access list on core switch for restricted guest access

Last Modified: 2013-11-12
I'm having a problem understanding how this access list I have applied to VLAN 997 and 999 is prohibiting access to my corporate network from the guest network (GuestWireless, PhysiciansAccess).
I have listed my running config from my core switch. I am running 3 Cisco wireless LAN controllers that are connected to this switch via EtherChannel. I can, however, access my guest network from my other VLANs (which is fine). I would really appreciate someone helping me understand how this works. Thanks for your responses.

Current configuration : 12597 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime
no service password-encryption
service sequence-numbers
!
hostname BigBoy
!
!
no aaa new-model
clock timezone CST -6
clock summer-time CST recurring
switch 1 provision ws-c3750g-12s
switch 2 provision ws-c3750g-12s
switch 3 provision ws-c3750g-12s
system mtu routing 1500
ip subnet-zero
ip routing
no ip domain-lookup
ip dhcp excluded-address 172.20.142.1 172.20.142.50
ip dhcp excluded-address 172.20.108.1 172.20.108.50
ip dhcp excluded-address 172.20.106.1 172.20.106.50
ip dhcp excluded-address 172.20.104.1 172.20.104.50
ip dhcp excluded-address 172.20.118.1 172.20.118.50
ip dhcp excluded-address 172.20.136.1 172.20.136.50
ip dhcp excluded-address 172.20.138.1 172.20.138.50
ip dhcp excluded-address 172.20.102.1 172.20.102.50
ip dhcp excluded-address 172.20.140.1 172.20.140.50
ip dhcp excluded-address 172.20.116.1 172.20.116.50
ip dhcp excluded-address 172.20.124.1 172.20.124.50
ip dhcp excluded-address 172.20.114.1 172.20.114.50
ip dhcp excluded-address 172.20.122.1 172.20.122.50
ip dhcp excluded-address 172.21.0.1 172.21.253.255
!
ip dhcp pool MAIN3rdFloor
   network 172.20.142.0 255.255.254.0
   default-router 172.20.142.1
   domain-name butta.org
   dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool Nursing8th
   network 172.20.108.0 255.255.254.0
   default-router 172.20.108.1
   domain-name butta.org
   dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool ICU6th
   network 172.20.106.0 255.255.254.0
   default-router 172.20.106.1
   domain-name butta.org
   dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool Nursing4th
   network 172.20.104.0 255.255.254.0
   default-router 172.20.104.1
   domain-name butta.org
   dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool Surgery3rd
   network 172.20.118.0 255.255.254.0
   default-router 172.20.118.1
   domain-name butta.org
   dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool WCNorth3rd
   network 172.20.136.0 255.255.254.0
   default-router 172.20.136.1
   domain-name butta.org
   dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool WCSouth3rd
   network 172.20.138.0 255.255.254.0
   default-router 172.20.138.1
   domain-name butta.org
   dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool Lab2nd
   network 172.20.102.0 255.255.254.0
   default-router 172.20.102.1
   domain-name butta.org
   dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool Radiology2nd
   network 172.20.140.0 255.255.254.0
   default-router 172.20.140.1
   domain-name butta.org
   dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool RadiationOncalogy2nd
   network 172.20.116.0 255.255.254.0
   default-router 172.20.116.1
   domain-name butta.org
   dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool Purchasing1st
   network 172.20.124.0 255.255.254.0
   default-router 172.20.124.1
   domain-name butta.org
   dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool Auditorium1st
   network 172.20.114.0 255.255.254.0
   default-router 172.20.114.1
   domain-name butta.org
   dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool GuestWireless
   network 10.220.0.0 255.255.255.0
   default-router 10.220.0.1
   domain-name guest.net
   dns-server 204.153.217.68 204.153.217.69
!
ip dhcp pool CORPDATA
   network 172.21.0.0 255.255.0.0
   default-router 172.21.1.1
   dns-server 172.20.45.121 172.20.45.122
   netbios-name-server 172.20.45.121 172.20.45.122
   domain-name butta.org
!
ip dhcp pool ProfessionalBuilding1
   network 172.20.122.0 255.255.254.0
   default-router 172.20.122.1
   domain-name butta.org
   dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool PhysiciansAccess
   network 10.220.10.0 255.255.255.0
   dns-server 204.153.217.68 204.153.217.69
   domain-name rmc-physician.local
   default-router 10.220.10.1
!
!
!
!
port-channel load-balance src-dst-ip
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface Port-channel1
 description Connection to Nortel Passport 8010 Core
 switchport access vlan 160
!
interface Port-channel2
 description Connection to WLC #1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 160,997-999
 switchport mode trunk
!
interface Port-channel3
 description Connection to WLC #2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 160,997-999
 switchport mode trunk
!
interface Port-channel4
 description Connection to WLC# 3
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 160,997-999
 switchport mode trunk
!
interface GigabitEthernet1/0/1
 switchport access vlan 160
 channel-group 1 mode on
!
interface GigabitEthernet1/0/2
 description Connection to WLC #1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 160,997-999
 switchport mode trunk
 channel-group 2 mode on
!
interface GigabitEthernet1/0/3
 description Connection to WLC# 2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 160,997-999
 switchport mode trunk
 channel-group 3 mode on
!
interface GigabitEthernet1/0/4
 description Connection to WLC# 3
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 160,997-999
 switchport mode trunk
 channel-group 4 mode on
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
 description Connection to WLC #1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 160,997-999
 switchport mode trunk
 channel-group 2 mode on
!
interface GigabitEthernet1/0/7
 description Connection to WLC# 2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 160,997-999
 switchport mode trunk
 channel-group 3 mode on
!
interface GigabitEthernet1/0/8
 description Connection to WLC# 3
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 160,997-999
 switchport mode trunk
 channel-group 4 mode on
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
 switchport access vlan 160
 channel-group 1 mode on
!
interface GigabitEthernet2/0/1
 switchport access vlan 160
 channel-group 1 mode on
!
interface GigabitEthernet2/0/2
 description Connection to WLC #1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 160,997-999
 switchport mode trunk
 channel-group 2 mode on
!
interface GigabitEthernet2/0/3
 description Connection to WLC# 2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 160,997-999
 switchport mode trunk
 channel-group 3 mode on
!
interface GigabitEthernet2/0/4
 description Connection to WLC# 3
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 160,997-999
 switchport mode trunk
 channel-group 4 mode on
!
interface GigabitEthernet2/0/5
!
interface GigabitEthernet2/0/6
 description Connection to WLC #1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 160,997-999
 switchport mode trunk
 channel-group 2 mode on
!
interface GigabitEthernet2/0/7
 description Connection to WLC# 2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 160,997-999
 switchport mode trunk
 channel-group 3 mode on
!
interface GigabitEthernet2/0/8
 description Connection to WLC# 3
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 160,997-999
 switchport mode trunk
 channel-group 4 mode on
!
interface GigabitEthernet2/0/9
!
interface GigabitEthernet2/0/10
!
interface GigabitEthernet2/0/11
!
interface GigabitEthernet2/0/12
 switchport access vlan 160
 channel-group 1 mode on
!
interface GigabitEthernet3/0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 160
 switchport trunk allowed vlan 104,160
 switchport mode trunk
!
interface GigabitEthernet3/0/2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 160
 switchport trunk allowed vlan 106,160
 switchport mode trunk
!
interface GigabitEthernet3/0/3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 160
 switchport trunk allowed vlan 108,160
 switchport mode trunk
!
interface GigabitEthernet3/0/4
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 160
 switchport trunk allowed vlan 114,160
 switchport mode trunk
!
interface GigabitEthernet3/0/5
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 160
 switchport trunk allowed vlan 124,160
 switchport mode trunk
!
interface GigabitEthernet3/0/6
 description Professional Plaza
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 160
 switchport trunk allowed vlan 122,160
 switchport mode trunk
!
interface GigabitEthernet3/0/7
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 160
 switchport trunk allowed vlan 140,160
 switchport mode trunk
!
interface GigabitEthernet3/0/8
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 160
 switchport trunk allowed vlan 102,160
 switchport mode trunk
!
interface GigabitEthernet3/0/9
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 160
 switchport trunk allowed vlan 138,160
 switchport mode trunk
!
interface GigabitEthernet3/0/10
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 160
 switchport trunk allowed vlan 136,160
 switchport mode trunk
!
interface GigabitEthernet3/0/11
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 160
 switchport trunk allowed vlan 118,160
 switchport mode trunk
!
interface GigabitEthernet3/0/12
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 160
 switchport trunk allowed vlan 142,160
 switchport mode trunk
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan102
 ip address 172.10.102.1 255.255.254.0 secondary
 ip address 172.20.102.1 255.255.254.0
!
interface Vlan104
 ip address 172.10.104.1 255.255.254.0 secondary
 ip address 172.20.104.1 255.255.254.0
!
interface Vlan106
 ip address 172.10.106.1 255.255.254.0 secondary
 ip address 172.20.106.1 255.255.254.0
!
interface Vlan108
 ip address 172.10.108.1 255.255.254.0 secondary
 ip address 172.20.108.1 255.255.254.0
!
interface Vlan114
 ip address 172.20.114.1 255.255.254.0
!
interface Vlan118
 ip address 172.10.118.1 255.255.254.0 secondary
 ip address 172.20.118.1 255.255.254.0
!
interface Vlan122
 ip address 172.10.122.1 255.255.254.0 secondary
 ip address 172.20.122.1 255.255.254.0
!
interface Vlan124
 ip address 172.10.124.1 255.255.254.0 secondary
 ip address 172.20.124.1 255.255.254.0
!
interface Vlan136
 ip address 172.10.136.1 255.255.254.0 secondary
 ip address 172.20.136.1 255.255.254.0
!
interface Vlan138
 ip address 172.10.138.1 255.255.254.0 secondary
 ip address 172.20.138.1 255.255.254.0
!
interface Vlan140
 ip address 172.10.140.1 255.255.254.0 secondary
 ip address 172.20.140.1 255.255.254.0
!
interface Vlan142
 ip address 172.20.142.1 255.255.254.0
!
interface Vlan160
 ip address 172.20.160.2 255.255.254.0
!
interface Vlan997
 ip address 10.220.10.1 255.255.255.0
!
interface Vlan998
 ip address 172.21.1.1 255.255.0.0
!
interface Vlan999
 ip address 10.220.0.1 255.255.255.0
 ip access-group GuestWireless in
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.20.160.1
ip http server
!
ip access-list extended GuestWireless
 remark Applied inbound on Vlan999: checked against packets sent BY guest clients,
 remark top to bottom, first matching entry wins (domain=udp/53, bootps=67, bootpc=68).
 remark DNS to RFC1918 space is denied before the general DNS permit, so guests
 remark can only resolve through external resolvers.
 deny   udp any 10.0.0.0 0.255.255.255 eq domain
 deny   udp any 172.16.0.0 0.15.255.255 eq domain
 deny   udp any 192.168.0.0 0.0.255.255 eq domain
 permit udp any any eq domain
 remark DHCP must be permitted before the blanket deny of 10.0.0.0/8 below,
 remark because the DHCP server is the SVI itself (10.220.0.1).
 permit udp any any eq bootpc
 permit udp any host 10.220.0.1 eq bootps
 remark Everything else toward RFC1918 (corporate 172.20/172.21, the other
 remark guest subnet in 10.220.x) is dropped; the rest (Internet) is allowed.
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 permit ip any any
ip access-list extended Physicians
 remark Same policy as GuestWireless; only the DHCP server address differs (10.220.10.1).
 deny   udp any 10.0.0.0 0.255.255.255 eq domain
 deny   udp any 172.16.0.0 0.15.255.255 eq domain
 deny   udp any 192.168.0.0 0.0.255.255 eq domain
 permit udp any any eq domain
 permit udp any any eq bootpc
 permit udp any host 10.220.10.1 eq bootps
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 permit ip any any
!
tftp-server 172.20.23.110
!
control-plane
!
!
line con 0
 logging synchronous
line vty 0 4
 password
 logging synchronous
 login local
 length 0
line vty 5
 password
 login local
line vty 6 15
 password
 login
!
ntp server 172.20.44.18 key 0 prefer
end
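The mechanics the question asks about, as an added example (editor's code, not from the question, the hidden answer, or Cisco): a small Python first-match simulator for the GuestWireless ACL exactly as it appears in the posted config. An extended ACL applied `in` on an SVI is evaluated only against packets that enter the switch from that VLAN, top to bottom, and the first matching entry decides. Two checks the simulator makes visible: the three `deny udp ... eq domain` entries only work because they sit above `permit udp any any eq domain` (dropping them turns internal DNS from deny into permit), and since the ACL is inbound on Vlan999 only, a corporate host can send toward a guest address unfiltered while the guest host's reply (for example an ICMP echo reply) is dropped on its way back. Two observations that come straight from the posted config and are not the asker's statements: GuestWireless is applied under `interface Vlan999`, but no `ip access-group` line appears under `interface Vlan997`, so the Physicians ACL is defined but not applied as posted, and the Physicians ACL is the same policy apart from the DHCP server host, so the same simulator applies to it. The guest client address 10.220.0.57 and the public web server 93.184.216.34 are assumed; the other addresses are taken from the config. The parser handles only the keywords these two ACLs use (`any`, `host`, wildcard masks, `eq` with a port name or number).

```python
"""First-match simulation of the GuestWireless extended ACL from the posted config."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Copied verbatim from "ip access-list extended GuestWireless" in the question.
GUEST_WIRELESS_ACL = """\
deny   udp any 10.0.0.0 0.255.255.255 eq domain
deny   udp any 172.16.0.0 0.15.255.255 eq domain
deny   udp any 192.168.0.0 0.0.255.255 eq domain
permit udp any any eq domain
permit udp any any eq bootpc
permit udp any host 10.220.0.1 eq bootps
deny   ip any 10.0.0.0 0.255.255.255
deny   ip any 192.168.0.0 0.0.255.255
deny   ip any 172.16.0.0 0.15.255.255
permit ip any any
"""

PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68}  # IOS keywords used here
AddrSpec = Tuple[int, int]  # (network as int, IOS wildcard mask as int)


def _parse_addr(tokens: List[str]) -> AddrSpec:
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return (0, 0xFFFFFFFF)
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens.pop(0))), 0)
    return (int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0))))


def parse_acl(text: str) -> List[dict]:
    """Parse the subset of extended-ACL syntax used here: action proto src dst [eq port]."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, dst = _parse_addr(rest), _parse_addr(rest)
        dport: Optional[int] = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
        rules.append({"action": action, "proto": proto, "src": src, "dst": dst,
                      "dport": dport, "text": " ".join(tokens)})
    return rules


def _addr_matches(spec: AddrSpec, ip: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    net, wild = spec
    mask = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & mask) == (net & mask)


def evaluate(rules: List[dict], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, str]:
    """Walk the ACL top to bottom; the first matching entry decides."""
    for r in rules:
        if r["proto"] != "ip" and r["proto"] != proto:
            continue
        if not (_addr_matches(r["src"], src) and _addr_matches(r["dst"], dst)):
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["action"], r["text"]
    return "deny", "implicit deny"  # unreachable here because of the final permit


# Constructed packets as they enter Vlan999 from a guest client. 10.220.0.57 is an
# assumed client address; 93.184.216.34 stands in for any public web server; the
# 172.20.x and 10.220.x hosts are taken from the posted config.
GUEST_FLOWS = {
    "dns to internal server 172.20.45.121": ("udp", "10.220.0.57", "172.20.45.121", 53),
    "dns to public resolver 204.153.217.68": ("udp", "10.220.0.57", "204.153.217.68", 53),
    "dhcp renew to server 10.220.0.1": ("udp", "10.220.0.57", "10.220.0.1", 67),
    "https to corporate host": ("tcp", "10.220.0.57", "172.20.45.121", 443),
    "https to internet": ("tcp", "10.220.0.57", "93.184.216.34", 443),
    "http to PhysiciansAccess subnet": ("tcp", "10.220.0.57", "10.220.10.5", 80),
    "icmp echo reply back to 172.20.102.50": ("icmp", "10.220.0.57", "172.20.102.50", None),
}


def walk_guest_flows(rules: Optional[List[dict]] = None) -> Dict[str, Tuple[str, str]]:
    rules = rules or parse_acl(GUEST_WIRELESS_ACL)
    return {name: evaluate(rules, *pkt) for name, pkt in GUEST_FLOWS.items()}


def without_specific_dns_denies() -> Tuple[str, str]:
    """Drop the three 'deny udp ... eq domain' lines to show why their position matters."""
    trimmed = "\n".join(GUEST_WIRELESS_ACL.strip().splitlines()[3:])
    return evaluate(parse_acl(trimmed), "udp", "10.220.0.57", "172.20.45.121", 53)


if __name__ == "__main__":
    for name, (action, entry) in walk_guest_flows().items():
        print(f"{action:6} {name:40} <- {entry}")
    print("without the DNS-specific denies:", without_specific_dns_denies())
```

Running it prints one line per constructed packet with the entry that decided it. The "icmp echo reply" row is the one to look at for the "I can access my guest network from my other VLANs" observation: nothing in this config filters a packet leaving Vlan102 toward 10.220.0.0/24, but the reply from the guest host is matched by `deny ip any 172.16.0.0 0.15.255.255` on its way in through Vlan999, so a two-way exchange with a guest client would not complete unless the guest-side traffic is what is being reached (for example the WLC management interface on VLAN 160, which is not behind this ACL). To apply the same test to the Physicians ACL, paste its entries into the string and change the DHCP server flow to 10.220.10.1.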
