05-10-2020 12:37 PM
I have configured an access-list on my router where only DHCP, DNS, and web traffic is allowed and no other traffic.
As I apply the Access-list to the sub-interface it rejects DNS but I can reach the web traffic through the Server IP address.
What can be the problem that it can't resolve domain names?
Commands on the router...
Extended IP access list 101
10 permit tcp 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255 eq www
20 permit tcp 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255 eq bootps
30 permit tcp 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255 eq domain
40 deny ip any any
Interface g0/0.20
ip access-group 101 in
05-10-2020 12:50 PM
DNS also uses the UDP protocol in addition to TCP. So, please try with another line of
permit udp any eq 53 any eq 53
Regards, ML
**Please Rate All Helpful Responses **
05-10-2020 02:46 PM - edited 05-10-2020 02:47 PM
Hi!
Thanks for the support, I appreciate it.
It solved the domain resolution issue; now I'm able to resolve domain names. But DHCP is still being blocked?
05-10-2020 03:26 PM
I think DHCP also needs two entries: bootps and bootpc.
Please use ? any time you forget port numbers or options:
Router(config-ext-nacl)#permit udp any eq ?
<0-65535> Port number
bootpc Bootstrap Protocol (BOOTP) client (68)
bootps Bootstrap Protocol (BOOTP) server (67)
Regards, ML
**Please Rate All Helpful Responses **
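The following is an added example and is not part of the thread or of Cisco's own tooling: a small first-match simulator for the extended ACL syntax used above. It replays the poster's list 101 against constructed client traffic to show why HTTP passes while DNS and DHCP are dropped, then checks candidate fixes offline. The client and server addresses (192.168.2.5, 192.168.10.10) and the entry wording in the fixed list are this example's assumptions, not something the thread states.

```python
"""Added example, not from the thread: first-match simulator for Cisco-style
extended ACL entries, replayed against constructed packets."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

# Port keywords used in the thread, as IOS expands them
PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68}


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    src: IPv4Network
    sport: Optional[int]   # None means any source port
    dst: IPv4Network
    dport: Optional[int]   # None means any destination port


def _parse_addr(tokens, i):
    """Read 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at tokens[i]."""
    if tokens[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return IPv4Network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard masks are inverted netmasks: 0.0.0.255 -> 255.255.255.0
    netmask = 0xFFFFFFFF ^ int(IPv4Address(tokens[i + 1]))
    net = IPv4Network((tokens[i], str(IPv4Address(netmask))), strict=False)
    return net, i + 2


def _parse_port(tokens, i):
    """Read an optional 'eq <number|keyword>' at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    if tokens[0].isdigit():        # drop the sequence number ("10 permit ...")
        tokens = tokens[1:]
    action, proto = tokens[0], tokens[1]
    src, i = _parse_addr(tokens, 2)
    sport, i = _parse_port(tokens, i)
    dst, i = _parse_addr(tokens, i)
    dport, _ = _parse_port(tokens, i)
    return Ace(action, proto, src, sport, dst, dport)


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if IPv4Address(pkt.src) not in ace.src or IPv4Address(pkt.dst) not in ace.dst:
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl: List[str], pkt: Packet) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if matches(ace, pkt):
            return ace.action
    return "deny"


# Constructed traffic from a client in 192.168.2.0/24 toward a server in 192.168.10.0/24
TRAFFIC = {
    "http": Packet("tcp", "192.168.2.5", 51000, "192.168.10.10", 80),
    # Ordinary resolver query: UDP, random source port (RFC 5452), destination 53
    "dns_udp": Packet("udp", "192.168.2.5", 40321, "192.168.10.10", 53),
    # DHCPDISCOVER: the client has no address yet, so it sends from 0.0.0.0 to broadcast
    "dhcp_discover": Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    # DHCP renewal once addressed: unicast 68 -> 67 to the server
    "dhcp_renew": Packet("udp", "192.168.2.5", 68, "192.168.10.10", 67),
}


def evaluate_all(acl: List[str]) -> dict:
    return {name: evaluate(acl, pkt) for name, pkt in TRAFFIC.items()}


# The poster's list 101 as shown in the thread
ORIGINAL_ACL = [
    "10 permit tcp 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255 eq www",
    "20 permit tcp 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255 eq bootps",
    "30 permit tcp 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255 eq domain",
    "40 deny ip any any",
]

# Changing only the protocol on line 20 still misses DHCPDISCOVER: its source
# address 0.0.0.0 is outside 192.168.2.0/24
UDP_BOOTPS_ONLY = [ORIGINAL_ACL[0],
                   "20 permit udp 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255 eq bootps",
                   ORIGINAL_ACL[2], ORIGINAL_ACL[3]]

# A list that passes all four flows (entry wording is this example's, not the thread's)
FIXED_ACL = [
    "10 permit tcp 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255 eq www",
    "20 permit udp 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255 eq domain",
    "30 permit tcp 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255 eq domain",
    "40 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps",
    "50 permit udp 192.168.2.0 0.0.0.255 eq bootpc any eq bootps",
    "60 deny ip any any",
]

if __name__ == "__main__":
    for name, acl in [("original", ORIGINAL_ACL), ("udp bootps only", UDP_BOOTPS_ONLY),
                      ("fixed", FIXED_ACL)]:
        print(name, evaluate_all(acl))
```

Two checks worth running with this: a line that pins both ports to 53 (`permit udp any eq 53 any eq 53`) only matches a query whose source port is also 53, and a stub resolver that randomizes its source port never hits it, so matching on the destination port alone is the general form. And because list 101 is applied inbound on the client sub-interface, only client-sourced packets are evaluated here; the server's replies (67 to 68, 53 back to the ephemeral port) arrive on another interface and are not the reason for the drops in the thread.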