Forum Discussion
ChristopheVL
May 26, 2016, Aspirant
ACL vlan M4100
Dear, We would like to create an access list to isolate our Guest Wi-Fi network from all the other VLANs. When I do so, the other SSIDs disappear from our laptops. I have applied the access l...
ChristopheVL
May 31, 2016, Aspirant
Hi Jak,
I tried to apply the ACL again.
The SSID stays, but I get an APIPA address. No DHCP server found.
I applied it inbound on SVI 202.
Whenever I do these ACLs on a Cisco Catalyst I don't have any problem.
The string notation is very similar on this NETGEAR.
Retired_Member
Jun 01, 2016
Maybe it's filtering the DHCP packets.
To troubleshoot, try to add a rule to allow DHCP packets.
Example: (this is obviously NOT the exact rule to match only DHCP packets, but just a simple rule for the test)
ip access-list Deny_Guest_Intervlan_Routing
permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 68
deny ip 10.253.2.0 0.0.0.255 10.253.0.0 0.0.255.255
permit ip 10.253.2.0 0.0.0.255 0.0.0.0 0.0.0.0
exit
If this ACL works (you can get a DHCP address), then you'll have to write the proper ACL, something like (this is just an example):
ip access-list Deny_Guest_Intervlan_Routing
! DHCPDISCOVER
permit udp 0.0.0.0 0.0.0.0 eq 68 255.255.255.255 0.0.0.0 eq 67
! DHCPOFFER
permit udp <dhcp_server_ip> 0.0.0.0 eq 67 255.255.255.255 0.0.0.0 eq 68
! DHCPINFORM
permit udp 10.253.2.0 0.0.0.255 eq 68 255.255.255.255 0.0.0.0 eq 67
! DHCPACK
permit udp 10.253.2.0 0.0.0.255 eq 67 <dhcp_server_ip> 0.0.0.0 eq 68
permit udp 10.253.2.0 0.0.0.255 eq 67 255.255.255.255 0.0.0.0 eq 68
! Internal traffic
deny ip 10.253.2.0 0.0.0.255 10.253.0.0 0.0.255.255
! Internet traffic
permit ip 10.253.2.0 0.0.0.255 0.0.0.0 0.0.0.0
exit
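To check what a rule list like the one above does before it goes onto the SVI, here is an added example (not code from the thread, and not NETGEAR or M4100 code): a small Python evaluator for wildcard-mask rules in the notation used in this thread, with first-match semantics and an implicit deny at the end of the list. It loads the client-to-server part of the proposed ACL (the packets an inbound ACL on the guest SVI actually sees), with an assumed DHCP server address of 10.253.1.10 standing in for `<dhcp_server_ip>`, and runs constructed sample packets through it. It also compares the two ways the "Internet traffic" line can be written: under the wildcard convention the thread itself uses (0.0.0.255 for a /24, 255.255.255.255 for any), a destination of `0.0.0.0 0.0.0.0` pins the single host 0.0.0.0, while `0.0.0.0 255.255.255.255` matches any destination.

```python
"""Wildcard-mask ACL evaluator: added example, not NETGEAR/M4100 code.

Rules use the thread's notation:
  permit|deny <proto> <src> <src-wildcard> [eq <port>] <dst> <dst-wildcard> [eq <port>]
A wildcard bit of 1 means "don't care": 0.0.0.255 covers a /24,
255.255.255.255 covers any address, 0.0.0.0 pins one exact host.
Rules are tried in order; the first match decides; no match means deny.
"""
import ipaddress
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    action: str
    proto: str
    src: int
    src_wc: int
    sport: Optional[int]
    dst: int
    dst_wc: int
    dport: Optional[int]
    text: str


def _ip(dotted):
    return int(ipaddress.IPv4Address(dotted))


def parse_rule(line):
    t = line.split()
    action, proto, i = t[0], t[1], 2
    src, src_wc, i = _ip(t[i]), _ip(t[i + 1]), i + 2
    sport = None
    if i < len(t) and t[i] == "eq":
        sport, i = int(t[i + 1]), i + 2
    dst, dst_wc, i = _ip(t[i]), _ip(t[i + 1]), i + 2
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = int(t[i + 1])
    return Rule(action, proto, src, src_wc, sport, dst, dst_wc, dport, line)


def parse_acl(config):
    """Keep only permit/deny lines; skip the list header, '!' comments and 'exit'."""
    return [parse_rule(l.strip()) for l in config.splitlines()
            if l.strip().startswith(("permit", "deny"))]


def _addr_matches(addr, base, wildcard):
    # Bits set in the wildcard are ignored; all other bits must equal the base.
    return (addr & ~wildcard) == (base & ~wildcard)


def evaluate(rules, proto, src, sport, dst, dport):
    """Return (action, rule text) of the first matching rule, else the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if not _addr_matches(s, r.src, r.src_wc) or not _addr_matches(d, r.dst, r.dst_wc):
            continue
        if r.sport is not None and r.sport != sport:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r.text
    return "deny", "<implicit deny at end of list>"


# Client-originated rules of the ACL proposed above; 10.253.1.10 is an
# assumed DHCP server address, not a value from the thread.
GUEST_ACL = """
ip access-list Deny_Guest_Intervlan_Routing
! DHCPDISCOVER: client has no address yet
permit udp 0.0.0.0 0.0.0.0 eq 68 255.255.255.255 0.0.0.0 eq 67
! DHCPINFORM / broadcast renew from an addressed guest client
permit udp 10.253.2.0 0.0.0.255 eq 68 255.255.255.255 0.0.0.0 eq 67
! unicast renew straight to the DHCP server (must precede the deny)
permit udp 10.253.2.0 0.0.0.255 eq 68 10.253.1.10 0.0.0.0 eq 67
! Internal traffic: guests may not reach the rest of 10.253.0.0/16
deny ip 10.253.2.0 0.0.0.255 10.253.0.0 0.0.255.255
! Internet traffic: all-ones wildcard means "any destination"
permit ip 10.253.2.0 0.0.0.255 0.0.0.0 255.255.255.255
exit
"""

# Constructed sample packets: (label, proto, src, sport, dst, dport)
SAMPLE_PACKETS = [
    ("DHCPDISCOVER", "udp", "0.0.0.0", 68, "255.255.255.255", 67),
    ("DHCP broadcast renew", "udp", "10.253.2.19", 68, "255.255.255.255", 67),
    ("DHCP unicast renew", "udp", "10.253.2.19", 68, "10.253.1.10", 67),
    ("guest -> internal SMB", "tcp", "10.253.2.19", 51000, "10.253.5.10", 445),
    ("guest -> gateway ping", "icmp", "10.253.2.19", None, "10.253.2.1", None),
    ("guest -> 8.8.8.8 DNS", "udp", "10.253.2.19", 53000, "8.8.8.8", 53),
]


def evaluate_samples(acl_text=GUEST_ACL):
    rules = parse_acl(acl_text)
    return {label: evaluate(rules, *pkt)[0] for label, *pkt in SAMPLE_PACKETS}


def internet_rule_decision(dst_wildcard):
    """Decision for guest -> 8.8.8.8 when only the final permit is present, written with dst_wildcard."""
    rules = parse_acl(f"permit ip 10.253.2.0 0.0.0.255 0.0.0.0 {dst_wildcard}")
    return evaluate(rules, "udp", "10.253.2.19", 53000, "8.8.8.8", 53)[0]


if __name__ == "__main__":
    for label, action in evaluate_samples().items():
        print(f"{action:6s} {label}")
    for wc in ("0.0.0.0", "255.255.255.255"):
        print(f"Internet line with destination wildcard {wc}: {internet_rule_decision(wc)}")
```

The gateway ping is denied on purpose: 10.253.2.1 falls inside 10.253.0.0/16, which matches the expectation later in this thread that the gateway should not answer pings once the ACL is enabled. The evaluator only models address, protocol and port matching; it says nothing about how the switch handles the server-to-client direction, which an inbound ACL on the SVI does not see.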
ChristopheVL
Jun 03, 2016, Aspirant
Hi Jak,
For some reason I do receive an IP again with just a normal ACL
deny ip 10.253.2.0 0.0.0.255 10.253.0.0 0.0.255.255
permit ip 10.253.2.0 0.0.0.255 0.0.0.0 0.0.0.0
but on the NIC it's marked "limited".
IP 10.253.2.19 255.255.255.0 gateway 10.253.2.1
dns 8.8.8.8
I don't understand why it's blocking network access if I compare it with a Cisco ACL. It's obviously correct.
Do you see something wrong in my config in the first post?
Retired_Member
Jun 07, 2016
ChristopheVL wrote:
deny ip 10.253.2.0 0.0.0.255 10.253.0.0 0.0.255.255
permit ip 10.253.2.0 0.0.0.255 0.0.0.0 0.0.0.0
This ACL is enough to block all local traffic from 10.253.2.0/24 (to 10.253.0.0/16), and allow Internet traffic from the same subnet.
Even though you don't need to allow traffic from 10.253.2.0/24 to its default gateway, you do need to allow traffic to the DNS servers (if they're in 10.253.0.0/16).
In the initial config, you had:
ip dhcp pool "Guest"
lease 0 12 0
dns-server 8.8.8.8 8.8.4.4
default-router 10.253.2.1
network 10.253.2.0 255.255.255.0
domain-name secit-guest.be
netbios-node-type b-node
exit
Which would mean that you're using external DNS servers. If you're not, you'll have to allow traffic from 10.253.2.0/24 to the DNS server(s), deny to 10.253.0.0/16, and allow Internet.
The NIC being marked as "limited" is not enough information to debug what's happening.
- Can you ping the DNS servers while the ACL is disabled (should be yes)? enabled (should be yes)?
- Can you ping the default gateway while the ACL is disabled (should be yes)? enabled (should be no)?
- Can you resolve google.com while the ACL is disabled (should be yes)? enabled (should be yes)?
- Do you get correct IP, gateway, DNS from the DHCP server while the ACL is disabled (should be yes)? enabled (should be yes)?
- Can you browse the Internet (despite the NIC being marked as "limited") while the ACL is disabled (should be yes)? enabled (should be yes)?
- Try ipconfig /release, ipconfig /renew, and verify above again.
etc.
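The checklist above is really a two-column matrix (ACL disabled, ACL enabled) with an expected answer in each cell. Here is an added example, not part of the thread, that encodes those expectations and classifies what a guest laptop actually observes: a probe that already fails with the ACL disabled is not an ACL problem, whereas one that only changes when the ACL is enabled points at the rules. The probe functions use only `ping` and the OS resolver; the DHCP check treats a 169.254.0.0/16 (APIPA) address as "no lease". The observations at the bottom are constructed for the offline demonstration and are not measurements from the thread.

```python
"""Guest-VLAN ACL check matrix: added example, not from the thread.

Run run_probes() once with the ACL disabled and once with it enabled,
then pass both result dicts to diagnose(). Probes that cannot be
automated here (browsing) are simply left out of the matrix.
"""
import ipaddress
import platform
import socket
import subprocess

# (expected with ACL disabled, expected with ACL enabled), from the checklist above
EXPECTED = {
    "ping_dns": (True, True),
    "ping_gateway": (True, False),
    "resolve_name": (True, True),
    "dhcp_lease": (True, True),
}


def is_apipa(addr):
    """True for a 169.254.0.0/16 address, i.e. the NIC got no DHCP lease."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network("169.254.0.0/16")


def ping(host, timeout_s=3):
    """One ICMP echo via the OS ping command; False on loss, timeout or no ping binary."""
    count_flag = "-n" if platform.system() == "Windows" else "-c"
    try:
        done = subprocess.run(["ping", count_flag, "1", host],
                              capture_output=True, timeout=timeout_s)
        return done.returncode == 0
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False


def resolves(name="google.com"):
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def run_probes(dns_ip, gateway_ip):
    """Run the automatable part of the checklist once and return the observations."""
    try:
        local = socket.gethostbyname(socket.gethostname())
    except socket.gaierror:
        local = "169.254.0.0"  # no resolvable local address: treat like APIPA
    return {
        "ping_dns": ping(dns_ip),
        "ping_gateway": ping(gateway_ip),
        "resolve_name": resolves(),
        "dhcp_lease": not is_apipa(local),
    }


def diagnose(observed_disabled, observed_enabled):
    """Map each probe to ok / baseline-failure / acl-impact / not-observed."""
    verdicts = {}
    for probe, (exp_off, exp_on) in EXPECTED.items():
        if probe not in observed_disabled or probe not in observed_enabled:
            verdicts[probe] = "not-observed"
        elif observed_disabled[probe] != exp_off:
            verdicts[probe] = "baseline-failure"  # wrong before the ACL is involved
        elif observed_enabled[probe] != exp_on:
            verdicts[probe] = "acl-impact"        # only the ACL changes the result
        else:
            verdicts[probe] = "ok"
    return verdicts


# Constructed observations (not from the thread): lease obtained, gateway
# blocked as intended, but DNS reachability and name resolution lost once
# the ACL is enabled.
SAMPLE_DISABLED = {"ping_dns": True, "ping_gateway": True, "resolve_name": True, "dhcp_lease": True}
SAMPLE_ENABLED = {"ping_dns": False, "ping_gateway": False, "resolve_name": False, "dhcp_lease": True}

if __name__ == "__main__":
    for probe, verdict in diagnose(SAMPLE_DISABLED, SAMPLE_ENABLED).items():
        print(f"{probe:14s} {verdict}")
```

With the constructed sample, `ping_gateway` reports "ok" because the gateway is supposed to stop answering once the ACL is on, while `ping_dns` and `resolve_name` report "acl-impact", which is the case the reply above covers: DNS servers inside 10.253.0.0/16 need their own permit ahead of the deny.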
ChristopheVL
Jun 07, 2016, Aspirant
Hi Jak,
Would you have an update for me?
Kind regards,
christophe