Good point. Overconfiguration should not cause lost points, but it
could eat up time. Of course, if you don't remember that last bit under the
SSID ("access-group HTTP in"), then the ACL on the interface could be used.
If there was a requirement that did not allow ACLs on the interface or
subinterface, the single line under the SSID would be your only option.


Jason Boyers - CCIE #26024 (Wireless)
Technical Instructor - IPexpert, Inc.



On Wed, Jun 8, 2011 at 7:54 AM, Victor Platov (viplatov) <[email protected]> wrote:

> Hi Jason,
>
> In DSG for LAB 3.2 (Configuring SSIDs and MBSSIDs) in order to restrict all
> traffic except HTTP and HTTPS to the proxy server you apply the ACL to
> Dot0.11 subinterface. In fact, you actually don’t have to do that.
>
> Configuration Guide says:
>
> “(Optional) Specify an ACL to apply to the redirection of packets. Only
> packets sent to the specific UDP or TCP ports defined in the ACL are
> redirected. The access point discards all received packets that
> do not match the settings defined in the ACL. The *in* parameter specifies
> that the ACL is applied to the access point’s incoming interface.”
>
> Hence we only have to specify the ACL in ssid definition like this:
>
> dot11 ssid Test1
>    vlan HQGuest1
>    authentication open
>    ip redirection host 10.10.210.6 access-group Web in
>
> and no need to apply the ACL to sub-if as your DSG suggested:
>
> interface do0.11
> encapsulation dot1q 11
> bridge-group 11
> ip access-group HTTP in
>
> I’ve also checked it in my lab, it works as expected.
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
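An added example, not part of the original thread or of the DSG it discusses: a small Python audit that reads an autonomous-AP configuration and reports whether a filtering ACL is referenced on the SSID's `ip redirection` line, on an interface, or in both places, and which referenced ACLs have no definition in the text. The sample config is constructed by joining the two stanzas quoted in the thread; the function names and report keys are assumptions of this example.

```python
import re

# Constructed sample: the two stanzas quoted in the thread, joined into one config.
SAMPLE_CONFIG = """\
dot11 ssid Test1
   vlan HQGuest1
   authentication open
   ip redirection host 10.10.210.6 access-group Web in
!
interface do0.11
 encapsulation dot1q 11
 bridge-group 11
 ip access-group HTTP in
"""

REDIRECT = re.compile(r"ip redirection host (\S+)(?: access-group (\S+) in)?$")
IF_ACL = re.compile(r"ip access-group (\S+) (in|out)$")
ACL_DEF = re.compile(r"ip access-list (?:standard|extended) (\S+)$")

def stanzas(config):
    """Yield (header, child_lines) for each top-level block of an IOS-style config."""
    header, body = None, []
    for raw in config.splitlines():
        if raw.strip() in ("", "!"):
            continue
        if raw[0].isspace() and header is not None:
            body.append(raw.strip())
        elif not raw[0].isspace():
            if header is not None:
                yield header, body
            header, body = raw.strip(), []
    if header is not None:
        yield header, body

def audit(config):
    """Return where ACLs are enforced: per-SSID redirection vs. interface access-group."""
    ssid_acl, if_acl, defined = {}, {}, set()
    for header, body in stanzas(config):
        if m := ACL_DEF.match(header):
            defined.add(m.group(1))
        for line in body:
            if header.startswith("dot11 ssid ") and (m := REDIRECT.match(line)):
                ssid_acl[header.split()[2]] = m.group(2)  # None: no ACL on the redirect
            elif header.startswith("interface ") and (m := IF_ACL.match(line)):
                if_acl[header.split()[1]] = m.group(1)
    used = {a for a in ssid_acl.values() if a} | set(if_acl.values())
    return {"ssid_acl": ssid_acl, "interface_acl": if_acl,
            "both_places": bool(any(ssid_acl.values()) and if_acl),
            "undefined": sorted(used - defined)}
```

Run on the joined sample, `audit(SAMPLE_CONFIG)` shows the ACL referenced in both places and under two different names (`Web` and `HTTP`), neither of which is defined in the quoted fragments.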