Solved

VLAN ACL assistance

Posted on 2008-10-29
Last Modified: 2008-10-31
Hi,

I have the following VLANs defined on my Catalyst 3560e (l3) switch.

*****
interface Vlan2
 description QC-VLAN
 ip address 192.168.1.1 255.255.255.0
 ip helper-address 192.168.5.22
 ip helper-address 192.168.5.21
!
interface Vlan3
 description Workstation-VLAN
 ip address 192.168.2.1 255.255.255.0
 ip helper-address 192.168.5.22
 ip helper-address 192.168.5.21
!
interface Vlan4
 description Security-VLAN
 ip address 192.168.4.1 255.255.255.0
 ip helper-address 192.168.5.22
 ip helper-address 192.168.5.21
!
interface Vlan5
 description Server-VLAN
 ip address 192.168.5.1 255.255.255.0
!
interface Vlan6
 description VoIP-VLAN
 ip address 192.168.6.1 255.255.255.0
 ip helper-address 192.168.5.22
 ip helper-address 192.168.5.21
!
interface Vlan7
 description Engineering-VLAN
 ip address 130.130.130.1 255.255.0.0
 ip helper-address 192.168.5.22
 ip helper-address 192.168.5.21
******

I also have the following ACLs configured to control the flow of traffic between VLANs

*****
access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 111 deny   ip 192.168.1.0 0.0.0.255 130.130.130.0 0.0.0.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
access-list 112 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 112 deny   ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 112 deny   ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 112 deny   ip 192.168.2.0 0.0.0.255 130.130.130.0 0.0.0.255
access-list 112 permit ip 192.168.2.0 0.0.0.255 any
access-list 114 deny   ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 114 deny   ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 114 deny   ip 192.168.4.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 114 deny   ip 192.168.4.0 0.0.0.255 130.130.130.0 0.0.0.255
access-list 114 permit ip 192.168.4.0 0.0.0.255 any
access-list 116 deny   ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 116 deny   ip 192.168.6.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 116 deny   ip 192.168.6.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 116 deny   ip 192.168.6.0 0.0.0.255 130.130.130.0 0.0.0.255
access-list 116 permit ip 192.168.6.0 0.0.0.255 any
access-list 130 deny   ip 130.130.130.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 130 deny   ip 130.130.130.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 130 deny   ip 130.130.130.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 130 deny   ip host 130.130.130.1 192.168.5.0 0.0.0.255
access-list 130 deny   ip 130.130.130.0 0.0.0.63 192.168.5.0 0.0.0.255
access-list 130 deny   ip 130.130.130.192 0.0.0.7 192.168.5.0 0.0.0.255
access-list 130 deny   ip host 130.130.130.200 192.168.5.0 0.0.0.255
access-list 130 deny   ip 130.130.130.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 130 permit ip 130.130.130.0 0.0.0.255 any
*******

Everything works great except when I apply the ACLs to the VLAN interfaces (see below). When I do that, none of the stations on any VLAN (except, of course, the server VLAN) can get a DHCP address. Please help! Thanks!!

****
interface VLAN2
 ip access-group 111 in

interface VLAN3
 ip access-group 112 in

interface VLAN4
 ip access-group 114 in

interface VLAN6
 ip access-group 116 in

interface VLAN7
 ip access-group 130 in
*******
Question by:netman70
4 Comments
LVL 50

Accepted Solution

by:
Don Johnston earned 500 total points
ID: 22837546
Your ACL is blocking traffic based on the source and destination address. DHCP requests don't have a valid source IP address. Since the request is not coming from an allowed address, it's denied.

Change the last line of each ACL to:

access-list # permit ip any any

and it'll get an IP address.

Author Comment

by:netman70
ID: 22837975
Thanks! I'll check it out tomorrow.
LVL 57

Expert Comment

by:giltjr
ID: 22841091
Although adding an "ip any any" to the end will (should) work, that could end up allowing a bunch of traffic that you may not want to allow.

It might be better to add "permit udp any any range bootps bootpc" to each access-list.
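A worked check of the three variants discussed in the accepted answer and in giltjr's comment, added here as an example (it is not code from the thread or from Cisco): a small Python evaluator for numbered extended ACL entries in IOS syntax, walked top-down with the implicit deny at the end, and run against constructed packets as they would arrive inbound on Vlan2. The ACL 111 lines are the ones from the question; the sample hosts 192.168.1.10 and 10.9.8.7, the port numbers, and the DHCP DISCOVER addressing (source 0.0.0.0, destination 255.255.255.255, UDP 68 to 67) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

SERVICE_PORTS = {"bootps": 67, "bootpc": 68}  # IOS keywords used in the thread


@dataclass
class Ace:
    number: str
    action: str
    proto: str
    src: Tuple[int, int]             # (network, wildcard) as integers
    sport: Optional[Tuple[int, int]]  # (lo, hi) or None for any port
    dst: Tuple[int, int]
    dport: Optional[Tuple[int, int]]


def _port(tok):
    return SERVICE_PORTS[tok] if tok in SERVICE_PORTS else int(tok)


def _parse_addr(tokens):
    """Consume an IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))


def _parse_ports(tokens):
    """Consume an optional 'eq X' or 'range X Y' operator; None means any port."""
    if not tokens or tokens[0] not in ("eq", "range"):
        return None
    op = tokens.pop(0)
    lo = _port(tokens.pop(0))
    hi = _port(tokens.pop(0)) if op == "range" else lo
    return lo, hi


def parse_ace(line):
    tokens = line.split()
    if tokens[:1] != ["access-list"]:
        raise ValueError("not a numbered access-list entry: " + line)
    number, action, proto = tokens[1], tokens[2], tokens[3]
    rest = tokens[4:]
    src = _parse_addr(rest)
    sport = _parse_ports(rest)
    dst = _parse_addr(rest)
    dport = _parse_ports(rest)
    return Ace(number, action, proto, src, sport, dst, dport)


def _addr_matches(spec, addr):
    net, wildcard = spec
    # Wildcard bits set to 1 are "don't care"; every other bit must equal the network.
    return ((addr ^ net) & ~wildcard & 0xFFFFFFFF) == 0


def _port_matches(spec, port):
    return spec is None or (port is not None and spec[0] <= port <= spec[1])


def evaluate(acl_lines, pkt):
    """Walk the list top-down like IOS; return (action, line that matched)."""
    src = int(ipaddress.IPv4Address(pkt["src"]))
    dst = int(ipaddress.IPv4Address(pkt["dst"]))
    for line in acl_lines:
        ace = parse_ace(line)
        if ace.proto not in ("ip", pkt["proto"]):
            continue
        if not (_addr_matches(ace.src, src) and _addr_matches(ace.dst, dst)):
            continue
        if not (_port_matches(ace.sport, pkt.get("sport"))
                and _port_matches(ace.dport, pkt.get("dport"))):
            continue
        return ace.action, line
    return "deny", "implicit deny at end of list"


# ACL 111 exactly as posted in the question, plus the two proposed fixes.
ACL_111 = [
    "access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255",
    "access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255",
    "access-list 111 deny   ip 192.168.1.0 0.0.0.255 130.130.130.0 0.0.0.255",
    "access-list 111 permit ip 192.168.1.0 0.0.0.255 any",
]
ACL_111_ANY_ANY = ACL_111 + ["access-list 111 permit ip any any"]
ACL_111_DHCP = ACL_111 + ["access-list 111 permit udp any any range bootps bootpc"]

# Constructed sample packets arriving inbound on Vlan2.
PACKETS = {
    "dhcp_discover": dict(proto="udp", src="0.0.0.0", dst="255.255.255.255", sport=68, dport=67),
    "qc_to_server": dict(proto="tcp", src="192.168.1.10", dst="192.168.5.22", sport=51000, dport=445),
    "qc_to_workstation": dict(proto="tcp", src="192.168.1.10", dst="192.168.2.10", sport=51001, dport=445),
    "stray_source": dict(proto="tcp", src="10.9.8.7", dst="192.168.2.10", sport=51002, dport=445),
}


def compare():
    """Action taken on each sample packet under each ACL variant."""
    variants = (("original", ACL_111), ("any_any", ACL_111_ANY_ANY), ("dhcp_only", ACL_111_DHCP))
    return {name: {p: evaluate(acl, pkt)[0] for p, pkt in PACKETS.items()} for name, acl in variants}


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, verdicts)
```

The DISCOVER fails every line of the posted ACL because all of them require a source in 192.168.1.0/24, so it hits the implicit deny. Both fixes let it through, but only the `permit udp any any range bootps bootpc` variant keeps the `stray_source` packet (a source address that does not belong on that VLAN) denied, which is the point giltjr is making about `permit ip any any`.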

Author Comment

by:netman70
ID: 22849937
Thanks! Working now.
