
Why are my access-lists on VLANS mucking up ip helper?

I'm in a hotel which doesn't allow vpn out, so I don't have the config to post right now.  Hopefully my explanation will give enough information to get some good feedback.

4 VLANS on Cisco 3560 switch.
VLAN 100, 111, 112, 113

DHCP Server is 192.168.100.3

I configured each VLAN with the ip helper to 192.168.100.3.  inter-VLAN routing is working fine.

Hosts on VLAN 111 cannot get an IP address from the DHCP server.
If I remove the access-lists from both VLANs then everything works, so I'm thinking the access-list is blocking some necessary port.  We tried allowing the two DHCP-related UDP ports through but it didn't work.  Wondering what other ports to try.

For a variety of reasons I need to block access between the VLANs all but the absolutely necessary ports.

I do not know if the virtual interfaces are configured for ip directed broadcasts or not.  I'll check that tomorrow.

Any suggestions on what else to look for?  

1 Solution
 
pjtemplin commented:
What addresses were permitted when you allowed the two DHCP-related (bootp-related?) UDP ports?  You can't allow the traffic assuming it's coming from a local IP address - it'll come from 0.0.0.0 (I think) and go to 255.255.255.255 (I think).
 
Don Johnston (Instructor) commented:
Short of seeing the ACL, I can't think of anything else.
 
averyb (Author) commented:
I am trying to allow hosts on VLAN 112 to get an IP address from a DHCP server on VLAN 100.
Access-list 112 grouped on VLAN 112 gateway
    10 permit icmp any any
    20 permit udp any host 192.168.100.3 eq bootps
    30 permit udp any host 192.168.100.3 eq bootpc
    40 permit ip any 192.168.10.240 0.0.0.7
    50 permit ip any 192.168.10.248 0.0.0.3
    60 permit ip 192.168.112.32 0.0.0.31 192.168.100.0 0.0.0.255
    70 permit tcp any any eq ftp
    80 permit tcp any 192.168.100.0 0.0.0.255 eq 3389
    90 permit ip host 192.168.112.10 host 192.168.100.240
    100 permit ip host 192.168.112.10 host 192.168.100.3
    110 permit tcp host 192.168.112.10 any eq smtp
    120 deny tcp host 192.168.112.10 192.168.111.0 0.0.0.255 eq www
    130 deny tcp host 192.168.112.10 192.168.113.0 0.0.0.255 eq www
    140 deny tcp 192.168.112.32 0.0.0.31 192.168.111.0 0.0.0.255 eq www
    150 deny tcp 192.168.112.32 0.0.0.31 192.168.113.0 0.0.0.255 eq www
    160 permit tcp host 192.168.112.10 any eq www
    170 permit tcp 192.168.112.32 0.0.0.31 any eq www
    180 permit ip 192.168.112.0 0.0.0.255 192.168.110.0 0.0.0.255

Access list 100 applied to VLAN 100 gateway
    10 permit icmp any any (4 matches)
    20 permit udp host 192.168.100.3 any eq bootps (52 matches)
    30 permit udp host 192.168.100.3 any eq bootpc (59 matches)
    40 permit tcp any any eq ftp
    50 permit tcp any any eq 3389
    60 permit tcp any any eq 2000
    70 permit ip host 192.168.100.151 any
    80 permit ip host 192.168.100.152 any
    90 permit ip any 192.168.111.32 0.0.0.31
    100 permit ip any 192.168.112.32 0.0.0.31
    110 permit ip any 192.168.113.32 0.0.0.31
    120 permit ip host 192.168.100.3 host 192.168.111.10
    130 permit ip host 192.168.100.3 host 192.168.112.10
    140 permit ip host 192.168.100.3 host 192.168.113.10
    150 permit ip host 192.168.100.240 host 192.168.111.10
    160 permit ip host 192.168.100.240 host 192.168.112.10
    170 permit ip host 192.168.100.240 host 192.168.113.10
    180 deny ip any 192.168.111.0 0.0.0.255
    190 deny ip any 192.168.112.0 0.0.0.255 (1 match)
    200 deny ip any 192.168.113.0 0.0.0.255

The matches on the ACEs are left over from some testing.  If no access-list is applied to either VLAN interface then everything works.

interface Vlan100
 ip address 192.168.100.1 255.255.255.0
 ip access-group 100 in

interface Vlan112
 ip address 192.168.112.1 255.255.255.0
 ip access-group 112 in
 ip helper-address 192.168.100.3

Does ip directed broadcasts need to be configured for the interfaces?



 
Don Johnston (Instructor) commented:
Change lines 20 & 30 on ACL 100

    20 permit udp host 192.168.100.3 eq bootps any
    30 permit udp host 192.168.100.3 eq bootpc any

 
pjtemplin commented:
And/or simply write the entries twice, once in each direction.
 
mikebernhardt commented:
I think the problem is that the ACLs are applied before the ip helper-address is applied, so as mentioned earlier, the destination address is a broadcast 255.255.255.255. So aside from donjohnston's changes above, also do this on access-list 112

    20 permit udp any host 192.168.100.3 eq bootps    
    25 permit udp any host 255.255.255.255 eq bootps
    30 permit udp any host 192.168.100.3 eq bootpc
    35 permit udp any host 255.255.255.255 eq bootpc

Once the client knows who the server is, he will talk to it. But until then he will send a broadcast and you need to allow for that.
 
PennGwyn commented:
DHCP requests are sent from the clients as broadcasts.  They will not (cannot) be routed.

The helper captures the broadcast requests, and re-sends them as (routable) UDP unicasts.  To service such a relayed request, the DHCP server needs to know what subnet the request was relayed from (i.e., relaying device's IP address on the interface that saw the broadcast), and have a scope that lies within that subnet.

 
mikebernhardt commented:
Doesn't matter. He's using ip helper. The current access-list will cause the router to drop the broadcasts and not even process them, so they never get converted to unicast.
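The mechanism mikebernhardt and PennGwyn describe (the inbound ACL sees the client's broadcast exactly as received, before ip helper-address turns it into a routable unicast) can be checked without a switch. The script below is an added example written for this page, not code from the thread or from Cisco; it implements a small evaluator for the ACE syntax used in the posted lists (permit/deny, ip/udp/tcp/icmp, any, host, wildcard mask, eq port), runs the DHCPDISCOVER as it arrives on the VLAN 112 SVI (source 0.0.0.0:68, destination 255.255.255.255:67) through the posted access-list 112 with and without the two broadcast ACEs, and then models the relay rewrite. It also checks the server's reply toward the relay agent against the posted access-list 100; the reply addressing (unicast to the giaddr on UDP 67) follows RFC 2131 section 4.1, and the relayed packet's source port of 67 is an assumption of this model, as is the SVI address 192.168.112.1 taken from the interface shown in the thread.

```python
"""Cisco-style ACL evaluation along the DHCP relay path (added example).

Models the point made in the thread: an 'ip access-group N in' list on an
SVI is evaluated on the packet as received, so a DHCPDISCOVER must be
permitted with destination 255.255.255.255, not with the helper address.
"""
import ipaddress

PORT_NAMES = {"bootps": 67, "bootpc": 68, "www": 80, "ftp": 21, "smtp": 25}


def _port(tok):
    """Resolve a port keyword or number as used after 'eq'."""
    if tok in PORT_NAMES:
        return PORT_NAMES[tok]
    return int(tok) if tok.isdigit() else None


def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' at tokens[i].
    Returns ((network, wildcard) as ints, next index). A 1 bit in a Cisco
    wildcard means 'do not care'."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tok))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wild), i + 2


def _parse_port(tokens, i):
    """Optional 'eq <port>' following an address; returns (port, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        return _port(tokens[i + 1]), i + 2
    return None, i


def parse_ace(line):
    """'20 permit udp any host 192.168.100.3 eq bootps' -> ACE dict."""
    t = line.split()
    seq, action, proto = int(t[0]), t[1], t[2]
    src, i = _parse_addr(t, 3)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return {"seq": seq, "action": action, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def _addr_match(spec, addr):
    net, wild = spec
    return (int(ipaddress.IPv4Address(addr)) | wild) == (net | wild)


def ace_matches(ace, pkt):
    """True if the ACE covers the packet ('ip' matches every protocol)."""
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not (_addr_match(ace["src"], pkt["src"]) and _addr_match(ace["dst"], pkt["dst"])):
        return False
    if ace["sport"] is not None and pkt.get("sport") != ace["sport"]:
        return False
    if ace["dport"] is not None and pkt.get("dport") != ace["dport"]:
        return False
    return True


def evaluate(acl, pkt):
    """First matching ACE in sequence order wins; no match is the implicit deny."""
    for ace in sorted((parse_ace(l) for l in acl), key=lambda a: a["seq"]):
        if ace_matches(ace, pkt):
            return ace["action"], ace["seq"]
    return "deny", None


def relay(svi_ip, helper):
    """The helper's rewrite, applied only after the inbound ACL permitted the
    broadcast: unicast from the SVI (giaddr) to the server, UDP 67 -> 67
    (source port 67 is this model's assumption)."""
    return {"proto": "udp", "src": svi_ip, "sport": 67, "dst": helper, "dport": 67}


def client_reaches_server(acl_in, svi_ip="192.168.112.1", helper="192.168.100.3"):
    """Relayed unicast if the SVI's inbound ACL lets DISCOVER through, else None."""
    action, _ = evaluate(acl_in, DISCOVER)
    return relay(svi_ip, helper) if action == "permit" else None


# Constructed packets. A client in DISCOVER has no address yet (RFC 2131).
DISCOVER = {"proto": "udp", "src": "0.0.0.0", "sport": 68,
            "dst": "255.255.255.255", "dport": 67}
# Server's OFFER back to the relay agent: giaddr, UDP 67 (RFC 2131 s.4.1).
OFFER_TO_RELAY = {"proto": "udp", "src": "192.168.100.3", "sport": 67,
                  "dst": "192.168.112.1", "dport": 67}

# DHCP-relevant ACEs copied from the posted lists.
ACL_112_ORIGINAL = ["10 permit icmp any any",
                    "20 permit udp any host 192.168.100.3 eq bootps",
                    "30 permit udp any host 192.168.100.3 eq bootpc"]
ACL_112_FIXED = ACL_112_ORIGINAL + ["25 permit udp any host 255.255.255.255 eq bootps",
                                    "35 permit udp any host 255.255.255.255 eq bootpc"]
ACL_100_ORIGINAL = ["10 permit icmp any any",
                    "20 permit udp host 192.168.100.3 any eq bootps",
                    "30 permit udp host 192.168.100.3 any eq bootpc"]

if __name__ == "__main__":
    print("ACL 112 as posted:", evaluate(ACL_112_ORIGINAL, DISCOVER))
    print("ACL 112 with 25/35:", evaluate(ACL_112_FIXED, DISCOVER))
    print("relayed:", client_reaches_server(ACL_112_FIXED))
    print("ACL 100 vs OFFER to giaddr:", evaluate(ACL_100_ORIGINAL, OFFER_TO_RELAY))
```

Run it and the posted access-list 112 drops the DISCOVER at the implicit deny (the only DHCP ACEs name the helper address, which is not yet in any header), while the list with sequence 25 and 35 permits it at 25 and the relay step then produces the unicast toward 192.168.100.3. The same evaluator lets you test any other ACE from the thread against a constructed packet before touching the switch.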
