[c-nsp] Wireless vlans and ACL

Dave Lim dave.daturax at gmail.com
Thu Mar 30 09:26:37 EST 2006


Hi guys,

I am trying to apply an ACL on a wireless VLAN. I have 2 VLANs, vlan1
(192.168.1.0/24) and vlan2 (192.168.2.0/24). Simply put, I am trying to
prevent vlan2 from accessing vlan1, while still allowing it to reach the
internet via PAT overload.

I have tried applying the ACL on interface dot11radio0.2, but to no
avail: traffic still goes through.

Here's my config. Anyone?

router1#sh run
Building configuration...

Current configuration : 6936 bytes
!
! Running configuration as posted. Lines beginning "! NOTE(review):" are
! reviewer annotations on the posted config; "!" lines are ignored by IOS.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname router1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
! NOTE(review): this enable-secret hash is reproduced verbatim in a public
! mailing-list post; the enable secret should be changed.
enable secret 5 $1$.0JF$MvriWPwkHm5wdw7hsjGaX/
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 8
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.1.201 192.168.1.254
ip dhcp excluded-address 192.168.1.1 192.168.1.100
ip dhcp excluded-address 192.168.2.1 192.168.2.99
!
! DHCP scope for VLAN 1 (192.168.1.0/24), gateway 192.168.1.1.
ip dhcp pool xxxxx at KA
   import all
   network 192.168.1.0 255.255.255.0
   dns-server 210.193.2.34 210.193.2.36
   default-router 192.168.1.1
!
! DHCP scope for the guest VLAN 2 (192.168.2.0/24), gateway 192.168.2.1.
ip dhcp pool xxxGuest
   import all
   network 192.168.2.0 255.255.255.0
   dns-server 210.193.2.34 210.193.2.36
   default-router 192.168.2.1
!
!
no ip domain lookup
ip domain name xxxxxxx
ip name-server 210.193.2.34
!

!
!
!
bridge irb
!
!
!
interface FastEthernet0
 ip address 10.10.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface Dot11Radio0
 no ip address
 ! NOTE(review): ACL 102 is applied inbound on the physical radio, which
 ! carries no IP address; VLAN 2 is routed on subinterface Dot11Radio0.2
 ! below, so this entry is not expected to filter VLAN 2 traffic.
 ip access-group 102 in
 !
	
 encryption vlan 2 mode ciphers tkip
 !
 ! Guest SSID mapped to VLAN 2, WPA-PSK with TKIP (see "encryption vlan 2").
 ssid xxxGuest
    vlan 2
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii 7 xxxxxxxx
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0
36.0 48.0 54.0
 station-role root
!
! Routed interface for VLAN 2 (guest wireless clients), NAT inside.
interface Dot11Radio0.2
 ip address 192.168.2.1 255.255.255.0 	
 ! NOTE(review): "out" evaluates packets leaving the router toward VLAN 2
 ! clients (destination 192.168.2.0/24); ACL 102's deny keys on source
 ! 192.168.2.0/24, so it never matches in this direction. Packets from VLAN 2
 ! clients enter the router on this subinterface, so "ip access-group 102 in"
 ! is the direction the stated goal (block VLAN 2 -> VLAN 1) needs.
ip access-group 102 out
 encapsulation dot1Q 2
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
 no cdp enable
!
interface Dot11Radio0.100
 no cdp enable
!
interface Dot11Radio0.120
 no cdp enable
!
interface Dot11Radio1
 no ip address
 shutdown
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
 no dot11 extension aironet
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 no ip redirects
 no ip unreachables
 no ip proxy-arp

 pvc 0/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
! Routed interface for VLAN 1 (wired LAN), NAT inside.
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
! NOTE(review): the VLAN 2 SVI has no address; VLAN 2 is routed on
! Dot11Radio0.2 above, so any VLAN 2 filtering belongs there.
interface Vlan2
 no ip address
!
! WAN side (PPPoA over Dialer0), NAT outside, ingress filtered by ACL 101.
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username xxxxxxxxxpassword 7xxxxxxxx
!
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.10.0 255.255.255.0 FastEthernet0
!
!
! NOTE(review): plain HTTP management is enabled alongside HTTPS; if only the
! secure server is needed, "no ip http server" removes the cleartext one.
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
! PAT: every source matched by ACL 1 is translated to Dialer0's address.
ip nat inside source list 1 interface Dialer0 overload
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
! NOTE(review): "permit any" makes the preceding 192.168.1.0 entry redundant
! and translates every inside source, including VLAN 2 -- consistent with
! the stated intent of letting VLAN 2 reach the Internet via PAT.
access-list 1 permit any
! NOTE(review): ACL 100 is not applied to any interface in this config.
access-list 100 permit ip any any
access-list 101 permit udp host 210.193.2.36 eq domain any
access-list 101 permit udp host 210.193.2.34 eq domain any
access-list 101 deny   ip 192.168.1.0 0.0.0.255 any
! NOTE(review): "permit icmp any any" is evaluated before the deny entries
! for private/bogon sources below, so ICMP from those sources is permitted
! inbound on Dialer0; it also makes the echo-reply and unreachable entries
! redundant. Placing the specific ICMP permits after the denies would let
! the denies cover ICMP as well.
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any 192.168.1.0 0.0.0.255
access-list 101 permit ip any any
! ACL 102: block VLAN 2 -> VLAN 1, permit everything else. It only takes
! effect where packets sourced from 192.168.2.0/24 are seen, i.e. inbound on
! the VLAN 2 routed interface (Dot11Radio0.2).
access-list 102 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip any any
dialer-list 1 protocol ip permit
no cdp run

radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 ! NOTE(review): telnet carries credentials in cleartext; "transport input ssh"
 ! restricts remote management to SSH (same applies to vty 5 15 below).
 transport input telnet ssh
line vty 5 15
 privilege level 15
 transport input telnet ssh
!
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end


