I'm having a problem understanding how this access list I have applied to VLAN 997 and 999 is prohibiting access to my corporate network from the guest networks (GuestWireless, PhysicianAccess). I have listed the running config from my core switch. I am running 3 Cisco wireless LAN controllers that are connected to this switch via EtherChannel. I can, however, access my guest network from my other VLANs (which is fine). I would really appreciate someone helping me understand how this works. Thanks for your responses.
Current configuration : 12597 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime
! Passwords are kept in clear text in this config (no type-7 obfuscation).
! The vty "password" lines at the bottom of the config appear blank/redacted
! in this paste.
no service password-encryption
service sequence-numbers
!
hostname BigBoy
!
!
! Local (non-AAA) authentication only; no AAA server is configured anywhere
! in this config.
no aaa new-model
clock timezone CST -6
clock summer-time CST recurring
switch 1 provision ws-c3750g-12s
switch 2 provision ws-c3750g-12s
switch 3 provision ws-c3750g-12s
system mtu routing 1500
ip subnet-zero
! This 3750 stack is the inter-VLAN router: traffic between the guest SVIs
! (Vlan997/999) and the directly connected 172.20.x / 172.21.x SVIs is routed
! here, so the SVI-level ACL further down is the filter that matters for
! guest-to-corporate traffic.
ip routing
no ip domain-lookup
! Each corporate pool excludes the first 50 addresses of its /23 (gateway,
! infrastructure).
ip dhcp excluded-address 172.20.142.1 172.20.142.50
ip dhcp excluded-address 172.20.108.1 172.20.108.50
ip dhcp excluded-address 172.20.106.1 172.20.106.50
ip dhcp excluded-address 172.20.104.1 172.20.104.50
ip dhcp excluded-address 172.20.118.1 172.20.118.50
ip dhcp excluded-address 172.20.136.1 172.20.136.50
ip dhcp excluded-address 172.20.138.1 172.20.138.50
ip dhcp excluded-address 172.20.102.1 172.20.102.50
ip dhcp excluded-address 172.20.140.1 172.20.140.50
ip dhcp excluded-address 172.20.116.1 172.20.116.50
ip dhcp excluded-address 172.20.124.1 172.20.124.50
ip dhcp excluded-address 172.20.114.1 172.20.114.50
ip dhcp excluded-address 172.20.122.1 172.20.122.50
! Almost the whole CORPDATA /16 is excluded; only roughly
! 172.21.254.0 - 172.21.255.254 remain assignable from that pool.
ip dhcp excluded-address 172.21.0.1 172.21.253.255
!
! Corporate pools: one /23 per floor/department, all pointing at the internal
! DNS servers 172.20.45.121/.122 and the butta.org domain. The two guest pools
! (GuestWireless, PhysiciansAccess) instead hand out the public resolvers
! 204.153.217.68/.69 -- consistent with the GuestWireless ACL, which drops DNS
! queries from guests toward private address space.
ip dhcp pool MAIN3rdFloor
network 172.20.142.0 255.255.254.0
default-router 172.20.142.1
domain-name butta.org
dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool Nursing8th
network 172.20.108.0 255.255.254.0
default-router 172.20.108.1
domain-name butta.org
dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool ICU6th
network 172.20.106.0 255.255.254.0
default-router 172.20.106.1
domain-name butta.org
dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool Nursing4th
network 172.20.104.0 255.255.254.0
default-router 172.20.104.1
domain-name butta.org
dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool Surgery3rd
network 172.20.118.0 255.255.254.0
default-router 172.20.118.1
domain-name butta.org
dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool WCNorth3rd
network 172.20.136.0 255.255.254.0
default-router 172.20.136.1
domain-name butta.org
dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool WCSouth3rd
network 172.20.138.0 255.255.254.0
default-router 172.20.138.1
domain-name butta.org
dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool Lab2nd
network 172.20.102.0 255.255.254.0
default-router 172.20.102.1
domain-name butta.org
dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool Radiology2nd
network 172.20.140.0 255.255.254.0
default-router 172.20.140.1
domain-name butta.org
dns-server 172.20.45.122 172.20.45.121
!
