NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.

Forum Discussion

ChristopheVL's avatar
ChristopheVL
Aspirant
May 26, 2016
Solved

ACL vlan M4100

Dear,   We would like to create an access list to isolate our Guest Wifi network from all the other vlan. When i do so, the other SSID's diseapper from our laptops.   I have applied the access l...
Troubleshooting
  • Retired_Member's avatar
    Retired_Member
    Jun 01, 2016

    Maybe it's filtering the DHCP packets.

    To troubleshoot, try to add a rule to allow DHCP packets.

    Example: (this is obviously NOT the exact rule to match only DHCP packets, but just a simple rule for the test)

     

     

    ip access-list Deny_Guest_Intervlan_Routing
      permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
      permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 68
  deny ip 10.253.2.0 0.0.0.255 10.253.0.0 0.0.255.255
  permit ip 10.253.2.0 0.0.0.255 0.0.0.0 0.0.0.0
exit

    If this ACL works (you can get DHCP address), then you'll have to write the proper ACL, something like (this is just an example):

    ip access-list Deny_Guest_Intervlan_Routing
      ! DHCPDISCOVER
      permit udp 0.0.0.0 0.0.0.0 eq 68 255.255.255.255 0.0.0.0 eq 67
      ! DHCPOFFER
      permit udp <dhcp_server_ip> 0.0.0.0 eq 67 255.255.255.255 0.0.0.0 eq 68
      ! DHCPINFORM
      permit udp 10.253.2.0 0.0.0.255 eq 68 255.255.255.255 0.0.0.0 eq 67
      ! DHCPACK
      permit udp 10.253.2.0 0.0.0.255 eq 67 <dhcp_server_ip> 0.0.0.0 eq 68
      permit udp 10.253.2.0 0.0.0.255 eq 67 255.255.255.255 0.0.0.0 eq 68
      ! Internal traffic
  deny ip 10.253.2.0 0.0.0.255 10.253.0.0 0.0.255.255
      ! Internet traffic
  permit ip 10.253.2.0 0.0.0.255 0.0.0.0 0.0.0.0
exit

     

DaneA's avatar
DaneA
NETGEAR Employee Retired
May 26, 2016

Hi ChristopheVL,

 

Welcome to the community! :) 

 

Kindly answer the questions below:

 

a. Was this working fine before?

b. Does the ACL works even though the SSIDs do not appear on the laptops?

 

Let me share this article as reference guide and check if the SSIDs will be detected by the laptops when ACLs are applied.  

 

 

Regards,

 

DaneA

NETGEAR Community Team

  • ChristopheVL's avatar
    ChristopheVL
    Aspirant
    May 27, 2016

    Hi DaneA,

     

    A. This is a new config!

    B. No it doesn't work.

     

    Can you give me an article for this switch, because this is a L2+ with router capibilities

    Can you give me an example on how you configure it true cli?

     

    Thanks in advance

NETGEAR Academy

Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology! 

Join Us!

ProSupport for Business

Comprehensive support plans for maximum network uptime and business peace of mind.

 

Learn More