
Author Topic: qos ip-acl and Inter VLAN traffic filtering 4826GTS  (Read 2275 times)


Offline nodeisup

qos ip-acl and Inter VLAN traffic filtering 4826GTS
« on: September 07, 2015, 08:50:12 AM »
I have a 4826GTS with Operational Software:  FW:5.8.0.1   SW:v5.6.3.024.

I have 6 VLANS with following IP assignment:
1: Data & management 10.10.80.0/24
211: Voice 172.16.0.0 /16
212: Printer 10.10.85.0/24
213: AP 10.10.82.0/24
214: Internet 10.10.83.0 GW 10.10.83.1 / DHCP
215: Extern users 10.10.84.0/24

Inter VLAN routing is on.

Switch01#sh ip route
0.0.0.0         0.0.0.0         10.10.80.230  1        1    16    S  IB     5
172.16.80.0     255.255.255.0   172.16.80.228   1        211   ----  C  DB     0
10.10.80.0    255.255.255.0   10.10.80.228  1        1    ----  C  DB     0
10.10.83.0    255.255.255.0   10.10.83.228  1        214   ----  C  DB     0
10.10.85.0    255.255.255.0   10.10.85.228  1        212   ----  C  DB     0
10.10.86.0    255.255.255.0   10.10.86.228  1        213   ----  C  DB     0

The Data VLAN has its own default routing and the Internet VLAN has its own gateway that is assigned via DHCP.
I have 2 access points that are connected to ports 22,23 and the PVID is set to 213.
Ports 22,23 are members of VLANs 1,214,214,215.
The Internet modem is connected to port 24 and the PVID is set to 214.

My requirements:
WiFi users must have access only to the Internet and Printer VLANs.
Printers should also be available for the Data VLAN.
Data VLAN users should not get access to the Internet or the Internet VLAN.

I applied the following access list on AP ports 22,23. After applying this ACL, WiFi clients could not reach the networks.

qos ip-acl name test_filtering dst-ip 10.10.85.0/24 block b1
qos ip-acl name test_filtering dst-ip 10.10.83.0/24 block b1
qos ip-acl name test_filtering dst-ip 10.10.0.0/16 drop-action enable block b2
qos ip-acl name test_filtering drop-action disable
qos acl-assign port 22-23 acl-type ip name test_filtering

I know this ACL cannot filter Data VLAN users from accessing the Internet VLAN.

Is there any misconfiguration in this ACL? Should I change something?

Please let me know if I can provide more details about this network plan.

Thanks in advance.


Switch01#show qos ip-acl

Id: 1
Name: test_filtering
Block: b1
Address Type: IPv4
Destination Addr/Mask: 10.10.83.0/24
Source Addr/Mask: Ignore
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: Ignore
Destination L4 Port Min: Ignore
Destination L4 Port Max: Ignore
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: No
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile

Id: 2
Name: test_filtering
Block: b1
Address Type: IPv4
Destination Addr/Mask: 10.10.85.0/24
Source Addr/Mask: Ignore
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: Ignore
Destination L4 Port Min: Ignore
Destination L4 Port Max: Ignore
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: No
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile

Id: 3
Name: test_filtering
Block: b2
Address Type: IPv4
Destination Addr/Mask: 10.10.0.0/16
Source Addr/Mask: Ignore
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: Ignore
Destination L4 Port Min: Ignore
Destination L4 Port Max: Ignore
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: Yes
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile

Id: 4
Name: test_filtering
Block:
Address Type: IPv4
Destination Addr/Mask: Ignore
Source Addr/Mask: Ignore
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: Ignore
Destination L4 Port Min: Ignore
Destination L4 Port Max: Ignore
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: No
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile
Switch01#
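As an added check, not part of the post or of any switch vendor code, the following Python model replays the ACL from the post against the three stated requirements. It assumes ordered first-match evaluation with entry 4 as the forwarding default, that the ACL only affects traffic entering ports 22-23, and it uses a constructed Data VLAN port (5) and constructed host addresses.

```python
from ipaddress import ip_address, ip_network

# Model of the "test_filtering" ACL as shown by "show qos ip-acl":
# (block, destination prefix, drop). Entry 4 has no match fields and is
# the catch-all; its drop flag is "No", so unmatched traffic is forwarded.
# Assumption (not stated in the post): entries are tested in order and the
# first match decides.
TEST_FILTERING = [
    ("b1", ip_network("10.10.85.0/24"), False),   # printers: forward
    ("b1", ip_network("10.10.83.0/24"), False),   # internet VLAN: forward
    ("b2", ip_network("10.10.0.0/16"), True),     # everything else in 10.10/16: drop
    (None, None, False),                          # default: forward
]
ASSIGNED_PORTS = {22, 23}   # "qos acl-assign port 22-23 ..."

def acl_action(acl, dst):
    """Return 'drop' or 'forward' for a packet whose destination is dst."""
    d = ip_address(dst)
    for _block, net, drop in acl:
        if net is None or d in net:        # entry with no prefix matches anything
            return "drop" if drop else "forward"
    return "forward"

def switch_verdict(ingress_port, dst):
    """Verdict for a packet entering on ingress_port; the ACL is only bound to ports 22-23."""
    if ingress_port in ASSIGNED_PORTS:
        return acl_action(TEST_FILTERING, dst)
    return "forward"

# Requirements from the post: (label, ingress port, destination, wanted verdict).
# Host addresses and port 5 (a Data VLAN user port) are constructed values.
REQUIREMENTS = [
    ("wifi -> internet VLAN", 22, "10.10.83.1", "forward"),
    ("wifi -> printer VLAN", 22, "10.10.85.10", "forward"),
    ("wifi -> data VLAN", 22, "10.10.80.10", "drop"),
    ("wifi -> voice VLAN", 22, "172.16.80.10", "drop"),   # implied by "only internet and printer"
    ("data -> internet VLAN", 5, "10.10.83.1", "drop"),   # the post's third requirement
]

def check_requirements():
    """Map each requirement label to True if the modelled ACL satisfies it."""
    return {label: switch_verdict(port, dst) == want
            for label, port, dst, want in REQUIREMENTS}
```

Under these assumptions the model forwards WiFi traffic to the Internet and Printer VLANs and drops it to 10.10.0.0/16, but shows two gaps the post does not list: 172.16.0.0/16 (Voice) falls through to the forwarding default, and the Data VLAN requirement is untouched because the ACL is bound only to the AP ports and matches on destination alone.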