https://community.cisco.com/t5/network-security/acl-is-blocking-dhcp-traffic/m-p/2888366#M911793 <P>You're welcome. &nbsp;It would be great if you could rate helpful posts and mark responses.</P> Tue, 05 Jul 2016 23:35:50 GMT Philip D'Ath 2016-07-05T23:35:50Z https://community.cisco.com/t5/network-security/acl-is-blocking-dhcp-traffic/m-p/2888360#M911770 <P>Hi there,</P> <P>I'm attempting to set up ACLs on my VLANs to block access to all other VLANs but allow traffic to the servers and the internet. As soon as I apply the ACL to the SVI it stops new connections i.e. they can't get an IP address from the DHCP server on the server network. Already connected devices have all other traffic controlled as I wanted. Any pointers as to how I can rectify the situation will be greatly appreciated.</P> <P>Servers are on 10.10.0.0/23 and 10.20.0.0/23, NGFW is 10.80.1.254.</P> <P>Below is how I structured a test VACL for Vlan 500 (10.50.0.0/20):</P> <P>no ip access-list extended pen-wifi-vacl-in<BR />ip access-list extended pen-wifi-vacl-in<BR />&nbsp;remark *** Allow server access ***<BR />&nbsp;permit ip 10.50.0.0 0.0.15.255 10.10.0.0 0.0.1.255<BR />&nbsp;permit ip 10.50.0.0 0.0.15.255 10.20.0.0 0.0.1.255<BR />&nbsp;permit ip 10.50.0.0 0.0.15.255 host 10.80.1.254<BR />&nbsp;remark *** Deny access to other VLANs ***<BR />&nbsp;remark * Wired VLANs *<BR />&nbsp;deny&nbsp;&nbsp; ip 10.50.0.0 0.0.15.255 10.12.0.0 0.0.0.255 log<BR />&nbsp;deny&nbsp;&nbsp; ip 10.50.0.0 0.0.15.255 10.13.0.0 0.0.1.255 log<BR />&nbsp;deny&nbsp;&nbsp; ip 10.50.0.0 0.0.15.255 10.15.0.0 0.0.1.255 log<BR />&nbsp;deny&nbsp;&nbsp; ip 10.50.0.0 0.0.15.255 10.22.1.0 0.0.255.255 log<BR />&nbsp;deny&nbsp;&nbsp; ip 10.50.0.0 0.0.15.255 10.23.0.0 0.0.0.255 log<BR />&nbsp;deny&nbsp;&nbsp; ip 10.50.0.0 0.0.15.255 10.25.0.0 0.0.3.255 log<BR />&nbsp;deny&nbsp;&nbsp; ip 10.50.0.0 0.0.15.255 10.30.0.0 0.0.1.255 log<BR />&nbsp;deny&nbsp;&nbsp; ip 10.50.0.0 0.0.15.255 10.60.0.0 0.0.1.255 log<BR />&nbsp;remark * BYOD and Wi-Fi *<BR />&nbsp;deny&nbsp;&nbsp; ip 10.50.0.0 0.0.15.255 10.26.0.0 0.0.3.255 log<BR />&nbsp;deny&nbsp;&nbsp; ip 10.50.0.0 0.0.15.255 10.27.0.0 0.0.3.255 log<BR />&nbsp;deny&nbsp;&nbsp; ip 10.50.0.0 0.0.15.255 10.28.0.0 0.0.3.255 log<BR />&nbsp;deny&nbsp;&nbsp; ip 10.50.0.0 0.0.15.255 10.29.0.0 0.0.1.255 log<BR />&nbsp;deny&nbsp;&nbsp; ip 10.50.0.0 0.0.15.255 10.36.0.0 0.0.3.255 log<BR />&nbsp;deny&nbsp;&nbsp; ip 10.50.0.0 0.0.15.255 10.70.0.0 0.0.15.255 log<BR />&nbsp;remark * VoIP and management *<BR />&nbsp;deny&nbsp;&nbsp; ip 10.50.0.0 0.0.15.255 10.31.0.0 0.0.0.255 log<BR />&nbsp;deny&nbsp;&nbsp; ip 10.50.0.0 0.0.15.255 10.61.0.0 0.0.0.255 log<BR />&nbsp;deny&nbsp;&nbsp; ip 10.50.0.0 0.0.15.255 10.252.0.0 0.3.255.255 log<BR />&nbsp;remark *** Permit access to the internet ***<BR />&nbsp;permit ip 10.50.0.0 0.0.15.255 any<BR />&nbsp;!<BR />&nbsp;interface Vlan500<BR />&nbsp;no ip access-group pen-wifi-vacl-in in<BR />&nbsp;ip access-group pen-wifi-vacl-in in<BR />exit</P> <P></P> <P>Regards,<BR />David</P> Fri, 21 Feb 2020 13:51:38 GMT https://community.cisco.com/t5/network-security/acl-is-blocking-dhcp-traffic/m-p/2888360#M911770 David Waters 2020-02-21T13:51:38Z https://community.cisco.com/t5/network-security/acl-is-blocking-dhcp-traffic/m-p/2888361#M911777 <P>I don't see any DHCP forwarding commands, so I'm not sure how your clients get their request to the DHCP server; but to begin with clients have no IP address. &nbsp;So they send a packet from 0.0.0.0 to 255.255.255.255. &nbsp;On the whole, I would just add a rule to allow "any to 255.255.255.255" so that broadcast traffic is allowed in general.