Question : access list on core switch for restricted guest access

im having a problem understanding how this access list i have applied to vlan 997 and 999 is prohibiting access to my corporate network from the guest network (GuestWireless
, PhysicianAccess). i have listed my running config from my core switch. i am running 3 cisco wireless lan controllers that are connected to this switch via etherchannel. I can however access my guest network from my other vlans (which is fine). I would really appreciate someone helping me understand how this works. Thanks for your responses.

Current configuration : 12597 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime
no service password-encryption
service sequence-numbers
!
hostname BigBoy
!
!
no aaa new-model
clock timezone CST -6
clock summer-time CST recurring
switch 1 provision ws-c3750g-12s
switch 2 provision ws-c3750g-12s
switch 3 provision ws-c3750g-12s
system mtu routing 1500
ip subnet-zero
ip routing
no ip domain-lookup
ip dhcp excluded-address 172.20.142.1 172.20.142.50
ip dhcp excluded-address 172.20.108.1 172.20.108.50
ip dhcp excluded-address 172.20.106.1 172.20.106.50
ip dhcp excluded-address 172.20.104.1 172.20.104.50
ip dhcp excluded-address 172.20.118.1 172.20.118.50
ip dhcp excluded-address 172.20.136.1 172.20.136.50
ip dhcp excluded-address 172.20.138.1 172.20.138.50
ip dhcp excluded-address 172.20.102.1 172.20.102.50
ip dhcp excluded-address 172.20.140.1 172.20.140.50
ip dhcp excluded-address 172.20.116.1 172.20.116.50
ip dhcp excluded-address 172.20.124.1 172.20.124.50
ip dhcp excluded-address 172.20.114.1 172.20.114.50
ip dhcp excluded-address 172.20.122.1 172.20.122.50
ip dhcp excluded-address 172.21.0.1 172.21.253.255
!
ip dhcp pool MAIN3rdFloor
network 172.20.142.0 255.255.254.0
default-router 172.20.142.1
domain-name butta.org
dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool Nursing8th
network 172.20.108.0 255.255.254.0
default-router 172.20.108.1
domain-name butta.org
dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool ICU6th
network 172.20.106.0 255.255.254.0
default-router 172.20.106.1
domain-name butta.org
dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool Nursing4th
network 172.20.104.0 255.255.254.0
default-router 172.20.104.1
domain-name butta.org
dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool Surgery3rd
network 172.20.118.0 255.255.254.0
default-router 172.20.118.1
domain-name butta.org
dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool WCNorth3rd
network 172.20.136.0 255.255.254.0
default-router 172.20.136.1
domain-name butta.org
dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool WCSouth3rd
network 172.20.138.0 255.255.254.0
default-router 172.20.138.1
domain-name butta.org
dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool Lab2nd
network 172.20.102.0 255.255.254.0
default-router 172.20.102.1
domain-name butta.org
dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool Radiology2nd
network 172.20.140.0 255.255.254.0
default-router 172.20.140.1
domain-name butta.org
dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool RadiationOncalogy2nd
network 172.20.116.0 255.255.254.0
default-router 172.20.116.1
domain-name butta.org
dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool Purchasing1st
network 172.20.124.0 255.255.254.0
default-router 172.20.124.1
domain-name butta.org
dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool Auditorium1st
network 172.20.114.0 255.255.254.0
default-router 172.20.114.1
domain-name butta.org
dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool GuestWireless
network 10.220.0.0 255.255.255.0
default-router 10.220.0.1
domain-name guest.net
dns-server 204.153.217.68 204.153.217.69
!
ip dhcp pool CORPDATA
network 172.21.0.0 255.255.0.0
default-router 172.21.1.1
dns-server 172.20.45.121 172.20.45.122
netbios-name-server 172.20.45.121 172.20.45.122
domain-name butta.org
!
ip dhcp pool ProfessionalBuilding1
network 172.20.122.0 255.255.254.0
default-router 172.20.122.1
domain-name butta.org
dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool PhysiciansAccess
network 10.220.10.0 255.255.255.0
dns-server 204.153.217.68 204.153.217.69
domain-name rmc-physician.local
default-router 10.220.10.1
!
!
!
!
port-channel load-balance src-dst-ip
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface Port-channel1
description Connection to Nortel Passport 8010 Core
switchport access vlan 160
!
interface Port-channel2
description Connection to WLC #1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 160,997-999
switchport mode trunk
!
interface Port-channel3
description Connection to WLC #2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 160,997-999
switchport mode trunk
!
interface Port-channel4
description Connection to WLC# 3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 160,997-999
switchport mode trunk
!
interface GigabitEthernet1/0/1
switchport access vlan 160
channel-group 1 mode on
!
interface GigabitEthernet1/0/2
description Connection to WLC #1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 160,997-999
switchport mode trunk
channel-group 2 mode on
!
interface GigabitEthernet1/0/3
description Connection to WLC# 2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 160,997-999
switchport mode trunk
channel-group 3 mode on
!
interface GigabitEthernet1/0/4
description Connection to WLC# 3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 160,997-999
switchport mode trunk
channel-group 4 mode on
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
description Connection to WLC #1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 160,997-999
switchport mode trunk
channel-group 2 mode on
!
interface GigabitEthernet1/0/7
description Connection to WLC# 2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 160,997-999
switchport mode trunk
channel-group 3 mode on
!
interface GigabitEthernet1/0/8
description Connection to WLC# 3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 160,997-999
switchport mode trunk
channel-group 4 mode on
