1 Reply. Latest reply: Apr 1, 2011 9:15 AM by Keith Barker - CCIE RS/Security, CISSP

    ip access-group in|out

    Darius

      Hello,


      I have problems understanding the ACL which is made for GUEST wifi users:


      interface Vlan112
       description wifi guests
       ip address 192.168.211.126 255.255.255.192
       ip access-group acl_lan_112_out out
       ip helper-address 192.168.210.82
       standby 112 ip 192.168.211.65

      ip access-list extended acl_lan_112_out
       permit ip host 192.168.210.145 any (it's the WLC)
       permit ip host 192.168.210.81 any (domain controller)
       permit ip any host 192.168.211.66 (access point)
       deny   ip 192.168.0.0 0.0.255.255 any log
       permit ip any any

      The configuration is correct. I just can't understand how it works.

      So only the traffic out is filtered by the ACL. I can't understand the line "deny ip 192.168.0.0 0.0.255.255 any log". It makes it so guest users can't access anything internal. But what I understand if I look at this ACL: if the source is 192.168.0.0, traffic is denied. So no internet? Because that IP is from the wifi subnet. I would write the ACL as "deny any 192.168.0.0 0.0.255.255", which says from any location deny to 192.168.0.0, but it's not correct, and that is what I don't understand.
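Added illustration, not code from the poster or from Cisco: a small Python evaluator loaded with the acl_lan_112_out entries above, plus a check that models the "out" direction on interface Vlan112, where the list is applied to packets the switch forwards into the guest subnet 192.168.211.64/26 and not to packets arriving from guests. The sample packets below are constructed.

```python
import ipaddress

# Added illustration, not the forum author's code: a small evaluator for
# IOS-style extended ACL entries with wildcard masks, loaded with the
# acl_lan_112_out list from the post. Sample packets are constructed.
GUEST_SUBNET = ipaddress.ip_network("192.168.211.64/26")  # Vlan112, from the post


def matches(addr, spec):
    """spec: 'any', ('host', ip) or ('net', network, wildcard)."""
    if spec == "any":
        return True
    a = int(ipaddress.ip_address(addr))
    if spec[0] == "host":
        return a == int(ipaddress.ip_address(spec[1]))
    net = int(ipaddress.ip_address(spec[1]))
    wild = int(ipaddress.ip_address(spec[2]))
    # A 1 bit in the wildcard means "don't care"; a 0 bit must match.
    return (a & ~wild) == (net & ~wild)


ACL_LAN_112_OUT = [
    ("permit", ("host", "192.168.210.145"), "any"),           # WLC
    ("permit", ("host", "192.168.210.81"), "any"),            # domain controller
    ("permit", "any", ("host", "192.168.211.66")),            # access point
    ("deny", ("net", "192.168.0.0", "0.0.255.255"), "any"),   # internal -> guests (logged)
    ("permit", "any", "any"),
]


def evaluate(acl, src, dst):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for action, s, d in acl:
        if matches(src, s) and matches(dst, d):
            return action
    return "deny"


def vlan112_out_decision(src, dst):
    """'out' on interface Vlan112 only sees packets the switch forwards INTO
    the guest VLAN, so a packet is checked only when dst is a guest host."""
    if ipaddress.ip_address(dst) not in GUEST_SUBNET:
        return "not evaluated"
    return evaluate(ACL_LAN_112_OUT, src, dst)


if __name__ == "__main__":  # constructed sample packets
    for src, dst in [("8.8.8.8", "192.168.211.70"), ("192.168.210.50", "192.168.211.70")]:
        print(src, "->", dst, vlan112_out_decision(src, dst))
```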