qos ip-acl and Inter VLAN traffic filtering 4826GTS

Status
Not open for further replies.

nodeisup

Technical User
May 6, 2015
6
DE
I have a 4826GTS with Operational Software: FW:5.8.0.1 SW:v5.6.3.024.

I have 6 VLANs with the following IP assignment:
1: Data & management 10.10.80.0/24
211: Voice 172.16.0.0 /16
212: Printer 10.10.85.0/24
213: AP 10.10.82.0/24
214: Internet 10.10.83.0 GW 10.10.83.1 / DHCP
215: Extern users 10.10.84.0/24

Inter VLAN routing is on.

Switch01#sh ip route
0.0.0.0 0.0.0.0 10.10.80.230 1 1 16 S IB 5
172.16.80.0 255.255.255.0 172.16.80.228 1 211 ---- C DB 0
10.10.80.0 255.255.255.0 10.10.80.228 1 1 ---- C DB 0
10.10.83.0 255.255.255.0 10.10.83.228 1 214 ---- C DB 0
10.10.85.0 255.255.255.0 10.10.85.228 1 212 ---- C DB 0
10.10.86.0 255.255.255.0 10.10.86.228 1 213 ---- C DB 0

The Data VLAN has its own default routing and the Internet VLAN has its own gateway that is assigned per DHCP.
I have 2 access points that are connected to ports 22,23 and the PVID is set to 213.
Ports 22,23 are members of VLANs 1,214,214,215.
Internet modem is connected to port 24 and PVID is set to 214.

My requirements:
WiFi users must have access only to the Internet and printer VLANs.
Printers should also be available for the Data VLAN.
Data VLAN users should not get access to the Internet or the Internet VLAN.

I provided the following access list on AP ports 22,23. After applying this ACL, WiFi clients could not reach the networks.

qos ip-acl name test_filtering dst-ip 10.10.85.0/24 block b1
qos ip-acl name test_filtering dst-ip 10.10.83.0/24 block b1
qos ip-acl name test_filtering dst-ip 10.10.0.0/16 drop-action enable block b2
qos ip-acl name test_filtering drop-action disable
qos acl-assign port 22-23 acl-type ip name test_filtering

I know this ACL cannot filter data users from accessing the Internet VLAN.

Is there any misconfiguration in this ACL? Should I change something?

Please let me know if I can provide you with more details about this network plan.

Thanks in advance.


Switch01#show qos ip-acl

Id: 1
Name: test_filtering
Block: b1
Address Type: IPv4
Destination Addr/Mask: 10.10.83.0/24
Source Addr/Mask: Ignore
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: Ignore
Destination L4 Port Min: Ignore
Destination L4 Port Max: Ignore
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: No
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile

Id: 2
Name: test_filtering
Block: b1
Address Type: IPv4
Destination Addr/Mask: 10.10.85.0/24
Source Addr/Mask: Ignore
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: Ignore
Destination L4 Port Min: Ignore
Destination L4 Port Max: Ignore
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: No
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile

Id: 3
Name: test_filtering
Block: b2
Address Type: IPv4
Destination Addr/Mask: 10.10.0.0/16
Source Addr/Mask: Ignore
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: Ignore
Destination L4 Port Min: Ignore
Destination L4 Port Max: Ignore
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: Yes
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile

Id: 4
Name: test_filtering
Block:
Address Type: IPv4
Destination Addr/Mask: Ignore
Source Addr/Mask: Ignore
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: Ignore
Destination L4 Port Min: Ignore
Destination L4 Port Max: Ignore
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: No
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile
Switch01#
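
Added example, not part of the original post and not vendor tooling: a small Python model that replays the four test_filtering entries from the "show qos ip-acl" output against the WiFi requirements stated above and lists destinations whose outcome differs from the requirement. The first-match-in-Id-order evaluation is an assumption about the switch, and the sample destination addresses are constructed.

```python
import ipaddress

# Entries in the Id order shown by "show qos ip-acl" in the post:
# (block, destination network or None for "Ignore", Action Drop)
ACL = [
    ("b1", "10.10.83.0/24", False),
    ("b1", "10.10.85.0/24", False),
    ("b2", "10.10.0.0/16", True),
    ("", None, False),
]

# Constructed sample destinations with the outcome the post's WiFi
# requirements call for (True = must be reachable from ports 22-23).
WIFI_POLICY = [
    ("10.10.85.20", "printer VLAN 212", True),
    ("10.10.83.1", "Internet VLAN 214 gateway", True),
    ("192.0.2.10", "Internet host (documentation address)", True),
    ("10.10.80.15", "data VLAN 1", False),
    ("10.10.84.7", "extern users VLAN 215", False),
    ("172.16.80.10", "voice VLAN 211", False),
]

def evaluate(dst, acl=ACL):
    """Return (entry Id, dropped) for dst.

    ASSUMPTION: entries are checked in Id order and the first match
    decides; the switch's real block/precedence handling may differ.
    """
    addr = ipaddress.ip_address(dst)
    for entry_id, (_block, net, drop) in enumerate(acl, start=1):
        if net is None or addr in ipaddress.ip_network(net):
            return entry_id, drop
    return None, False  # no entry matched: treated as forwarded

def policy_gaps(policy=WIFI_POLICY, acl=ACL):
    """List destinations whose modelled outcome differs from the requirement."""
    gaps = []
    for dst, label, must_reach in policy:
        entry_id, dropped = evaluate(dst, acl)
        # Gap: required but dropped, or forbidden but forwarded.
        if must_reach == dropped:
            gaps.append((dst, label, entry_id, "dropped" if dropped else "forwarded"))
    return gaps

if __name__ == "__main__":
    for gap in policy_gaps():
        print("mismatch:", gap)
```

Under this model the only mismatch is the voice VLAN: 172.16.0.0/16 lies outside the 10.10.0.0/16 drop entry, so it falls through to the final entry with Action Drop: No.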
 