! No SVI for VLAN 116 exists in this config; this pool's gateway
! 172.20.116.1 is not configured on this switch (may live elsewhere).
ip dhcp pool RadiationOncalogy2nd
network 172.20.116.0 255.255.254.0
default-router 172.20.116.1
domain-name butta.org
dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool Purchasing1st
network 172.20.124.0 255.255.254.0
default-router 172.20.124.1
domain-name butta.org
dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool Auditorium1st
network 172.20.114.0 255.255.254.0
default-router 172.20.114.1
domain-name butta.org
dns-server 172.20.45.122 172.20.45.121
!
! Guest pool served on Vlan999 (10.220.0.1). Public DNS only.
ip dhcp pool GuestWireless
network 10.220.0.0 255.255.255.0
default-router 10.220.0.1
domain-name guest.net
dns-server 204.153.217.68 204.153.217.69
!
! Corporate wireless data pool served on Vlan998 (172.21.1.1/16).
ip dhcp pool CORPDATA
network 172.21.0.0 255.255.0.0
default-router 172.21.1.1
dns-server 172.20.45.121 172.20.45.122
netbios-name-server 172.20.45.121 172.20.45.122
domain-name butta.org
!
ip dhcp pool ProfessionalBuilding1
network 172.20.122.0 255.255.254.0
default-router 172.20.122.1
domain-name butta.org
dns-server 172.20.45.122 172.20.45.121
!
! Second guest pool, served on Vlan997 (10.220.10.1). The question refers to it
! as "PhysicianAccess" and the matching ACL below is named "Physicians".
ip dhcp pool PhysiciansAccess
network 10.220.10.0 255.255.255.0
dns-server 204.153.217.68 204.153.217.69
domain-name rmc-physician.local
default-router 10.220.10.1
!
!
!
!
! EtherChannel hashing on source/destination IP pairs.
port-channel load-balance src-dst-ip
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
! Po1: access port in VLAN 160 toward the Nortel core. The default route
! (0.0.0.0/0 -> 172.20.160.1) sends all off-switch traffic, including
! guest internet traffic, over this link.
interface Port-channel1
description Connection to Nortel Passport 8010 Core
switchport access vlan 160
!
! Po2-Po4: one static trunk per WLC carrying VLAN 160 (management/core),
! 997 (PhysiciansAccess), 998 (CORPDATA) and 999 (GuestWireless). No native
! VLAN is set, so untagged frames would map to VLAN 1, which is not in the
! allowed list and is therefore dropped.
interface Port-channel2
description Connection to WLC #1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 160,997-999
switchport mode trunk
!
interface Port-channel3
description Connection to WLC #2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 160,997-999
switchport mode trunk
!
interface Port-channel4
description Connection to WLC# 3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 160,997-999
switchport mode trunk
! Physical members of the channel groups above. "channel-group N mode on" is a
! static bundle: no LACP/PAgP negotiation, so a mis-cabled member is not
! detected by the channel protocol. Member config mirrors the Port-channel
! config (required for the bundle to form).
interface GigabitEthernet1/0/1
switchport access vlan 160
channel-group 1 mode on
!
interface GigabitEthernet1/0/2
description Connection to WLC #1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 160,997-999
switchport mode trunk
channel-group 2 mode on
!
interface GigabitEthernet1/0/3
description Connection to WLC# 2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 160,997-999
switchport mode trunk
channel-group 3 mode on
!
interface GigabitEthernet1/0/4
description Connection to WLC# 3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 160,997-999
switchport mode trunk
channel-group 4 mode on
!
! Unused ports (1/0/5, 1/0/9-11, 2/0/5, 2/0/9-11) are left at platform
! defaults and are not shut down.
