We have a new WLC set up at a remote office controlling 4 access points and we need to restrict access to our Guest SSID to only internet access. This is the way the network is currently configured:
Two layer 3 vlans, one for Corporate access to the inside network and internet and one for Guest access to internet only. Both of these have helper addresses on them pointing to our DHCP server, which has scopes for both the Guest and Corporate vlans. The controller is on a trunk port with an address on our management subnet and the APs are on access ports on the same management subnet. The subnets are as follows:
10.80.27.0 - Wireless Corporate (vlan 27)
10.80.28.0 - Wireless Guest (vlan 28)
10.80.10.0 - Management (vlan 10)
(In addition, we have multiple other vlans on both a 172.16.0.0/16 and the 10.80.X.0/24 network)
In order to restrict access for the Guest wireless clients, I tried to add the following ACL on vlan 28 thinking this would allow DHCP and DNS requests for wireless clients as well as web access while denying access to all other inside network resources:
ip access-list extended UNTRUSTED-ACL
permit udp 10.80.28.0 0.0.0.255 any eq domain
permit udp 10.80.28.0 0.0.0.255 any eq bootps bootpc
permit tcp 10.80.28.0 0.0.0.255 any eq www
permit tcp 10.80.0.0 0.0.255.255 any eq 443
deny ip 10.80.28.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 10.80.28.0 0.0.0.255 172.16.0.0 0.0.255.255
So basically, without the ACL applied, a client receives an address from DHCP without issue and is able to surf the internet as well as all inside resources. When I apply the ACL to the vlan, clients can no longer receive an IP from DHCP. However, if a client had already received an address prior to applying the ACL, that client is able to surf while being denied access to the inside network when the ACL is applied, which is the desired effect. So it would seem that the issue is with access to the DHCP server when the ACL is in place. Is my ACL misconfigured or am I just going about this entirely the wrong way?
(apologies for the overly verbose explanation, wanted to be sure I got enough detail in there)
First, let's be clear. You have a WLC, correct? Did you turn off DHCP proxy on the WLC? This is enabled by default. If proxy is enabled, your ip helpers are not being used for your wireless clients, because the WLC will unicast the DHCP for the client.
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
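The following is an added example, not code from the original thread: a small evaluator for IOS-style extended ACL entries that replays constructed sample flows against the posted UNTRUSTED-ACL (assumed applied inbound on the vlan 28 SVI) and against a copy with a DHCP permit prepended. The sample addresses (10.80.28.50 as a guest client, 10.80.10.5 as the DHCP/DNS server, 198.51.100.10 as an internet host, 10.80.28.2 as the controller's vlan 28 dynamic interface in DHCP proxy mode) are assumptions, not values from the post.

```python
import ipaddress
PORTS = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}  # keywords as IOS resolves them

def _addr(tok):
    # Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'; return (network, wildcard) as ints.
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    net = int(ipaddress.IPv4Address(tok.pop(0) if t == "host" else t))
    return net, (0 if t == "host" else int(ipaddress.IPv4Address(tok.pop(0))))

def _ports(tok):
    # Consume an optional 'eq p1 p2 ...' clause; an empty set means any port.
    ports = set()
    if tok and tok[0] == "eq":
        tok.pop(0)
        while tok and (tok[0] in PORTS or tok[0].isdigit()):
            p = tok.pop(0)
            ports.add(PORTS[p] if p in PORTS else int(p))
    return ports

def parse_acl(text):
    # Parse 'permit|deny proto src [eq ...] dst [eq ...]' lines; anything else is skipped.
    entries = []
    for tok in (line.split() for line in text.splitlines()):
        if tok and tok[0] in ("permit", "deny"):
            action, proto, rest = tok[0], tok[1], tok[2:]
            entries.append((action, proto, _addr(rest), _ports(rest), _addr(rest), _ports(rest)))
    return entries

def evaluate(entries, proto, src, sport, dst, dport):
    # First matching ACE wins; an ACE number of None means the implicit 'deny ip any any'.
    def hit(addr, spec):  # wildcard bits set to 1 are "don't care"
        return (int(ipaddress.IPv4Address(addr)) | spec[1]) == (spec[0] | spec[1])
    for n, (action, p, s, sp, d, dp) in enumerate(entries, 1):
        if p in ("ip", proto) and hit(src, s) and hit(dst, d) \
                and (not sp or sport in sp) and (not dp or dport in dp):
            return action, n
    return "deny", None

POSTED_ACL = """
permit udp 10.80.28.0 0.0.0.255 any eq domain
permit udp 10.80.28.0 0.0.0.255 any eq bootps bootpc
permit tcp 10.80.28.0 0.0.0.255 any eq www
permit tcp 10.80.0.0 0.0.255.255 any eq 443
deny ip 10.80.28.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 10.80.28.0 0.0.0.255 172.16.0.0 0.0.255.255
"""
# A client with no lease sends DISCOVER from 0.0.0.0:68 to 255.255.255.255:67; no ACE with source 10.80.28.0/24 matches it, so the implicit deny drops it before ip helper relays it.
FIXED_ACL = "permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps\n" + POSTED_ACL
```

Running the bridged DISCOVER through POSTED_ACL returns the implicit deny, while a request relayed by the controller from 10.80.28.2 (proxy mode) already matches the second ACE, which is why the proxy setting raised in the reply changes what the ACL actually sees. Note also that the fourth ACE's source of 10.80.0.0 0.0.255.255 is wider than the guest subnet.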