Solved

VLAN ACL assistance

Posted on 2008-10-29
4
1,186 Views
Last Modified: 2008-10-31
Hi,

I have the following VLAN's defined on my Catalyst 3560e (l3) switch.

*****
interface Vlan2
 description QC-VLAN
 ip address 192.168.1.1 255.255.255.0
 ip helper-address 192.168.5.22
 ip helper-address 192.168.5.21
!
interface Vlan3
 description Workstation-VLAN
 ip address 192.168.2.1 255.255.255.0
 ip helper-address 192.168.5.22
 ip helper-address 192.168.5.21
!
interface Vlan4
 description Security-VLAN
 ip address 192.168.4.1 255.255.255.0
 ip helper-address 192.168.5.22
 ip helper-address 192.168.5.21
!
interface Vlan5
 description Server-VLAN
 ip address 192.168.5.1 255.255.255.0
!
interface Vlan6
 description VoIP-VLAN
 ip address 192.168.6.1 255.255.255.0
 ip helper-address 192.168.5.22
 ip helper-address 192.168.5.21
!
interface Vlan7
 description Engineering-VLAN
 ip address 130.130.130.1 255.255.0.0
 ip helper-address 192.168.5.22
 ip helper-address 192.168.5.21
******

I also have the following ACL's configured to control the flow of traffic between VLAN's

*****
access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 111 deny   ip 192.168.1.0 0.0.0.255 130.130.130.0 0.0.0.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
access-list 112 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 112 deny   ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 112 deny   ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 112 deny   ip 192.168.2.0 0.0.0.255 130.130.130.0 0.0.0.255
access-list 112 permit ip 192.168.2.0 0.0.0.255 any
access-list 114 deny   ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 114 deny   ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 114 deny   ip 192.168.4.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 114 deny   ip 192.168.4.0 0.0.0.255 130.130.130.0 0.0.0.255
access-list 114 permit ip 192.168.4.0 0.0.0.255 any
access-list 116 deny   ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 116 deny   ip 192.168.6.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 116 deny   ip 192.168.6.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 116 deny   ip 192.168.6.0 0.0.0.255 130.130.130.0 0.0.0.255
access-list 116 permit ip 192.168.6.0 0.0.0.255 any
access-list 130 deny   ip 130.130.130.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 130 deny   ip 130.130.130.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 130 deny   ip 130.130.130.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 130 deny   ip host 130.130.130.1 192.168.5.0 0.0.0.255
access-list 130 deny   ip 130.130.130.0 0.0.0.63 192.168.5.0 0.0.0.255
access-list 130 deny   ip 130.130.130.192 0.0.0.7 192.168.5.0 0.0.0.255
access-list 130 deny   ip host 130.130.130.200 192.168.5.0 0.0.0.255
access-list 130 deny   ip 130.130.130.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 130 permit ip 130.130.130.0 0.0.0.255 any
*******

Everthing works great except when I apply the ACL's to the VLAN interface (see below). When I do that, none of the stations on any VLAN (except, of course, the server VLAN) can get a DHCP address. Please help! Thanks!!

****
interface VLAN2
access-group 111 in

interface VLAN3
access-group 112 in

interface VLAN4
access-group 114 in

interface VLAN6
access-group 116 in

interface VLAN7
access-group 130 in
*******
0
Comment
Question by:netman70
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 50

Accepted Solution

by:
Don Johnston earned 500 total points
ID: 22837546
Your ACL is blocking traffic based on the source and destination address. DHCP requests don't have a valid source IP address. Since the request is not coming from an allowed address, it's denied.

Change the last line of each ACL to:

access-list # permit ip any any

and it'll get an IP address.
0
 

Author Comment

by:netman70
ID: 22837975
Thanks! I'll check it out tomorrow.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 22841091
Although adding a IP any any to the end will (should) work, but that could end up allowing a bunch of traffic that you may not want to allow.

It might be better to add "permit udp any any range bootps bootpc" to each access-list.
0
 

Author Comment

by:netman70
ID: 22849937
Thanks! Working now..
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Show IP BGP Information 10 73
Error after upgrade of 3850s 15 94
Unable to login to Cisco C800 Ver 15.3(3)M4 8 54
Routers to buy for MDT Multitasking 6 76
This tutorial will go through the steps required to write a script that will back up the configuration settings of a HP-ProCurve switch. You will need to get the following things to follow this tutorial: Telnet Scripting Tool e.g. TST10.exe …
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

732 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question