Hi, I'm learning about ACLs for the CCNA.
Vlan 10 on my home network is dedicated to wireless clients.
192.168.1.1/24 is the IP address of my Cisco router.
192.168.1.2/24 is the address of a DD-WRT wireless router connected to the Cisco and working in Access Point pass through mode.
Another Vlan has a subnet of 192.168.0.0/29 with an ADSL modem at 192.168.0.2, which is the default route out to the Internet.
The ACL config below is incomplete (because I need help) and shows the access I have permitted on vlan 10.
encapsulation dot1Q 10
ip address 192.168.1.1 255.255.255.0
ip access-group ACL-VLAN10-WIRELESS-IN in
ip nat inside
ip virtual-reassembly in
!
ip access-list extended ACL-VLAN10-WIRELESS-IN
remark * Allow all wireless clients to reach router (inbound ACL: source is the client, destination is the router) *
permit ip 192.168.1.0 0.0.0.255 host 192.168.1.1
remark * Allow all wireless clients to communicate with each other (whole /24; a wildcard mask must be contiguous low-order ones) *
permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
remark * Allow following IPs to manage AP *
permit ip host 192.168.1.2 10.10.10.8 0.0.0.4 log-input
How do I allow all wireless clients access to the Internet, whilst still blocking access to the AP at 192.168.1.2?
If I add the line:
permit ip any any
Will that defeat the implicit deny of ACLs and allow all wireless clients access to all IPs?
Thanks in advance.
I don't think it is possible using your configuration since the AP and wireless clients are on the same subnet. This means traffic is never routed to the router SVI for the ACL to take effect.
You either need to apply an ACL on the AP itself, or create two VLANs, one for management/control of the AP and a second for AP client traffic. Route both of these VLANs on the router and you will be able to create the necessary ACLs to filter traffic between the two.
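The two-VLAN layout the reply recommends, written out as an added configuration example (not the poster's config and not from the thread). It assumes router-on-a-stick subinterfaces on GigabitEthernet0/0, a new AP management VLAN 20 numbered 192.168.2.0/29 with the AP re-addressed to 192.168.2.2, management hosts in 10.10.10.8/29, and that the router hands out DHCP to the clients; the modem VLAN and NAT settings are unchanged and omitted.

```cisco
! Added example, not the poster's config. Interface names, VLAN 20 addressing,
! the AP address 192.168.2.2 and the 10.10.10.8/29 management range are assumptions.
!
interface GigabitEthernet0/0.10
 description Wireless clients (VLAN 10)
 encapsulation dot1Q 10
 ip address 192.168.1.1 255.255.255.0
 ip access-group ACL-VLAN10-WIRELESS-IN in
 ip nat inside
!
interface GigabitEthernet0/0.20
 description AP management (VLAN 20)
 encapsulation dot1Q 20
 ip address 192.168.2.1 255.255.255.248
 ip access-group ACL-VLAN20-APMGMT-IN in
!
ip access-list extended ACL-VLAN10-WIRELESS-IN
 remark * DHCP requests arrive from 0.0.0.0, so permit them explicitly (assumes router is DHCP server) *
 permit udp any eq bootpc any eq bootps
 remark * Clients may reach the router itself (their default gateway) *
 permit ip 192.168.1.0 0.0.0.255 host 192.168.1.1
 remark * Client -> AP traffic is now routed across VLANs, so this deny is actually enforced *
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.7 log
 remark * Everything else, i.e. the Internet via the modem VLAN, is allowed *
 permit ip 192.168.1.0 0.0.0.255 any
!
ip access-list extended ACL-VLAN20-APMGMT-IN
 remark * The AP may talk only to the management hosts *
 permit ip host 192.168.2.2 10.10.10.8 0.0.0.7 log-input
 remark * The implicit deny drops anything else the AP sends, including traffic toward VLAN 10 *
```

The deny in ACL-VLAN10-WIRELESS-IN is placed before the final permit because the list is evaluated top-down on first match; appending permit ip any any below the existing permits, as asked in the question, would also match the AP and cancel the implicit deny.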