</P> Tue, 05 Jul 2016 05:51:21 GMT https://community.cisco.com/t5/network-security/acl-is-blocking-dhcp-traffic/m-p/2888361#M911777 Philip D'Ath 2016-07-05T05:51:21Z https://community.cisco.com/t5/network-security/acl-is-blocking-dhcp-traffic/m-p/2888362#M911782 <P>Thanks Philip,</P> <P>I'm configuring the ACLs on a 3850 stack and a 3750 stack. I'm guessing you're talking about the dhcprelay commands (not familiar with the use of these as yet).</P> <P>By adding the rule I'm assuming I tack it on the end of the ACL?</P> <P>Cheers<BR />David</P> Tue, 05 Jul 2016 05:59:11 GMT https://community.cisco.com/t5/network-security/acl-is-blocking-dhcp-traffic/m-p/2888362#M911782 David Waters 2016-07-05T05:59:11Z https://community.cisco.com/t5/network-security/acl-is-blocking-dhcp-traffic/m-p/2888363#M911784 Yes, you could add it to the end of the ACL. Tue, 05 Jul 2016 06:11:55 GMT https://community.cisco.com/t5/network-security/acl-is-blocking-dhcp-traffic/m-p/2888363#M911784 Philip D'Ath 2016-07-05T06:11:55Z https://community.cisco.com/t5/network-security/acl-is-blocking-dhcp-traffic/m-p/2888364#M911787 <P>After more research I'm thinking I should add the following:</P> <P>permit udp any any eq 67<BR />permit udp any any eq 68</P> <P>This should allow all DHCP (UDP ports 67 [bootps] for server and 68 [bootpc] for client) but still keep the ACLs nice and tight security wise.</P> <P>I'll try this first and let you know the outcome.</P> <P>Cheers<BR />David</P> Tue, 05 Jul 2016 23:10:57 GMT https://community.cisco.com/t5/network-security/acl-is-blocking-dhcp-traffic/m-p/2888364#M911787 David Waters 2016-07-05T23:10:57Z https://community.cisco.com/t5/network-security/acl-is-blocking-dhcp-traffic/m-p/2888365#M911790 <P>Hi Philip,</P> <P>I'm pleased to report the two lines I added have done the trick without opening any other ports.</P> <P>Thank you for your assistance and for stimulating me to look deeper.</P> <P>Regards</P> <P>David</P> Tue, 05 Jul 2016 23:26:40 GMT https://community.cisco.com/t5/network-security/acl-is-blocking-dhcp-traffic/m-p/2888365#M911790 David Waters 2016-07-05T23:26:40Z https://community.cisco.com/t5/network-security/acl-is-blocking-dhcp-traffic/m-p/2888366#M911793 <P>You're welcome. &nbsp;It would be great if you could rate helpful posts and mark responses.</P> Tue, 05 Jul 2016 23:35:50 GMT https://community.cisco.com/t5/network-security/acl-is-blocking-dhcp-traffic/m-p/2888366#M911793 Philip D'Ath 2016-07-05T23:35:50Z https://community.cisco.com/t5/network-security/acl-is-blocking-dhcp-traffic/m-p/2888367#M911795 <P>Questionnaire filled in. <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Tue, 05 Jul 2016 23:49:10 GMT https://community.cisco.com/t5/network-security/acl-is-blocking-dhcp-traffic/m-p/2888367#M911795 David Waters 2016-07-05T23:49:10Z https://community.cisco.com/t5/network-security/acl-is-blocking-dhcp-traffic/m-p/2888368#M911798 <P>Worth noting is this article I found which outlines VACLs including allowing DNS and DHCP traffic. I found it invaluable for the task.</P> <P style="margin: 0in; font-family: Calibri; font-size: 9.0pt; color: #595959;" lang="en-GB"><A href="http://www.firewall.cx/cisco-technical-knowledgebase/cisco-switches/818-cisco-switches-vlan-security.html">http://www.firewall.cx/cisco-technical-knowledgebase/cisco-switches/818-cisco-switches-vlan-security.html</A></P> Wed, 06 Jul 2016 00:58:32 GMT https://community.cisco.com/t5/network-security/acl-is-blocking-dhcp-traffic/m-p/2888368#M911798 David Waters 2016-07-06T00:58:32Z