Solved

Cisco ACLs & VLANs

Posted on 2011-09-28
Last Modified: 2012-05-12
Hi,
I have recently implemented ACLs into our VLAN network to stop Guests gaining access to the rest of the network. But when I apply the ACL the Guests can no longer request a DHCP address or use DNS. If I set a static address they can ping the DHCP Server fine. I have copied my router config below just so you can see what's going on.

192.168.6.2 is the DHCP & DNS Server
192.168.15.0 is the Guest network subnet

Current configuration : 1981 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
enable secret 5 $1$mERr$enozEsWcnsc1Y5..Q4jiD/
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.5
 encapsulation dot1Q 5
 ip address 192.168.5.1 255.255.255.0
!
interface FastEthernet0/0.6
 encapsulation dot1Q 6
 ip address 192.168.6.1 255.255.255.0
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 192.168.6.2
!
interface FastEthernet0/0.15
 encapsulation dot1Q 15
 ip address 192.168.15.1 255.255.255.0
 ip helper-address 192.168.6.2
 ip access-group 100 in
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip helper-address 192.168.6.2
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface FastEthernet0/1/0
 switchport mode access
 shutdown
!
interface FastEthernet0/1/1
 switchport mode access
 shutdown
!
interface FastEthernet0/1/2
 switchport mode access
 shutdown
!
interface FastEthernet0/1/3
 switchport mode access
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
router rip
!
ip classless
!
!
access-list 100 deny ip 192.168.15.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 deny ip 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 deny ip 192.168.15.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 permit ip 192.168.15.0 0.0.0.255 any
access-list 100 permit udp host 192.168.6.2 any
access-list 100 permit ip host 192.168.6.2 any
!
no cdp run
!
!
!
!
!
line con 0
 password ***
 login
line vty 0 4
 password ***
 login
line vty 5 15
 password ***
 login
!
!
!
end
Question by:dan4132

6 Comments
 
LVL 18

Expert Comment

by:fgasimzade
ID: 36715632
You would need this access-list:

access-list 100 permit udp any eq bootpc host 255.255.255.255 eq bootps
access-list 100 permit udp 192.168.15.0 0.0.0.255 192.168.6.2 eq domain
access-list 100 deny ip 192.168.15.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 deny ip 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 deny ip 192.168.15.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 permit ip 192.168.15.0 0.0.0.255 any
 
LVL 18

Expert Comment

by:fgasimzade
ID: 36715652
Sorry, I would suggest changing the first line to:

access-list 100 permit udp any eq bootpc host any eq bootps

for both unicast and broadcast communication with the DHCP server.
 
LVL 3

Author Comment

by:dan4132
ID: 36715702
Thanks for your help.

Unfortunately the Guests still aren't getting the DHCP Requests with the new commands you have given.

For the "permit udp any eq bootpc host any eq bootps" line, it wouldn't let me have "any" after "host", so I typed the Server IP in. My access list now looks like this:

permit udp any eq bootpc host 192.168.6.2 eq bootps
permit udp 192.168.15.0 0.0.0.255 192.168.6.2 0.0.0.255 eq domain
deny ip 192.168.15.0 0.0.0.255 192.168.10.0 0.0.0.255
deny ip 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255
deny ip 192.168.15.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.15.0 0.0.0.255 any

 
LVL 18

Accepted Solution

by:fgasimzade (earned 500 total points)
ID: 36715724
No, it shouldn't be your DHCP server address; my mistake, sorry. Try this:

access-list 100 permit udp any eq bootpc any eq bootps
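To see why the original list blocked DHCP while the accepted line fixes it, here is an added Python simulation of IOS first-match extended-ACL evaluation (it is not code from this thread or from Cisco). It parses the ACLs quoted in the thread and runs them against three constructed packets: a DHCP DISCOVER, which has source 0.0.0.0 and so never matches the "permit ip 192.168.15.0" line; a DNS query from a guest that already holds an address, which the original list already permits; and a guest-to-internal connection, which stays denied under both lists. The client addresses and ports in the packets are constructed for the example.

```python
import ipaddress

# Added example, not Cisco's code: IOS extended-ACL matching (first match wins, implicit deny).
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53}

def _addr(tok, i):
    # 'any' | 'host A' | 'A WILDCARD'  ->  ((base, wildcard), next index)
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2
def _port(tok, i):
    # optional 'eq PORT' (name or number)  ->  (port or None, next index)
    if i < len(tok) and tok[i] == "eq":
        return PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return None, i
def parse_acl(text):
    # 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' lines -> entry tuples
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()[2:]                  # drop 'access-list 100'
        src, i = _addr(tok, 2)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, _ = _port(tok, i)
        entries.append((tok[0], tok[1], src, sport, dst, dport))
    return entries

def _wild(addr, base, wild):
    # Cisco wildcard mask: a 1 bit means 'do not care' for that bit
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wild))
    return (a & ~w) == (b & ~w)
def evaluate(entries, proto, src, sport, dst, dport):
    # verdict for one packet arriving inbound on the interface: 'permit' or 'deny'
    for action, p, (sb, sw), sp, (db, dw), dp in entries:
        if (p in ("ip", proto) and _wild(src, sb, sw) and _wild(dst, db, dw)
                and sp in (None, sport) and dp in (None, dport)):
            return action
    return "deny"                               # implicit deny

ORIGINAL = """access-list 100 deny ip 192.168.15.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 deny ip 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 deny ip 192.168.15.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 permit ip 192.168.15.0 0.0.0.255 any"""
FIXED = "access-list 100 permit udp any eq bootpc any eq bootps\n" + ORIGINAL

# Constructed packets: a DHCP DISCOVER has source 0.0.0.0, so no 192.168.15.0 line can match it.
DISCOVER = ("udp", "0.0.0.0", 68, "255.255.255.255", 67)
DNS_QUERY = ("udp", "192.168.15.50", 40000, "192.168.6.2", 53)
GUEST_TO_LAN = ("tcp", "192.168.15.50", 50000, "192.168.10.5", 445)
```

Running evaluate(parse_acl(ORIGINAL), *DISCOVER) returns "deny" and the same call with FIXED returns "permit", while GUEST_TO_LAN is denied under both lists.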
 
LVL 3

Author Closing Comment

by:dan4132
ID: 36715741
Thanks for your help!! You got it sorted for me!!
 
LVL 18

Expert Comment

by:fgasimzade
ID: 36715754
Good luck!