Public WiFi ACL setup for 6224
I'm trying to set up some ACLs to limit access on our Public WiFi VLAN (ID 174). Basically we want this VLAN to be able to get an IP address from DHCP but not be able to get to internal networks (only access the Internet).
I think the logic should be:
Allow 192.168.174.0/255.255.255.0 access to the IP 192.168.168.33 for DHCP
Deny 192.168.174.0/255.255.255.0 access to the network 192.168.0.0/255.255.0.0
Allow 192.168.174.0/255.255.255.0 access to anything else
I created the rules and applied them to the VLAN, but I can't get an IP from DHCP nor can I get to the internet (basically I can't do anything). Below are the relevant lines from the running config. Can you see what I might be doing wrong?
access-list PublicWireless permit udp 192.168.174.0 255.255.255.0 eq 68 192.168.168.3 255.255.255.0 eq 67
access-list PublicWireless deny ip 192.168.174.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list PublicWireless permit ip 192.168.174.0 255.255.255.0 0.0.0.0 0.0.0.0
name "Surprise - Public Wireless"
routing
ip address 192.168.174.1 255.255.255.0
ip access-group PublicWireless in 1
exit
Anaraendil
March 17th, 2011 01:00
Hi,
Your wireless clients can't get IPs with this configuration. You're permitting DHCP traffic from the 192.168.174.0/24 subnet, but they do not have this IP address when they send DHCP requests. Nor do they have such a destination as 192.168.168.3. Approximately a year ago I had the same issue. The correct access control entry for this is:
access-list PublicWireless permit udp host 0.0.0.0 eq 68 host 255.255.255.255 eq 67
Another thing I noticed in your VLAN config: you don't have an ip helper address. If you need more explanation about this, just tell me.
And one more comment: maybe it's better to explicitly allow traffic to some host (probably the internet gateway) and deny it to all others.
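To make the reply's point concrete, here is an added Python model of first-match ACL evaluation (example code written for this page, not part of the thread and not the switch's own code). It loads the three entries from the original post as ORIGINAL_ACL, prepends the reply's `host 0.0.0.0 eq 68 host 255.255.255.255 eq 67` entry as CORRECTED_ACL, and runs constructed sample packets through both. Assumptions: the masks are treated as ordinary subnet masks the way the poster wrote them (the switch's own mask parsing is not verified here), the ACL is evaluated on traffic arriving inbound from the wireless clients, as `ip access-group ... in` implies, and an unmatched packet hits the implicit deny at the end of every ACL.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """One IPv4 packet as the ACL engine sees it (ports are None for non-TCP/UDP)."""
    proto: str            # "udp", "tcp", "icmp", ...
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


@dataclass(frozen=True)
class Ace:
    """One access control entry; proto "ip" matches any protocol, a None port matches any port."""
    action: str           # "permit" or "deny"
    proto: str
    src_net: ipaddress.IPv4Network
    sport: Optional[int]
    dst_net: ipaddress.IPv4Network
    dport: Optional[int]


def net(addr: str, mask: str) -> ipaddress.IPv4Network:
    """Address/mask pair as written in the thread. Modelling assumption: the mask is a
    plain subnet mask, as the poster used it; the switch's own convention is not checked."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def host(addr: str) -> ipaddress.IPv4Network:
    """The 'host x.x.x.x' keyword from the reply: an exact /32 match."""
    return ipaddress.IPv4Network(f"{addr}/32")


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.IPv4Address(pkt.src) not in ace.src_net:
        return False
    if ipaddress.IPv4Address(pkt.dst) not in ace.dst_net:
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; a packet that matches nothing hits the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# The three entries from the original post, in the order they were configured.
ORIGINAL_ACL = [
    Ace("permit", "udp", net("192.168.174.0", "255.255.255.0"), 68,
        net("192.168.168.3", "255.255.255.0"), 67),
    Ace("deny", "ip", net("192.168.174.0", "255.255.255.0"), None,
        net("192.168.0.0", "255.255.0.0"), None),
    Ace("permit", "ip", net("192.168.174.0", "255.255.255.0"), None,
        net("0.0.0.0", "0.0.0.0"), None),
]

# The reply's entry placed in front of the original three.
CORRECTED_ACL = [
    Ace("permit", "udp", host("0.0.0.0"), 68, host("255.255.255.255"), 67),
] + ORIGINAL_ACL

# Constructed sample traffic (203.0.113.0/24 is documentation address space).
DHCP_DISCOVER = Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67)       # client has no address yet
DHCP_RENEW = Packet("udp", "192.168.174.50", 68, "192.168.168.3", 67)      # unicast renewal after a lease
TO_INTERNAL = Packet("tcp", "192.168.174.50", 51000, "192.168.10.5", 445)  # internal LAN host
TO_INTERNET = Packet("tcp", "192.168.174.50", 51001, "203.0.113.10", 443)  # outside host


def compare(pkt: Packet) -> dict:
    """Verdict of both ACLs for one packet."""
    return {"original": evaluate(ORIGINAL_ACL, pkt),
            "corrected": evaluate(CORRECTED_ACL, pkt)}


if __name__ == "__main__":
    for name, pkt in [("DHCP discover", DHCP_DISCOVER), ("DHCP renew", DHCP_RENEW),
                      ("to internal LAN", TO_INTERNAL), ("to internet", TO_INTERNET)]:
        print(f"{name:16s} {compare(pkt)}")
```

Running it shows the failure the poster saw: the initial DHCP discover (source 0.0.0.0, destination 255.255.255.255) matches none of the original entries and falls to the implicit deny, while the corrected ACL permits it. The original first entry only ever matches a unicast renewal from a client that already holds a lease. The internal-network deny and the catch-all internet permit behave the same under both ACLs, so once a client has an address the internet path is open; the missing ip helper address the reply mentions is outside what this ACL model covers.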