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
switchport access vlan 160
channel-group 1 mode on
!
interface GigabitEthernet2/0/1
switchport access vlan 160
channel-group 1 mode on
!
interface GigabitEthernet2/0/2
description Connection to WLC #1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 160,997-999
switchport mode trunk
channel-group 2 mode on
!
interface GigabitEthernet2/0/3
description Connection to WLC# 2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 160,997-999
switchport mode trunk
channel-group 3 mode on
!
interface GigabitEthernet2/0/4
description Connection to WLC# 3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 160,997-999
switchport mode trunk
channel-group 4 mode on
!
interface GigabitEthernet2/0/5
!
interface GigabitEthernet2/0/6
description Connection to WLC #1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 160,997-999
switchport mode trunk
channel-group 2 mode on
!
interface GigabitEthernet2/0/7
description Connection to WLC# 2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 160,997-999
switchport mode trunk
channel-group 3 mode on
!
interface GigabitEthernet2/0/8
description Connection to WLC# 3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 160,997-999
switchport mode trunk
channel-group 4 mode on
!
interface GigabitEthernet2/0/9
!
interface GigabitEthernet2/0/10
!
interface GigabitEthernet2/0/11
!
interface GigabitEthernet2/0/12
switchport access vlan 160
channel-group 1 mode on
!
interface GigabitEthernet3/0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 160
switchport trunk allowed vlan 104,160
switchport mode trunk
!
interface GigabitEthernet3/0/2
switchport trunk encapsulation dot1q
switchport trunk native vlan 160
switchport trunk allowed vlan 106,160
switchport mode trunk
!
interface GigabitEthernet3/0/3
switchport trunk encapsulation dot1q
switchport trunk native vlan 160
switchport trunk allowed vlan 108,160
switchport mode trunk
!
interface GigabitEthernet3/0/4
switchport trunk encapsulation dot1q
switchport trunk native vlan 160
switchport trunk allowed vlan 114,160
switchport mode trunk
!
interface GigabitEthernet3/0/5
switchport trunk encapsulation dot1q
switchport trunk native vlan 160
switchport trunk allowed vlan 124,160
switchport mode trunk
!
interface GigabitEthernet3/0/6
description Professional Plaza
switchport trunk encapsulation dot1q
switchport trunk native vlan 160
switchport trunk allowed vlan 122,160
switchport mode trunk
!
interface GigabitEthernet3/0/7
switchport trunk encapsulation dot1q
switchport trunk native vlan 160
switchport trunk allowed vlan 140,160
switchport mode trunk
!
interface GigabitEthernet3/0/8
switchport trunk encapsulation dot1q
switchport trunk native vlan 160
switchport trunk allowed vlan 102,160
switchport mode trunk
!
interface GigabitEthernet3/0/9
switchport trunk encapsulation dot1q
switchport trunk native vlan 160
switchport trunk allowed vlan 138,160
switchport mode trunk
!
interface GigabitEthernet3/0/10
switchport trunk encapsulation dot1q
switchport trunk native vlan 160
switchport trunk allowed vlan 136,160
switchport mode trunk
!
interface GigabitEthernet3/0/11
switchport trunk encapsulation dot1q
switchport trunk native vlan 160
switchport trunk allowed vlan 118,160
switchport mode trunk
!
interface GigabitEthernet3/0/12
switchport trunk encapsulation dot1q
switchport trunk native vlan 160
switchport trunk allowed vlan 142,160
switchport mode trunk
!
interface Vlan1
no ip address
shutdown
!
interface Vlan102
ip address 172.10.102.1 255.255.254.0 secondary
ip address 172.20.102.1 255.255.254.0
!
interface Vlan104
ip address 172.10.104.1 255.255.254.0 secondary
ip address 172.20.104.1 255.255.254.0
!
interface Vlan106
ip address 172.10.106.1 255.255.254.0 secondary
ip address 172.20.106.1 255.255.254.0
!
interface Vlan108
ip address 172.10.108.1 255.255.254.0 secondary
ip address 172.20.108.1 255.255.254.0
!
interface Vlan114
ip address 172.20.114.1 255.255.254.0
!
interface Vlan118
ip address 172.10.118.1 255.255.254.0 secondary
ip address 172.20.118.1 255.255.254.0
!
interface Vlan122
ip address 172.10.122.1 255.255.254.0 secondary
ip address 172.20.122.1 255.255.254.0
!
interface Vlan124
ip address 172.10.124.1 255.255.254.0 secondary
ip address 172.20.124.1 255.255.254.0
!
interface Vlan136
ip address 172.10.136.1 255.255.254.0 secondary
ip address 172.20.136.1 255.255.254.0
!
interface Vlan138
ip address 172.10.138.1 255.255.254.0 secondary
ip address 172.20.138.1 255.255.254.0
!
interface Vlan140
ip address 172.10.140.1 255.255.254.0 secondary
ip address 172.20.140.1 255.255.254.0
!
interface Vlan142
ip address 172.20.142.1 255.255.254.0
!
interface Vlan160
ip address 172.20.160.2 255.255.254.0
!
interface Vlan997
ip address 10.220.10.1 255.255.255.0
!
interface Vlan998
ip address 172.21.1.1 255.255.0.0
!
interface Vlan999
ip address 10.220.0.1 255.255.255.0
ip access-group GuestWireless in
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.20.160.1
ip http server
!
ip access-list extended GuestWireless
deny udp any 10.0.0.0 0.255.255.255 eq domain
deny udp any 172.16.0.0 0.15.255.255 eq domain
deny udp any 192.168.0.0 0.0.255.255 eq domain
permit udp any any eq domain
permit udp any any eq bootpc
permit udp any host 10.220.0.1 eq bootps
deny ip any 10.0.0.0 0.255.255.255
deny ip any 192.168.0.0 0.0.255.255
deny ip any 172.16.0.0 0.15.255.255
permit ip any any
ip access-list extended Physicians
deny udp any 10.0.0.0 0.255.255.255 eq domain
deny udp any 172.16.0.0 0.15.255.255 eq domain
deny udp any 192.168.0.0 0.0.255.255 eq domain
permit udp any any eq domain
permit udp any any eq bootpc
permit udp any host 10.220.10.1 eq bootps
deny ip any 10.0.0.0 0.255.255.255
deny ip any 192.168.0.0 0.0.255.255
deny ip any 172.16.0.0 0.15.255.255
permit ip any any
!
tftp-server 172.20.23.110
!
control-plane
!
!
line con 0
logging synchronous
line vty 0 4
password
logging synchronous
login local
length 0
line vty 5
password
login local
line vty 6 15
password
login
!
ntp server 172.20.44.18 key 0 prefer
end

