qos ip-acl and Inter VLAN traffic filtering 4826GTS

(OP)
I have a 4826GTS with Operational Software: FW:5.8.0.1 SW:v5.6.3.024.

I have 6 VLANs with the following IP assignment:
1: Data & management 10.10.80.0/24
211: Voice 172.16.0.0/16
212: Printer 10.10.85.0/24
213: AP 10.10.82.0/24
214: Internet 10.10.83.0 GW 10.10.83.1 / DHCP
215: External users 10.10.84.0/24

Inter VLAN routing is on.

Switch01#sh ip route
0.0.0.0 0.0.0.0 10.10.80.230 1 1 16 S IB 5
172.16.80.0 255.255.255.0 172.16.80.228 1 211 ---- C DB 0
10.10.80.0 255.255.255.0 10.10.80.228 1 1 ---- C DB 0
10.10.83.0 255.255.255.0 10.10.83.228 1 214 ---- C DB 0
10.10.85.0 255.255.255.0 10.10.85.228 1 212 ---- C DB 0
10.10.86.0 255.255.255.0 10.10.86.228 1 213 ---- C DB 0

The Data VLAN has its own default route, and the Internet VLAN has its own gateway, which is assigned via DHCP.
I have 2 access points connected to ports 22 and 23, and the PVID is set to 213.
Ports 22 and 23 are members of VLANs 1, 214, 214, 215.
The Internet modem is connected to port 24, and the PVID is set to 214.

My requirements:
WiFi users must only have access to the Internet and Printer VLANs.
Printers should also be available to the Data VLAN.
Data VLAN users must not be able to access the Internet or the Internet VLAN.

I applied the following access list on AP ports 22 and 23. With this ACL applied, WiFi clients could not reach the networks.

qos ip-acl name test_filtering dst-ip 10.10.85.0/24 block b1
qos ip-acl name test_filtering dst-ip 10.10.83.0/24 block b1
qos ip-acl name test_filtering dst-ip 10.10.0.0/16 drop-action enable block b2
qos ip-acl name test_filtering drop-action disable
qos acl-assign port 22-23 acl-type ip name test_filtering

I know this ACL cannot stop Data VLAN users from accessing the Internet VLAN.

Is there any misconfiguration in this ACL? Should I change something?

Please let me know if I can provide more details about this network plan.

Thanks in advance.


Switch01#show qos ip-acl

Id: 1
Name: test_filtering
Block: b1
Address Type: IPv4
Destination Addr/Mask: 10.10.83.0/24
Source Addr/Mask: Ignore
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: Ignore
Destination L4 Port Min: Ignore
Destination L4 Port Max: Ignore
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: No
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile

Id: 2
Name: test_filtering
Block: b1
Address Type: IPv4
Destination Addr/Mask: 10.10.85.0/24
Source Addr/Mask: Ignore
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: Ignore
Destination L4 Port Min: Ignore
Destination L4 Port Max: Ignore
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: No
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile

Id: 3
Name: test_filtering
Block: b2
Address Type: IPv4
Destination Addr/Mask: 10.10.0.0/16
Source Addr/Mask: Ignore
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: Ignore
Destination L4 Port Min: Ignore
Destination L4 Port Max: Ignore
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: Yes
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile

Id: 4
Name: test_filtering
Block:
Address Type: IPv4
Destination Addr/Mask: Ignore
Source Addr/Mask: Ignore
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: Ignore
Destination L4 Port Min: Ignore
Destination L4 Port Max: Ignore
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: No
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile
Switch01#
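An offline check of the posted ACL against the posted requirements, added here as an example and not part of the original post or of any Avaya/Nortel tooling. It models the four classifier entries from the `show qos ip-acl` output as an ordered list and evaluates sample destinations under assumed semantics: entries are tried in id order, the first match decides, and the trailing entry with no match fields (`drop-action disable`) acts as a permit-all default. Those semantics, the sample hosts, and the requirement table are assumptions for the demonstration; the switch's actual matching rules should be confirmed against the ERS 4800 documentation. Because every entry has `Source Addr/Mask: Ignore`, the source address plays no part in the verdict, so it is not modelled.

```python
"""Offline model of an ordered IP ACL, used to check the posted policy
against the stated requirements before touching the switch.

Assumed semantics (example only, not verified against ERS 4800 docs):
entries are evaluated in id order, the first match decides, and an entry
whose destination is 'Ignore' matches every packet, so the trailing
'drop-action disable' entry acts as a permit-all default.
"""
from ipaddress import ip_address, ip_network

# Classifier entries transcribed from the thread's `show qos ip-acl` output.
# Source address is 'Ignore' on every entry, so only dst is modelled.
ACL = [
    {"id": 1, "block": "b1", "dst": "10.10.83.0/24", "drop": False},
    {"id": 2, "block": "b1", "dst": "10.10.85.0/24", "drop": False},
    {"id": 3, "block": "b2", "dst": "10.10.0.0/16",  "drop": True},
    {"id": 4, "block": None, "dst": None,            "drop": False},
]


def evaluate(acl, dst):
    """Return (action, entry_id) for a packet to dst under first-match semantics."""
    addr = ip_address(dst)
    for entry in acl:
        if entry["dst"] is None or addr in ip_network(entry["dst"]):
            return ("drop" if entry["drop"] else "permit"), entry["id"]
    # No catch-all entry matched: report a drop so a missing default is visible.
    return "drop", None


# Requirements as the OP stated them for WiFi clients ("only access to the
# Internet and Printer VLANs"). Hosts are constructed for the example; the
# voice and external-user rows probe segments the ACL does not name.
REQUIREMENTS = [
    ("WiFi -> printer VLAN 212",   "10.10.85.10",  "permit"),
    ("WiFi -> Internet GW",        "10.10.83.1",   "permit"),
    ("WiFi -> Internet host",      "198.51.100.7", "permit"),
    ("WiFi -> data VLAN 1",        "10.10.80.10",  "drop"),
    ("WiFi -> extern users 215",   "10.10.84.10",  "drop"),
    ("WiFi -> voice VLAN 211",     "172.16.0.10",  "drop"),
]


def audit(acl, requirements):
    """Evaluate each requirement; return rows of (name, expected, actual, entry_id, ok)."""
    rows = []
    for name, dst, expected in requirements:
        actual, hit = evaluate(acl, dst)
        rows.append((name, expected, actual, hit, actual == expected))
    return rows


def failures(acl, requirements):
    """Names of the requirements the ACL does not satisfy."""
    return [row[0] for row in audit(acl, requirements) if not row[4]]


if __name__ == "__main__":
    for name, expected, actual, hit, ok in audit(ACL, REQUIREMENTS):
        status = "OK  " if ok else "FAIL"
        print(f"{status} {name:26s} expected={expected:6s} got={actual:6s} (entry {hit})")
```

Run as a script, the audit passes every row except the voice VLAN: 172.16.0.0/16 is outside the 10.10.0.0/16 drop entry, so it falls through to the permit-all default. Whatever the cause of the connectivity problem the OP reports, a model like this makes it cheap to see which destinations each entry actually covers before the ACL is re-applied to ports 22-23.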
