ndalmolin_13 asked:

Help with an ACL to isolate our wireless network

Hello Cisco Experts,

I'm having trouble completely isolating our wireless network with ACLs on our Cisco 3850 switch.  Here is what I have:

- The guest wireless network is vlan 261.
- The SVI for the guest wireless has an IP address of 10.200.161.254 255.255.255.0.
- We have 38 vlans from which we need to block access from the guest wireless network.  To keep this post short, I'm only going to reference one of these vlans (vlan 10).  This vlan is for our accounting department.  This vlan uses the 10.100.10.0 255.255.255.0 address range.

The ACL I have created is as follows:

ip access-list extended MYCOMPANY-GUEST-WIRELESS
remark ACL used to prevent traffic from the guest wireless from accessing the internal network.
deny ip any 10.110.10.0 0.0.0.255
permit ip any any

I have applied the access list above to the SVI for the guest wireless network as follows:
config t
interface vlan 261
ip access-group MYCOMAPNY-GUEST-WIRELESS in

This configuration appears to have worked.  However, our security team wants an ACL that will do the following:
1.  Prevent traffic initiating from the internal network from reaching the guest wireless network.
2.  Prevent the internal network from being able to ping any address in the guest network.  The way things are configured right now I can't ping my laptop on the guest network, but I can ping the 10.200.161.254 address.

I know I could configure an access list as follows and then apply it to each vlan's SVI:
ip access-list extended CONTROL-TRAFFIC-INSIDE-THE-NETWORK
deny ip any 10.200.161.0 0.0.0.255
deny icmp any 10.200.161.0 0.0.0.255
permit ip any any

The problem with applying CONTROL-TRAFFIC-INSIDE-THE-NETWORK to each vlan's SVI is that there are 38 vlans.

I read the following post on the Cisco forums that made me think I could apply an outbound ACL on the vlan 261 SVI to accomplish the same thing, but it is not working as I expected.  My outbound ACL is as follows:
ip access-list extended CONTROL-TRAFFIC-TO-GUEST-WIRELESS
deny ip 10.110.10.0 0.0.0.255 any
deny icmp 10.110.10.0 0.0.0.255 any
permit ip any any

I applied the ACL with the following command:
config t
interface vlan 261
ip access-group CONTROL-TRAFFIC-TO-GUEST-WIRELESS out

The running configuration of my vlan interface 261 is now as follows:
interface vlan261
description GUEST WIRELESS
ip address 10.200.161.254 255.255.255.0
ip access-group MYCOMPANY-GUEST-WIRELESS in
ip access-group CONTROL-TRAFFIC-TO-GUEST-WIRELESS out

With this configuration, I can still ping the 10.200.161.254 address.

How can I create an ACL that will block all traffic, including icmp, originating from the internal network to the guest wireless?

Sorry for the long explanation.

Thanks in advance for your help.

Nick
ASKER CERTIFIED SOLUTION
Predrag Jovic
(The accepted solution text is available only to Experts Exchange members and is not shown on this page.)

ndalmolin_13 (ASKER):
How do I block traffic (including icmp) originating from an internal vlan from reaching the guest wireless vlan?  I want to block all traffic from 10.110.10.0 (vlan10) from hitting the 10.200.161.0 (vlan 261).  I want to block this traffic at the SVI for vlan 261.
deny ip blocks all IP traffic, including ICMP.
You can also block traffic in the opposite direction, from local hosts to wireless guests.

I copy-pasted your error...
Check the names: the names do not match :)
ip access-list extended MYCOMPANY-GUEST-WIRELESS
ip access-group MYCOMAPNY-GUEST-WIRELESS in
This ACL also blocks new networks that you may later create in private IP address space. There will be no need to rewrite IP addresses for newly added networks.
How would I block from local hosts to the guest-wireless?
ip access-list extended STOP-LOCAL2WIRELESS
 permit udp any any eq bootps
 deny ip 10.0.0.0 0.255.255.255 any
 *
 *
 *

interface vlan 261
ip access-group STOP-LOCAL2WIRELESS out

*** - the same as the previous ACL, but with the entries reordered to <ip_address_range> any
:)
I made the following ACL based on your information:

ip access-list extended STOP-INTERNAL2GUEST
deny ip 10.110.10.0 0.0.0.255 any
permit ip any any

I like your idea of blocking all private IP ranges.  The problem is we have private IPs assigned to links that route traffic, so I will have to figure out which subnets to allow.  However, to test, I just did the ACL above.

I apply it as follows:
interface vlan 261
ip access-group STOP-INTERNAL2GUEST out

When I ping my laptop on the guest wireless I get no reply.  I run the "show ip access-lists" command and see hits on the "deny ip 10.110.10.0 0.0.0.255 any" statement.  That is good.  However, I can still ping 10.200.161.254 (the IP assigned to the SVI of vlan 261).
Replace
deny ip 10.110.10.0 0.0.0.255 any
 with
deny ip 10.0.0.0 0.255.255.255 any
and try the ping

Although I typically would prefer to use the first option:
ip access-list extended MYCOMPANY-GUEST-WIRELESS
 deny ip any 10.0.0.0 0.255.255.255
 permit ip any any

interface vlan 261
ip access-group MYCOMPANY-GUEST-WIRELESS in


The reason is that this way unnecessary traffic does not even enter your switch, but is dropped as it hits the SVI - from guest hosts to local hosts.
Direction OUT blocks the traffic after the guests have already pinged the local hosts.

But you can choose to create two ACLs (one for each direction) and apply them in the proper directions. But be careful not to kill all traffic.
:)
I've noticed my typo in ACL.
Instead of:
deny ip any 172.16.0.0 0.0.15.255
should be:
deny ip any 172.16.0.0 0.15.255.255
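The thread turns on three points that are easy to get wrong by eye: wildcard-mask arithmetic (the 0.0.15.255 versus 0.15.255.255 typo above), first-match ordering (the bootps permit placed before the 10/8 deny in STOP-LOCAL2WIRELESS), and why an outbound ACL on the vlan 261 SVI never stops pings to the SVI's own 10.200.161.254 address. The following is an added example, not code from the thread or from Cisco: a small Python model of IOS extended-ACL evaluation that parses the ACLs quoted above, keeps per-entry hit counters like `show ip access-lists`, and models one piece of IOS forwarding behaviour, namely that an interface's `out` ACL only sees transit traffic leaving through that interface, so a packet addressed to the switch's own SVI IP terminates on the switch and is never checked against it (an `in` ACL, by contrast, is applied to packets destined to the switch). The packet and ACL names, the `Packet`/`Acl` classes and the sample addresses are all assumptions made for the example; only a subset of ACE syntax (`any`, `host`, `A WILDCARD`, `eq <port>` on the destination) is handled.

```python
"""Simplified model of Cisco IOS extended-ACL evaluation (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Tuple, List

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}
ANY = (0, 0xFFFFFFFF)  # IOS "any" is shorthand for 0.0.0.0 255.255.255.255


def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _take_spec(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD'. Returns ((net, wild), next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (_addr(tokens[i + 1]), 0), i + 2
    return (_addr(tokens[i]), _addr(tokens[i + 1])), i + 2


def matches(spec: Tuple[int, int], ip: int) -> bool:
    """Wildcard semantics: a 1 bit in the wildcard means 'don't care' (the inverse of a subnet mask)."""
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (ip & care) == (net & care)


def wildcard_range(net: str, wild: str) -> Tuple[str, str]:
    """First and last address a (network, wildcard) pair can match; shows what a mask typo really covers."""
    n, w = _addr(net), _addr(wild)
    lo = n & ~w & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(lo | w))


def covers(net: str, wild: str, ip: str) -> bool:
    return matches((_addr(net), _addr(wild)), _addr(ip))


@dataclass
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches every protocol; otherwise exact match
    src: Tuple[int, int]
    dst: Tuple[int, int]
    dport: Optional[int] = None    # only "eq <port>" on the destination is modelled
    hits: int = 0                  # like the match counter in "show ip access-lists"


def parse_ace(line: str) -> Ace:
    t = line.split()
    src, i = _take_spec(t, 2)
    dst, i = _take_spec(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Ace(t[0], t[1], src, dst, dport)


@dataclass
class Packet:
    proto: str        # "icmp", "udp", "tcp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Acl:
    name: str
    aces: List[Ace] = field(default_factory=list)

    @classmethod
    def parse(cls, name: str, text: str) -> "Acl":
        lines = [l.strip() for l in text.strip().splitlines()]
        return cls(name, [parse_ace(l) for l in lines if l and not l.startswith("remark")])

    def evaluate(self, pkt: Packet) -> str:
        """First matching entry wins; every IOS ACL ends with an implicit deny."""
        for ace in self.aces:
            if ace.proto != "ip" and ace.proto != pkt.proto:
                continue
            if not (matches(ace.src, _addr(pkt.src)) and matches(ace.dst, _addr(pkt.dst))):
                continue
            if ace.dport is not None and ace.dport != pkt.dport:
                continue
            ace.hits += 1
            return ace.action
        return "deny"


def ingress_vlan(acl_in: Acl, pkt: Packet) -> str:
    """'in' ACL on an SVI: applied to everything arriving from that VLAN, including packets for the SVI itself."""
    return "accepted" if acl_in.evaluate(pkt) == "permit" else "dropped by in ACL"


def egress_vlan(acl_out: Acl, svi_ip: str, pkt: Packet) -> str:
    """'out' ACL on an SVI: applied only to transit traffic forwarded out through that VLAN.
    A packet addressed to the SVI's own IP terminates on the switch (control plane) and is never
    forwarded out the interface, so the out ACL is not consulted. Simplified model of IOS behaviour."""
    if pkt.dst == svi_ip:
        return "delivered to switch (out ACL not consulted)"
    return "forwarded" if acl_out.evaluate(pkt) == "permit" else "dropped by out ACL"


if __name__ == "__main__":
    out_acl = Acl.parse("STOP-INTERNAL2GUEST", "deny ip 10.110.10.0 0.0.0.255 any\npermit ip any any")
    for dst in ("10.200.161.20", "10.200.161.254"):   # guest laptop, then the vlan 261 SVI
        print(dst, "->", egress_vlan(out_acl, "10.200.161.254", Packet("icmp", "10.110.10.5", dst)))
    print("0.0.15.255 covers", wildcard_range("172.16.0.0", "0.0.15.255"))
    print("0.15.255.255 covers", wildcard_range("172.16.0.0", "0.15.255.255"))
```

Running it reproduces what the asker saw: the ping to the guest laptop is dropped by the out ACL (and the deny entry's hit counter increments), while the ping to 10.200.161.254 is delivered to the switch untouched. It also shows that `172.16.0.0 0.0.15.255` only covers 172.16.0.0 through 172.16.15.255, not the 172.16/12 private block.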