New Contributor
Posts: 2
Registered: 06-01-2012

Problem with Extended Access List on FGS648P-PoE

Ok, I have a total of 4 subnets:

10.0.0.0/24 -- default LAN

10.0.1.0/24 -- internal wireless customers

10.0.2.0/24 -- voice-vlan

10.0.3.0/24 -- wireless guests

DHCP server is 10.0.0.10

DNS servers are 10.0.0.10 & 10.0.0.11

The egress point (firewall) is 10.0.0.1

One of my switches is being used as an ISR router.  The wireless guest vlan uses router interface ve103 with IP address 10.0.3.42.

I'm trying to allow guests internet access, but deny them from accessing any internal subnets.  Obviously, these guests need DHCP, DNS, and access to the egress point.  I wrote an extended access list and applied it to ve103, but it's not working.

access-list 103 permit ip any 10.0.3.0 0.0.0.255
access-list 103 permit udp any 10.0.3.0 0.0.0.255
access-list 103 permit tcp any 10.0.3.0 0.0.0.255
access-list 103 permit icmp any 10.0.3.0 0.0.0.255
access-list 103 permit ip 10.0.3.0 0.0.0.255 host 10.0.0.1
access-list 103 permit udp 10.0.3.0 0.0.0.255 host 10.0.0.1
access-list 103 permit tcp 10.0.3.0 0.0.0.255 host 10.0.0.1
access-list 103 permit icmp 10.0.3.0 0.0.0.255 host 10.0.0.1
access-list 103 permit udp 10.0.3.0 0.0.0.255 eq bootps host 10.0.0.10
access-list 103 permit tcp 10.0.3.0 0.0.0.255 eq dns host 10.0.0.10
access-list 103 permit tcp 10.0.3.0 0.0.0.255 eq dns host 10.0.0.11
access-list 103 permit udp 10.0.3.0 0.0.0.255 eq dns host 10.0.0.10
access-list 103 permit udp 10.0.3.0 0.0.0.255 eq dns host 10.0.0.11
access-list 103 deny ip 10.0.3.0 0.0.0.255 10.0.0.0 0.0.2.255
access-list 103 permit ip any any
access-list 103 permit udp any any
access-list 103 permit tcp any any
access-list 103 permit icmp any any

Some of the items seem redundant, but I was trying virtually anything to get it to work.

DHCP works, DNS doesn't work, I can ping anything on 10.0.3.0/24 and I can ping the firewall at 10.0.0.1. What else do I need to give guests access?
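The symptoms in the post can be reproduced off the box by walking the list the way the switch does: first match wins, a set bit in a wildcard mask means "don't care", and an `eq <port>` binds to whichever address it follows. The evaluator below is an added example written for this page, not code from the thread or from Brocade; the FLOWS table is constructed, and CORRECTED_ACL is this editor's proposal (the `bootpc`/`bootps` DHCP entry, the 0.0.3.255 deny and the guest-sourced-only final permit are assumptions about what the poster wants, not something the thread confirms). It assumes the list is applied inbound on ve 103, as the post describes.

```python
import ipaddress

PORT_NAMES = {"dns": 53, "bootps": 67, "bootpc": 68}   # keywords used in the posted list


def _ip(s):
    """Dotted quad (or int) -> 32-bit int."""
    return int(ipaddress.IPv4Address(s))


def _addr_spec(toks):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.X.Y.Z' -> ((base, wildcard), rest)."""
    if toks[0] == "any":
        return (0, 0xFFFFFFFF), toks[1:]
    if toks[0] == "host":
        return (_ip(toks[1]), 0), toks[2:]
    return (_ip(toks[0]), _ip(toks[1])), toks[2:]


def _port_spec(toks):
    """Consume an optional 'eq <port>' that follows an address spec."""
    if toks and toks[0] == "eq":
        return PORT_NAMES.get(toks[1]) or int(toks[1]), toks[2:]
    return None, toks


def parse_ace(line):
    """access-list <n> <permit|deny> <proto> <src> [eq p] <dst> [eq p]"""
    toks = line.split()
    src, rest = _addr_spec(toks[4:])
    sport, rest = _port_spec(rest)   # 'eq' right after the source is a SOURCE port
    dst, rest = _addr_spec(rest)
    dport, _ = _port_spec(rest)      # 'eq' after the destination is a DESTINATION port
    return {"action": toks[2], "proto": toks[3], "src": src, "sport": sport,
            "dst": dst, "dport": dport}


def wildcard_match(base, wild, addr):
    """A 1 bit in the wildcard means 'don't care'. The mask need not be
    contiguous: 0.0.2.255 ignores only bit 1 of the third octet."""
    keep = ~_ip(wild)
    return (_ip(addr) & keep) == (_ip(base) & keep)


def evaluate(acl, proto, src, sport, dst, dport):
    """First matching entry wins; running off the end is the implicit deny."""
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if not (wildcard_match(*ace["src"], src) and wildcard_match(*ace["dst"], dst)):
            continue
        if ace["sport"] is not None and ace["sport"] != sport:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"


_parse_list = lambda text: [parse_ace(l) for l in text.strip().splitlines()]

# The posted entries, in order. The udp/tcp/icmp copies of each "ip" entry are
# left out: the "ip" entry directly above each of them already matches first.
ORIGINAL_ACL = _parse_list("""
access-list 103 permit ip any 10.0.3.0 0.0.0.255
access-list 103 permit ip 10.0.3.0 0.0.0.255 host 10.0.0.1
access-list 103 permit udp 10.0.3.0 0.0.0.255 eq bootps host 10.0.0.10
access-list 103 permit tcp 10.0.3.0 0.0.0.255 eq dns host 10.0.0.10
access-list 103 permit tcp 10.0.3.0 0.0.0.255 eq dns host 10.0.0.11
access-list 103 permit udp 10.0.3.0 0.0.0.255 eq dns host 10.0.0.10
access-list 103 permit udp 10.0.3.0 0.0.0.255 eq dns host 10.0.0.11
access-list 103 deny ip 10.0.3.0 0.0.0.255 10.0.0.0 0.0.2.255
access-list 103 permit ip any any
""")

# This editor's proposal (assumption, not from the thread): ports follow the
# address they belong to, one deny covers all four internal /24s, and only
# guest-sourced packets may leave for the internet.
CORRECTED_ACL = _parse_list("""
access-list 103 permit udp any eq bootpc any eq bootps
access-list 103 permit udp 10.0.3.0 0.0.0.255 host 10.0.0.10 eq dns
access-list 103 permit udp 10.0.3.0 0.0.0.255 host 10.0.0.11 eq dns
access-list 103 permit tcp 10.0.3.0 0.0.0.255 host 10.0.0.10 eq dns
access-list 103 permit tcp 10.0.3.0 0.0.0.255 host 10.0.0.11 eq dns
access-list 103 deny ip 10.0.3.0 0.0.0.255 10.0.0.0 0.0.3.255
access-list 103 permit ip 10.0.3.0 0.0.0.255 any
""")

# Constructed sample flows as they arrive inbound on ve103: (proto, src, sport, dst, dport).
FLOWS = {
    "dhcp discover":       ("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "dns query":           ("udp", "10.0.3.50", 51234, "10.0.0.10", 53),
    "ping firewall":       ("icmp", "10.0.3.50", None, "10.0.0.1", None),
    "ping internal wifi":  ("icmp", "10.0.3.50", None, "10.0.1.20", None),
    "https to internet":   ("tcp", "10.0.3.50", 40001, "93.184.216.34", 443),
    "spoofed to internet": ("tcp", "192.168.1.1", 40002, "93.184.216.34", 443),
}


def compare(flows=FLOWS):
    """Verdict for each flow under the posted list and under the corrected one."""
    return {n: (evaluate(ORIGINAL_ACL, *f), evaluate(CORRECTED_ACL, *f)) for n, f in flows.items()}


if __name__ == "__main__":
    for name, (posted, fixed) in compare().items():
        print(f"{name:20s} posted={posted:7s} corrected={fixed}")
```

Run against the posted list, the evaluator gives exactly the reported behaviour: the DHCP discover (source 0.0.0.0, not 10.0.3.x) matches nothing until the trailing `permit ip any any`, so DHCP works; a DNS query carries an ephemeral source port, so the `eq dns` entries, which test the source port because the keyword follows the source address, never match and the query falls through to the deny. It also shows something the post does not mention: wildcard 0.0.2.255 matches 10.0.0.x and 10.0.2.x but not 10.0.1.x, so the internal wireless subnet is reachable from the guest VLAN through the final `permit ip any any`. The proposed list drops the entries toward 10.0.0.1: forwarded internet traffic carries the remote host as its destination, so the firewall's inside address never needs to be a permitted destination, and a guest ping to 10.0.0.1 is denied, which is the intended isolation. The ACL only governs what enters ve103; the firewall and the DNS servers still need a route back to 10.0.3.0/24 via the switch for replies to arrive.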

Super Contributor
Posts: 1,087
Registered: 12-13-2009

Re: Problem with Extended Access List on FGS648P-PoE

Hmm, does the firewall have a return route for network 10.0.3.x?

Thanks

Michael.
