[c-nsp] Wireless vlans and ACL
Dave Lim
dave.daturax at gmail.com
Thu Mar 30 10:05:40 EST 2006
bridge irb
After studying the configuration, I realised that I am doing
integrated routing and bridging on this router; thus, all non-routable
traffic will be flooded on all forwarding interfaces in the bridge
group. Thus I am already bridging this in layer 2, so this layer 3
ACL wouldn't work.
Someone correct me if I am wrong.
On 3/30/06, Church, Chuck <cchurch at netcogov.com> wrote:
> Your access-list 102 for inbound traffic is applied to the main radio
> interface, rather than the subint that has the IP address on it. Try
> moving it to the .2 interface. The outbound one on the subint isn't
> doing anything.
>
>
> Chuck Church
> Network Engineer
> CCIE #8776, MCNE, MCSE
> Netco Government Services
> Enterprise Network Engineering
> Home Office - 864-335-9473
> Cell - 864-266-3978
> cchurch at netcogov.com
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dave Lim
> Sent: Thursday, March 30, 2006 9:27 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Wireless vlans and ACL
>
> Hi guys,
>
> I am trying to apply an ACL on a wireless vlan. I have 2 vlans, vlan1
> (192.168.1.0/24) and vlan2 (192.168.2.0/24). Simple, I am trying to
> prevent vlan2 from accessing vlan1 but it can do a PAT overload to
> access the internet.
>
> I have tried applying the acl on interface dot11radio0.2 but to no
> avail. Traffic still goes through.
>
> Here's my config. Anyone?
>
> router1#sh run
> Building configuration...
>
> Current configuration : 6936 bytes
> !
> version 12.4
> service timestamps debug datetime msec
> service timestamps log datetime msec
> service password-encryption
> !
> hostname router1
> !
> boot-start-marker
> boot-end-marker
> !
> logging buffered 51200 warnings
> enable secret 5 $1$.0JF$MvriWPwkHm5wdw7hsjGaX/
> !
> aaa new-model
> !
> !
> aaa group server radius rad_eap
> !
> aaa group server radius rad_mac
> !
> aaa group server radius rad_acct
> !
> aaa group server radius rad_admin
> !
> aaa group server tacacs+ tac_admin
> !
> aaa group server radius rad_pmip
> !
> aaa group server radius dummy
> !
> aaa authentication login eap_methods group rad_eap
> aaa authentication login mac_methods local
> aaa authorization ipmobile default group rad_pmip
> aaa accounting network acct_methods start-stop group rad_acct
> !
> aaa session-id common
> !
> resource policy
> !
> clock timezone PCTime 8
> !
> !
> ip cef
> no ip dhcp use vrf connected
> ip dhcp excluded-address 10.10.10.1
> ip dhcp excluded-address 192.168.1.201 192.168.1.254
> ip dhcp excluded-address 192.168.1.1 192.168.1.100
> ip dhcp excluded-address 192.168.2.1 192.168.2.99
> !
> ip dhcp pool xxxxx at KA
> import all
> network 192.168.1.0 255.255.255.0
> dns-server 210.193.2.34 210.193.2.36
> default-router 192.168.1.1
> !
> ip dhcp pool xxxGuest
> import all
> network 192.168.2.0 255.255.255.0
> dns-server 210.193.2.34 210.193.2.36
> default-router 192.168.2.1
> !
> !
> no ip domain lookup
> ip domain name xxxxxxx
> ip name-server 210.193.2.34
> !
>
> !
> !
> !
> bridge irb
> !
> !
> !
> interface FastEthernet0
> ip address 10.10.1.1 255.255.255.0
> duplex auto
> speed auto
> !
> interface BRI0
> no ip address
> encapsulation hdlc
> shutdown
> !
> interface FastEthernet1
> !
> interface FastEthernet2
> !
> interface FastEthernet3
> !
> interface FastEthernet4
> !
> interface FastEthernet5
> !
> interface FastEthernet6
> !
> interface FastEthernet7
> !
> interface FastEthernet8
> !
> interface Dot11Radio0
> no ip address
> ip access-group 102 in
> !
>
> encryption vlan 2 mode ciphers tkip
> !
> ssid xxxGuest
> vlan 2
> authentication open
> authentication key-management wpa
> guest-mode
> wpa-psk ascii 7 xxxxxxxx
> !
> speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0
> 36.0 48.0 54.0
> station-role root
> !
> interface Dot11Radio0.2
> ip address 192.168.2.1 255.255.255.0
> ip access-group 102 out
> encapsulation dot1Q 2
> ip nat inside
> ip virtual-reassembly
> no snmp trap link-status
> no cdp enable
> !
> interface Dot11Radio0.100
> no cdp enable
> !
> interface Dot11Radio0.120
> no cdp enable
> !
> interface Dot11Radio1
> no ip address
> shutdown
> speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
> station-role root
> no dot11 extension aironet
> !
> interface ATM0
> no ip address
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> no atm ilmi-keepalive
> dsl operating-mode auto
> !
> interface ATM0.1 point-to-point
> description $ES_WAN$$FW_OUTSIDE$
> no ip redirects
> no ip unreachables
> no ip proxy-arp
>
> pvc 0/100
> encapsulation aal5mux ppp dialer
> dialer pool-member 1
> !
> !
> interface Vlan1
> description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$
> ip address 192.168.1.1 255.255.255.0
> ip nat inside
> ip virtual-reassembly
> !
> interface Vlan2
> no ip address
> !
> interface Dialer0
> description $FW_OUTSIDE$
> ip address negotiated
> ip access-group 101 in
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> ip mtu 1452
> ip nat outside
> ip virtual-reassembly
> encapsulation ppp
> ip route-cache flow
> dialer pool 1
> dialer-group 1
> no cdp enable
> ppp authentication pap callin
> ppp pap sent-username xxxxxxxxxpassword 7xxxxxxxx
> !
> ip route 0.0.0.0 0.0.0.0 Dialer0
> ip route 192.168.10.0 255.255.255.0 FastEthernet0
> !
> !
> ip http server
> ip http authentication local
> ip http secure-server
> ip http timeout-policy idle 5 life 86400 requests 10000
> ip nat inside source list 1 interface Dialer0 overload
> !
> access-list 1 remark INSIDE_IF=Vlan1
> access-list 1 remark SDM_ACL Category=2
> access-list 1 permit 192.168.1.0 0.0.0.255
> access-list 1 permit any
> access-list 100 permit ip any any
> access-list 101 permit udp host 210.193.2.36 eq domain any
> access-list 101 permit udp host 210.193.2.34 eq domain any
> access-list 101 deny ip 192.168.1.0 0.0.0.255 any
> access-list 101 permit icmp any any echo-reply
> access-list 101 permit icmp any any
> access-list 101 permit icmp any any unreachable
> access-list 101 deny ip 10.0.0.0 0.255.255.255 any
> access-list 101 deny ip 172.16.0.0 0.15.255.255 any
> access-list 101 deny ip 192.168.0.0 0.0.255.255 any
> access-list 101 deny ip 127.0.0.0 0.255.255.255 any
> access-list 101 deny ip host 255.255.255.255 any
> access-list 101 deny ip host 0.0.0.0 any
> access-list 101 deny ip any 192.168.1.0 0.0.0.255
> access-list 101 permit ip any any
> access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
> access-list 102 permit ip any any
> dialer-list 1 protocol ip permit
> no cdp run
>
> radius-server attribute 32 include-in-access-req format %h
> radius-server vsa send accounting
> !
> control-plane
> !
> !
> line con 0
> line aux 0
> line vty 0 4
> privilege level 15
> transport input telnet ssh
> line vty 5 15
> privilege level 15
> transport input telnet ssh
> !
> !
> webvpn context Default_context
> ssl authenticate verify all
> !
> no inservice
> !
> end
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
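As an added illustration of Chuck's point about ACL placement (this is not code from the thread), the Python below evaluates access-list 102 exactly as posted, using Cisco wildcard-mask and first-match semantics, against the flows each placement on Dot11Radio0.2 would actually see; the guest/LAN host addresses and the Internet address 203.0.113.10 are constructed sample values.

```python
import ipaddress

# access-list 102 exactly as posted in the thread (two entries, first match wins).
ACL_102 = [
    "access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 102 permit ip any any",
]

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard-mask semantics: a 1 bit in the mask means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def _take_addr(tokens):
    """Pop 'any', 'host <addr>' or '<addr> <wildcard>' off the token list."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    return t, tokens.pop(0)

def parse_acl(lines):
    """'access-list <num> <action> ip <src> <dst>' -> (action, src, dst)."""
    rules = []
    for line in lines:
        tok = line.split()[2:]           # drop 'access-list' and the number
        action, rest = tok[0], tok[2:]   # tok[1] is the protocol, always 'ip' here
        rules.append((action, _take_addr(rest), _take_addr(rest)))
    return rules

def evaluate(rules, src, dst):
    """First matching entry wins; every Cisco ACL ends in an implicit deny."""
    for action, (sb, sw), (db, dw) in rules:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

def placement_report(rules=None):
    """ACL 102's verdict for three flows; hosts and Internet address are constructed."""
    rules = rules or parse_acl(ACL_102)
    guest, lan, internet = "192.168.2.50", "192.168.1.20", "203.0.113.10"
    return {
        # 'in' on Dot11Radio0.2: packets arriving from guest clients, so src is a guest.
        "in_on_subif_guest_to_lan": evaluate(rules, guest, lan),
        "in_on_subif_guest_to_internet": evaluate(rules, guest, internet),
        # 'out' on Dot11Radio0.2: packets leaving toward guests, so src is the LAN
        # side and the deny entry can never match; this direction filters nothing.
        "out_on_subif_lan_to_guest": evaluate(rules, lan, guest),
    }
```

Run `placement_report()` to see that only the inbound placement on the subinterface ever reaches the deny entry, while guest-to-Internet traffic still hits `permit ip any any` and can be NATed.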