"The more you help the more you learn"


You have the source and destination flipped for DHCP:

access-list 120 permit udp any host 10.10.10.5 eq bootpc

access-list 120 permit udp any host 10.10.10.5 eq bootps

Also, as the last line of the ACL, you can add the line:

deny ip any any log

This will create a log of traffic that doesn't hit one of the rules. It can be helpful in diagnosing issues with ACLs. You don't need to leave it there permanently. I typically will add it only if/when there are issues with traffic hitting an element in the ACL. You'll need to remove the permit any any to make this work.
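Added example, not code from Cisco or from any poster in this thread: a small Python evaluator for IOS-style numbered extended ACLs, run against constructed packets, to tie together rfalconer's ordering (DHCP first, denies, then the Internet permit), Carlo's subnet denies, and the accepted answer's two points (the DHCP lines as first posted have the server as source, so inbound on the SVI they only describe replies and never match a client's request; and the trailing `deny ip any any log` has to replace `permit ip any any`). Assumptions, labelled in the code as well: the deny lines John did not show are modelled as `deny ip any <subnet>`; the corrected DHCP line is tightened to client source port 68 (`permit udp any eq bootpc host 10.10.10.5 eq bootps`), a narrower variant of the accepted answer's lines; the DHCP request is modelled with the helper address 10.10.10.5 as its destination, which is what the thread's fix working implies; the client 172.18.20.50, the Internet host 203.0.113.10 and the other packets are constructed.

```python
# IOS-style extended ACL evaluator: constructed example for this thread, not
# code from Cisco or from any poster.  First match wins, then the implicit deny.
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")
PORT_NAMES = {"bootps": 67, "bootpc": 68}

def _parse_addr(t, i):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard' at t[i]."""
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2

def _parse_port(t, i):
    """Consume an optional 'eq <port>'; None means any port."""
    if i < len(t) and t[i] == "eq":
        n = t[i + 1]
        return (PORT_NAMES[n] if n in PORT_NAMES else int(n)), i + 2
    return None, i

def parse_acl(text):
    """Parse 'access-list N permit|deny proto src [eq p] dst [eq p] [log]' lines."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t:
            continue
        src, i = _parse_addr(t, 4)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        rules.append((t[2], t[3], src, sport, dst, dport, line.strip()))
    return rules

def _match(addr, spec):
    """Cisco wildcard match: a 1 bit in the wildcard means 'don't care'."""
    base, wild = (int(ipaddress.IPv4Address(x)) for x in spec)
    mask = ~wild & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & mask == base & mask

def evaluate(rules, pkt):
    """Return (action, matching line); no match means the implicit deny."""
    for action, proto, src, sport, dst, dport, line in rules:
        if proto in ("ip", pkt.proto) and _match(pkt.src, src) \
                and _match(pkt.dst, dst) and sport in (None, pkt.sport) \
                and dport in (None, pkt.dport):
            return action, line
    return "deny", "implicit deny ip any any"

# The ACL as first posted, with the DHCP server as *source*.  The deny lines
# were not shown in the thread, so they are assumed here as 'deny ip any <subnet>'.
FLIPPED_ACL = """
access-list 120 permit udp host 10.10.10.5 any eq bootpc
access-list 120 permit udp host 10.10.10.5 any eq bootps
access-list 120 deny ip any 172.16.2.0 0.0.1.255
access-list 120 deny ip any 172.16.4.0 0.0.1.255
access-list 120 deny ip any 172.16.6.0 0.0.0.255
access-list 120 deny ip any 10.10.10.0 0.0.0.255
access-list 120 permit ip any any
"""

# Corrected ACL for 'ip access-group 120 in' on the VLAN's SVI: client DHCP
# (source port 68) to the server, denies to the protected subnets, Internet
# only for the VLAN's own addresses, and a logged catch-all last.
CORRECTED_ACL = """
access-list 120 permit udp any eq bootpc host 10.10.10.5 eq bootps
access-list 120 deny ip 172.18.20.0 0.0.3.255 172.16.2.0 0.0.1.255
access-list 120 deny ip 172.18.20.0 0.0.3.255 172.16.4.0 0.0.1.255
access-list 120 deny ip 172.18.20.0 0.0.3.255 172.16.6.0 0.0.0.255
access-list 120 deny ip 172.18.20.0 0.0.3.255 10.10.10.0 0.0.0.255
access-list 120 permit ip 172.18.20.0 0.0.3.255 any
access-list 120 deny ip any any log
"""

# Constructed packets.  The DHCP request is modelled with the helper address as
# destination (what the thread's fix implies); on the wire the first
# DHCPDISCOVER is 0.0.0.0:68 -> 255.255.255.255:67.
PACKETS = {
    "dhcp_request":  Packet("udp", "0.0.0.0", 68, "10.10.10.5", 67),
    "dhcp_renew":    Packet("udp", "172.18.20.50", 68, "10.10.10.5", 67),
    "https_out":     Packet("tcp", "172.18.20.50", 51515, "203.0.113.10", 443),
    "smb_to_server": Packet("tcp", "172.18.20.50", 51516, "10.10.10.20", 445),
    "web_to_lan":    Packet("tcp", "172.18.20.50", 51517, "172.16.3.7", 80),
    "spoofed_src":   Packet("tcp", "192.168.1.1", 51518, "203.0.113.10", 443),
}

def compare(packets=PACKETS):
    """Map packet name -> (action under FLIPPED_ACL, action under CORRECTED_ACL)."""
    flipped, fixed = parse_acl(FLIPPED_ACL), parse_acl(CORRECTED_ACL)
    return {n: (evaluate(flipped, p)[0], evaluate(fixed, p)[0])
            for n, p in packets.items()}

if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:14} posted={before:7} corrected={after}")
```

Running the file prints one verdict per packet: both DHCP packets are denied by the posted ACL (they never reach the server-as-source lines and fall into the deny for 10.10.10.0/24) and permitted by the corrected one; SMB and web to the protected subnets are denied under both; and a packet with a source outside 172.18.20.0/22 is permitted by `permit ip any any` but caught by the logged deny. On the switch, confirm the same with the hit counters in `show ip access-lists 120`. Two caveats: the first DHCPDISCOVER on the wire is a broadcast from 0.0.0.0 to 255.255.255.255, so if that counter stays at zero on your platform, widen the line to `permit udp any any eq bootps`; and `log` on a deny line sends matches to the switch CPU, so, as the accepted answer says, remove it once the ACL is proven.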

That did the trick. Thanks.

Thanks to Carlo as well.