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
description Connection to WLC #1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 160,997-999
switchport mode trunk
channel-group 2 mode on
!
interface GigabitEthernet1/0/7
description Connection to WLC# 2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 160,997-999
switchport mode trunk
channel-group 3 mode on
!
interface GigabitEthernet1/0/8
description Connection to WLC# 3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 160,997-999
switchport mode trunk
channel-group 4 mode on
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
switchport access vlan 160
channel-group 1 mode on
!
interface GigabitEthernet2/0/1
switchport access vlan 160
channel-group 1 mode on
!
interface GigabitEthernet2/0/2
description Connection to WLC #1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 160,997-999
switchport mode trunk
channel-group 2 mode on
!
interface GigabitEthernet2/0/3
description Connection to WLC# 2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 160,997-999
switchport mode trunk
channel-group 3 mode on
!
interface GigabitEthernet2/0/4
description Connection to WLC# 3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 160,997-999
switchport mode trunk
channel-group 4 mode on
!
interface GigabitEthernet2/0/5
!
interface GigabitEthernet2/0/6
description Connection to WLC #1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 160,997-999
switchport mode trunk
channel-group 2 mode on
!
interface GigabitEthernet2/0/7
description Connection to WLC# 2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 160,997-999
switchport mode trunk
channel-group 3 mode on
!
interface GigabitEthernet2/0/8
description Connection to WLC# 3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 160,997-999
switchport mode trunk
channel-group 4 mode on
!
interface GigabitEthernet2/0/9
!
interface GigabitEthernet2/0/10
!
interface GigabitEthernet2/0/11
!
interface GigabitEthernet2/0/12
switchport access vlan 160
channel-group 1 mode on
!
! Gi3/0/1-12: downlink trunks, one per floor/building switch. Each carries its
! floor VLAN tagged plus VLAN 160 untagged (native). VLAN 160 is also the
! core-facing VLAN on Po1, so untagged frames from any floor switch land in
! the same VLAN as the core uplink.
interface GigabitEthernet3/0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 160
switchport trunk allowed vlan 104,160
switchport mode trunk
!
interface GigabitEthernet3/0/2
switchport trunk encapsulation dot1q
switchport trunk native vlan 160
switchport trunk allowed vlan 106,160
switchport mode trunk
!
interface GigabitEthernet3/0/3
switchport trunk encapsulation dot1q
switchport trunk native vlan 160
switchport trunk allowed vlan 108,160
switchport mode trunk
!
interface GigabitEthernet3/0/4
switchport trunk encapsulation dot1q
switchport trunk native vlan 160
switchport trunk allowed vlan 114,160
switchport mode trunk
!
interface GigabitEthernet3/0/5
switchport trunk encapsulation dot1q
switchport trunk native vlan 160
switchport trunk allowed vlan 124,160
switchport mode trunk
!
interface GigabitEthernet3/0/6
description Professional Plaza
switchport trunk encapsulation dot1q
switchport trunk native vlan 160
switchport trunk allowed vlan 122,160
switchport mode trunk
!
interface GigabitEthernet3/0/7
switchport trunk encapsulation dot1q
switchport trunk native vlan 160
switchport trunk allowed vlan 140,160
switchport mode trunk
!
interface GigabitEthernet3/0/8
switchport trunk encapsulation dot1q
switchport trunk native vlan 160
switchport trunk allowed vlan 102,160
switchport mode trunk
!
interface GigabitEthernet3/0/9
switchport trunk encapsulation dot1q
switchport trunk native vlan 160
switchport trunk allowed vlan 138,160
switchport mode trunk
!
interface GigabitEthernet3/0/10
switchport trunk encapsulation dot1q
switchport trunk native vlan 160
switchport trunk allowed vlan 136,160
switchport mode trunk
!
interface GigabitEthernet3/0/11
switchport trunk encapsulation dot1q
switchport trunk native vlan 160
switchport trunk allowed vlan 118,160
switchport mode trunk
!
interface GigabitEthernet3/0/12
switchport trunk encapsulation dot1q
switchport trunk native vlan 160
switchport trunk allowed vlan 142,160
switchport mode trunk
!
