Cisco Support Community
Community Member

VLAN Filter - configuration assistance

I am trying to create the simplest of VLAN filters out there, yet it doesn't work.  My goal is to filter the traffic on VLAN 3060 to allow only DHCP (so clients can get an IP address from our server), DNS, HTTP and HTTPS.  Nothing else.

My configuration below allows my client device to get an IP address, but that's where it ends.  I cannot do an nslookup from the DNS server, etc.

Can someone see the error I have overlooked?

vlan filter Guest_WLAN_Protocol_Restriction vlan-list 3060

vlan access-map Guest_WLAN_Protocol_Restriction 10
match ip address Guest_WLAN_Protocol_Restriction
action forward

ip access-list extended Guest_WLAN_Protocol_restriction
permit udp any any eq bootps
permit udp any any eq bootpc
permit udp any any eq domain
permit tcp any any eq domain
permit udp any any eq 80
permit tcp any any eq www
permit tcp any any eq 443
deny ip any any

Thanks,

Tim

2 REPLIES
Community Member

Re: VLAN Filter - configuration assistance

Hi Tim,

I believe you are missing the DNS reply in your access-list; something similar to the following should work:

permit udp any eq domain any gt 1023

Regards,

Tim

Community Member

Re: VLAN Filter - configuration assistance

Tim,

I figured it out, and you were right on the money. I was missing the return path:

Here's my working solution:

vlan access-map Guest_WLAN_Protocol_Restriction 10
match ip address Guest_WLAN_Protocol_Restriction
action forward
!
vlan filter Guest_WLAN_Protocol_Restriction vlan-list 2099

ip access-list extended Guest_WLAN_Protocol_Restriction
permit udp any any eq bootps
permit udp any any eq bootpc
permit udp 10.128.254.0 0.0.0.255 any eq domain
permit tcp 10.128.254.0 0.0.0.255 any eq domain
permit icmp 10.128.254.0 0.0.0.255 any echo
permit icmp 10.128.254.0 0.0.0.255 any echo-reply
permit icmp 10.128.254.0 0.0.0.255 any port-unreachable
permit udp 10.128.254.0 0.0.0.255 any eq 80
permit tcp 10.128.254.0 0.0.0.255 any eq www
permit tcp 10.128.254.0 0.0.0.255 any eq 443
deny ip 10.128.254.0 0.0.0.255 any
permit ip any 10.128.254.0 0.0.0.255

Thanks,

Tim
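An added illustration of why the first ACL broke DNS and the later ones do not (example code written for this thread, not Cisco code and not posted by either participant). A VACL keeps no connection state: every packet crossing the VLAN is judged on its own, first matching entry wins, and anything unmatched hits the implicit deny. The script below parses the subset of IOS extended-ACL syntax used in the thread and walks a few constructed packets through the original ACL, the original plus the `permit udp any eq domain any gt 1023` line suggested in the first reply, and the final working ACL. The guest client (10.128.254.20), DNS server (10.0.0.53) and web server (203.0.113.10) addresses are assumed for the example; only the 10.128.254.0/24 subnet comes from the thread.

```python
"""Stateless walk of the extended ACLs from this thread (added example).

Parses 'permit|deny proto src [op port] dst [op port] [icmp-type]' lines.
ICMP entries are matched on type only (code is ignored), which is a
simplification of IOS behaviour for keywords like port-unreachable.
"""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "port-unreachable": 3}


@dataclass(frozen=True)
class Packet:
    proto: str            # "udp", "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0        # tcp/udp source port
    dport: int = 0        # tcp/udp destination port
    icmp_type: int = -1   # icmp only


def _parse_addr(tok, i):
    """Return (matcher, next_index) for 'any', 'host A.B.C.D' or 'net wildcard'."""
    if tok[i] == "any":
        return (lambda a: True), i + 1
    if tok[i] == "host":
        host = ipaddress.ip_address(tok[i + 1])
        return (lambda a, h=host: a == h), i + 2
    net = int(ipaddress.ip_address(tok[i]))
    wild = int(ipaddress.ip_address(tok[i + 1]))
    care = 0xFFFFFFFF ^ wild          # wildcard bits set to 1 are "don't care"
    return (lambda a, n=net, c=care: (int(a) & c) == (n & c)), i + 2


def _parse_port(tok, i):
    """Return (matcher, next_index) for an optional eq/gt/lt/neq operator."""
    if i < len(tok) and tok[i] in ("eq", "gt", "lt", "neq"):
        op, raw = tok[i], tok[i + 1]
        p = int(raw) if raw.isdigit() else PORT_NAMES[raw]
        ops = {"eq": lambda x: x == p, "gt": lambda x: x > p,
               "lt": lambda x: x < p, "neq": lambda x: x != p}
        return ops[op], i + 2
    return (lambda x: True), i


def parse_acl(text):
    """Turn ACL text into a list of entries; non permit/deny lines are skipped."""
    entries = []
    for raw in text.strip().splitlines():
        tok = raw.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue
        action, proto = tok[0], tok[1]
        src, i = _parse_addr(tok, 2)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        itype = ICMP_TYPES[tok[i]] if proto == "icmp" and i < len(tok) else None
        entries.append((action, proto, src, sport, dst, dport, itype, raw.strip()))
    return entries


def evaluate(entries, pkt):
    """First-match evaluation with the implicit deny; returns (action, line)."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, proto, src, sport, dst, dport, itype, line in entries:
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (src(s) and dst(d)):
            continue
        if proto in ("tcp", "udp") and not (sport(pkt.sport) and dport(pkt.dport)):
            continue
        if proto == "icmp" and itype is not None and itype != pkt.icmp_type:
            continue
        return action, line
    return "deny", "implicit deny"


# The poster's first ACL: only packets *towards* a service port match a permit.
ORIGINAL = """
permit udp any any eq bootps
permit udp any any eq bootpc
permit udp any any eq domain
permit tcp any any eq domain
permit udp any any eq 80
permit tcp any any eq www
permit tcp any any eq 443
deny ip any any
"""
# First reply's suggestion: add an explicit entry for the DNS reply direction.
SUGGESTED = ORIGINAL.replace("deny ip any any",
                             "permit udp any eq domain any gt 1023\ndeny ip any any")
# Final working ACL: outbound restricted per source subnet, last line admits return traffic.
FINAL = """
permit udp any any eq bootps
permit udp any any eq bootpc
permit udp 10.128.254.0 0.0.0.255 any eq domain
permit tcp 10.128.254.0 0.0.0.255 any eq domain
permit icmp 10.128.254.0 0.0.0.255 any echo
permit icmp 10.128.254.0 0.0.0.255 any echo-reply
permit icmp 10.128.254.0 0.0.0.255 any port-unreachable
permit udp 10.128.254.0 0.0.0.255 any eq 80
permit tcp 10.128.254.0 0.0.0.255 any eq www
permit tcp 10.128.254.0 0.0.0.255 any eq 443
deny ip 10.128.254.0 0.0.0.255 any
permit ip any 10.128.254.0 0.0.0.255
"""

# Constructed sample flows; hosts other than the guest subnet are assumed.
GUEST, DNS, WEB = "10.128.254.20", "10.0.0.53", "203.0.113.10"
FLOWS = {
    "dhcp discover": Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67),
    "dns query":     Packet("udp", GUEST, DNS, 51234, 53),
    "dns reply":     Packet("udp", DNS, GUEST, 53, 51234),
    "https syn":     Packet("tcp", GUEST, WEB, 40000, 443),
    "https syn-ack": Packet("tcp", WEB, GUEST, 443, 40000),
    "ssh attempt":   Packet("tcp", GUEST, "10.0.0.10", 40001, 22),
    "ping":          Packet("icmp", GUEST, WEB, icmp_type=8),
}


def decisions(acl_text):
    """Map each sample flow name to the ACL's verdict for it."""
    entries = parse_acl(acl_text)
    return {name: evaluate(entries, pkt)[0] for name, pkt in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL), ("suggested", SUGGESTED), ("final", FINAL)):
        print(label, decisions(acl))
```

Running it shows the DNS query leaving the guest subnet permitted by all three ACLs, while the reply (source port 53, destination port ephemeral) only matches the explicit reply entry in the suggested ACL or the trailing `permit ip any 10.128.254.0 0.0.0.255` in the final one. The same pattern applies to the HTTPS SYN-ACK. Note that the final ACL's last line admits any traffic destined to the guest subnet, not just replies, so the restriction it enforces is on what the guests initiate, not on what reaches them.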

3020 Views, 0 Helpful, 2 Replies