Cisco ACLs & VLANs

Posted on 2011-09-28
Last Modified: 2012-05-12
Hi,
I have recently implemented ACLs into our VLAN network to stop Guests gaining access to the rest of the network. But when I apply the ACL the Guests can no longer request a DHCP address or use DNS. If I set a static address they can ping the DHCP Server fine. I have copied my router config below just so you can see what's going on.

192.168.6.2 is the DHCP & DNS Server
192.168.15.0 is the Guest network subnet

Current configuration : 1981 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
enable secret 5 $1$mERr$enozEsWcnsc1Y5..Q4jiD/
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.5
 encapsulation dot1Q 5
 ip address 192.168.5.1 255.255.255.0
!
interface FastEthernet0/0.6
 encapsulation dot1Q 6
 ip address 192.168.6.1 255.255.255.0
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 192.168.6.2
!
interface FastEthernet0/0.15
 encapsulation dot1Q 15
 ip address 192.168.15.1 255.255.255.0
 ip helper-address 192.168.6.2
 ip access-group 100 in
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip helper-address 192.168.6.2
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface FastEthernet0/1/0
 switchport mode access
 shutdown
!
interface FastEthernet0/1/1
 switchport mode access
 shutdown
!
interface FastEthernet0/1/2
 switchport mode access
 shutdown
!
interface FastEthernet0/1/3
 switchport mode access
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
router rip
!
ip classless
!
!
access-list 100 deny ip 192.168.15.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 deny ip 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 deny ip 192.168.15.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 permit ip 192.168.15.0 0.0.0.255 any
access-list 100 permit udp host 192.168.6.2 any
access-list 100 permit ip host 192.168.6.2 any
!
no cdp run
!
!
!
!
!
line con 0
 password ***
 login
line vty 0 4
 password ***
 login
line vty 5 15
 password ***
 login
!
!
!
end
Question by:dan4132
LVL 18

Expert Comment

by:fgasimzade
ID: 36715632
You would need this access-list:

access-list 100 permit udp any eq bootpc host 255.255.255.255 eq bootps
access-list 100 permit udp 192.168.15.0 0.0.0.255 192.168.6.2 eq domain
access-list 100 deny ip 192.168.15.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 deny ip 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 deny ip 192.168.15.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 permit ip 192.168.15.0 0.0.0.255 any
 
LVL 18

Expert Comment

by:fgasimzade
ID: 36715652
Sorry, I would suggest changing the first line to:

access-list 100 permit udp any eq bootpc host any eq bootps

for both unicast and broadcast communication with the DHCP server
 
LVL 3

Author Comment

by:dan4132
ID: 36715702
Thanks for your help.

Unfortunately the Guests still aren't getting the DHCP Requests with the new commands you have given.

For the permit udp eq bootpc host any eq bootps, it wouldn't let me have any after host, so I typed the server IP in. My access list now looks like this:

permit udp any eq bootpc host 192.168.6.2 eq bootps
permit udp 192.168.15.0 0.0.0.255 192.168.6.2 0.0.0.255 eq domain
deny ip 192.168.15.0 0.0.0.255 192.168.10.0 0.0.0.255
deny ip 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255
deny ip 192.168.15.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.15.0 0.0.0.255 any
 
LVL 18

Accepted Solution

by:fgasimzade (earned 500 total points)
ID: 36715724
No, it shouldn't be your DHCP server address, my mistake, sorry, try this:

access-list 100 permit udp any eq bootpc any eq bootps
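Why the original ACL broke DHCP while the accepted order works, as an added example (not code from the thread): a small Python matcher for the ACL forms used above, run against constructed guest packets. The 192.168.15.50 client, the 192.168.10.20 and 203.0.113.10 destinations and the ephemeral port numbers are assumptions made for the sample traffic.

```python
import ipaddress
# Minimal matcher for the extended-ACL forms in this thread (added example, not a tool
# from the thread): "permit|deny ip|udp SRC [eq PORT] DST [eq PORT]", with addresses
# written as "any", "host A.B.C.D" or "NET WILDCARD". First match wins; implicit deny last.
PORTS = {"bootpc": 68, "bootps": 67, "domain": 53}

def _addr(t, i):
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    wild = int(ipaddress.IPv4Address(t[i + 1]))  # Cisco wildcard = inverted netmask
    return ipaddress.ip_network(f"{t[i]}/{32 - wild.bit_length()}", strict=False), i + 2

def _port(t, i):
    if i < len(t) and t[i] == "eq":
        return PORTS[t[i + 1]], i + 2
    return None, i

def parse_ace(line):
    t = line.split()
    src, i = _addr(t, 2)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    return t[0], t[1], src, sport, dst, dport  # action, protocol, src, sport, dst, dport

def evaluate(acl, proto, src, sport, dst, dport):
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl:
        action, p, snet, sp, dnet, dp = parse_ace(line)
        if (p in ("ip", proto) and src in snet and dst in dnet
                and sp in (None, sport) and dp in (None, dport)):
            return action
    return "deny (implicit)"

ORIGINAL_ACL = [  # inbound on FastEthernet0/0.15 in the question
    "deny ip 192.168.15.0 0.0.0.255 192.168.10.0 0.0.0.255",
    "deny ip 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255",
    "deny ip 192.168.15.0 0.0.0.255 192.168.5.0 0.0.0.255",
    "permit ip 192.168.15.0 0.0.0.255 any",
    "permit udp host 192.168.6.2 any",  # dead inbound on the guest VLAN: the server
    "permit ip host 192.168.6.2 any",   # is never a source address there
]
FIXED_ACL = [  # the thread's final working order: DHCP and DNS ahead of the denies
    "permit udp any eq bootpc any eq bootps",
    "permit udp 192.168.15.0 0.0.0.255 192.168.6.2 0.0.0.255 eq domain",
] + ORIGINAL_ACL[:4]
# Constructed guest traffic: (proto, src, sport, dst, dport).
DHCP_DISCOVER = ("udp", "0.0.0.0", 68, "255.255.255.255", 67)  # client has no address yet
DNS_QUERY = ("udp", "192.168.15.50", 40000, "192.168.6.2", 53)
LATERAL_SMB = ("tcp", "192.168.15.50", 40001, "192.168.10.20", 445)
WEB = ("tcp", "192.168.15.50", 40002, "203.0.113.10", 80)
```

Running `evaluate` over these packets shows that the original ACL already permits the DNS query once a client has an address; the only guest traffic it drops is the DHCPDISCOVER, whose 0.0.0.0 source matches none of the 192.168.15.0 entries and falls through to the implicit deny. The two `host 192.168.6.2` entries never match inbound on the guest subinterface, so the fix is purely the ordering of the bootpc/bootps permit ahead of the denies.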
 
LVL 3

Author Closing Comment

by:dan4132
ID: 36715741
Thanks for your help!! You got it sorted for me!!
 
LVL 18

Expert Comment

by:fgasimzade
ID: 36715754
Good luck!
