Cisco Support Community
Community Member

ACL for Wireless Voice Vlan...

I am turning up a new wireless VLAN using EAP-FAST for 7921s and 7925s. I am going to apply an ACL to the VLAN to prevent access to the servers or the network just in case someone makes it past the encryption.

Here is what I have but it doesn't seem to work. What am I leaving out?

ip access-list extended VLAN_100_OUTBOUND_ACL
 permit icmp any any
 remark DNS
 permit udp 10.10.10.0 0.0.3.255 host 10.20.20.53 eq domain
 remark DHCP
 permit udp 10.10.10.0 0.0.3.255 host 10.20.20.52 eq bootps
 permit tcp 10.10.10.0 0.0.3.255 host 10.20.20.52 eq 67
 permit udp 10.10.10.0 0.0.3.255 host 10.20.20.52 eq bootpc
 permit tcp 10.10.10.0 0.0.3.255 host 10.20.20.52 eq 68
 remark RADIUS
 permit tcp 10.10.10.0 0.0.3.255 host 10.30.20.50 eq 1812
 permit tcp 10.10.10.0 0.0.3.255 host 10.30.20.50 eq 1812
 remark CALL MANAGER
 permit udp 10.10.10.0 0.0.3.255 host 10.100.100.100 eq tftp
 permit tcp 10.10.10.0 0.0.3.255 host 10.100.100.100 eq 2000
 permit tcp 10.10.10.0 0.0.3.255 host 10.100.100.100 eq www
 permit tcp 10.10.10.0 0.0.3.255 host 10.100.100.100 eq 2443
 remark PHONES
 permit udp 10.10.10.0 0.0.3.255 any range 16384 32767
 deny ip any any
!

I also have another ACL for inbound that is just the opposite. I'm not sure what I need to add...

Thanks in advance.

Dave

2 REPLIES
Community Member

Re: ACL for Wireless Voice Vlan...

We used to use this one back when the phones only supported WEP.

ip access-list extended wireless_VoIP_ACL
 permit udp any any eq 1985
 permit ip any 172.27.246.0 0.0.1.255
 permit udp any 172.16.2.0 0.15.253.255 range 16384 32767
 permit udp any gt 1024 172.30.52.0 0.0.1.255 gt 1024
 permit tcp any 172.30.52.0 0.0.1.255 eq 2000
 permit udp any 172.30.52.0 0.0.1.255 eq tftp
 permit udp any host 172.30.54.10 eq domain
 permit udp any host 172.30.54.140 eq domain
 permit udp any any eq 67
 permit udp any any eq 68
 deny ip any any

Hope this helps.
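As an added check (not from the thread or any Cisco tool), a small Python evaluator for the ACE syntax used in both ACLs above (any/host/wildcard, eq/gt/range, the IOS port keywords), walked top-down with the implicit deny like IOS. It is run against a constructed DHCP case: a phone with no lease yet sends its DISCOVER from 0.0.0.0 to 255.255.255.255, so a source-restricted ACE like the question's never matches it while the reply's `permit udp any any eq 67` does; POSTED_ACL and REPLY_ACL are constructed copies of those two lines, and the check assumes the ACL is applied where the phones' DHCP broadcasts are evaluated.

```python
import ipaddress
# Port keywords used in the posted ACLs, as IOS resolves them.
PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68, "tftp": 69, "www": 80}
def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _take_addr(toks):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (matcher, remaining tokens)."""
    if toks[0] == "any":
        base, wild, rest = 0, 0xFFFFFFFF, toks[1:]
    elif toks[0] == "host":
        base, wild, rest = _ip(toks[1]), 0, toks[2:]
    else:
        base, wild, rest = _ip(toks[0]), _ip(toks[1]), toks[2:]
    # Wildcard 1-bits are "don't care", so non-contiguous masks like the reply's 0.15.253.255 work.
    return (lambda ip: (ip ^ base) & ~wild & 0xFFFFFFFF == 0), rest

def _take_ports(toks):
    """Consume an optional 'eq N' | 'gt N' | 'range A B'; return ((lo, hi), rest)."""
    op = toks[0] if toks else None
    if op not in ("eq", "gt", "range"):
        return (0, 65535), toks
    lo = PORT_NAMES.get(toks[1]) or int(toks[1])
    if op == "range":
        return (lo, PORT_NAMES.get(toks[2]) or int(toks[2])), toks[3:]
    return ((lo, lo) if op == "eq" else (lo + 1, 65535)), toks[2:]

def parse_ace(line):
    """Parse 'permit|deny PROTO SRC [ports] DST [ports]'; None for headers and remarks."""
    toks = line.split()
    if not toks or toks[0] not in ("permit", "deny"):
        return None
    src, rest = _take_addr(toks[2:])
    sports, rest = _take_ports(rest)
    dst, rest = _take_addr(rest)
    return toks[0], toks[1], src, sports, dst, _take_ports(rest)[0]

def evaluate(acl_text, proto, src, sport, dst, dport):
    """First matching ACE wins top-down, then the implicit deny, as IOS evaluates it."""
    for action, p, s, sp, d, dp in filter(None, map(parse_ace, acl_text.splitlines())):
        if (p in ("ip", proto) and s(_ip(src)) and d(_ip(dst))
                and sp[0] <= sport <= sp[1] and dp[0] <= dport <= dp[1]):
            return action
    return "deny"

# Constructed: the question's source-restricted DHCP ACE next to the reply's 'any any' form.
POSTED_ACL = "permit udp 10.10.10.0 0.0.3.255 host 10.20.20.52 eq bootps\ndeny ip any any"
REPLY_ACL = "permit udp any any eq 67\ndeny ip any any"
def dhcp_discover(acl):
    """A phone with no lease yet sends DISCOVER from 0.0.0.0:68 to 255.255.255.255:67."""
    return evaluate(acl, "udp", "0.0.0.0", 68, "255.255.255.255", 67)
```

A phone that already holds a lease renews by unicast from its own address, which the question's ACE does permit; only the initial broadcast falls through to the deny.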

Re: ACL for Wireless Voice Vlan...

David, Can you fire me an email? I need to ask you a question...