! VLAN 1 SVI is shut down. VLAN 1 is still the (unconfigured) native VLAN on
! the WLC trunks Po2-Po4.
interface Vlan1
no ip address
shutdown
!
! Corporate SVIs. Most carry a 172.10.x.1/23 SECONDARY address in addition to
! the 172.20.x.1/23 primary. 172.10.0.0/16 is outside 172.16.0.0/12 and is not
! RFC1918 space, so the "deny ip any 172.16.0.0 0.15.255.255" entries in the
! guest ACLs below do NOT cover these secondary subnets (or the SVI addresses
! themselves); see the note on the GuestWireless ACL.
interface Vlan102
ip address 172.10.102.1 255.255.254.0 secondary
ip address 172.20.102.1 255.255.254.0
!
interface Vlan104
ip address 172.10.104.1 255.255.254.0 secondary
ip address 172.20.104.1 255.255.254.0
!
interface Vlan106
ip address 172.10.106.1 255.255.254.0 secondary
ip address 172.20.106.1 255.255.254.0
!
interface Vlan108
ip address 172.10.108.1 255.255.254.0 secondary
ip address 172.20.108.1 255.255.254.0
!
interface Vlan114
ip address 172.20.114.1 255.255.254.0
!
interface Vlan118
ip address 172.10.118.1 255.255.254.0 secondary
ip address 172.20.118.1 255.255.254.0
!
interface Vlan122
ip address 172.10.122.1 255.255.254.0 secondary
ip address 172.20.122.1 255.255.254.0
!
interface Vlan124
ip address 172.10.124.1 255.255.254.0 secondary
ip address 172.20.124.1 255.255.254.0
!
interface Vlan136
ip address 172.10.136.1 255.255.254.0 secondary
ip address 172.20.136.1 255.255.254.0
!
interface Vlan138
ip address 172.10.138.1 255.255.254.0 secondary
ip address 172.20.138.1 255.255.254.0
!
interface Vlan140
ip address 172.10.140.1 255.255.254.0 secondary
ip address 172.20.140.1 255.255.254.0
!
interface Vlan142
ip address 172.20.142.1 255.255.254.0
!
! Core/management VLAN; next hop for the default route is 172.20.160.1.
interface Vlan160
ip address 172.20.160.2 255.255.254.0
!
! PhysiciansAccess guest VLAN (10.220.10.0/24). NO "ip access-group" is applied
! here, and the "Physicians" ACL defined below is not referenced anywhere in
! this config, so traffic from VLAN 997 is routed to every other SVI
! unfiltered by this switch. If VLAN 997 clients are in fact being blocked
! from the corporate subnets, that filtering is happening somewhere else
! (e.g. on the WLC), not in this config. To filter here:
! "ip access-group Physicians in" under this interface.
interface Vlan997
ip address 10.220.10.1 255.255.255.0
!
! CORPDATA wireless SVI (172.21.0.0/16). No ACL; corporate wireless clients
! route freely, which matches the pool's internal DNS/NetBIOS settings.
interface Vlan998
ip address 172.21.1.1 255.255.0.0
!
! GuestWireless SVI. The ACL is applied INBOUND, i.e. it is evaluated on
! packets entering this switch from guest clients (guest -> anywhere). Return
! traffic from corporate VLANs toward 10.220.0.0/24 is routed out of this SVI
! and is not checked by an inbound ACL, which is why the other VLANs can still
! reach the guest network.
interface Vlan999
ip address 10.220.0.1 255.255.255.0
ip access-group GuestWireless in
ip classless
! All non-connected destinations (including guest internet traffic) go to the
! Nortel core over VLAN 160.
ip route 0.0.0.0 0.0.0.0 172.20.160.1
! Clear-text HTTP management is enabled and no "ip http access-class" is
! configured; it answers on every SVI address, including the 172.10.x.1
! secondaries that the guest ACLs do not block. Consider "no ip http server"
! (or "ip http secure-server" restricted with "ip http access-class").
ip http server
!
