
Solved: ACL for public WiFi not working when applied to trunk?

Discussion in 'Networking' started by cerveza1980, Jan 17, 2012.

  1. cerveza1980

    cerveza1980 Thread Starter

    Joined:
    Jan 17, 2012
    Messages:
    2
    So there are two VLANs traveling over the port attached to the controller (User VLAN 100, and Guest VLAN 102). I need to block the guest from everything but the internet while allowing the free flow of everything else on the User VLAN. All info sanitized of course. I think I have the ACLs correct for what I am trying to accomplish; I just cannot get this ACL to work on a trunk port. Confirmed the ACL works correctly on access ports, however.
    ip access-list extended Wireless
    permit ip 172.100.0.0 0.0.255.255 any
    permit udp any any eq bootpc
    permit udp any any eq bootps
    permit udp any any eq domain
    permit tcp any any eq domain
    deny ip 172.102.0.0 0.0.255.255 10.5.6.0 0.0.0.255
    deny ip 172.102.0.0 0.0.255.255 10.5.5.0 0.0.0.255
    deny ip 172.102.0.0 0.0.255.255 10.5.4.0 0.0.0.255
    deny ip 172.102.0.0 0.0.255.255 10.5.3.0 0.0.0.255
    deny ip 172.102.0.0 0.0.255.255 10.5.2.0 0.0.0.255
    deny ip 172.102.0.0 0.0.255.255 10.5.1.0 0.0.0.255
    deny ip 172.102.0.0 0.0.255.255 10.5.0.0 0.0.0.255
    deny ip 172.102.0.0 0.0.255.255 10.100.0.0 0.0.0.255
    deny ip 172.102.0.0 0.0.255.255 10.101.0.0 0.0.0.255
    permit ip any any
    interface GigabitEthernet0/19
    description MERU Controller
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 100
    switchport trunk allowed vlan 100,102
    switchport mode trunk
    no ip address
    ip access-group Wireless in
    no mdix auto
    spanning-tree portfast
    interface FastEthernet0/22
    description MERU AP 8
    switchport access vlan 100
    switchport trunk native vlan 100
    switchport mode access
    no ip address
    ip access-group Wireless in
    Edit: basic network diagram. Both ports attached to the controller and the AP are trunks. [1] http://i.imgur.com/H7yBE.jpg
    So there is no router in this topology. Only a core switch running layer 3 with a directly connected routing table.
    Edit2: No router to apply the ACL to. Only a core switch running layer 3 with a directly connected routing table. I tried to apply a variant of the ACL to a VLAN interface and still nothing was blocked.

    I have also tried applying the ACL to the VLAN interface on the core switch that is doing the layer 3 routing.

    So I have applied a modified ACL to the VLAN interface for the public WiFi and found that I can block traffic now. Only that the ACL blocks traffic to the internet now. Below is the ACL I am applying.

    permit ip 172.100.0.0 0.0.255.255 any
    permit ip 172.101.0.0 0.0.255.255 any
    permit ip 172.5.6.0 0.0.0.255 any
    permit ip 172.5.3.0 0.0.0.255 any
    permit ip 172.5.2.0 0.0.0.255 any
    permit ip 172.5.1.0 0.0.0.255 any
    permit ip 172.5.0.0 0.0.0.255 any
    permit udp any any eq bootpc
    permit udp any any eq bootps
    permit udp any any eq domain
    permit tcp any any eq domain
    Deny ip 172.102.0.0 0.0.255.255 any
    permit ip any any
     
  2. cerveza1980

    cerveza1980 Thread Starter

    Joined:
    Jan 17, 2012
    Messages:
    2
    I finally figured it out. Still do not know why you can't apply an ACL to a trunk, but whatever.

    Solution: Created an ACL for the inbound VLAN interface of the Public VLAN. Deleted the Deny ip any any statement and created a deny statement for each individual subnet that I do not want the Public VLAN to have access to.

    permit ip 172.100.0.0 0.0.255.255 any
    permit ip 172.101.0.0 0.0.255.255 any
    permit ip 172.5.6.0 0.0.0.255 any
    permit ip 172.5.3.0 0.0.0.255 any
    permit ip 172.5.2.0 0.0.0.255 any
    permit ip 172.5.1.0 0.0.0.255 any
    permit ip 172.5.0.0 0.0.0.255 any
    permit udp any any eq bootpc
    permit udp any any eq bootps
    permit udp any any eq domain
    permit tcp any any eq domain
    Deny ip 172.102.0.0 0.0.255.255 172.100.0.0 0.0.255.255
    Deny ip 172.102.0.0 0.0.255.255 172.101.0.0 0.0.255.255
    Deny ip 172.102.0.0 0.0.255.255 172.5.6.0 0.0.0.255
    Deny ip 172.102.0.0 0.0.255.255 172.5.3.0 0.0.0.255
    Deny ip 172.102.0.0 0.0.255.255 172.5.2.0 0.0.0.255
    Deny ip 172.102.0.0 0.0.255.255 172.5.1.0 0.0.0.255
    Deny ip 172.102.0.0 0.0.255.255 172.5.0.0 0.0.0.255
    permit ip any any
     
  3. zx10guy

    zx10guy Trusted Advisor

    Joined:
    Mar 30, 2008
    Messages:
    5,704
    The reason why you can't apply ACLs to a trunk port is because a trunk port is a layer 2 interface. ACLs are a layer 3 function and therefore require a router interface. The exception to this is if you use VACLs, which are ACLs applied to VLANs at a layer 2 level.

    You may also want to use the established option with your extended access lists.
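As an added illustration (not code from the thread or from either poster), the Python below is a small first-match evaluator for Cisco-style extended ACLs. It replays the two ACLs cerveza1980 posted, the second attempt ending in "deny ip 172.102.0.0 0.0.255.255 any" and the final per-subnet version, against constructed guest, user and internet hosts, which shows why the first one also cuts off internet access while the second does not, and why the DHCP and DNS permits above the deny lines still let guest DHCP through in both. It also models the "established" option zx10guy mentions (in IOS it matches TCP segments with ACK or RST set, i.e. replies to sessions that were already opened) with a constructed two-line ACL. The host addresses, the sample packets, ACL_ESTABLISHED and the evaluator itself are assumptions; the parser handles only the ACE forms used in the thread, not the full IOS grammar, and it does not model where an ACL is applied (a layer 2 trunk never consults it), only how entries match once a layer 3 interface does.

```python
import ipaddress
from collections import namedtuple

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53}  # IOS port keywords used in the thread
# proto is "tcp" or "udp"; tcp_ack means ACK (or RST) is set, which is what IOS calls "established"
Packet = namedtuple("Packet", "proto src dst dport tcp_ack", defaults=(0, False))
Ace = namedtuple("Ace", "action proto src dst dport established")

def match_addr(spec, addr):
    """Cisco address spec: 'any' or 'network wildcard'. A 0 bit in the wildcard
    must match, a 1 bit is 'don't care'."""
    if spec == "any":
        return True
    net, wild = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return int(ipaddress.IPv4Address(net)) & care == int(ipaddress.IPv4Address(addr)) & care

def _take_addr(tokens, i):
    if tokens[i] == "any":
        return "any", i + 1
    return f"{tokens[i]} {tokens[i + 1]}", i + 2

def parse_ace(line):
    """Parse one extended ACE. Covers only the forms used in the thread
    (destination 'eq <port>' and 'established'), not the full IOS grammar."""
    t = line.lower().split()
    action, proto = t[0], t[1]
    src, i = _take_addr(t, 2)
    dst, i = _take_addr(t, i)
    dport, established = None, False
    while i < len(t):
        if t[i] == "eq":
            dport, i = PORT_NAMES.get(t[i + 1]) or int(t[i + 1]), i + 2
        elif t[i] == "established":
            established, i = True, i + 1
        else:
            raise ValueError(f"unsupported token {t[i]!r} in {line!r}")
    return Ace(action, proto, src, dst, dport, established)

def ace_matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:   # 'ip' entries match any protocol
        return False
    if not (match_addr(ace.src, pkt.src) and match_addr(ace.dst, pkt.dst)):
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    return not ace.established or pkt.tcp_ack

def evaluate(acl, pkt):
    """First matching entry wins; every IOS ACL ends in an implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace.action, line
    return "deny", "<implicit deny ip any any>"

# Internal networks exactly as they appear in the thread's permit/deny lines.
INTERNAL = ["172.100.0.0 0.0.255.255", "172.101.0.0 0.0.255.255", "172.5.6.0 0.0.0.255",
            "172.5.3.0 0.0.0.255", "172.5.2.0 0.0.0.255", "172.5.1.0 0.0.0.255",
            "172.5.0.0 0.0.0.255"]
GUEST_NET = "172.102.0.0 0.0.255.255"
COMMON = [f"permit ip {n} any" for n in INTERNAL] + [
    "permit udp any any eq bootpc", "permit udp any any eq bootps",
    "permit udp any any eq domain", "permit tcp any any eq domain"]
ACL_DENY_ANY = COMMON + [f"deny ip {GUEST_NET} any", "permit ip any any"]  # second attempt
ACL_FINAL = COMMON + [f"deny ip {GUEST_NET} {n}" for n in INTERNAL] + ["permit ip any any"]
# Constructed (not from the thread): admit only replies to sessions the guest side
# opened, drop unsolicited connections into the guest network.
ACL_ESTABLISHED = [f"permit tcp any {GUEST_NET} established", f"deny ip any {GUEST_NET}"]

GUEST, USER, INTERNET = "172.102.10.20", "172.100.1.5", "198.51.100.7"  # constructed hosts
CASES = {
    "guest->user_smb": Packet("tcp", GUEST, USER, 445),
    "guest->internet_https": Packet("tcp", GUEST, INTERNET, 443),
    "guest_dhcp_discover": Packet("udp", "0.0.0.0", "255.255.255.255", 67),
    "user->guest_ssh": Packet("tcp", USER, GUEST, 22),
}

def outcomes(acl):
    """Action taken for each constructed case, as if the ACL were inbound on the guest SVI."""
    return {name: evaluate(acl, pkt)[0] for name, pkt in CASES.items()}

def return_traffic():
    """established: a reply (ACK set) is admitted, a new inbound SYN is not."""
    reply = Packet("tcp", INTERNET, GUEST, 51234, tcp_ack=True)
    syn = Packet("tcp", INTERNET, GUEST, 22, tcp_ack=False)
    return evaluate(ACL_ESTABLISHED, reply)[0], evaluate(ACL_ESTABLISHED, syn)[0]

if __name__ == "__main__":
    for name, acl in (("second attempt", ACL_DENY_ANY), ("final", ACL_FINAL)):
        print(name, outcomes(acl))
    print("established", return_traffic())
```

Running the file prints the verdict for each case under both ACLs; evaluate() also returns the exact entry that matched, which is the quickest way to see that "deny ip 172.102.0.0 0.0.255.255 any" sits above "permit ip any any" and therefore swallows the internet-bound traffic as well.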
     
Short URL to this thread: https://techguy.org/1036794