ChristopheVL (Aspirant), May 26, 2016
ACL vlan M4100
Dear,
We would like to create an access list to isolate our Guest Wifi network from all the other VLANs.
When I do so, the other SSIDs disappear from our laptops.
I have applied the access list to our Guest SVI in the inbound direction:
!System Description "M4100-24G-POE+ ProSafe 24-port Gigabit L2+ Managed Switch w ith PoE+, 10.0.2.13, B1.0.1.1"
!System Software Version "10.0.2.13"
!System Up Time "28 days 22 hrs 39 mins 58 secs"
!Additional Packages QOS,IPv6 Management,Routing
!Current SNTP Synchronized Time: SNTP Last Attempt Status Is Not Successful
!
vlan database
vlan 99,200-208,455-456,999
vlan name 99 "TEST"
vlan name 200 "Clients"
vlan name 201 "Telefonie"
vlan name 202 "Guest"
vlan name 203 "Productie"
vlan name 204 "TD"
vlan name 205 "DMZ"
vlan name 206 "Printers"
vlan name 207 "Media"
vlan name 208 "Wireless"
vlan name 999 "3com"
vlan routing 1 1
vlan routing 200 2
vlan routing 201 3
vlan routing 202 4
vlan routing 203 5
vlan routing 204 6
vlan routing 205 7
vlan routing 206 8
vlan routing 207 9
vlan routing 208 10
vlan routing 455 11
vlan routing 456 12
vlan routing 99 13
exit
network mgmt_vlan 203
ip http secure-server
configure
time-range
ip default-gateway 10.253.255.1
username "admin" password 483f42190380e8780a9d32a3c63d31b86d6ad49b870db8306af86a9ce3e06cd9a39f66e666e86f0aaab777b0ab9fe571908247c31d904463d1a0767400f8e763 level 15 encrypted
username "secit" password 912ba98d721224814ea15db6dec1701819e75dfcafa635831e9eab148c105c20ba85dc61882dd47a65eb66dff6cf0005a1a2232b6957ec898cd6187c6bdbb510 level 15 encrypted
line console
exit
line telnet
exit
line ssh
exit
spanning-tree bpduguard
!
ip access-list ACL_Wizard_IPv4_0
exit
ip access-list Deny_Guest_Intervlan_Routing
deny ip 10.253.2.0 0.0.0.255 10.253.0.0 0.0.0.255
deny ip 10.253.2.0 0.0.0.255 10.253.1.0 0.0.0.255
deny ip 10.253.2.0 0.0.0.255 10.253.3.0 0.0.0.255
deny ip 10.253.2.0 0.0.0.255 10.253.4.0 0.0.0.255
deny ip 10.253.2.0 0.0.0.255 10.253.5.0 0.0.0.255
deny ip 10.253.2.0 0.0.0.255 10.253.6.0 0.0.0.255
deny ip 10.253.2.0 0.0.0.255 10.253.7.0 0.0.0.255
deny ip 10.253.2.0 0.0.0.255 10.253.8.0 0.0.0.255
deny ip 10.253.2.0 0.0.0.255 10.253.9.0 0.0.0.255
deny ip 10.253.2.0 0.0.0.255 10.253.11.0 0.0.0.255
permit ip 10.253.2.0 0.0.0.255 0.0.0.0 0.0.0.0
exit
class-map match-all ClassVoiceVLAN ipv4
match vlan 201
exit
policy-map PolicyVoiceVLAN in
class ClassVoiceVLAN
assign-queue 3
exit
exit
interface 0/1
description 'ACCESSPORTS'
vlan participation include 200-201
vlan tagging 201
exit
interface 0/2
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 1000000
vlan pvid 200
vlan participation include 200-201
vlan tagging 201
ip mtu 1500
exit
interface 0/3
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 200
vlan participation include 200-201,204
vlan tagging 201
ip mtu 1500
exit
interface 0/4
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 200
vlan participation include 200-201
vlan tagging 201
ip mtu 1500
exit
interface 0/5
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 1000000
vlan pvid 99
vlan participation include 99,200-201
vlan tagging 201
ip mtu 1500
exit
interface 0/6
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 200
vlan participation include 200-201
vlan tagging 201
ip mtu 1500
exit
interface 0/7
voice vlan 201
service-policy in PolicyVoiceVLAN
description 'ACCESSPORTS'
vlan pvid 203
vlan participation include 200-201
vlan tagging 201
exit
interface 0/8
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 200
vlan participation include 200-201
vlan tagging 201
ip mtu 1500
exit
interface 0/9
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 200
vlan participation include 200-201
vlan tagging 201
ip mtu 1500
exit
interface 0/10
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 200
vlan participation include 200-201
vlan tagging 201
ip mtu 1500
exit
interface 0/11
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 200
vlan participation include 200-201
vlan tagging 201
ip mtu 1500
exit
interface 0/12
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 200
vlan participation include 200-201
vlan tagging 201
ip mtu 1500
exit
interface 0/13
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 200
vlan participation auto 1
vlan participation include 200-201
vlan tagging 201
ip mtu 1500
exit
interface 0/14
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 200
vlan participation auto 1
vlan participation include 200-201
vlan tagging 201
ip mtu 1500
exit
interface 0/15
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 200
vlan participation auto 1
vlan participation include 200-201
vlan tagging 201
ip mtu 1500
exit
interface 0/16
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 202
vlan participation auto 1
vlan participation include 201-202
vlan tagging 201
ip mtu 1500
exit
interface 0/17
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 200
vlan participation include 200-201
vlan tagging 201
ip mtu 1500
exit
interface 0/18
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 203
vlan participation include 200-201,203
vlan tagging 201
ip mtu 1500
exit
interface 0/19
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 206
vlan participation auto 1
vlan participation include 201,206
vlan tagging 201
ip mtu 1500
exit
interface 0/20
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 999
vlan participation include 200-201,204-207,455-456,999
vlan tagging 200-201,204-207,455-456
ip mtu 1500
exit
interface 0/21
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 455
vlan participation auto 1
vlan participation include 200-204,455-456
vlan tagging 200-204
ip mtu 1500
exit
interface 0/22
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
switchport mode trunk
switchport trunk native vlan 456
vlan pvid 456
vlan participation auto 1
vlan participation include 200-204,456
vlan tagging 200-204
ip mtu 1500
exit
interface 0/23
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
switchport mode trunk
switchport trunk native vlan 456
vlan pvid 456
vlan participation include 200-204,456
vlan tagging 200-204
ip mtu 1500
exit
interface 0/24
bandwidth 100000
switchport mode trunk
switchport trunk native vlan 999
vlan pvid 999
vlan participation include 200-208,455-456,999
vlan tagging 200-207,455-456
ip mtu 1500
exit
interface vlan 1
routing
ip address dhcp
exit
interface vlan 200
routing
ip address 10.253.0.1 255.255.255.0
exit
interface vlan 201
routing
ip address 10.253.1.1 255.255.255.0
exit
interface vlan 202
routing
ip address 10.253.2.1 255.255.255.0
ip access-group Deny_Guest_Intervlan_Routing vlan 202 in
exit
interface vlan 203
routing
ip address 10.253.3.1 255.255.255.0
exit
interface vlan 204
routing
ip address 10.253.4.1 255.255.255.0
exit
interface vlan 205
routing
ip address 10.253.5.1 255.255.255.0
exit
interface vlan 206
routing
ip address 10.253.6.1 255.255.255.0
exit
interface vlan 207
routing
ip address 10.253.7.1 255.255.255.0
exit
interface vlan 208
routing
ip address 10.253.8.1 255.255.255.0
exit
interface vlan 455
routing
ip address 10.253.255.2 255.255.255.0
exit
interface vlan 456
routing
ip address 10.253.11.1 255.255.255.0
exit
interface vlan 99
routing
ip address 10.253.9.1 255.255.255.0
exit
ip management vlan 203
service dhcp
ip dhcp pool "Telefonie"
lease 7 0 0
dns-server 8.8.8.8 8.8.4.4
default-router 10.253.1.1
network 10.253.1.0 255.255.255.0
domain-name secit.be
netbios-node-type b-node
exit
ip dhcp pool "Guest"
lease 0 12 0
dns-server 8.8.8.8 8.8.4.4
default-router 10.253.2.1
network 10.253.2.0 255.255.255.0
domain-name secit-guest.be
netbios-node-type b-node
exit
ip dhcp pool "Media"
lease 0 12 0
dns-server 10.253.3.2 8.8.4.4
default-router 10.253.7.1
network 10.253.7.0 255.255.255.0
domain-name secit-media.be
netbios-node-type b-node
exit
ip dhcp pool "TD"
lease 0 14 0
dns-server 10.253.3.2 8.8.4.4
default-router 10.253.4.1
network 10.253.4.0 255.255.255.0
domain-name secit-td.be
netbios-node-type b-node
exit
ip dhcp pool "Internal"
lease 7 0 0
dns-server 10.253.3.2
default-router 10.253.0.1
network 10.253.0.0 255.255.255.0
domain-name fixitsolutions.local
netbios-node-type b-node
exit
exit
- Retired_Member, Jun 01, 2016
Maybe it's filtering the DHCP packets.
To troubleshoot, try to add a rule to allow DHCP packets.
Example: (this is obviously NOT the exact rule to match only DHCP packets, but just a simple rule for the test)
ip access-list Deny_Guest_Intervlan_Routing
permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 68
deny ip 10.253.2.0 0.0.0.255 10.253.0.0 0.0.255.255
permit ip 10.253.2.0 0.0.0.255 0.0.0.0 0.0.0.0
exit
If this ACL works (you can get a DHCP address), then you'll have to write the proper ACL, something like this (this is just an example):
ip access-list Deny_Guest_Intervlan_Routing
! DHCPDISCOVER
permit udp 0.0.0.0 0.0.0.0 eq 68 255.255.255.255 0.0.0.0 eq 67
! DHCPOFFER
permit udp <dhcp_server_ip> 0.0.0.0 eq 67 255.255.255.255 0.0.0.0 eq 68
! DHCPINFORM
permit udp 10.253.2.0 0.0.0.255 eq 68 255.255.255.255 0.0.0.0 eq 67
! DHCPACK
permit udp 10.253.2.0 0.0.0.255 eq 67 <dhcp_server_ip> 0.0.0.0 eq 68
permit udp 10.253.2.0 0.0.0.255 eq 67 255.255.255.255 0.0.0.0 eq 68
! Internal traffic
deny ip 10.253.2.0 0.0.0.255 10.253.0.0 0.0.255.255
! Internet traffic
permit ip 10.253.2.0 0.0.0.255 0.0.0.0 0.0.0.0
exit
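To see why the first ACL in this thread leaves guest clients with an APIPA address, here is a small simulator of first-match, wildcard-mask ACL evaluation with the implicit deny that ends every ACL. It is an added example written for this page, not code from the thread or from NETGEAR, and it assumes Cisco-style wildcard semantics (the original poster notes the notation matches Cisco Catalyst). Further assumptions: the sample packets are constructed; the placeholder <dhcp_server_ip> is filled with 10.253.2.1, since the posted config serves the Guest pool from the switch itself; only the client-originated DHCP rules (DISCOVER, INFORM) are kept, because an inbound SVI ACL never sees the switch's own OFFER/ACK replies; and the catch-all destination is written as 0.0.0.0 255.255.255.255 (the form the thread's DHCP test rules use) rather than the thread's 0.0.0.0 0.0.0.0, which under strict wildcard semantics matches only the host 0.0.0.0.

```python
# Added example, not code from the thread or from NETGEAR: a first-match
# simulator for wildcard-mask ACLs with the implicit deny that ends every ACL.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches every protocol; otherwise "udp", "tcp", "icmp", ...
    src: str
    src_wild: str
    src_port: Optional[int]
    dst: str
    dst_wild: str
    dst_port: Optional[int]


def wild_match(addr: str, net: str, wild: str) -> bool:
    """Wildcard-mask compare: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)


def parse_acl(text: str) -> List[Rule]:
    """Parse 'permit|deny PROTO SRC SWILD [eq P] DST DWILD [eq P]' lines.
    '!' comments, 'ip access-list ...' and 'exit' lines are skipped."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] in ("!", "ip", "exit"):
            continue
        src, src_w, i = t[2], t[3], 4
        sp = None
        if t[i] == "eq":                      # optional source port
            sp, i = int(t[i + 1]), i + 2
        dst, dst_w, i = t[i], t[i + 1], i + 2
        dp = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None   # optional dest port
        rules.append(Rule(t[0], t[1], src, src_w, sp, dst, dst_w, dp))
    return rules


def evaluate(rules: List[Rule], proto: str, src: str, dst: str,
             sport: Optional[int] = None, dport: Optional[int] = None) -> str:
    """Return 'permit' or 'deny' for one packet: the first matching rule wins."""
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if not (wild_match(src, r.src, r.src_wild) and wild_match(dst, r.dst, r.dst_wild)):
            continue
        if r.src_port is not None and r.src_port != sport:
            continue
        if r.dst_port is not None and r.dst_port != dport:
            continue
        return r.action
    return "deny"   # implicit deny: no rule matched

# "any" is spelled as address 0.0.0.0 with an all-ones wildcard (assumption, see lead-in).
ANY = "0.0.0.0 255.255.255.255"

# The original post's ACL: one deny per internal /24, then permit to anywhere.
ORIGINAL_ACL = parse_acl(
    "\n".join(f"deny ip 10.253.2.0 0.0.0.255 10.253.{n}.0 0.0.0.255"
              for n in (0, 1, 3, 4, 5, 6, 7, 8, 9, 11))
    + f"\npermit ip 10.253.2.0 0.0.0.255 {ANY}")

# Supernet variant suggested in the thread: one deny covers all of 10.253.0.0/16.
SUPERNET_ACL = parse_acl(f"""
deny ip 10.253.2.0 0.0.0.255 10.253.0.0 0.0.255.255
permit ip 10.253.2.0 0.0.0.255 {ANY}
""")

# DHCP-aware variant from the thread, client-originated rules only; the
# <dhcp_server_ip> placeholder is not needed for those (assumption: switch is the server).
DHCP_AWARE_ACL = parse_acl(f"""
! DHCPDISCOVER
permit udp 0.0.0.0 0.0.0.0 eq 68 255.255.255.255 0.0.0.0 eq 67
! DHCPINFORM
permit udp 10.253.2.0 0.0.0.255 eq 68 255.255.255.255 0.0.0.0 eq 67
! Internal traffic
deny ip 10.253.2.0 0.0.0.255 10.253.0.0 0.0.255.255
! Internet traffic
permit ip 10.253.2.0 0.0.0.255 {ANY}
""")

# Constructed sample packets as they arrive inbound on the Guest SVI (not from the thread).
PACKETS = [
    ("dhcp-discover", "udp", "0.0.0.0", "255.255.255.255", 68, 67),
    ("guest->internal-dns", "udp", "10.253.2.50", "10.253.3.2", 50000, 53),
    ("guest->vlan455-transit", "icmp", "10.253.2.50", "10.253.255.1", None, None),
    ("guest->internet", "tcp", "10.253.2.50", "203.0.113.10", 50001, 443),
]


def run(rules: List[Rule]) -> dict:
    """Evaluate every sample packet against one ACL; returns {label: verdict}."""
    return {label: evaluate(rules, proto, s, d, sp, dp)
            for label, proto, s, d, sp, dp in PACKETS}


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("supernet", SUPERNET_ACL),
                      ("dhcp-aware", DHCP_AWARE_ACL)):
        print(name, run(acl))
```

Running it reproduces what the thread reports: under both the original and the supernet ACL, a DHCPDISCOVER (source 0.0.0.0, destination 255.255.255.255) matches none of the guest-sourced rules and falls into the implicit deny, so no lease is ever requested and the client self-assigns an APIPA address, while the DHCP-aware ACL permits it and still denies guest-to-internal traffic. The simulation also exposes a gap in the per-subnet list: 10.253.255.0/24 (VLAN 455 in the posted config) is not among the denied destinations, whereas the supernet rule covers it. On the real switch the `0.0.0.0 0.0.0.0` catch-all is worth checking with a test client (and the ACL's hit counters, if the firmware exposes them) before trusting it.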
8 Replies
- DaneA (NETGEAR Employee Retired)
Hi ChristopheVL,
Welcome to the community! :)
Kindly answer the questions below:
a. Was this working fine before?
b. Does the ACL work even though the SSIDs do not appear on the laptops?
Let me share this article as a reference guide; check whether the SSIDs are detected by the laptops when ACLs are applied.
Regards,
DaneA
NETGEAR Community Team
- ChristopheVL (Aspirant)
Hi DaneA,
A. This is a new config!
B. No, it doesn't work.
Can you give me an article for this switch, because this is an L2+ with router capabilities?
Can you give me an example of how to configure it through the CLI?
Thanks in advance
- Retired_Member
For the ACL, if you only want guests to talk to the Internet, you could use supernetting to simplify your ACL:
ip access-list Deny_Guest_Intervlan_Routing
deny ip 10.253.2.0 0.0.0.255 10.253.0.0 0.0.255.255
permit ip 10.253.2.0 0.0.0.255 0.0.0.0 0.0.0.0
exit
interface vlan 202
routing
ip address 10.253.2.1 255.255.255.0
ip access-group Deny_Guest_Intervlan_Routing vlan 202 in
exit
(Wireless client separation on the AP is also a good idea)
It sounds really weird that applying an ACL on a switch disables a broadcast SSID on an AP.
Something I've seen before: on NETGEAR APs, in IP settings, there is an option called Network Integrity Check. If you enable that and the AP can't reach the network (I presume its default gateway), it turns off the radio. For example, if your AP is wrongly in the guest VLAN and you filter its traffic, it would create this.
- ChristopheVL (Aspirant)
Hi Jak,
I tried to apply the ACL again.
The SSID stays, but I get an APIPA address. No DHCP server found.
I applied it inbound on SVI 202.
Whenever I do these ACLs on a Cisco Catalyst I don't have any problem.
The string notation is very similar on this NETGEAR.