topic Re: Problems with ACLs. in Switches, Hubs, and Modems

Problems with ACLs.

MrMacro — Thu, 02 Dec 2010 16:56:17 GMT

Any help would be most appreciated. I have a 5406zl and 2600 switch configured with multiple VLANs. We have a perimeter firewall on the default vlan (id:1) and have recently introduced a Wireless/Guest VLAN (id:30).

What I would like to do, is to restrict all access from the Wireless/Guest VLAN to only the perimeter firewall and beyond.

So effectively, if the firewall is on 192.168.1.1 and the Guest VLAN is 192.168.10.0 I want all traffic coming from the 192.168.10.0 network to be restricted to the firewall on 192.168.1.1 and not be able to access anything else on the default vlan.

Any help would be most appreciated.

Thanks for looking.

Re: Problems with ACLs.

Pieter 't Hart — Fri, 03 Dec 2010 08:17:30 GMT

Simpelest way is NOT to configure routing between the gest VLAN and the default vlan.
Then you don't need to fiddle with ACL's.

- Only the firewall needs an ip-adress in this vlan.
- If the switch is configured for routing, don't give it an ip-adress in this guest vlan.
- Don't give any other switch an ip-adress in this guest vlan.

The switches will forward packets on layer-2 to other ports in the same vlan as if it was a physical separate network.

NB! you may want to add another vlan to make your access-point reachable for management.
Offcourse your AP's must support this.

Re: Problems with ACLs.

MrMacro — Mon, 06 Dec 2010 21:57:48 GMT

I like your bit of lateral thinking... however, though I don't doubt that your method doesn't work, I managed to implement the appropriate ACLs, but thanks for your help.

Re: Problems with ACLs.

Pieter 't Hart — Tue, 07 Dec 2010 07:32:49 GMT

As it was not the solution to your question, 10 points is a bit high.
But thanks very much, you flipped me over the 2500 points and changed my hat from wizzard to royalty.