IP-Based ACL on 6024 to block Vlan Traffic.

It would be easier to figure out what's happening if you could just post the configurations for both of your switches.

Cuong.

I may not fully comprehend your setup since I can't tell how the ports are connected from the configuration.  But I think maybe I see the problem.  The ACL works only on ingress.  Meaning that the ACL filter will cause packets to be dropped as it comes into the switch not as it goes out of the switch.

So you should apply your ACL at the incoming port on your 3348 (if port 38 is where the guest user is connected then you should apply the ACL there).  At this point you should set up the ACL to deny any packet where the destination is one of the IP address on your protected network.

Alternatively since you already put the guest user on VLAN 10 which is already isolated from other users on the 3348, you can wait until it gets to the 6024 before you apply the ACL, but you must still apply the ACL on the incoming interface which in this case is VLAN 10 not the outgoing port (you applied the ACL to port 1 - I'm assuming this is your internet port) if you want to block this user from accessing other hosts on your private network.  So you need to put the ACL on VLAN 10 where you block access from any source address to the destination address on your private network.

The key here is to make sure you apply the ACL on incoming packet so that the packet is filtered before it enters the switch.

Cuong.

I got it to work applying it to the vlans.  However, I still have an issue.  I have setup the acl to allow dhcp on udp ports 67 and 68 and dns on udp and tcp port 53 to our server.  Then I denied all other traffic to the server and the subnet.  It allows me to use dhcp and dns, but it also allows all traffic to the server.  It doesn't allow any traffic to any other computer on the subnet, but I can ping, print, and connect to files on the server.  Shouldn't you only be able to use the ports that are open? Here's my acl's.

It's easier to figure out what's going on if you give me a more detail scenario, here are some thoughts first:

• Remember that the rules applies in order from first to last.  If the first rule matches then the next one is not even considered.  So make sure you look through all the rules and make sure you understand how the rules apply to your packets.  I'm not sure about the purpose of the first two rules in your "guest" ACL.  Also where are you applying your two ACLs?  All on the same set of interfaces?
• The easiest way to debug the ACL is to think about the path your packet takes.  So think about a system that has a source IP X which tries to communicate with destination IP Y.  Now walk the packet through the network and consider what happens when it enters the switch and the ACL rules apply.  Then consider what happens when the response packet comes back, remember that the ACL rule applies only on ingress, so the ACL rule that applies to the request packet is not necessarily applicable to the response packet.

If you walk the packet through the switches and ports you will see how the rules apply and be able to figure out the problem.

For example, what is the IP address of your guest system and what port is it connected to and what IP address is it trying to get to.  Now consider when the packet enters the switch and then forwarded to the 6024, what VLAN does it comes into and what port.  Look at the ACL and think about which ACL rule applies and what should happen to the packet.  Is it having the affect you expect?  If you think that it should work as you defined it then go through your thoughts here and present me with the same scenario and let's see if I can see what's happening.

Cuong.

Quick questions:

• Are the traffic from the AP to the 5212 sent tagged or untagged?  What is the 5212 PVID set to for the incoming port from the AP?  The reason I asked is because if the traffic from AP to 5212 is sent untagged and the PVID on the 5212 for that port is set to VLAN 1 then the traffic from AP to 5212 is sent on VLAN 1 not on VLAN 10.
• Are you certain that the traffic from the guest computer to the 6024 is on VLAN 10?  One way to check would be to see if you can ping from the guest computer to the systems on VLAN 1.  If you can then you might be on VLAN 1 not 10.
• If the intention is that the traffic from the AP to the 5212 is only for VLAN 10 then you might want to make sure the port from AP to 5212 is configured for only VLAN 10.

If your traffic is actually coming into VLAN 1 instead of VLAN 10 then probably your ACL is not being applied as you would think.  Your guest system may actually have full access to everything.

Cuong.

Sorry dustinn3, I've been busy with a few other things and I haven't had a chance to get back to this.  I'll email you directly so you can forward the configs for all your switches to me, let me see if I can reproduce the problem.

Cuong.