Solved

VLAN ACL assistance

Posted on 2008-10-29
4
1,174 Views
Last Modified: 2008-10-31
Hi,

I have the following VLAN's defined on my Catalyst 3560e (l3) switch.

*****
interface Vlan2
 description QC-VLAN
 ip address 192.168.1.1 255.255.255.0
 ip helper-address 192.168.5.22
 ip helper-address 192.168.5.21
!
interface Vlan3
 description Workstation-VLAN
 ip address 192.168.2.1 255.255.255.0
 ip helper-address 192.168.5.22
 ip helper-address 192.168.5.21
!
interface Vlan4
 description Security-VLAN
 ip address 192.168.4.1 255.255.255.0
 ip helper-address 192.168.5.22
 ip helper-address 192.168.5.21
!
interface Vlan5
 description Server-VLAN
 ip address 192.168.5.1 255.255.255.0
!
interface Vlan6
 description VoIP-VLAN
 ip address 192.168.6.1 255.255.255.0
 ip helper-address 192.168.5.22
 ip helper-address 192.168.5.21
!
interface Vlan7
 description Engineering-VLAN
 ip address 130.130.130.1 255.255.0.0
 ip helper-address 192.168.5.22
 ip helper-address 192.168.5.21
******

I also have the following ACL's configured to control the flow of traffic between VLAN's

*****
access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 111 deny   ip 192.168.1.0 0.0.0.255 130.130.130.0 0.0.0.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
access-list 112 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 112 deny   ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 112 deny   ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 112 deny   ip 192.168.2.0 0.0.0.255 130.130.130.0 0.0.0.255
access-list 112 permit ip 192.168.2.0 0.0.0.255 any
access-list 114 deny   ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 114 deny   ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 114 deny   ip 192.168.4.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 114 deny   ip 192.168.4.0 0.0.0.255 130.130.130.0 0.0.0.255
access-list 114 permit ip 192.168.4.0 0.0.0.255 any
access-list 116 deny   ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 116 deny   ip 192.168.6.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 116 deny   ip 192.168.6.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 116 deny   ip 192.168.6.0 0.0.0.255 130.130.130.0 0.0.0.255
access-list 116 permit ip 192.168.6.0 0.0.0.255 any
access-list 130 deny   ip 130.130.130.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 130 deny   ip 130.130.130.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 130 deny   ip 130.130.130.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 130 deny   ip host 130.130.130.1 192.168.5.0 0.0.0.255
access-list 130 deny   ip 130.130.130.0 0.0.0.63 192.168.5.0 0.0.0.255
access-list 130 deny   ip 130.130.130.192 0.0.0.7 192.168.5.0 0.0.0.255
access-list 130 deny   ip host 130.130.130.200 192.168.5.0 0.0.0.255
access-list 130 deny   ip 130.130.130.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 130 permit ip 130.130.130.0 0.0.0.255 any
*******

Everthing works great except when I apply the ACL's to the VLAN interface (see below). When I do that, none of the stations on any VLAN (except, of course, the server VLAN) can get a DHCP address. Please help! Thanks!!

****
interface VLAN2
access-group 111 in

interface VLAN3
access-group 112 in

interface VLAN4
access-group 114 in

interface VLAN6
access-group 116 in

interface VLAN7
access-group 130 in
*******
0
Comment
Question by:netman70
  • 2
4 Comments
 
LVL 50

Accepted Solution

by:
Don Johnston earned 500 total points
ID: 22837546
Your ACL is blocking traffic based on the source and destination address. DHCP requests don't have a valid source IP address. Since the request is not coming from an allowed address, it's denied.

Change the last line of each ACL to:

access-list # permit ip any any

and it'll get an IP address.
0
 

Author Comment

by:netman70
ID: 22837975
Thanks! I'll check it out tomorrow.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 22841091
Although adding a IP any any to the end will (should) work, but that could end up allowing a bunch of traffic that you may not want to allow.

It might be better to add "permit udp any any range bootps bootpc" to each access-list.
0
 

Author Comment

by:netman70
ID: 22849937
Thanks! Working now..
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Imagine you have a shopping list of items you need to get at the grocery store. You have two options: A. Take one trip to the grocery store and get everything you need for the week, or B. Take multiple trips, buying an item at a time, to achieve t…
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now