Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1198
  • Last Modified:

VLAN ACL assistance

Hi,

I have the following VLAN's defined on my Catalyst 3560e (l3) switch.

*****
interface Vlan2
 description QC-VLAN
 ip address 192.168.1.1 255.255.255.0
 ip helper-address 192.168.5.22
 ip helper-address 192.168.5.21
!
interface Vlan3
 description Workstation-VLAN
 ip address 192.168.2.1 255.255.255.0
 ip helper-address 192.168.5.22
 ip helper-address 192.168.5.21
!
interface Vlan4
 description Security-VLAN
 ip address 192.168.4.1 255.255.255.0
 ip helper-address 192.168.5.22
 ip helper-address 192.168.5.21
!
interface Vlan5
 description Server-VLAN
 ip address 192.168.5.1 255.255.255.0
!
interface Vlan6
 description VoIP-VLAN
 ip address 192.168.6.1 255.255.255.0
 ip helper-address 192.168.5.22
 ip helper-address 192.168.5.21
!
interface Vlan7
 description Engineering-VLAN
 ip address 130.130.130.1 255.255.0.0
 ip helper-address 192.168.5.22
 ip helper-address 192.168.5.21
******

I also have the following ACL's configured to control the flow of traffic between VLAN's

*****
access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 111 deny   ip 192.168.1.0 0.0.0.255 130.130.130.0 0.0.0.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
access-list 112 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 112 deny   ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 112 deny   ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 112 deny   ip 192.168.2.0 0.0.0.255 130.130.130.0 0.0.0.255
access-list 112 permit ip 192.168.2.0 0.0.0.255 any
access-list 114 deny   ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 114 deny   ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 114 deny   ip 192.168.4.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 114 deny   ip 192.168.4.0 0.0.0.255 130.130.130.0 0.0.0.255
access-list 114 permit ip 192.168.4.0 0.0.0.255 any
access-list 116 deny   ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 116 deny   ip 192.168.6.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 116 deny   ip 192.168.6.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 116 deny   ip 192.168.6.0 0.0.0.255 130.130.130.0 0.0.0.255
access-list 116 permit ip 192.168.6.0 0.0.0.255 any
access-list 130 deny   ip 130.130.130.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 130 deny   ip 130.130.130.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 130 deny   ip 130.130.130.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 130 deny   ip host 130.130.130.1 192.168.5.0 0.0.0.255
access-list 130 deny   ip 130.130.130.0 0.0.0.63 192.168.5.0 0.0.0.255
access-list 130 deny   ip 130.130.130.192 0.0.0.7 192.168.5.0 0.0.0.255
access-list 130 deny   ip host 130.130.130.200 192.168.5.0 0.0.0.255
access-list 130 deny   ip 130.130.130.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 130 permit ip 130.130.130.0 0.0.0.255 any
*******

Everthing works great except when I apply the ACL's to the VLAN interface (see below). When I do that, none of the stations on any VLAN (except, of course, the server VLAN) can get a DHCP address. Please help! Thanks!!

****
interface VLAN2
access-group 111 in

interface VLAN3
access-group 112 in

interface VLAN4
access-group 114 in

interface VLAN6
access-group 116 in

interface VLAN7
access-group 130 in
*******
0
netman70
Asked:
netman70
  • 2
1 Solution
 
Don JohnstonInstructorCommented:
Your ACL is blocking traffic based on the source and destination address. DHCP requests don't have a valid source IP address. Since the request is not coming from an allowed address, it's denied.

Change the last line of each ACL to:

access-list # permit ip any any

and it'll get an IP address.
0
 
netman70Author Commented:
Thanks! I'll check it out tomorrow.
0
 
giltjrCommented:
Although adding a IP any any to the end will (should) work, but that could end up allowing a bunch of traffic that you may not want to allow.

It might be better to add "permit udp any any range bootps bootpc" to each access-list.
0
 
netman70Author Commented:
Thanks! Working now..
0

Featured Post

Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now