January 28th, 2013 14:00
Access Control List for a WIFI Guest VLAN
I am trying to allow my VLAN 70 (GUESTWIFI) access only to the Internet and deny access to the LAN.
I have configured the ACL below but I can't seem to route out through my firewall (it has 2 interfaces, 1 is a sub-interface).
Can anyone advise what I am doing wrong?
SW>en
SW#configure t
SW(config)#access-list GUESTWIFI permit ip any 10.0.1.41 0.0.0.0
SW(config)#access-list GUESTWIFI permit ip any 10.0.1.42 0.0.0.0
SW(config)#access-list GUESTWIFI deny ip any 10.0.0.0 0.255.255.255
SW(config)#access-list GUESTWIFI deny ip any 192.168.0.0 0.0.255.255
SW(config)#access-list GUESTWIFI deny ip any 172.16.0.0 0.31.255.255
SW(config)#access-list GUESTWIFI permit ip any any
SW(config)#interface vlan 70
SW(config-if-vlan70)#ip access-group GUESTWIFI in 1
SW(config-if-vlan70)#exit
SW(config)#exit
SW#show ip access-lists
Current number of ACLs: 2 Maximum number of ACLs: 100
ACL Name Rules Interface(s) Direction
------------------------------- ----- ------------------------- ---------
GUESTWIFI 6 vlan 70 Inbound
SW#show ip access-lists GUESTWIFI
IP ACL Name: GUESTWIFI
Inbound VLAN(s):
70
Rule Number: 1
Action......................................... permit
Match All...................................... FALSE
Protocol....................................... 255(ip)
Source IP Address.............................. any
Destination IP Address......................... 10.0.1.41
Destination IP Mask............................ 0.0.0.0
Rule Number: 2
Action......................................... permit
Match All...................................... FALSE
Protocol....................................... 255(ip)
Source IP Address.............................. any
Destination IP Address......................... 10.0.1.42
Destination IP Mask............................ 0.0.0.0
Rule Number: 3
Action......................................... deny
Match All...................................... FALSE
Protocol....................................... 255(ip)
Source IP Address.............................. any
Destination IP Address......................... 10.0.0.0
Destination IP Mask............................ 0.255.255.255
Rule Number: 4
Action......................................... deny
Match All...................................... FALSE
Protocol....................................... 255(ip)
Source IP Address.............................. any
Destination IP Address......................... 192.168.0.0
Destination IP Mask............................ 0.0.255.255
Rule Number: 5
Action......................................... deny
Match All...................................... FALSE
Protocol....................................... 255(ip)
Source IP Address.............................. any
Destination IP Address......................... 172.16.0.0
Destination IP Mask............................ 0.31.255.255
Rule Number: 6
Action......................................... permit
Match All...................................... TRUE
SW#
Thanks L
2010Lois
January 31st, 2013 05:00
This resolved it:
SW(config)#access-list GUESTWIFI permit ip 10.0.70.0 0.0.0.255 10.0.1.41 0.0.0.0
SW(config)#access-list GUESTWIFI permit ip 10.0.70.0 0.0.0.255 10.0.1.42 0.0.0.0
SW(config)#access-list GUESTWIFI deny ip 10.0.70.0 0.0.0.255 10.0.1.0 0.0.0.255
SW(config)#access-list GUESTWIFI permit ip any any
DELL-Willy M
January 28th, 2013 15:00
Could you provide further information on what the subnet is for the guest wifi? What are the subnet(s) for your LAN? What specific switch are you configuring?
When writing the ACE statements you typically want to start with the more specific statements at the beginning.
The switch is going to run down the ACE list and filter traffic as it goes from top to bottom. Once the traffic matches a statement it does not proceed any further.
If you are wanting to block your guest wifi from the LAN you might give this a try.
access-list GUESTWIFI deny ip (ip address and wildcard mask of wifi network) (ip address and wildcard mask of LAN network)
access-list GUESTWIFI permit ip any any
instead of using the broad statement of any.
Here are some articles discussing ACLs on the PowerConnect switches:
www.dell.com/.../pwcnt_IP_ACLs.pdf
www.dell.com/.../app_note_10.pdf
www.dell.com/.../app_note_3.pdf
Hope this helps,
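To make the top-to-bottom, first-match behaviour described above concrete, here is an added Python evaluator (constructed example code, not Dell's implementation and not anything posted in the thread) that walks both ACLs quoted in this thread for a constructed guest host 10.0.70.5; the wildcard-mask matching and the implicit trailing deny are assumptions about how PowerConnect IP ACLs behave.

```python
# Constructed example, not the switch's code: a first-match evaluator for the
# "permit|deny ip <src> <dst>" ACEs quoted in this thread, with wildcard masks.
import ipaddress

def _match(addr, spec):
    """spec is 'any' or 'a.b.c.d w.x.y.z'; wildcard bit 1 = don't care, 0 = must match."""
    if spec == "any":
        return True
    net, wild = spec.split()
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)

def parse_ace(line):
    """'access-list NAME permit ip any 10.0.1.41 0.0.0.0' -> ('permit', 'any', '10.0.1.41 0.0.0.0')."""
    tok = line.replace("SW(config)#", "").split()  # tolerate a pasted CLI prompt
    if tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    rest = tok[4:]
    src, rest = ("any", rest[1:]) if rest[0] == "any" else (" ".join(rest[:2]), rest[2:])
    dst = "any" if rest[0] == "any" else " ".join(rest[:2])
    return tok[2], src, dst

def evaluate(acl_lines, src, dst):
    """First match top to bottom decides; assumed implicit deny at the end (as on PowerConnect)."""
    for n, line in enumerate(acl_lines, 1):
        action, s, d = parse_ace(line)
        if _match(src, s) and _match(dst, d):
            return action, n
    return "deny", None

# The list from the question and the resolved list, as posted in the thread.
ORIGINAL_ACL = [
    "access-list GUESTWIFI permit ip any 10.0.1.41 0.0.0.0",
    "access-list GUESTWIFI permit ip any 10.0.1.42 0.0.0.0",
    "access-list GUESTWIFI deny ip any 10.0.0.0 0.255.255.255",
    "access-list GUESTWIFI deny ip any 192.168.0.0 0.0.255.255",
    "access-list GUESTWIFI deny ip any 172.16.0.0 0.31.255.255",
    "access-list GUESTWIFI permit ip any any",
]
RESOLVED_ACL = [
    "access-list GUESTWIFI permit ip 10.0.70.0 0.0.0.255 10.0.1.41 0.0.0.0",
    "access-list GUESTWIFI permit ip 10.0.70.0 0.0.0.255 10.0.1.42 0.0.0.0",
    "access-list GUESTWIFI deny ip 10.0.70.0 0.0.0.255 10.0.1.0 0.0.0.255",
    "access-list GUESTWIFI permit ip any any",
]

if __name__ == "__main__":  # constructed guest host 10.0.70.5 to a few destinations
    for dst in ("10.0.1.41", "10.0.1.50", "192.168.1.10", "8.8.8.8"):
        print(dst, evaluate(ORIGINAL_ACL, "10.0.70.5", dst), evaluate(RESOLVED_ACL, "10.0.70.5", dst))
```

Running it also shows how the two lists differ in scope: the resolved ACL denies only 10.0.1.0/24, so guest traffic to a 192.168.x.x or 172.16.x.x destination falls through to the final permit any any, whereas the original list denied all three RFC 1918 ranges.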
2010Lois
January 29th, 2013 01:00
Hello.
Thanks for your reply.
Subnet for guest WIFI is 10.0.70.0/24
Subnet for LAN is 10.0.1.0/24
Re your suggestion, I am not sure if that will work because the firewall interfaces (10.0.1.41 & 10.0.1.42) are in the same subnet as the LAN. I thought by including these ACEs at the top of the ACL that they will apply first, then the ACE on line 3 "access-list GUESTWIFI deny ip any 10.0.0.0 0.255.255.255" will deny the rest of the LAN subnet.
I will take a look at the articles you suggested in the meantime
Regards
L
DELL-Willy M
January 31st, 2013 09:00
Excellent, glad to see you have it working!
Thanks for updating the post with your resolution.