  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 469

Cisco ACLs & VLANs

Hi,
I have recently implemented ACLs into our VLAN network to stop Guests gaining access to the rest of the network. But when I apply the ACL the Guests can no longer request a DHCP address or use DNS. If I set a static address they can ping the DHCP Server fine. I have copied my router config below just so you can see what's going on.

192.168.6.2 is the DHCP & DNS Server
192.168.15.0 is the Guest network subnet

Current configuration : 1981 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
enable secret 5 $1$mERr$enozEsWcnsc1Y5..Q4jiD/
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.5
 encapsulation dot1Q 5
 ip address 192.168.5.1 255.255.255.0
!
interface FastEthernet0/0.6
 encapsulation dot1Q 6
 ip address 192.168.6.1 255.255.255.0
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 192.168.6.2
!
interface FastEthernet0/0.15
 encapsulation dot1Q 15
 ip address 192.168.15.1 255.255.255.0
 ip helper-address 192.168.6.2
 ip access-group 100 in
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip helper-address 192.168.6.2
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface FastEthernet0/1/0
 switchport mode access
 shutdown
!
interface FastEthernet0/1/1
 switchport mode access
 shutdown
!
interface FastEthernet0/1/2
 switchport mode access
 shutdown
!
interface FastEthernet0/1/3
 switchport mode access
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
router rip
!
ip classless
!
!
access-list 100 deny ip 192.168.15.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 deny ip 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 deny ip 192.168.15.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 permit ip 192.168.15.0 0.0.0.255 any
access-list 100 permit udp host 192.168.6.2 any
access-list 100 permit ip host 192.168.6.2 any
!
no cdp run
!
!
!
!
!
line con 0
 password ***
 login
line vty 0 4
 password ***
 login
line vty 5 15
 password ***
 login
!
!
!
end
Asked by: dan4132
1 Solution
 
fgasimzade Commented:
You would need this access-list:

access-list 100 permit udp any eq bootpc host 255.255.255.255 eq bootps
access-list 100 permit udp 192.168.15.0 0.0.0.255 192.168.6.2 eq domain
access-list 100 deny ip 192.168.15.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 deny ip 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 deny ip 192.168.15.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 permit ip 192.168.15.0 0.0.0.255 any
 
fgasimzade Commented:
Sorry, I would suggest changing the first line to:

access-list 100 permit udp any eq bootpc host any eq bootps

for both unicast and broadcast communication with the DHCP server.
 
dan4132 (Author) Commented:
Thanks for your help.

Unfortunately the Guests still aren't getting the DHCP Requests with the new commands you have given.

For the "permit udp eq bootpc host any eq bootps" line, it wouldn't let me have "any" after "host", so I typed the Server IP in. My access list now looks like this:

permit udp any eq bootpc host 192.168.6.2 eq bootps
permit udp 192.168.15.0 0.0.0.255 192.168.6.2 0.0.0.255 eq domain
deny ip 192.168.15.0 0.0.0.255 192.168.10.0 0.0.0.255
deny ip 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255
deny ip 192.168.15.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.15.0 0.0.0.255 any
fgasimzade Commented:
No, it shouldn't be your DHCP server address, my mistake, sorry, try this:

access-list 100 permit udp any eq bootpc any eq bootps
 
dan4132 (Author) Commented:
Thanks for your help!! You got it sorted for me!!
 
fgasimzade Commented:
Good luck!