Cisco Support Community

ACL problem

Hi, I'm learning about ACLs for the CCNA.

Vlan 10 on my home network is dedicated to wireless clients. is the IP address of my Cisco router and is the address of a DD-WRT wireless router connected to the Cisco and working in Access Point pass-through mode.

Another Vlan has a subnet of with an ADSL modem at which is the default route out to the Internet.

The ACL config below is incomplete (because I need help) and shows the access I have permitted on vlan 10.

interface FastEthernet0.10
 description TO-VLAN10-WIRELESS
 encapsulation dot1Q 10
 ip address
 ip access-group ACL-VLAN10-WIRELESS-IN in
 ip nat inside
 ip virtual-reassembly in

ip access-list extended ACL-VLAN10-WIRELESS-IN
 remark * Allow all wireless clients to reach router *
 permit ip host
 remark *
 remark * Allow all wireless clients to communicate with each other *
 permit ip
 remark *
 remark * Allow following IPs to manage AP *
 permit ip host log-input


How do I allow all wireless clients access to the Internet, whilst still blocking access to the AP at ?

If I add the line:

permit ip any any

Will that defeat the implicit deny of ACLs and allow all wireless clients access to all IPs?

Thanks in advance.

Last update: 07-28-2013 10:11 AM

Hi there,

I don't think it is possible using your configuration since the AP and wireless clients are on the same subnet. This means traffic is never routed to the router SVI for the ACL to take effect.

You either need to apply an ACL on the AP itself, or create two VLANs, one for management/control of the AP and a second for AP client traffic. Route both of these VLANs on the router and you will be able to create the necessary ACLs to filter traffic between the two.
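The two-VLAN design the reply describes, written out as an added example; this is not the poster's configuration nor anything from the reply's author, and every address is constructed (clients on 10.10.10.0/24 in VLAN 10, the AP's management address 10.10.20.2 in a new VLAN 20, the ADSL modem reached via the existing default route). It assumes the AP's management interface is moved onto VLAN 20 while its SSID stays bridged to VLAN 10 over a trunk to the router. Because IOS ACLs are evaluated top-down on first match, the deny for the AP VLAN has to sit before the catch-all permit; a trailing `permit ip any any` on its own would indeed let clients reach the AP.

```cisco
! Client VLAN: wireless clients get the router as their gateway here
interface FastEthernet0.10
 description TO-VLAN10-WIRELESS-CLIENTS
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
 ip access-group ACL-VLAN10-WIRELESS-IN in
 ip nat inside
 ip virtual-reassembly in
!
! Management VLAN: only the AP's management address (constructed: 10.10.20.2) lives here
interface FastEthernet0.20
 description TO-VLAN20-AP-MANAGEMENT
 encapsulation dot1Q 20
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip access-list extended ACL-VLAN10-WIRELESS-IN
 remark * Clients may reach the router's own VLAN 10 address (gateway, DHCP, DNS) *
 permit ip 10.10.10.0 0.0.0.255 host 10.10.10.1
 remark * Block the AP management VLAN; this line must precede the catch-all *
 deny   ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 log-input
 remark * Everything else, i.e. the Internet via the default route, is permitted *
 permit ip 10.10.10.0 0.0.0.255 any
 remark * Implicit deny ip any any follows *
```

Client-to-client traffic inside VLAN 10 and client-to-AP traffic on the same VLAN never cross the router, which is why the reply says the filter only works once the AP's management address is on a routed VLAN of its own. Hosts on any other VLAN that should manage the AP are unaffected by this ACL, since it is applied only inbound on the client subinterface.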