Forum Discussion
ChristopheVL
May 26, 2016, Aspirant
ACL vlan M4100
Dear, We would like to create an access list to isolate our Guest Wifi network from all the other VLANs. When I do so, the other SSIDs disappear from our laptops. I have applied the access l...
Retired_Member
May 28, 2016
For the ACL, if you only want guests to talk to the Internet, you could use supernetting to simplify your ACL:
ip access-list Deny_Guest_Intervlan_Routing
deny ip 10.253.2.0 0.0.0.255 10.253.0.0 0.0.255.255
permit ip 10.253.2.0 0.0.0.255 0.0.0.0 0.0.0.0
exit
interface vlan 202
routing
ip address 10.253.2.1 255.255.255.0
ip access-group Deny_Guest_Intervlan_Routing vlan 202 in
exit
(Wireless client separation on the AP is also a good idea)
It sounds really weird that applying an ACL on a switch disables a broadcast SSID on an AP.
Something I've seen before: on NETGEAR APs, in IP settings, there is an option called Network Integrity Check. If you enable that and the AP can't reach the network (I presume its default gateway), it turns off the radio. For example, if your AP is wrongly in the guest VLAN and you filter its traffic, it would create this.
ChristopheVL
May 31, 2016, Aspirant
Hi Jak,
I tried to apply the ACL again.
The SSID stays, but I get an APIPA address. No DHCP server found.
I applied it inbound on SVI 202.
Whenever I do these ACLs on a Cisco Catalyst I don't have any problem.
The string notation is very similar on this NETGEAR.
Retired_Member
Jun 01, 2016
Maybe it's filtering the DHCP packets.
To troubleshoot, try to add a rule to allow DHCP packets.
Example: (this is obviously NOT the exact rule to match only DHCP packets, but just a simple rule for the test)
ip access-list Deny_Guest_Intervlan_Routing
permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 68
deny ip 10.253.2.0 0.0.0.255 10.253.0.0 0.0.255.255
permit ip 10.253.2.0 0.0.0.255 0.0.0.0 0.0.0.0
exit
If this ACL works (you can get a DHCP address), then you'll have to write the proper ACL, something like (this is just an example):
ip access-list Deny_Guest_Intervlan_Routing
! DHCPDISCOVER (client has no address yet)
permit udp 0.0.0.0 0.0.0.0 eq 68 255.255.255.255 0.0.0.0 eq 67
! DHCPOFFER
permit udp <dhcp_server_ip> 0.0.0.0 eq 67 255.255.255.255 0.0.0.0 eq 68
! DHCPINFORM
permit udp 10.253.2.0 0.0.0.255 eq 68 255.255.255.255 0.0.0.0 eq 67
! DHCPACK (server port 67 to client port 68, unicast or broadcast)
permit udp <dhcp_server_ip> 0.0.0.0 eq 67 10.253.2.0 0.0.0.255 eq 68
permit udp <dhcp_server_ip> 0.0.0.0 eq 67 255.255.255.255 0.0.0.0 eq 68
! Internal traffic
deny ip 10.253.2.0 0.0.0.255 10.253.0.0 0.0.255.255
! Internet traffic
permit ip 10.253.2.0 0.0.0.255 0.0.0.0 0.0.0.0
exit
ChristopheVL
Jun 03, 2016, Aspirant
Hi Jak,
For some reason I do receive an IP again with just a normal ACL:
deny ip 10.253.2.0 0.0.0.255 10.253.0.0 0.0.255.255
permit ip 10.253.2.0 0.0.0.255 0.0.0.0 0.0.0.0
but on the NIC it's marked "limited".
IP 10.253.2.19 255.255.255.0, gateway 10.253.2.1
DNS 8.8.8.8
I don't understand why it's blocking network access if I compare it with a Cisco ACL. It's obviously correct.
Do you see something wrong in my config in the first post?
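The following is an added example, not code from the thread or from NETGEAR: a small Python evaluator for the wildcard-mask ACL syntax used in the posts above, run against the supernet ACL exactly as posted and against a variant that permits DHCP client traffic first. It makes two things visible that the thread works around by trial and error. First, a client that has no address yet sends DHCPDISCOVER and DHCPREQUEST from 0.0.0.0 to 255.255.255.255 on UDP 68 to 67, so neither "deny ip 10.253.2.0 0.0.0.255 ..." nor "permit ip 10.253.2.0 0.0.0.255 ..." matches it and the implicit deny at the end of the list drops it, which is the APIPA symptom. Second, read as a wildcard mask (the convention the thread's own DHCP rules rely on, where "255.255.255.255 0.0.0.0" is the single broadcast host), "0.0.0.0 0.0.0.0" names the single host 0.0.0.0 rather than "any", so everything except the deny rule falls through to the implicit deny; "0.0.0.0 255.255.255.255" is the unambiguous form. Whether the switch firmware treats "0.0.0.0 0.0.0.0" differently is something to confirm on the hardware. The DHCP server address 10.253.0.5, the internal host 10.253.1.10, the sample packets and the corrected ACL are assumptions of this example; the corrected ACL also assumes the DHCP server is outside the guest VLAN, so OFFER and ACK are return traffic and need no inbound rule.

```python
"""Wildcard-mask ACL evaluator (example code, not NETGEAR or Cisco software).

Accepts the rule form used in the thread:
    permit|deny PROTO SRC SRC-WILDCARD [eq PORT] DST DST-WILDCARD [eq PORT]
plus the 'any' and 'host A' shorthands, with '!' comment lines.
First match wins and the list ends in an implicit deny, as on the switch.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                      # "udp", "tcp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def addr_matches(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard semantics: a set bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def _take_endpoint(tokens: list, i: int):
    """Consume 'any' | 'host A' | 'A WILDCARD', then an optional 'eq PORT'."""
    if tokens[i] == "any":
        base, wc, i = "0.0.0.0", "255.255.255.255", i + 1
    elif tokens[i] == "host":
        base, wc, i = tokens[i + 1], "0.0.0.0", i + 2
    else:
        base, wc, i = tokens[i], tokens[i + 1], i + 2
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port, i = int(tokens[i + 1]), i + 2
    return base, wc, port, i


def parse_rule(line: str) -> dict:
    tokens = line.split("!")[0].split()   # drop a trailing '! comment'
    action, proto = tokens[0], tokens[1]
    src, src_wc, sport, i = _take_endpoint(tokens, 2)
    dst, dst_wc, dport, _ = _take_endpoint(tokens, i)
    return {"action": action, "proto": proto, "src": src, "src_wc": src_wc,
            "sport": sport, "dst": dst, "dst_wc": dst_wc, "dport": dport}


def rule_matches(rule: dict, pkt: Packet) -> bool:
    return (rule["proto"] in ("ip", pkt.proto)
            and addr_matches(pkt.src, rule["src"], rule["src_wc"])
            and addr_matches(pkt.dst, rule["dst"], rule["dst_wc"])
            and rule["sport"] in (None, pkt.sport)
            and rule["dport"] in (None, pkt.dport))


def evaluate(acl: list, pkt: Packet):
    """Return (action, rule text) of the first matching rule, or the implicit deny."""
    for line in acl:
        text = line.strip()
        if not text or text.startswith("!"):
            continue
        rule = parse_rule(text)
        if rule_matches(rule, pkt):
            return rule["action"], text
    return "deny", "(implicit deny)"


# The supernet ACL exactly as posted in the thread.
POSTED_ACL = [
    "deny ip 10.253.2.0 0.0.0.255 10.253.0.0 0.0.255.255",
    "permit ip 10.253.2.0 0.0.0.255 0.0.0.0 0.0.0.0",
]

# Corrected variant (an assumption of this example, not from the thread): DHCP client
# traffic first, then the supernet deny, then an unambiguous 'any'.  Assumes the DHCP
# server sits outside the guest VLAN, so OFFER/ACK are return traffic, not inbound.
FIXED_ACL = [
    "! client with no address yet: DISCOVER/REQUEST from 0.0.0.0 to the broadcast address",
    "permit udp 0.0.0.0 0.0.0.0 eq 68 255.255.255.255 0.0.0.0 eq 67",
    "! client renewing or sending INFORM: unicast to the server or broadcast",
    "permit udp 10.253.2.0 0.0.0.255 eq 68 0.0.0.0 255.255.255.255 eq 67",
    "deny ip 10.253.2.0 0.0.0.255 10.253.0.0 0.0.255.255",
    "permit ip 10.253.2.0 0.0.0.255 0.0.0.0 255.255.255.255",
]

# Constructed sample traffic; 10.253.0.5 is an assumed DHCP server and 10.253.1.10 an
# assumed internal host.  10.253.2.19 and the gateway 10.253.2.1 are from the thread.
SAMPLE_PACKETS = {
    "dhcp_discover": Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67),
    "dhcp_renew":    Packet("udp", "10.253.2.19", "10.253.0.5", 68, 67),
    "to_internal":   Packet("tcp", "10.253.2.19", "10.253.1.10", 50001, 445),
    "to_internet":   Packet("udp", "10.253.2.19", "8.8.8.8", 50002, 53),
    "to_gateway":    Packet("icmp", "10.253.2.19", "10.253.2.1"),
}


def trace(acl: list) -> dict:
    """Map each sample packet name to the action the ACL takes on it."""
    return {name: evaluate(acl, pkt)[0] for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, acl in (("posted", POSTED_ACL), ("fixed", FIXED_ACL)):
        for name, pkt in SAMPLE_PACKETS.items():
            action, rule = evaluate(acl, pkt)
            print(f"{label:6} {name:14} {action:6} <- {rule}")
```

Running it prints the rule each packet hits. With the ACL as posted, every sample packet ends in the implicit deny or the supernet deny, including DNS to 8.8.8.8; with the corrected list, DHCP and Internet traffic are permitted and traffic to 10.253.0.0/16 is still denied. Note that the supernet deny also covers the SVI address 10.253.2.1 itself, so guests cannot ping or reach the management plane of the gateway, which is normally what you want on a guest VLAN.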