
access list on core switch for restricted guest access

I'm having a problem understanding how this access list I have applied to VLAN 997 and 999 is prohibiting access to my corporate network from the guest network (GuestWireless, PhysicianAccess).
I have listed the running config from my core switch. I am running 3 Cisco wireless LAN controllers that are connected to this switch via EtherChannel. I can, however, access my guest network from my other VLANs (which is fine). I would really appreciate someone helping me understand how this works. Thanks for your responses.




Current configuration : 12597 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime
no service password-encryption
service sequence-numbers
!
hostname BigBoy
!
!
no aaa new-model
clock timezone CST -6
clock summer-time CST recurring
switch 1 provision ws-c3750g-12s
switch 2 provision ws-c3750g-12s
switch 3 provision ws-c3750g-12s
system mtu routing 1500
ip subnet-zero
ip routing
no ip domain-lookup
ip dhcp excluded-address 172.20.142.1 172.20.142.50
ip dhcp excluded-address 172.20.108.1 172.20.108.50
ip dhcp excluded-address 172.20.106.1 172.20.106.50
ip dhcp excluded-address 172.20.104.1 172.20.104.50
ip dhcp excluded-address 172.20.118.1 172.20.118.50
ip dhcp excluded-address 172.20.136.1 172.20.136.50
ip dhcp excluded-address 172.20.138.1 172.20.138.50
ip dhcp excluded-address 172.20.102.1 172.20.102.50
ip dhcp excluded-address 172.20.140.1 172.20.140.50
ip dhcp excluded-address 172.20.116.1 172.20.116.50
ip dhcp excluded-address 172.20.124.1 172.20.124.50
ip dhcp excluded-address 172.20.114.1 172.20.114.50
ip dhcp excluded-address 172.20.122.1 172.20.122.50
ip dhcp excluded-address 172.21.0.1 172.21.253.255
!
ip dhcp pool MAIN3rdFloor
   network 172.20.142.0 255.255.254.0
   default-router 172.20.142.1
   domain-name butta.org
   dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool Nursing8th
   network 172.20.108.0 255.255.254.0
   default-router 172.20.108.1
   domain-name butta.org
   dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool ICU6th
   network 172.20.106.0 255.255.254.0
   default-router 172.20.106.1
   domain-name butta.org
   dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool Nursing4th
   network 172.20.104.0 255.255.254.0
   default-router 172.20.104.1
   domain-name butta.org
   dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool Surgery3rd
   network 172.20.118.0 255.255.254.0
   default-router 172.20.118.1
   domain-name butta.org
   dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool WCNorth3rd
   network 172.20.136.0 255.255.254.0
   default-router 172.20.136.1
   domain-name butta.org
   dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool WCSouth3rd
   network 172.20.138.0 255.255.254.0
   default-router 172.20.138.1
   domain-name butta.org
   dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool Lab2nd
   network 172.20.102.0 255.255.254.0
   default-router 172.20.102.1
   domain-name butta.org
   dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool Radiology2nd
   network 172.20.140.0 255.255.254.0
   default-router 172.20.140.1
   domain-name butta.org
   dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool RadiationOncalogy2nd
   network 172.20.116.0 255.255.254.0
   default-router 172.20.116.1
   domain-name butta.org
   dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool Purchasing1st
   network 172.20.124.0 255.255.254.0
   default-router 172.20.124.1
   domain-name butta.org
   dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool Auditorium1st
   network 172.20.114.0 255.255.254.0
   default-router 172.20.114.1
   domain-name butta.org
   dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool GuestWireless
   network 10.220.0.0 255.255.255.0
   default-router 10.220.0.1
   domain-name guest.net
   dns-server 204.153.217.68 204.153.217.69
!
ip dhcp pool CORPDATA
   network 172.21.0.0 255.255.0.0
   default-router 172.21.1.1
   dns-server 172.20.45.121 172.20.45.122
   netbios-name-server 172.20.45.121 172.20.45.122
   domain-name butta.org
!
ip dhcp pool ProfessionalBuilding1
   network 172.20.122.0 255.255.254.0
   default-router 172.20.122.1
   domain-name butta.org
   dns-server 172.20.45.122 172.20.45.121
!
ip dhcp pool PhysiciansAccess
   network 10.220.10.0 255.255.255.0
   dns-server 204.153.217.68 204.153.217.69
   domain-name rmc-physician.local
   default-router 10.220.10.1
!
!
!
!        
port-channel load-balance src-dst-ip
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface Port-channel1
 description Connection to Nortel Passport 8010 Core
 switchport access vlan 160
!
interface Port-channel2
 description Connection to WLC #1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 160,997-999
 switchport mode trunk
!
interface Port-channel3
 description Connection to WLC #2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 160,997-999
 switchport mode trunk
!
interface Port-channel4
 description Connection to WLC# 3
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 160,997-999
 switchport mode trunk
!
interface GigabitEthernet1/0/1
 switchport access vlan 160
 channel-group 1 mode on
!
interface GigabitEthernet1/0/2
 description Connection to WLC #1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 160,997-999
 switchport mode trunk
 channel-group 2 mode on
!
interface GigabitEthernet1/0/3
 description Connection to WLC# 2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 160,997-999
 switchport mode trunk
 channel-group 3 mode on
!        
interface GigabitEthernet1/0/4
 description Connection to WLC# 3
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 160,997-999
 switchport mode trunk
 channel-group 4 mode on
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
 description Connection to WLC #1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 160,997-999
 switchport mode trunk
 channel-group 2 mode on
!
interface GigabitEthernet1/0/7
 description Connection to WLC# 2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 160,997-999
 switchport mode trunk
 channel-group 3 mode on
!
interface GigabitEthernet1/0/8
 description Connection to WLC# 3
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 160,997-999
 switchport mode trunk
 channel-group 4 mode on
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
 switchport access vlan 160
 channel-group 1 mode on
!
interface GigabitEthernet2/0/1
 switchport access vlan 160
 channel-group 1 mode on
!
interface GigabitEthernet2/0/2
 description Connection to WLC #1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 160,997-999
 switchport mode trunk
 channel-group 2 mode on
!
interface GigabitEthernet2/0/3
 description Connection to WLC# 2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 160,997-999
 switchport mode trunk
 channel-group 3 mode on
!
interface GigabitEthernet2/0/4
 description Connection to WLC# 3
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 160,997-999
 switchport mode trunk
 channel-group 4 mode on
!
interface GigabitEthernet2/0/5
!
interface GigabitEthernet2/0/6
 description Connection to WLC #1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 160,997-999
 switchport mode trunk
 channel-group 2 mode on
!
interface GigabitEthernet2/0/7
 description Connection to WLC# 2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 160,997-999
 switchport mode trunk
 channel-group 3 mode on
!
interface GigabitEthernet2/0/8
 description Connection to WLC# 3
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 160,997-999
 switchport mode trunk
 channel-group 4 mode on
!
interface GigabitEthernet2/0/9
!
interface GigabitEthernet2/0/10
!
interface GigabitEthernet2/0/11
!
interface GigabitEthernet2/0/12
 switchport access vlan 160
 channel-group 1 mode on
!
interface GigabitEthernet3/0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 160
 switchport trunk allowed vlan 104,160
 switchport mode trunk
!
interface GigabitEthernet3/0/2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 160
 switchport trunk allowed vlan 106,160
 switchport mode trunk
!
interface GigabitEthernet3/0/3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 160
 switchport trunk allowed vlan 108,160
 switchport mode trunk
!
interface GigabitEthernet3/0/4
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 160
 switchport trunk allowed vlan 114,160
 switchport mode trunk
!
interface GigabitEthernet3/0/5
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 160
 switchport trunk allowed vlan 124,160
 switchport mode trunk
!
interface GigabitEthernet3/0/6
 description Professional Plaza
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 160
 switchport trunk allowed vlan 122,160
 switchport mode trunk
!
interface GigabitEthernet3/0/7
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 160
 switchport trunk allowed vlan 140,160
 switchport mode trunk
!
interface GigabitEthernet3/0/8
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 160
 switchport trunk allowed vlan 102,160
 switchport mode trunk
!
interface GigabitEthernet3/0/9
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 160
 switchport trunk allowed vlan 138,160
 switchport mode trunk
!
interface GigabitEthernet3/0/10
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 160
 switchport trunk allowed vlan 136,160
 switchport mode trunk
!
interface GigabitEthernet3/0/11
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 160
 switchport trunk allowed vlan 118,160
 switchport mode trunk
!
interface GigabitEthernet3/0/12
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 160
 switchport trunk allowed vlan 142,160
 switchport mode trunk
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan102
 ip address 172.10.102.1 255.255.254.0 secondary
 ip address 172.20.102.1 255.255.254.0
!
interface Vlan104
 ip address 172.10.104.1 255.255.254.0 secondary
 ip address 172.20.104.1 255.255.254.0
!
interface Vlan106
 ip address 172.10.106.1 255.255.254.0 secondary
 ip address 172.20.106.1 255.255.254.0
!
interface Vlan108
 ip address 172.10.108.1 255.255.254.0 secondary
 ip address 172.20.108.1 255.255.254.0
!
interface Vlan114
 ip address 172.20.114.1 255.255.254.0
!
interface Vlan118
 ip address 172.10.118.1 255.255.254.0 secondary
 ip address 172.20.118.1 255.255.254.0
!
interface Vlan122
 ip address 172.10.122.1 255.255.254.0 secondary
 ip address 172.20.122.1 255.255.254.0
!
interface Vlan124
 ip address 172.10.124.1 255.255.254.0 secondary
 ip address 172.20.124.1 255.255.254.0
!
interface Vlan136
 ip address 172.10.136.1 255.255.254.0 secondary
 ip address 172.20.136.1 255.255.254.0
!
interface Vlan138
 ip address 172.10.138.1 255.255.254.0 secondary
 ip address 172.20.138.1 255.255.254.0
!
interface Vlan140
 ip address 172.10.140.1 255.255.254.0 secondary
 ip address 172.20.140.1 255.255.254.0
!
interface Vlan142
 ip address 172.20.142.1 255.255.254.0
!
interface Vlan160
 ip address 172.20.160.2 255.255.254.0
!
interface Vlan997
 ip address 10.220.10.1 255.255.255.0
!
interface Vlan998
 ip address 172.21.1.1 255.255.0.0
!
interface Vlan999
 ip address 10.220.0.1 255.255.255.0
 ip access-group GuestWireless in
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.20.160.1
ip http server
!
ip access-list extended GuestWireless
 deny   udp any 10.0.0.0 0.255.255.255 eq domain
 deny   udp any 172.16.0.0 0.15.255.255 eq domain
 deny   udp any 192.168.0.0 0.0.255.255 eq domain
 permit udp any any eq domain
 permit udp any any eq bootpc
 permit udp any host 10.220.0.1 eq bootps
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 permit ip any any
ip access-list extended Physicians
 deny   udp any 10.0.0.0 0.255.255.255 eq domain
 deny   udp any 172.16.0.0 0.15.255.255 eq domain
 deny   udp any 192.168.0.0 0.0.255.255 eq domain
 permit udp any any eq domain
 permit udp any any eq bootpc
 permit udp any host 10.220.10.1 eq bootps
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 permit ip any any
!
tftp-server 172.20.23.110
!
control-plane
!
!
line con 0
 logging synchronous
line vty 0 4
 password
 logging synchronous
 login local
 length 0
line vty 5
 password
 login local
line vty 6 15
 password
 login
!
ntp server 172.20.44.18 key 0 prefer
end


Network Consultant
Commented:
OK, so here goes. First of all, there is no ACL being applied on VLAN 997, so I will deal only with 999.

interface Vlan999
 ip address 10.220.0.1 255.255.255.0
 ip access-group GuestWireless in
!

ip access-list extended GuestWireless
 deny   udp any 10.0.0.0 0.255.255.255 eq domain
 deny   udp any 172.16.0.0 0.15.255.255 eq domain
 deny   udp any 192.168.0.0 0.0.255.255 eq domain
 permit udp any any eq domain
 permit udp any any eq bootpc
 permit udp any host 10.220.0.1 eq bootps
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 permit ip any any

So the basics of each command are: permit/deny, then either tcp/udp/ip, then the source IP address/network, followed by the destination IP address/network, and then possibly the specific TCP/UDP port.

So if we look at the first line:
 deny   udp any 10.0.0.0 0.255.255.255 eq domain

We will deny traffic from any source IP address that is destined for the 10.x.x.x network using UDP port 53 (DNS lookups).

You also need to keep in mind how the access list is applied: in or out. Your ACL is applied inbound, meaning traffic heading into the interface VLAN 999. So this would be traffic that was generated on that VLAN heading into the Layer 3 VLAN 999 interface in order to get out somewhere else...

So your second line does the same thing, except it blocks anything from getting to the 172.16.x.x networks, and the 3rd line does the same thing except it blocks the 192.168.x.x networks. Then after that we let you do DNS queries to anything.

The order of the ACL is important. The first line we match is the action we will take. So first we block traffic from doing DNS queries to our internal network, then we allow all other DNS queries to work, so this is most likely to an external DNS server on the internet.

Then we allow BOOTP, which is basically allowing DHCP to function.

Then we block any traffic coming in to the Layer 3 interface of VLAN 999 from reaching the same 3 networks that were blocked previously, on anything using IP.

Then we allow it to get to everything else.

So basically the flow is: block what we don't want, then open up what else remains, which should be anything on the internet.

I hope that helps.
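
To make the first-match walk-through above concrete, here is an added example (my own code, not part of the question or the answer) that parses the GuestWireless ACL exactly as posted and evaluates constructed sample packets from a guest client against it using Cisco's rules: top-down first match, wildcard masks (a 1 bit means "don't care"), `ip` matching every protocol, and the implicit `deny ip any any` at the end. The guest client address 10.220.0.55, the physician-VLAN host 10.220.10.5, the Internet host 203.0.113.10 and the function names are assumptions chosen for the demonstration; the ACL text, the DNS servers and the SVI addresses are taken from the posted config.

```python
"""Simulate Cisco extended ACL evaluation for the GuestWireless ACL posted in the question."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port keywords Cisco expands in an ACL ("eq domain" means UDP/TCP 53, etc.).
PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68, "www": 80}

# Verbatim copy of the ACL from the posted running config.
GUESTWIRELESS_ACL = """
deny   udp any 10.0.0.0 0.255.255.255 eq domain
deny   udp any 172.16.0.0 0.15.255.255 eq domain
deny   udp any 192.168.0.0 0.0.255.255 eq domain
permit udp any any eq domain
permit udp any any eq bootpc
permit udp any host 10.220.0.1 eq bootps
deny   ip any 10.0.0.0 0.255.255.255
deny   ip any 192.168.0.0 0.0.255.255
deny   ip any 172.16.0.0 0.15.255.255
permit ip any any
"""

AddrSpec = Tuple[int, int]  # (address, wildcard mask) as 32-bit integers


@dataclass
class Ace:
    """One access control entry (one line of the ACL)."""
    action: str          # "permit" or "deny"
    proto: str           # "ip", "udp", "tcp", ...
    src: AddrSpec
    dst: AddrSpec
    dst_port: Optional[int]
    text: str            # the original line, for tracing which entry matched


def _addr_spec(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    base = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (base, wild), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse the ACL body (one ACE per line) into Ace objects, preserving order."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t[0], t[1]
        src, i = _addr_spec(t, 2)
        dst, i = _addr_spec(t, i)
        port = None
        if i < len(t) and t[i] == "eq":
            port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        aces.append(Ace(action, proto, src, dst, port, " ".join(t)))
    return aces


def _wild_match(addr: int, spec: AddrSpec) -> bool:
    """Cisco wildcard match: compare only the bits where the wildcard mask is 0."""
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (base & care)


def evaluate(aces: List[Ace], proto: str, src: str, dst: str,
             dst_port: Optional[int] = None) -> Tuple[str, str]:
    """Return (action, matching ACE text) for a packet; first match wins, implicit deny last."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (_wild_match(s, ace.src) and _wild_match(d, ace.dst)):
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action, ace.text
    return "deny", "(implicit deny ip any any)"


# Constructed sample packets as they would enter the switch from VLAN 999 (guest side).
DEMO_PACKETS = [
    ("udp", "10.220.0.55", "172.20.45.121", 53),     # DNS to the corporate DNS server
    ("udp", "10.220.0.55", "204.153.217.68", 53),    # DNS to the guest pool's external DNS
    ("udp", "10.220.0.55", "255.255.255.255", 67),   # DHCP DISCOVER broadcast
    ("udp", "10.220.0.55", "10.220.0.1", 67),        # DHCP renew unicast to the SVI
    ("tcp", "10.220.0.55", "172.21.1.1", 445),       # SMB to the CORPDATA gateway
    ("tcp", "10.220.0.55", "10.220.10.5", 80),       # HTTP to a host on the physicians VLAN
    ("tcp", "10.220.0.55", "203.0.113.10", 443),     # HTTPS to an Internet host
    ("icmp", "10.220.0.55", "172.20.160.1", None),   # ping the upstream default gateway
]


def trace(aces: List[Ace], packets=DEMO_PACKETS):
    """Evaluate each packet and return [(packet, action, matched ACE)]."""
    return [(p, *evaluate(aces, *p)) for p in packets]


if __name__ == "__main__":
    for pkt, action, ace in trace(parse_acl(GUESTWIRELESS_ACL)):
        print(f"{str(pkt):48} -> {action:6} via: {ace}")
```

Two things the trace makes visible that the prose alone does not. First, the initial DHCP DISCOVER (destination 255.255.255.255, port 67) does not match the `bootps` line, which only covers unicast to 10.220.0.1; it falls all the way through to `permit ip any any`, because the broadcast address is not in any of the denied RFC 1918 ranges. DHCP still works, but not because of the line that appears to allow it. Second, the ACL is only consulted for packets entering the switch from VLAN 999, so corporate hosts reaching 10.220.0.0/24 are never evaluated by it, which is exactly the one-way behaviour the question describes. The same `parse_acl` can be pointed at the posted Physicians ACL, which differs only in the `bootps` host.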

Author

Commented:
Very informative, thank you!