[c-nsp] Wireless vlans and ACL
Church, Chuck
cchurch at netcogov.com
Thu Mar 30 09:56:00 EST 2006
Your access-list 102 for inbound traffic is applied to the main radio
interface, rather than the subint that has the IP address on it. Try
moving it to the .2 interface. The outbound one on the subint isn't
doing anything.
Chuck Church
Network Engineer
CCIE #8776, MCNE, MCSE
Netco Government Services
Enterprise Network Engineering
Home Office - 864-335-9473
Cell - 864-266-3978
cchurch at netcogov.com
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dave Lim
Sent: Thursday, March 30, 2006 9:27 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Wireless vlans and ACL
Hi guys,
I am trying to apply an ACL on a wireless VLAN. I have 2 VLANs, vlan1
(192.168.1.0/24) and vlan2 (192.168.2.0/24). Simple: I am trying to
prevent vlan2 from accessing vlan1 but it can still do a PAT overload to
access the internet.
I have tried applying the ACL on interface dot11radio0.2 but to no
avail. Traffic still goes through.
Here's my config. Anyone?
router1#sh run
Building configuration...
Current configuration : 6936 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname router1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$.0JF$MvriWPwkHm5wdw7hsjGaX/
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 8
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.1.201 192.168.1.254
ip dhcp excluded-address 192.168.1.1 192.168.1.100
ip dhcp excluded-address 192.168.2.1 192.168.2.99
!
ip dhcp pool xxxxx at KA
import all
network 192.168.1.0 255.255.255.0
dns-server 210.193.2.34 210.193.2.36
default-router 192.168.1.1
!
ip dhcp pool xxxGuest
import all
network 192.168.2.0 255.255.255.0
dns-server 210.193.2.34 210.193.2.36
default-router 192.168.2.1
!
!
no ip domain lookup
ip domain name xxxxxxx
ip name-server 210.193.2.34
!
!
!
!
bridge irb
!
!
!
interface FastEthernet0
ip address 10.10.1.1 255.255.255.0
duplex auto
speed auto
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface Dot11Radio0
no ip address
ip access-group 102 in
!
encryption vlan 2 mode ciphers tkip
!
ssid xxxGuest
vlan 2
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 xxxxxxxx
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0
36.0 48.0 54.0
station-role root
!
interface Dot11Radio0.2
ip address 192.168.2.1 255.255.255.0
ip access-group 102 out
encapsulation dot1Q 2
ip nat inside
ip virtual-reassembly
no snmp trap link-status
no cdp enable
!
interface Dot11Radio0.100
no cdp enable
!
interface Dot11Radio0.120
no cdp enable
!
interface Dot11Radio1
no ip address
shutdown
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
no dot11 extension aironet
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
no ip redirects
no ip unreachables
no ip proxy-arp
pvc 0/100
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan2
no ip address
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username xxxxxxxxx password 7 xxxxxxxx
!
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.10.0 255.255.255.0 FastEthernet0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit any
access-list 100 permit ip any any
access-list 101 permit udp host 210.193.2.36 eq domain any
access-list 101 permit udp host 210.193.2.34 eq domain any
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any 192.168.1.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip any any
dialer-list 1 protocol ip permit
no cdp run
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
line vty 5 15
privilege level 15
transport input telnet ssh
!
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
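An added example, not part of either message above: a small Python check that parses IOS "show run" text and reproduces the point made in the reply. It reports an access-group applied to an interface that has no IP address (the L2 parent Dot11Radio0) as filtering none of the VLAN's routed traffic, notes that an "out" ACL on the VLAN's own subinterface only sees what the router sends toward the clients, and then evaluates the inbound ACL first-match style for a constructed guest-to-LAN flow. The two embedded configs are trimmed, constructed copies of the posted one, before and after moving ACL 102 inbound onto Dot11Radio0.2; the client and target addresses (192.168.2.50, 192.168.1.10) are made up, and port and ICMP-type qualifiers in ACL entries are skipped rather than modeled.

```python
"""Where does an IOS 'ip access-group' sit relative to the traffic it must filter?
Added example for this thread, not from either post.  The configs are constructed,
trimmed copies of the posted one; the client/target addresses are made up."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed from the posted config: ACL 102 inbound on the L2 parent radio
# interface and outbound on the dot1Q subinterface that owns 192.168.2.1.
CONFIG_AS_POSTED = """\
interface Dot11Radio0
 no ip address
 ip access-group 102 in
!
interface Dot11Radio0.2
 ip address 192.168.2.1 255.255.255.0
 ip access-group 102 out
 encapsulation dot1Q 2
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
!
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip any any
"""
# Same ACL where the reply puts it: inbound on VLAN 2's subinterface, nowhere else.
CONFIG_CORRECTED = CONFIG_AS_POSTED.replace(
    " ip access-group 102 in\n", "", 1).replace("102 out", "102 in")

def parse_interfaces(config: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Per 'interface' stanza: {'ip': address, 'in': acl, 'out': acl}.  'show run'
    indents stanza lines by one space; '!' or any column-0 command ends the stanza."""
    interfaces: Dict[str, Dict[str, Optional[str]]] = {}
    current = None
    for line in config.splitlines():
        if not line.startswith(" "):
            current = None
            if line.startswith("interface "):
                current = interfaces.setdefault(line.split(None, 1)[1],
                                                {"ip": None, "in": None, "out": None})
        elif current is not None:
            cmd = line.strip()
            if m := re.fullmatch(r"ip address (.+)", cmd):  # 'no ip address' does not match
                current["ip"] = m.group(1)
            elif m := re.fullmatch(r"ip access-group (\S+) (in|out)", cmd):
                current[m.group(2)] = m.group(1)
    return interfaces

def _addr(tokens: List[str]) -> Tuple[int, int]:
    """Consume one ACL address spec ('any', 'host A', or 'A WILDCARD') -> ints."""
    kind = tokens.pop(0)
    if kind == "any":
        return 0, 0xFFFFFFFF
    if kind == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(kind)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acls(config: str) -> Dict[str, List[Tuple]]:
    """Numbered extended ACL entries in order: (action, proto, src, dst).
    Port/ICMP-type qualifiers after the source are skipped, not modeled."""
    acls: Dict[str, List[Tuple]] = {}
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) (permit|deny) (ip|tcp|udp|icmp) (.+)", line)
        if m:  # remarks and standard (source-only) ACLs are skipped
            tokens = m.group(4).split()
            src = _addr(tokens)
            while tokens and tokens[0] in ("eq", "gt", "lt", "neq", "range"):
                del tokens[: 3 if tokens[0] == "range" else 2]
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3), src, _addr(tokens)))
    return acls

def acl_decision(entries: List[Tuple], proto: str, src: str, dst: str) -> str:
    """First-match evaluation of one packet, ending in IOS's implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, eproto, (snet, swild), (dnet, dwild) in entries:
        # 'ip' entries match any protocol; wildcard 1-bits are "don't care"
        if eproto in ("ip", proto) and not ((s ^ snet) & ~swild & 0xFFFFFFFF
                                            or (d ^ dnet) & ~dwild & 0xFFFFFFFF):
            return action
    return "deny"

def check_isolation(config: str, client_if: str, client: str, protected: str) -> List[str]:
    """Findings explaining why client -> protected is not filtered where it enters."""
    ifs, acls, findings = parse_interfaces(config), parse_acls(config), []
    for name, itf in ifs.items():
        for direction in ("in", "out"):
            if itf[direction] and itf["ip"] is None:
                findings.append(f"{name}: access-group {itf[direction]} {direction} on an "
                                "interface with no ip address; the VLAN's traffic enters on "
                                "the subinterface that holds its address, so this sees none of it")
    itf = ifs[client_if]
    if itf["in"] is None:
        why = (f" ({itf['out']} out only filters what the router sends toward the clients)"
               if itf["out"] else "")
        findings.append(f"{client_if}: no inbound ACL, {client} -> {protected} is forwarded{why}")
    elif acl_decision(acls.get(itf["in"], []), "ip", client, protected) != "deny":
        findings.append(f"{client_if}: inbound ACL {itf['in']} permits {client} -> {protected}")
    return findings

if __name__ == "__main__":
    for label, cfg in (("as posted", CONFIG_AS_POSTED), ("corrected", CONFIG_CORRECTED)):
        print(label, check_isolation(cfg, "Dot11Radio0.2", "192.168.2.50", "192.168.1.10") or "OK")
```

Run as a script it prints two findings for the posted layout and nothing for the corrected one; to use it on a real box, feed check_isolation a saved "show run" and the subinterface of the VLAN being fenced off. It only checks ACL placement and the first-match outcome for one flow; it says nothing about the wireless side of the config.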