! Applied inbound on Vlan999. Evaluated top-down, first match wins; the
! implicit deny at the end is never reached because of the final
! "permit ip any any".
ip access-list extended GuestWireless
! 1. DNS (udp/53) toward RFC1918 space is dropped, so guests cannot query the
!    internal resolvers 172.20.45.121/.122 and must use the public DNS
!    servers handed out by the GuestWireless pool.
deny udp any 10.0.0.0 0.255.255.255 eq domain
deny udp any 172.16.0.0 0.15.255.255 eq domain
deny udp any 192.168.0.0 0.0.255.255 eq domain
! 2. DNS to any other (public) resolver is allowed.
permit udp any any eq domain
! 3. UDP to destination port 68 (bootpc, the DHCP client port). Client
!    requests entering this interface are sent to port 67, so this entry is
!    unlikely to match much here; it is harmless.
permit udp any any eq bootpc
! 4. DHCP (udp/67) unicast to this SVI, which is the pool's gateway/server.
!    The initial broadcast DISCOVER (destination 255.255.255.255) does not
!    match this entry and appears to fall through to the final permit.
permit udp any host 10.220.0.1 eq bootps
! 5. All other IP traffic toward RFC1918 space is dropped. This is the entry
!    that blocks guests from the 172.20.x corporate subnets, the 172.21.x
!    CORPDATA subnet, the other guest VLAN (10.220.10.0/24) and this switch's
!    own 10.x/172.20.x/172.21.x SVI addresses.
!    GAP: the 172.10.x.0/23 secondary subnets on Vlan102-140 (and the
!    172.10.x.1 SVI addresses) are outside 172.16.0.0/12, so nothing below
!    matches them and the final permit lets guest traffic through to them.
!    If that space is internal, add "deny ip any 172.10.0.0 0.0.255.255"
!    before "permit ip any any".
deny ip any 10.0.0.0 0.255.255.255
deny ip any 192.168.0.0 0.0.255.255
deny ip any 172.16.0.0 0.15.255.255
! 6. Everything else (internet-bound) is permitted.
permit ip any any
! Identical to GuestWireless except for the DHCP server address (10.220.10.1).
! NOT applied to any interface in this config -- Vlan997 has no
! "ip access-group" line -- so it currently has no effect. The same 172.10.x
! gap noted above applies here.
ip access-list extended Physicians
deny udp any 10.0.0.0 0.255.255.255 eq domain
deny udp any 172.16.0.0 0.15.255.255 eq domain
deny udp any 192.168.0.0 0.0.255.255 eq domain
permit udp any any eq domain
permit udp any any eq bootpc
permit udp any host 10.220.10.1 eq bootps
deny ip any 10.0.0.0 0.255.255.255
deny ip any 192.168.0.0 0.0.255.255
deny ip any 172.16.0.0 0.15.255.255
permit ip any any
!
tftp-server 172.20.23.110
!
control-plane
!
!
line con 0
logging synchronous
! vty 0-4: "login local" authenticates against local "username" entries, but
! no "username" line appears in this config; if the paste is complete these
! lines would reject every login. The "password" value is blank/redacted in
! this paste. No "access-class" is set on any vty, so remote management is
! accepted from any source an interface ACL lets through -- including guest
! clients reaching a 172.10.x.1 SVI address, which the guest ACLs do not
! block. No "transport input" restriction is visible either (Telnet allowed).
line vty 0 4
password
logging synchronous
login local
! Disables output paging on these sessions.
length 0
line vty 5
password
login local
! vty 6-15 use the line password ("login") rather than local users.
line vty 6 15
password
login
!
! "key 0" with no "ntp authenticate"/"ntp authentication-key" lines visible:
! the time source appears to be unauthenticated.
ntp server 172.20.44.18 key 0 prefer
end