Answer : access list on core switch for restricted guest access

Ok so here goes. First of all there is no acl being applied on vlan 997 so I will deal only with 999

interface Vlan999
ip address 10.220.0.1 255.255.255.0
ip access-group GuestWireless in
!

ip access-list extended GuestWireless
deny udp any 10.0.0.0 0.255.255.255 eq domain
deny udp any 172.16.0.0 0.15.255.255 eq domain
deny udp any 192.168.0.0 0.0.255.255 eq domain
permit udp any any eq domain
permit udp any any eq bootpc
permit udp any host 10.220.0.1 eq bootps
deny ip any 10.0.0.0 0.255.255.255
deny ip any 192.168.0.0 0.0.255.255
deny ip any 172.16.0.0 0.15.255.255
permit ip any any

so the basics of each command is permit / deny and either tcp/udp/ip then the source ip address/network followed by the destination ip address/network and then possibly the specific tcp/udp port.

so if we look at the first line:
deny udp any 10.0.0.0 0.255.255.255 eq domain

We will deny any source ip address that is destined for the 10.x.x.x network using udp port 53 (dns lookups)

You also need to keep in mind how the access-list is applied.. in or out. your acl is applied inbound, meaning traffic heading into the interface vlan 999. So this would be traffic that was generated on that vlan heading into the layer vlan 999 in order to get out somewhere else...

So your second line does the same thing, except blocks anything from getting to the 172.16.x.x networks and the 3rd line the same thing except blocks the 192.168.x.x networks. Then after that we let you do dns queries to anything.

The order of the acl is important. The first line we match is the action we will take. So first we block traffic from doing dns queries to our internal network then we allow all other dns queries to work so this is most likely to an external dns server on the internet.

Then we allow bootp which is basically allowing dhcp to function.

Then we block any traffic coming in to the layer 3 interface of vlan 999 from reaching the same 3 networks that were blocked previously on anything using IP.

Then we allow it to get to everything else.

So basically the flow is block what we don't want then open up what else remains, which should be anything on the internet.

I hope that helps.

Random Solutions

Windows Mobile OWA Secure setup?

How to use dynamic variables in sed

Select rows based on XML.exist with multiple values

IIS 7 - redirect HTTP to HTTPS

Move an Option Group object

Seting up routing connectors in exchange 2003

What encryption type is this ?

Problems with date function PHP

Progress Bar will not fire while tree is loading in vb.net windows application

Change $NtUninstall path permanently