Cisco ACL's & VLANS

Hi,
I have recently implemented ACLs in our VLAN network to stop guests gaining access to the rest of the network. But when I apply the ACL the guests can no longer request a DHCP address or use DNS. If I set a static address they can ping the DHCP server fine. I have copied my router config below just so you can see what's going on.

192.168.6.2 is the DHCP & DNS Server
192.168.15.0 is the Guest network subnet

Current configuration : 1981 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
enable secret 5 $1$mERr$enozEsWcnsc1Y5..Q4jiD/
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.5
 encapsulation dot1Q 5
 ip address 192.168.5.1 255.255.255.0
!
interface FastEthernet0/0.6
 encapsulation dot1Q 6
 ip address 192.168.6.1 255.255.255.0
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 192.168.6.2
!
interface FastEthernet0/0.15
 encapsulation dot1Q 15
 ip address 192.168.15.1 255.255.255.0
 ip helper-address 192.168.6.2
 ip access-group 100 in
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip helper-address 192.168.6.2
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface FastEthernet0/1/0
 switchport mode access
 shutdown
!
interface FastEthernet0/1/1
 switchport mode access
 shutdown
!
interface FastEthernet0/1/2
 switchport mode access
 shutdown
!
interface FastEthernet0/1/3
 switchport mode access
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
router rip
!
ip classless
!
!
access-list 100 deny ip 192.168.15.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 deny ip 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 deny ip 192.168.15.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 permit ip 192.168.15.0 0.0.0.255 any
access-list 100 permit udp host 192.168.6.2 any
access-list 100 permit ip host 192.168.6.2 any
!
no cdp run
!
!
!
!
!
line con 0
 password ***
 login
line vty 0 4
 password ***
 login
line vty 5 15
 password ***
 login
!
!
!
end
Asked by dan4132

fgasimzade commented:
You would need this access-list:

access-list 100 permit udp any eq bootpc host 255.255.255.255 eq bootps
access-list 100 permit udp 192.168.15.0 0.0.0.255 host 192.168.6.2 eq domain
access-list 100 deny ip 192.168.15.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 deny ip 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 deny ip 192.168.15.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 permit ip 192.168.15.0 0.0.0.255 any

fgasimzade commented:
Sorry, I would suggest changing the first line to:

access-list 100 permit udp any eq bootpc host any eq bootps

for both unicast and broadcast communication with the DHCP server.

dan4132 (author) commented:
Thanks for your help.

Unfortunately the guests still aren't getting DHCP addresses with the new commands you have given.

For the "permit udp any eq bootpc host any eq bootps" line it wouldn't let me put "any" after "host", so I typed the server IP in. My access list now looks like this:

permit udp any eq bootpc host 192.168.6.2 eq bootps
permit udp 192.168.15.0 0.0.0.255 192.168.6.2 0.0.0.255 eq domain
deny ip 192.168.15.0 0.0.0.255 192.168.10.0 0.0.0.255
deny ip 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255
deny ip 192.168.15.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.15.0 0.0.0.255 any

fgasimzade commented:
No, it shouldn't be your DHCP server address, my mistake, sorry, try this:

access-list 100 permit udp any eq bootpc any eq bootps
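The failure in this thread comes from ACL ordering and from the addresses a DHCP DISCOVER carries: the client sends it from 0.0.0.0 to 255.255.255.255 (UDP 68 to 67), and the inbound ACL on FastEthernet0/0.15 is evaluated before ip helper-address relays the packet, so a list whose only permit is sourced from 192.168.15.0/24 falls through to the implicit deny at the end of every IOS ACL. The two entries sourced from host 192.168.6.2 in the originally posted list do nothing useful on an inbound guest-VLAN ACL; they could only match a packet entering from VLAN 15 that claims the server's address. The Python below is an added example, not code from the thread or from Cisco: a small first-match evaluator that replays constructed packets against the asker's original list, against the accepted answer's final form (the DNS entry written as host 192.168.6.2, which is what the answer meant; the asker's posted line used a 0.0.0.255 wildcard, which IOS normalises to 192.168.6.0/24), and against a tighter variant, added here, that also denies the server VLAN after the DHCP/DNS permits, because the accepted list still lets guests reach every other port on 192.168.6.2. CIDR notation stands in for the IOS host/wildcard/any forms; all packets and hostnames are constructed for illustration.

```python
# Added example (not from the original thread): a first-match evaluator for
# Cisco-style extended ACLs, used to show why the asker's original ACL 100
# drops DHCP and what the accepted fix changes. Packets are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

BOOTPS, BOOTPC, DOMAIN = 67, 68, 53      # values behind the IOS port keywords


@dataclass(frozen=True)
class Packet:
    proto: str            # "udp", "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    """One access-list entry; CIDR replaces IOS 'host' / wildcard / 'any'."""
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: str
    dst: str
    sport: Optional[int] = None      # None means no 'eq' qualifier
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (
            self.proto in ("ip", p.proto)
            and ip_address(p.src) in ip_network(self.src)
            and ip_address(p.dst) in ip_network(self.dst)
            and self.sport in (None, p.sport)
            and self.dport in (None, p.dport)
        )


def evaluate(acl, p: Packet):
    """Return (action, index of the matching entry). No match means the
    implicit deny IOS appends to every ACL, reported as ("deny", None)."""
    for i, ace in enumerate(acl):
        if ace.matches(p):
            return ace.action, i
    return "deny", None


ANY = "0.0.0.0/0"
GUEST = "192.168.15.0/24"
SERVER = "192.168.6.2/32"

# The asker's ACL 100 as posted, applied 'in' on FastEthernet0/0.15.
ORIGINAL = [
    Ace("deny", "ip", GUEST, "192.168.10.0/24"),
    Ace("deny", "ip", GUEST, "192.168.20.0/24"),
    Ace("deny", "ip", GUEST, "192.168.5.0/24"),
    Ace("permit", "ip", GUEST, ANY),
    # Sourced from the server: on an inbound guest-VLAN ACL these can only
    # match packets from VLAN 15 that spoof 192.168.6.2.
    Ace("permit", "udp", SERVER, ANY),
    Ace("permit", "ip", SERVER, ANY),
]

# The accepted answer's final shape: DHCP and DNS permitted before the denies.
ANSWER = [
    Ace("permit", "udp", ANY, ANY, sport=BOOTPC, dport=BOOTPS),
    Ace("permit", "udp", GUEST, SERVER, dport=DOMAIN),
] + ORIGINAL[:4]

# Tighter variant (added here, not from the thread): also deny the server VLAN
# so guests reach 192.168.6.2 only on the DHCP and DNS ports permitted above.
TIGHTENED = ANSWER[:2] + [Ace("deny", "ip", GUEST, "192.168.6.0/24")] + ORIGINAL[:4]

# Constructed traffic as it arrives inbound on the guest sub-interface.
DISCOVER = Packet("udp", "0.0.0.0", "255.255.255.255", BOOTPC, BOOTPS)
RENEW = Packet("udp", "192.168.15.50", "192.168.6.2", BOOTPC, BOOTPS)
DNS = Packet("udp", "192.168.15.50", "192.168.6.2", 51234, DOMAIN)
TO_VLAN10 = Packet("icmp", "192.168.15.50", "192.168.10.7")
SMB_TO_SERVER = Packet("tcp", "192.168.15.50", "192.168.6.2", 40000, 445)

if __name__ == "__main__":
    traffic = {"discover": DISCOVER, "renew": RENEW, "dns": DNS,
               "to_vlan10": TO_VLAN10, "smb_to_server": SMB_TO_SERVER}
    for name, acl in (("original", ORIGINAL), ("answer", ANSWER),
                      ("tightened", TIGHTENED)):
        for label, pkt in traffic.items():
            action, idx = evaluate(acl, pkt)
            print(f"{name:9} {label:14} {action:6} via entry {idx}")
```

Running it prints one verdict per packet and list. The entry index is the same information the per-line hit counters of show access-lists give you on the router: the DISCOVER never increments any counter on the original list, which is the quickest way to confirm the implicit deny is what is eating it.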
 
dan4132 (author) commented:
Thanks for your help!! You got it sorted for me!!

fgasimzade commented:
Good luck!