netman70
VLAN ACL assistance
Hi,
I have the following VLANs defined on my Catalyst 3560e (l3) switch.
*****
interface Vlan2
description QC-VLAN
ip address 192.168.1.1 255.255.255.0
ip helper-address 192.168.5.22
ip helper-address 192.168.5.21
!
interface Vlan3
description Workstation-VLAN
ip address 192.168.2.1 255.255.255.0
ip helper-address 192.168.5.22
ip helper-address 192.168.5.21
!
interface Vlan4
description Security-VLAN
ip address 192.168.4.1 255.255.255.0
ip helper-address 192.168.5.22
ip helper-address 192.168.5.21
!
interface Vlan5
description Server-VLAN
ip address 192.168.5.1 255.255.255.0
!
interface Vlan6
description VoIP-VLAN
ip address 192.168.6.1 255.255.255.0
ip helper-address 192.168.5.22
ip helper-address 192.168.5.21
!
interface Vlan7
description Engineering-VLAN
ip address 130.130.130.1 255.255.0.0
ip helper-address 192.168.5.22
ip helper-address 192.168.5.21
******
I also have the following ACLs configured to control the flow of traffic between VLANs.
*****
access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 111 deny ip 192.168.1.0 0.0.0.255 130.130.130.0 0.0.0.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
access-list 112 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 112 deny ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 112 deny ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 112 deny ip 192.168.2.0 0.0.0.255 130.130.130.0 0.0.0.255
access-list 112 permit ip 192.168.2.0 0.0.0.255 any
access-list 114 deny ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 114 deny ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 114 deny ip 192.168.4.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 114 deny ip 192.168.4.0 0.0.0.255 130.130.130.0 0.0.0.255
access-list 114 permit ip 192.168.4.0 0.0.0.255 any
access-list 116 deny ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 116 deny ip 192.168.6.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 116 deny ip 192.168.6.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 116 deny ip 192.168.6.0 0.0.0.255 130.130.130.0 0.0.0.255
access-list 116 permit ip 192.168.6.0 0.0.0.255 any
access-list 130 deny ip 130.130.130.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 130 deny ip 130.130.130.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 130 deny ip 130.130.130.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 130 deny ip host 130.130.130.1 192.168.5.0 0.0.0.255
access-list 130 deny ip 130.130.130.0 0.0.0.63 192.168.5.0 0.0.0.255
access-list 130 deny ip 130.130.130.192 0.0.0.7 192.168.5.0 0.0.0.255
access-list 130 deny ip host 130.130.130.200 192.168.5.0 0.0.0.255
access-list 130 deny ip 130.130.130.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 130 permit ip 130.130.130.0 0.0.0.255 any
*******
Everything works great except when I apply the ACLs to the VLAN interface (see below). When I do that, none of the stations on any VLAN (except, of course, the server VLAN) can get a DHCP address. Please help! Thanks!!
****
interface VLAN2
ip access-group 111 in
interface VLAN3
ip access-group 112 in
interface VLAN4
ip access-group 114 in
interface VLAN6
ip access-group 116 in
interface VLAN7
ip access-group 130 in
*******
Although adding an "ip any any" to the end will (should) work, that could end up allowing a bunch of traffic that you may not want to allow.
It might be better to add "permit udp any any range bootps bootpc" to each access-list.
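To show why the posted ACLs break DHCP and how the two fixes differ, here is a small constructed evaluator for the numbered extended ACL syntax used above (an added example, not the asker's or answerer's configuration and not IOS code). It assumes the standard DHCPDISCOVER addressing (client has no lease yet, so the packet is sent from 0.0.0.0 port 68 to 255.255.255.255 port 67), and the "foreign source" packet values are made up for illustration.

```python
import ipaddress

# Constructed evaluator for the numbered extended ACLs posted above (not IOS code).
# Handles the subset used here: permit/deny, ip or udp, any / host A / A wildcard,
# and an optional destination "range lo hi".
PORTS = {"bootps": 67, "bootpc": 68}  # DHCP server / client ports

def _addr(t, i):
    """Parse one address spec at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # Cisco wildcard: 0 bits must match, 1 bits are don't-care -> invert to a netmask.
    mask = str(ipaddress.ip_address(~int(ipaddress.ip_address(t[i + 1])) & 0xFFFFFFFF))
    return ipaddress.ip_network((t[i], mask), strict=False), i + 2

def parse_rule(line):
    """'access-list N action proto src dst [range lo hi]' -> rule dict."""
    t = line.split()
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    rng = tuple(int(PORTS.get(p, p)) for p in t[i + 1:i + 3]) if t[i:i + 1] == ["range"] else None
    return {"action": t[2], "proto": t[3], "src": src, "dst": dst, "range": rng}

def evaluate(acl, proto, src, dst, dport):
    """First matching entry wins; IOS ends every ACL with an implicit 'deny ip any any'."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in acl:
        if r["proto"] not in ("ip", proto) or src not in r["src"] or dst not in r["dst"]:
            continue
        if r["range"] and not r["range"][0] <= dport <= r["range"][1]:
            continue
        return r["action"]
    return "deny"

# ACL 111 (QC-VLAN) exactly as posted, then the two fixes discussed in the answer.
ACL_111 = [parse_rule(l) for l in """\
access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 111 deny ip 192.168.1.0 0.0.0.255 130.130.130.0 0.0.0.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 any""".splitlines()]
ACL_111_BOOTP = ACL_111 + [parse_rule("access-list 111 permit udp any any range bootps bootpc")]
ACL_111_WIDE = ACL_111 + [parse_rule("access-list 111 permit ip any any")]

def dhcp_discover(acl):
    """A client with no lease yet sends DISCOVER as 0.0.0.0:68 -> 255.255.255.255:67."""
    return evaluate(acl, "udp", "0.0.0.0", "255.255.255.255", 67)

def foreign_source(acl):
    """Constructed: a packet entering Vlan2 whose source is outside 192.168.1.0/24."""
    return evaluate(acl, "tcp", "10.9.9.9", "192.168.5.22", 445)
```

The posted ACL denies the DISCOVER only because its source 0.0.0.0 matches none of the 192.168.1.0/24 entries and falls through to the implicit deny; a lease renewal (unicast from a leased address to the helper) already matches the final permit. The bootps/bootpc entry fixes that without also permitting packets whose source is outside the VLAN's own subnet, which "permit ip any any" would.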
ASKER
Thanks! Working now..