Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Cisco ACL's & VLANS

Posted on 2011-09-28
6
Medium Priority
?
463 Views
Last Modified: 2012-05-12
Hi,
I have recently implemented ACL's into our VLAN network to stop Guests gaining acces to the rest of the network. But when I apply the ACL the Guests can no longer request a DHCP address or use DNS. If I set a static address they can ping the DHCP Server fine. I have copied my router config below just so you can see whats going on.

192.168.6.2 is the DHCP & DNS Server
192.168.15.0 is the Guest network subnet

Current configuration : 1981 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
enable secret 5 $1$mERr$enozEsWcnsc1Y5..Q4jiD/
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.5
 encapsulation dot1Q 5
 ip address 192.168.5.1 255.255.255.0
!
interface FastEthernet0/0.6
 encapsulation dot1Q 6
 ip address 192.168.6.1 255.255.255.0
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 192.168.6.2
!
interface FastEthernet0/0.15
 encapsulation dot1Q 15
 ip address 192.168.15.1 255.255.255.0
 ip helper-address 192.168.6.2
 ip access-group 100 in
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip helper-address 192.168.6.2
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface FastEthernet0/1/0
 switchport mode access
 shutdown
!
interface FastEthernet0/1/1
 switchport mode access
 shutdown
!
interface FastEthernet0/1/2
 switchport mode access
 shutdown
!
interface FastEthernet0/1/3
 switchport mode access
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
router rip
!
ip classless
!
!
access-list 100 deny ip 192.168.15.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 deny ip 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 deny ip 192.168.15.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 permit ip 192.168.15.0 0.0.0.255 any
access-list 100 permit udp host 192.168.6.2 any
access-list 100 permit ip host 192.168.6.2 any
!
no cdp run
!
!
!
!
!
line con 0
 password ***
 login
line vty 0 4
 password ***
 login
line vty 5 15
 password ***
 login
!
!
!
end
0
Comment
Question by:dan4132
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
6 Comments
 
LVL 18

Expert Comment

by:fgasimzade
ID: 36715632
You would need this access-list:

access-list 100 permit udp any eq bootpc host 255.255.255.255 eq bootps
access-list 100 permit udp 192.168.15.0 0.0.0.255 192.168.6.2 eq domain
access-list 100 deny ip 192.168.15.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 deny ip 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 deny ip 192.168.15.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 permit ip 192.168.15.0 0.0.0.255 any
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 36715652
Sorry, I would suggest changing the first line to:

access-list 100 permit udp any eq bootpc host any eq bootps

for both unicats and broadcast communication with DHCP server
0
 
LVL 3

Author Comment

by:dan4132
ID: 36715702
Thanks for your help.

Unfortunatly the Guests still aren't getting the DHCP Requests with the new commands you have given.

for the permit udp eq bootpc host any eq bootps it wouldn't let me have any after host so I typed the Server IP in. My Access list now looks like this:

permit udp any eq bootpc host 192.168.6.2 eq bootps
permit udp 192.168.15.0 0.0.0.255 192.168.6.2 0.0.0.255 eq domain
deny ip 192.168.15.0 0.0.0.255 192.168.10.0 0.0.0.255
deny ip 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255
deny ip 192.168.15.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.15.0 0.0.0.255 any
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 18

Accepted Solution

by:
fgasimzade earned 2000 total points
ID: 36715724
No, it shouldn't be your DHCP server address, my mistake, sorry, try this:

access-list 100 permit udp any eq bootpc any eq bootps
0
 
LVL 3

Author Closing Comment

by:dan4132
ID: 36715741
Thanks for your help!! You got it sorted for me!!
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 36715754
Good luck!
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In the hope of saving someone else's sanity... About a year ago we bought a Cisco 1921 router with two ADSL/VDSL EHWIC cards to load balance local network traffic over the two broadband lines we have, but we couldn't get the routing to work consi…
Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question