ACL Issues

  • ACL Issues

    Sorry for the long post.
    I have 11 vlans configured on my switch: 4 of which are isolated via access lists, 5 that aren't isolated but have access lists so they can't talk to the isolated vlans, and 2 that don't have an access list. I want to use ip helper-address for DHCP between vlans that are not isolated from each other. I have set up the required scopes on my DHCP server. If I add the ip helper-address to a vlan without an access list, I get an address. If I put the ip helper-address on a vlan that does have an access list, I don't get an address. The DHCP server is on a vlan with an access list, but the vlan that the client is on is not part of the deny statements. Here is the access list for the server vlan (172.16.26.0):
    Extended IP access list 104
    10 deny ip 172.16.26.0 0.0.0.255 172.16.27.0 0.0.0.255
    20 deny ip 172.16.26.0 0.0.0.255 172.16.29.0 0.0.0.255
    30 deny ip 172.16.26.0 0.0.0.255 172.16.30.0 0.0.0.255
    40 deny ip 172.16.26.0 0.0.0.255 172.16.15.0 0.0.0.255
    50 permit ip 172.16.26.0 0.0.0.255 any (795221 matches)

    Here is the access list for the client vlan (172.16.25.0):
    Extended IP access list 103
    10 deny ip 172.16.25.0 0.0.0.255 172.16.27.0 0.0.0.255
    20 deny ip 172.16.25.0 0.0.0.255 172.16.29.0 0.0.0.255
    30 deny ip 172.16.25.0 0.0.0.255 172.16.30.0 0.0.0.255
    40 permit ip 172.16.25.0 0.0.0.255 any (190129 matches)

    Vlans 172.16.27.0, 172.16.29.0, 172.16.30.0 and 172.16.15.0 are all isolated from the 172.16.26.0 vlan, which is the server vlan.
    Vlans 172.16.27.0, 172.16.29.0 and 172.16.30.0 are all isolated from the client vlan. If I set the port to vlan 11 it works:
    interface Vlan11
    description Monitor - No ACL
    ip address 172.16.11.1 255.255.255.0
    ip helper-address 172.16.26.5

    but if I set the port to vlan 25, I get the message "unable to contact your DHCP server" on an ipconfig /renew:
    interface Vlan25
    description Users - ACL 15, 27, 29, 30
    ip address 172.16.25.1 255.255.255.0
    ip access-group 103 in
    ip helper-address 172.16.26.5

    and here are the access lists:
    C4006#sh access-l
    Extended IP access list 101
    10 deny ip 172.16.10.0 0.0.0.255 172.16.27.0 0.0.0.255
    20 deny ip 172.16.10.0 0.0.0.255 172.16.29.0 0.0.0.255
    30 deny ip 172.16.10.0 0.0.0.255 172.16.30.0 0.0.0.255
    40 deny ip 172.16.10.0 0.0.0.255 172.16.15.0 0.0.0.255
    50 permit ip 172.16.10.0 0.0.0.255 any
    Extended IP access list 102
    10 deny ip 172.16.15.0 0.0.0.255 172.16.27.0 0.0.0.255
    20 deny ip 172.16.15.0 0.0.0.255 172.16.29.0 0.0.0.255
    30 deny ip 172.16.15.0 0.0.0.255 172.16.30.0 0.0.0.255
    40 deny ip 172.16.15.0 0.0.0.255 172.16.15.0 0.0.0.255
    50 permit ip 172.16.15.0 0.0.0.255 any
    Extended IP access list 103
    10 deny ip 172.16.25.0 0.0.0.255 172.16.27.0 0.0.0.255
    20 deny ip 172.16.25.0 0.0.0.255 172.16.29.0 0.0.0.255
    30 deny ip 172.16.25.0 0.0.0.255 172.16.30.0 0.0.0.255
    40 permit ip 172.16.25.0 0.0.0.255 any (205328 matches)
    Extended IP access list 104
    10 deny ip 172.16.26.0 0.0.0.255 172.16.27.0 0.0.0.255
    20 deny ip 172.16.26.0 0.0.0.255 172.16.29.0 0.0.0.255
    30 deny ip 172.16.26.0 0.0.0.255 172.16.30.0 0.0.0.255
    40 deny ip 172.16.26.0 0.0.0.255 172.16.15.0 0.0.0.255
    50 permit ip 172.16.26.0 0.0.0.255 any (844528 matches)
    Extended IP access list 105
    10 deny ip 172.16.28.0 0.0.0.255 172.16.27.0 0.0.0.255
    20 deny ip 172.16.28.0 0.0.0.255 172.16.29.0 0.0.0.255
    30 deny ip 172.16.28.0 0.0.0.255 172.16.30.0 0.0.0.255
    40 deny ip 172.16.28.0 0.0.0.255 172.16.15.0 0.0.0.255
    50 permit ip 172.16.28.0 0.0.0.255 any (67008 matches)
    Extended IP access list 106
    10 deny ip 172.16.29.0 0.0.0.255 172.16.27.0 0.0.0.255
    20 deny ip 172.16.29.0 0.0.0.255 172.16.29.0 0.0.0.255
    30 deny ip 172.16.29.0 0.0.0.255 172.16.30.0 0.0.0.255
    40 deny ip 172.16.29.0 0.0.0.255 172.16.15.0 0.0.0.255
    50 permit ip 172.16.29.0 0.0.0.255 any
    Extended IP access list 107
    10 deny ip 172.16.30.0 0.0.0.255 172.16.27.0 0.0.0.255
    20 deny ip 172.16.30.0 0.0.0.255 172.16.29.0 0.0.0.255
    30 deny ip 172.16.30.0 0.0.0.255 172.16.30.0 0.0.0.255
    40 deny ip 172.16.30.0 0.0.0.255 172.16.15.0 0.0.0.255
    50 permit ip 172.16.30.0 0.0.0.255 any
    Extended IP access list 108
    10 deny ip 172.16.27.0 0.0.0.255 172.16.10.0 0.0.0.255
    20 deny ip 172.16.27.0 0.0.0.255 172.16.15.0 0.0.0.255
    30 deny ip 172.16.27.0 0.0.0.255 172.16.25.0 0.0.0.255
    40 deny ip 172.16.27.0 0.0.0.255 172.16.26.0 0.0.0.255
    50 deny ip 172.16.27.0 0.0.0.255 172.16.28.0 0.0.0.255
    60 deny ip 172.16.27.0 0.0.0.255 172.16.29.0 0.0.0.255
    70 deny ip 172.16.27.0 0.0.0.255 172.16.30.0 0.0.0.255
    80 deny ip 172.16.29.0 0.0.0.255 172.16.10.0 0.0.0.255
    90 deny ip 172.16.29.0 0.0.0.255 172.16.15.0 0.0.0.255
    100 deny ip 172.16.29.0 0.0.0.255 172.16.25.0 0.0.0.255
    110 deny ip 172.16.29.0 0.0.0.255 172.16.26.0 0.0.0.255
    120 deny ip 172.16.29.0 0.0.0.255 172.16.28.0 0.0.0.255
    130 deny ip 172.16.29.0 0.0.0.255 172.16.29.0 0.0.0.255
    140 deny ip 172.16.29.0 0.0.0.255 172.16.30.0 0.0.0.255
    150 deny ip 172.16.30.0 0.0.0.255 172.16.10.0 0.0.0.255
    160 deny ip 172.16.30.0 0.0.0.255 172.16.15.0 0.0.0.255
    170 deny ip 172.16.30.0 0.0.0.255 172.16.25.0 0.0.0.255
    180 deny ip 172.16.30.0 0.0.0.255 172.16.26.0 0.0.0.255
    190 deny ip 172.16.30.0 0.0.0.255 172.16.28.0 0.0.0.255
    200 deny ip 172.16.30.0 0.0.0.255 172.16.29.0 0.0.0.255
    210 deny ip 172.16.30.0 0.0.0.255 172.16.30.0 0.0.0.255
    220 deny ip 172.16.15.0 0.0.0.255 172.16.10.0 0.0.0.255
    230 deny ip 172.16.15.0 0.0.0.255 172.16.15.0 0.0.0.255
    240 deny ip 172.16.15.0 0.0.0.255 172.16.25.0 0.0.0.255
    250 deny ip 172.16.15.0 0.0.0.255 172.16.26.0 0.0.0.255
    260 deny ip 172.16.15.0 0.0.0.255 172.16.28.0 0.0.0.255
    270 deny ip 172.16.15.0 0.0.0.255 172.16.29.0 0.0.0.255
    280 deny ip 172.16.15.0 0.0.0.255 172.16.30.0 0.0.0.255
    290 permit ip 172.16.27.0 0.0.0.255 any (4842212 matches)
    300 permit ip 172.16.29.0 0.0.0.255 any
    310 permit ip 172.16.30.0 0.0.0.255 any
    320 permit ip 172.16.15.0 0.0.0.255 any
    330 deny ip 172.16.27.0 0.0.0.255 172.16.24.0 0.0.0.255
    Extended IP access list 109
    10 deny ip 172.16.24.0 0.0.0.255 172.16.27.0 0.0.0.255
    20 permit ip 172.16.24.0 0.0.0.255 any
    C4006#

    Any Ideas?

  • #2
    Re: ACL Issues

    I found the solution to my own problem...

    Yes, the ip helper-address gets the packet to the DHCP server, but it wasn't getting back to the client, so by adding

    access-list 103 permit udp any any eq 67
    access-list 103 permit udp any any eq 68

    I am now getting DHCP addresses on vlans that have access lists. You have to put this on the client access list.
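Added example (editorial, not part of either post and not the switch's own code): a small Python evaluator that replays constructed packets through ACL 103 exactly as posted, then with the two lines from the fix appended, using first-match semantics and the implicit deny at the end. ACL 103 is applied with "ip access-group 103 in" on Vlan25, so it filters what the clients send into the switch. A client that has no lease yet sends its DHCP DISCOVER from source 0.0.0.0 to destination 255.255.255.255 (UDP 68 to 67); no line in the posted ACL 103 matches that source, so the packet falls through to the implicit deny on ingress. A unicast renew from a client that already holds a lease matches line 40 and works either way. The evaluator also reports lines that can never match because an earlier line already covers them, which is the situation for line 330 of ACL 108 after the permit at line 290. Assumptions: IOS appends the two fix lines as sequence 50 and 60, only contiguous wildcard masks and "eq" port matches are parsed, and all packets below are constructed for the demonstration.

```python
"""First-match Cisco extended-ACL evaluator with the implicit trailing deny.

Added example, not from the thread: parses 'show access-list' lines as posted
and replays constructed DHCP packets through ACL 103 before and after the fix.
Assumed: IOS appends the two 'access-list 103 ...' lines as sequence 50 and 60;
only contiguous wildcard masks and 'eq' port matches are handled.
"""
import ipaddress
import re
from collections import namedtuple

Rule = namedtuple("Rule", "seq action proto src dst sport dport")  # sport/dport None = any
Packet = namedtuple("Packet", "src dst proto sport dport")
PORT_NAMES = {"bootps": 67, "bootpc": 68}


def _net(toks, i):
    """Consume 'any', 'host A' or 'A wildcard' at toks[i]; return (network, next index)."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    bits = int(ipaddress.ip_address(toks[i + 1])).bit_length()  # 0.0.0.255 -> 8 -> /24
    return ipaddress.ip_network(f"{toks[i]}/{32 - bits}", strict=False), i + 2


def _port(toks, i):
    """Consume an optional 'eq <port>' at toks[i]; None means any port."""
    if i < len(toks) and toks[i] == "eq":
        p = toks[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_acl(text):
    rules = []
    for line in text.splitlines():
        line = re.sub(r"\s*\(\d+ matches\)$", "", line.strip())
        m = re.match(r"(\d+)\s+(permit|deny)\s+(ip|udp|tcp)\s+(.+)$", line)
        if m:  # anything else (headers, blank lines) is skipped
            seq, action, proto, rest = m.groups()
            toks = rest.split()
            src, i = _net(toks, 0)
            sport, i = _port(toks, i)
            dst, i = _net(toks, i)
            dport, _ = _port(toks, i)
            rules.append(Rule(int(seq), action, proto, src, dst, sport, dport))
    return rules


def evaluate(acl, pkt):
    """(action, seq) of the first matching rule, or ('deny', None): the implicit deny."""
    for r in acl:
        if ((r.proto == "ip" or r.proto == pkt.proto) and pkt.src in r.src and pkt.dst in r.dst
                and r.sport in (None, pkt.sport) and r.dport in (None, pkt.dport)):
            return r.action, r.seq
    return "deny", None


def shadowed(acl):
    """(later_seq, earlier_seq) pairs where an earlier rule already covers every packet
    the later rule could match, so the later rule can never fire."""
    found = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            if (earlier.proto in ("ip", later.proto)
                    and later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst)
                    and earlier.sport in (None, later.sport) and earlier.dport in (None, later.dport)):
                found.append((later.seq, earlier.seq))
                break
    return found


def udp(src, dst, sport, dport):
    return Packet(ipaddress.ip_address(src), ipaddress.ip_address(dst), "udp", sport, dport)


# ACL 103 exactly as posted, then with the two lines from the fix appended (seq 50/60 assumed).
ACL_103_BEFORE = """
10 deny ip 172.16.25.0 0.0.0.255 172.16.27.0 0.0.0.255
20 deny ip 172.16.25.0 0.0.0.255 172.16.29.0 0.0.0.255
30 deny ip 172.16.25.0 0.0.0.255 172.16.30.0 0.0.0.255
40 permit ip 172.16.25.0 0.0.0.255 any (205328 matches)
"""
ACL_103_AFTER = ACL_103_BEFORE + "50 permit udp any any eq 67\n60 permit udp any any eq 68\n"
# Tail of ACL 108 as posted: line 330 comes after a permit that already covers it.
ACL_108_TAIL = "290 permit ip 172.16.27.0 0.0.0.255 any\n330 deny ip 172.16.27.0 0.0.0.255 172.16.24.0 0.0.0.255\n"

# Constructed packets arriving on the Vlan25 SVI, where ACL 103 is applied inbound.
DISCOVER = udp("0.0.0.0", "255.255.255.255", 68, 67)  # client that has no address yet
RENEW = udp("172.16.25.50", "172.16.26.5", 68, 67)  # unicast renew straight to the server
TO_ISOLATED = udp("172.16.25.50", "172.16.27.9", 40000, 53)  # should hit deny line 10

if __name__ == "__main__":
    for name, text in (("before", ACL_103_BEFORE), ("after", ACL_103_AFTER)):
        for label, pkt in (("DISCOVER", DISCOVER), ("RENEW", RENEW), ("TO_ISOLATED", TO_ISOLATED)):
            print(f"ACL 103 {name:6} {label:12} -> {evaluate(parse_acl(text), pkt)}")
    print("never-matching lines in ACL 108 tail:", shadowed(parse_acl(ACL_108_TAIL)))
```

Because the fix lines land after the permit at line 40, the existing matches are untouched and only packets that previously fell through to the implicit deny are affected. "permit udp any any eq 67" and "eq 68" are broader than the DISCOVER needs; a narrower entry such as "permit udp host 0.0.0.0 host 255.255.255.255 eq bootps" (a suggested tighter form, not from the thread) would admit only the initial broadcast, since later renewals already match line 40.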
