Question : access list on core switch for restricted guest access
I'm having a problem understanding how this access list I have applied to VLAN 997 and 999 is prohibiting access to my corporate network from the guest network (GuestWireless, PhysicianAccess). I have listed my running config from my core switch. I am running 3 Cisco wireless LAN controllers that are connected to this switch via EtherChannel. I can, however, access my guest network from my other VLANs (which is fine). I would really appreciate someone helping me understand how this works. Thanks for your responses.

Current configuration : 12597 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime
no service password-encryption
service sequence-numbers
!
hostname BigBoy
!
!
no aaa new-model
clock timezone CST -6
clock summer-time CST recurring
switch 1 provision ws-c3750g-12s
switch 2 provision ws-c3750g-12s
switch 3 provision ws-c3750g-12s
system mtu routing 1500
ip subnet-zero
ip routing
no ip domain-lookup
ip dhcp excluded-address 172.20.142.1 172.20.142.50
ip dhcp excluded-address 172.20.108.1 172.20.108.50
ip dhcp excluded-address 172.20.106.1 172.20.106.50
ip dhcp excluded-address 172.20.104.1 172.20.104.50
ip dhcp excluded-address 172.20.118.1 172.20.118.50
ip dhcp excluded-address 172.20.136.1 172.20.136.50
ip dhcp excluded-address 172.20.138.1 172.20.138.50
ip dhcp excluded-address 172.20.102.1 172.20.102.50
ip dhcp excluded-address 172.20.140.1 172.20.140.50
ip dhcp excluded-address 172.20.116.1 172.20.116.50
ip dhcp excluded-address 172.20.124.1 172.20.124.50
ip dhcp excluded-address 172.20.114.1 172.20.114.50
ip dhcp excluded-address 172.20.122.1 172.20.122.50
ip dhcp excluded-address 172.21.0.1 172.21.253.255
!
ip dhcp pool MAIN3rdFloor
 network 172.20.142.0 255.255.254.0
 default-router 172.20.142.1
 domain-name butta.org
 dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool Nursing8th
 network 172.20.108.0 255.255.254.0
 default-router 172.20.108.1
 domain-name butta.org
 dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool ICU6th
 network 172.20.106.0 255.255.254.0
 default-router 172.20.106.1
 domain-name butta.org
 dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool Nursing4th
 network 172.20.104.0 255.255.254.0
 default-router 172.20.104.1
 domain-name butta.org
 dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool Surgery3rd
 network 172.20.118.0 255.255.254.0
 default-router 172.20.118.1
 domain-name butta.org
 dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool WCNorth3rd
 network 172.20.136.0 255.255.254.0
 default-router 172.20.136.1
 domain-name butta.org
 dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool WCSouth3rd
 network 172.20.138.0 255.255.254.0
 default-router 172.20.138.1
 domain-name butta.org
 dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool Lab2nd
 network 172.20.102.0 255.255.254.0
 default-router 172.20.102.1
 domain-name butta.org
 dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool Radiology2nd
 network 172.20.140.0 255.255.254.0
 default-router 172.20.140.1
 domain-name butta.org
 dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool RadiationOncalogy2nd
 network 172.20.116.0 255.255.254.0
 default-router 172.20.116.1
 domain-name butta.org
 dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool Purchasing1st
 network 172.20.124.0 255.255.254.0
 default-router 172.20.124.1
 domain-name butta.org
 dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool Auditorium1st
 network 172.20.114.0 255.255.254.0
 default-router 172.20.114.1
 domain-name butta.org
 dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool GuestWireless
 network 10.220.0.0 255.255.255.0
 default-router 10.220.0.1
 domain-name guest.net
 dns-server 204.153.217.68 204.153.217.69
!
ip dhcp pool CORPDATA
 network 172.21.0.0 255.255.0.0
 default-router 172.21.1.1
 dns-server 172.20.45.121 172.20.45.122
 netbios-name-server 172.20.45.121 172.20.45.122
 domain-name butta.org
!
ip dhcp pool ProfessionalBuilding1
 network 172.20.122.0 255.255.254.0
 default-router 172.20.122.1
 domain-name butta.org
 dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool PhysiciansAccess
 network 10.220.10.0 255.255.255.0
 dns-server 204.153.217.68 204.153.217.69
 domain-name rmc-physician.local
 default-router 10.220.10.1
!
!
!
!
port-channel load-balance src-dst-ip
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface Port-channel1
 description Connection to Nortel Passport 8010 Core
 switchport access vlan 160
!
interface Port-channel2
 description Connection to WLC #1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 160,997-999
 switchport mode trunk
!
interface Port-channel3
 description Connection to WLC #2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 160,997-999
 switchport mode trunk
!
interface Port-channel4
 description Connection to WLC# 3
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 160,997-999
 switchport mode trunk
!
interface GigabitEthernet1/0/1
 switchport access vlan 160
 channel-group 1 mode on
!
interface GigabitEthernet1/0/2
 description Connection to WLC #1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 160,997-999
 switchport mode trunk
 channel-group 2 mode on
!
interface GigabitEthernet1/0/3
 description Connection to WLC# 2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 160,997-999
 switchport mode trunk
 channel-group 3 mode on
!
interface GigabitEthernet1/0/4
 description Connection to WLC# 3
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 160,997-999
 switchport mode trunk
 channel-group 4 mode on
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
 description Connection to WLC #1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 160,997-999
 switchport mode trunk
 channel-group 2 mode on
!
interface GigabitEthernet1/0/7
 description Connection to WLC# 2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 160,997-999
 switchport mode trunk
 channel-group 3 mode on
!
interface GigabitEthernet1/0/8
 description Connection to WLC# 3
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 160,997-999
 switchport mode trunk
 channel-group 4 mode on
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
 switchport access vlan 160
 channel-group 1 mode on
!
interface GigabitEthernet2/0/1
 switchport access vlan 160
 channel-group 1 mode on
!
interface GigabitEthernet2/0/2
 description Connection to WLC #1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 160,997-999
 switchport mode trunk
 channel-group 2 mode on
!
interface GigabitEthernet2/0/3
 description Connection to WLC# 2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 160,997-999
 switchport mode trunk
 channel-group 3 mode on
!
interface GigabitEthernet2/0/4
 description Connection to WLC# 3
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 160,997-999
 switchport mode trunk
 channel-group 4 mode on
!
interface GigabitEthernet2/0/5
!
interface GigabitEthernet2/0/6
 description Connection to WLC #1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 160,997-999
 switchport mode trunk
 channel-group 2 mode on
!
interface GigabitEthernet2/0/7
 description Connection to WLC# 2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 160,997-999
 switchport mode trunk
 channel-group 3 mode on
!
interface GigabitEthernet2/0/8
 description Connection to WLC# 3
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 160,997-999
 switchport mode trunk
 channel-group 4 mode on
!
interface GigabitEthernet2/0/9
!
interface GigabitEthernet2/0/10
!
interface GigabitEthernet2/0/11
!
interface GigabitEthernet2/0/12
 switchport access vlan 160
 channel-group 1 mode on
!
interface GigabitEthernet3/0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 160
 switchport trunk allowed vlan 104,160
 switchport mode trunk
!
interface GigabitEthernet3/0/2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 160
 switchport trunk allowed vlan 106,160
 switchport mode trunk
!
interface GigabitEthernet3/0/3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 160
 switchport trunk allowed vlan 108,160
 switchport mode trunk
!
interface GigabitEthernet3/0/4
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 160
 switchport trunk allowed vlan 114,160
 switchport mode trunk
!
interface GigabitEthernet3/0/5
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 160
 switchport trunk allowed vlan 124,160
 switchport mode trunk
!
interface GigabitEthernet3/0/6
 description Professional Plaza
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 160
 switchport trunk allowed vlan 122,160
 switchport mode trunk
!
interface GigabitEthernet3/0/7
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 160
 switchport trunk allowed vlan 140,160
 switchport mode trunk
!
interface GigabitEthernet3/0/8
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 160
 switchport trunk allowed vlan 102,160
 switchport mode trunk
!
interface GigabitEthernet3/0/9
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 160
 switchport trunk allowed vlan 138,160
 switchport mode trunk
!
interface GigabitEthernet3/0/10
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 160
 switchport trunk allowed vlan 136,160
 switchport mode trunk
!
interface GigabitEthernet3/0/11
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 160
 switchport trunk allowed vlan 118,160
 switchport mode trunk
!
interface GigabitEthernet3/0/12
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 160
 switchport trunk allowed vlan 142,160
 switchport mode trunk
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan102
 ip address 172.10.102.1 255.255.254.0 secondary
 ip address 172.20.102.1 255.255.254.0
!
interface Vlan104
 ip address 172.10.104.1 255.255.254.0 secondary
 ip address 172.20.104.1 255.255.254.0
!
interface Vlan106
 ip address 172.10.106.1 255.255.254.0 secondary
 ip address 172.20.106.1 255.255.254.0
!
interface Vlan108
 ip address 172.10.108.1 255.255.254.0 secondary
 ip address 172.20.108.1 255.255.254.0
!
interface Vlan114
 ip address 172.20.114.1 255.255.254.0
!
interface Vlan118
 ip address 172.10.118.1 255.255.254.0 secondary
 ip address 172.20.118.1 255.255.254.0
!
interface Vlan122
 ip address 172.10.122.1 255.255.254.0 secondary
 ip address 172.20.122.1 255.255.254.0
!
interface Vlan124
 ip address 172.10.124.1 255.255.254.0 secondary
 ip address 172.20.124.1 255.255.254.0
!
interface Vlan136
 ip address 172.10.136.1 255.255.254.0 secondary
 ip address 172.20.136.1 255.255.254.0
!
interface Vlan138
 ip address 172.10.138.1 255.255.254.0 secondary
 ip address 172.20.138.1 255.255.254.0
!
interface Vlan140
 ip address 172.10.140.1 255.255.254.0 secondary
 ip address 172.20.140.1 255.255.254.0
!
interface Vlan142
 ip address 172.20.142.1 255.255.254.0
!
interface Vlan160
 ip address 172.20.160.2 255.255.254.0
!
interface Vlan997
 ip address 10.220.10.1 255.255.255.0
!
interface Vlan998
 ip address 172.21.1.1 255.255.0.0
!
interface Vlan999
 ip address 10.220.0.1 255.255.255.0
 ip access-group GuestWireless in
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.20.160.1
ip http server
!
ip access-list extended GuestWireless
 deny udp any 10.0.0.0 0.255.255.255 eq domain
 deny udp any 172.16.0.0 0.15.255.255 eq domain
 deny udp any 192.168.0.0 0.0.255.255 eq domain
 permit udp any any eq domain
 permit udp any any eq bootpc
 permit udp any host 10.220.0.1 eq bootps
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 192.168.0.0 0.0.255.255
 deny ip any 172.16.0.0 0.15.255.255
 permit ip any any
ip access-list extended Physicians
 deny udp any 10.0.0.0 0.255.255.255 eq domain
 deny udp any 172.16.0.0 0.15.255.255 eq domain
 deny udp any 192.168.0.0 0.0.255.255 eq domain
 permit udp any any eq domain
 permit udp any any eq bootpc
 permit udp any host 10.220.10.1 eq bootps
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 192.168.0.0 0.0.255.255
 deny ip any 172.16.0.0 0.15.255.255
 permit ip any any
!
tftp-server 172.20.23.110
!
control-plane
!
!
line con 0
 logging synchronous
line vty 0 4
 password
 logging synchronous
 login local
 length 0
line vty 5
 password
 login local
line vty 6 15
 password
 login
!
ntp server 172.20.44.18 key 0 prefer
end
Answer : access list on core switch for restricted guest access
OK, so here goes. First of all, there is no ACL being applied on VLAN 997, so I will deal only with 999:
interface Vlan999
 ip address 10.220.0.1 255.255.255.0
 ip access-group GuestWireless in
!

ip access-list extended GuestWireless
 deny udp any 10.0.0.0 0.255.255.255 eq domain
 deny udp any 172.16.0.0 0.15.255.255 eq domain
 deny udp any 192.168.0.0 0.0.255.255 eq domain
 permit udp any any eq domain
 permit udp any any eq bootpc
 permit udp any host 10.220.0.1 eq bootps
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 192.168.0.0 0.0.255.255
 deny ip any 172.16.0.0 0.15.255.255
 permit ip any any
So the basics of each command are: permit/deny, then either tcp/udp/ip, then the source IP address/network, followed by the destination IP address/network, and then possibly the specific TCP/UDP port.

So if we look at the first line:

deny udp any 10.0.0.0 0.255.255.255 eq domain

We will deny any source IP address that is destined for the 10.x.x.x network using UDP port 53 (DNS lookups).

You also need to keep in mind how the access list is applied: in or out. Your ACL is applied inbound, meaning traffic heading into the interface VLAN 999. So this would be traffic that was generated on that VLAN heading into the layer 3 interface of VLAN 999 in order to get out somewhere else.

So your second line does the same thing, except it blocks anything from getting to the 172.16.x.x networks, and the third line does the same thing except it blocks the 192.168.x.x networks. Then after that we let you do DNS queries to anything.

The order of the ACL is important. The first line we match is the action we will take. So first we block traffic from doing DNS queries to our internal network, then we allow all other DNS queries to work, so this is most likely to an external DNS server on the internet.

Then we allow BOOTP, which is basically allowing DHCP to function.

Then we block any traffic coming into the layer 3 interface of VLAN 999 from reaching the same three networks that were blocked previously, on anything using IP.

Then we allow it to get to everything else.

So basically the flow is: block what we don't want, then open up what else remains, which should be anything on the internet.
I hope that helps.
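The first-match walk-through in the answer above, as an added example that is not part of the original thread and is not Cisco IOS code: a small Python model of IOS extended-ACL matching (first matching entry wins, implicit deny at the end), fed the GuestWireless list from the posted config. Addresses that appear in the config are used where they exist (the SVI 10.220.0.1, the corporate DNS server 172.20.45.122, the guest pool's DNS server 204.153.217.68); the client addresses 10.220.0.50, 10.220.10.20 and 172.20.142.10 and the internet host 8.8.8.8 are constructed for illustration. Because 172.20.0.0/16 lies inside 172.16.0.0/12, the corporate subnets are matched by the `172.16.0.0 0.15.255.255` entries, and 10.220.10.0/24 (PhysiciansAccess) is matched by the `10.0.0.0 0.255.255.255` entries. An interface with no access-group applied, like Vlan997 in the config, is modelled as `None` and filters nothing.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example: a model of Cisco IOS extended-ACL matching (first matching
# entry wins, implicit "deny ip any any" at the end). Not IOS code; it covers
# only the syntax the GuestWireless list on this page uses.

PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68}   # IOS port keywords


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "udp" or "tcp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # from "eq <port>", None if absent


def _network(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (wildcard mask)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)
    # An IOS wildcard mask is the bitwise inverse of a subnet mask.
    mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return ipaddress.IPv4Network(f"{tok}/{mask}", strict=False)


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src = _network(rest)          # source comes first, then destination
    dst = _network(rest)
    dport = None
    if rest and rest[0] == "eq":
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return Ace(action, proto, src, dst, dport)


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(line) for line in text.splitlines() if line.strip()]


def evaluate(acl: Optional[List[Ace]], src_ip: str, dst_ip: str,
             proto: str, dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching entry) for one packet.
    acl=None models an interface with no access-group (like Vlan997)."""
    if acl is None:
        return "permit", None
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for i, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != proto:
            continue              # "ip" entries match every protocol
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, i      # first match wins; later entries are ignored
    return "deny", None           # implicit deny at the end of every IOS ACL


# The GuestWireless list exactly as it appears in the posted running config.
GUEST_WIRELESS = parse_acl("""
deny udp any 10.0.0.0 0.255.255.255 eq domain
deny udp any 172.16.0.0 0.15.255.255 eq domain
deny udp any 192.168.0.0 0.0.255.255 eq domain
permit udp any any eq domain
permit udp any any eq bootpc
permit udp any host 10.220.0.1 eq bootps
deny ip any 10.0.0.0 0.255.255.255
deny ip any 192.168.0.0 0.0.255.255
deny ip any 172.16.0.0 0.15.255.255
permit ip any any
""")

if __name__ == "__main__":
    guest = "10.220.0.50"         # constructed guest client on VLAN 999
    for dst, proto, port, what in [
        ("172.20.45.122", "udp", 53, "DNS to the corporate DNS server"),
        ("204.153.217.68", "udp", 53, "DNS to the guest pool's DNS server"),
        ("10.220.0.1", "udp", 67, "DHCP renew to the VLAN 999 SVI"),
        ("172.20.142.10", "tcp", 445, "SMB to a corporate host"),
        ("10.220.10.20", "icmp", None, "ping to a PhysiciansAccess client"),
        ("8.8.8.8", "tcp", 443, "HTTPS to the internet"),
    ]:
        print(f"{what:38s} -> {evaluate(GUEST_WIRELESS, guest, dst, proto, port)}")
```

The index returned with each verdict is the line that decided it, which is the useful thing when reading a long ACL: the corporate DNS query is stopped by entry 1 before the `permit udp any any eq domain` on entry 3 is ever considered, while the same query to the guest DNS server falls through to entry 3. Reordering those lines would change the result, which is why the answer stresses that order matters.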