Solved

VLAN ACL assistance

Posted on 2008-10-29
Medium Priority
1,194 Views
Last Modified: 2008-10-31
Hi,

I have the following VLANs defined on my Catalyst 3560e (L3) switch.

*****
interface Vlan2
 description QC-VLAN
 ip address 192.168.1.1 255.255.255.0
 ip helper-address 192.168.5.22
 ip helper-address 192.168.5.21
!
interface Vlan3
 description Workstation-VLAN
 ip address 192.168.2.1 255.255.255.0
 ip helper-address 192.168.5.22
 ip helper-address 192.168.5.21
!
interface Vlan4
 description Security-VLAN
 ip address 192.168.4.1 255.255.255.0
 ip helper-address 192.168.5.22
 ip helper-address 192.168.5.21
!
interface Vlan5
 description Server-VLAN
 ip address 192.168.5.1 255.255.255.0
!
interface Vlan6
 description VoIP-VLAN
 ip address 192.168.6.1 255.255.255.0
 ip helper-address 192.168.5.22
 ip helper-address 192.168.5.21
!
interface Vlan7
 description Engineering-VLAN
 ip address 130.130.130.1 255.255.0.0
 ip helper-address 192.168.5.22
 ip helper-address 192.168.5.21
******

I also have the following ACLs configured to control the flow of traffic between VLANs.

*****
access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 111 deny   ip 192.168.1.0 0.0.0.255 130.130.130.0 0.0.0.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
access-list 112 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 112 deny   ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 112 deny   ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 112 deny   ip 192.168.2.0 0.0.0.255 130.130.130.0 0.0.0.255
access-list 112 permit ip 192.168.2.0 0.0.0.255 any
access-list 114 deny   ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 114 deny   ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 114 deny   ip 192.168.4.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 114 deny   ip 192.168.4.0 0.0.0.255 130.130.130.0 0.0.0.255
access-list 114 permit ip 192.168.4.0 0.0.0.255 any
access-list 116 deny   ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 116 deny   ip 192.168.6.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 116 deny   ip 192.168.6.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 116 deny   ip 192.168.6.0 0.0.0.255 130.130.130.0 0.0.0.255
access-list 116 permit ip 192.168.6.0 0.0.0.255 any
access-list 130 deny   ip 130.130.130.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 130 deny   ip 130.130.130.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 130 deny   ip 130.130.130.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 130 deny   ip host 130.130.130.1 192.168.5.0 0.0.0.255
access-list 130 deny   ip 130.130.130.0 0.0.0.63 192.168.5.0 0.0.0.255
access-list 130 deny   ip 130.130.130.192 0.0.0.7 192.168.5.0 0.0.0.255
access-list 130 deny   ip host 130.130.130.200 192.168.5.0 0.0.0.255
access-list 130 deny   ip 130.130.130.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 130 permit ip 130.130.130.0 0.0.0.255 any
*******

Everything works great except when I apply the ACLs to the VLAN interfaces (see below). When I do that, none of the stations on any VLAN (except, of course, the server VLAN) can get a DHCP address. Please help! Thanks!!

****
interface Vlan2
 ip access-group 111 in

interface Vlan3
 ip access-group 112 in

interface Vlan4
 ip access-group 114 in

interface Vlan6
 ip access-group 116 in

interface Vlan7
 ip access-group 130 in
*******
Question by: netman70

4 Comments

LVL 50

Accepted Solution

by:
Don Johnston earned 2000 total points
ID: 22837546
Your ACL is blocking traffic based on the source and destination address. DHCP requests don't have a valid source IP address. Since the request is not coming from an allowed address, it's denied.

Change the last line of each ACL to:

access-list # permit ip any any

and it'll get an IP address.

Author Comment

by:netman70
ID: 22837975
Thanks! I'll check it out tomorrow.
LVL 57

Expert Comment

by:giltjr
ID: 22841091
Although adding an IP any any to the end will (should) work, that could end up allowing a bunch of traffic that you may not want to allow.

It might be better to add "permit udp any any range bootps bootpc" to each access-list.
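An added example (not from the question or either answer) that evaluates ACL 111 the way IOS does (first match wins, implicit deny at the end) against constructed packets arriving inbound on Vlan2. It shows why a DHCP DISCOVER sourced from 0.0.0.0 never matches the posted entries, why both the `permit ip any any` and the `permit udp any any range bootps bootpc` fixes let it through, and why the narrower UDP line keeps the implicit deny for a packet whose source address does not belong to the QC subnet. Subnet labels, packet values and function names are assumptions.

```python
import ipaddress

def wildcard_match(addr, net, wild):
    """Cisco wildcard mask: a 1 bit in the mask means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    return (a & ~w) == (n & ~w)

ANY = ("0.0.0.0", "255.255.255.255")              # IOS keyword 'any'
QC, WS = ("192.168.1.0", "0.0.0.255"), ("192.168.2.0", "0.0.0.255")
SEC, VOIP = ("192.168.4.0", "0.0.0.255"), ("192.168.6.0", "0.0.0.255")
ENG = ("130.130.130.0", "0.0.0.255")

# Entries: (action, protocol, (src, src_wild), (dst, dst_wild), (dport_lo, dport_hi) or None)
ACL_111_AS_POSTED = [
    ("deny", "ip", QC, WS, None), ("deny", "ip", QC, SEC, None),
    ("deny", "ip", QC, VOIP, None), ("deny", "ip", QC, ENG, None),
    ("permit", "ip", QC, ANY, None),
]
# permit udp any any range bootps bootpc  (bootps = UDP 67, bootpc = UDP 68)
DHCP_LINE = ("permit", "udp", ANY, ANY, (67, 68))
ACL_111_WITH_DHCP = ACL_111_AS_POSTED + [DHCP_LINE]
# last line replaced with: permit ip any any
ACL_111_ANY_ANY = ACL_111_AS_POSTED[:-1] + [("permit", "ip", ANY, ANY, None)]

def evaluate(acl, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, proto, (src, swild), (dst, dwild), ports in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], src, swild):
            continue
        if not wildcard_match(pkt["dst"], dst, dwild):
            continue
        if ports and not ports[0] <= pkt["dport"] <= ports[1]:
            continue
        return action
    return "deny"

# Constructed sample packets as seen inbound on interface Vlan2.
DHCP_DISCOVER = {"proto": "udp", "src": "0.0.0.0", "dst": "255.255.255.255", "dport": 67}
QC_TO_WS = {"proto": "tcp", "src": "192.168.1.10", "dst": "192.168.2.10", "dport": 445}
QC_TO_SERVER = {"proto": "tcp", "src": "192.168.1.10", "dst": "192.168.5.22", "dport": 445}
# A host on VLAN 2 sending from an address that is not part of the QC subnet.
FOREIGN_SRC = {"proto": "tcp", "src": "10.9.8.7", "dst": "192.168.5.22", "dport": 445}

if __name__ == "__main__":
    for name, acl in (("as posted", ACL_111_AS_POSTED), ("bootps/bootpc", ACL_111_WITH_DHCP),
                      ("permit ip any any", ACL_111_ANY_ANY)):
        print(name, [evaluate(acl, p) for p in (DHCP_DISCOVER, QC_TO_WS, QC_TO_SERVER, FOREIGN_SRC)])
```

The inter-VLAN deny lines still match first under both fixes, so only the treatment of sources outside 192.168.1.0/24 differs between them.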

Author Comment

by:netman70
ID: 22849937
Thanks! Working now..