Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
441
Views
0
Helpful
3
Replies

Need to restrict a vlan and use dhcp at same time

natenate
Level 1
Level 1

‎01-16-2004 12:39 PM - edited ‎03-02-2019 12:56 PM

My company has a 6513 as the core switch (which is configured as our DHCP server) and about twenty 3550s trunked from the core to make up our LAN. I have configured dhcp pools on the core as well as Vlans on the core. I have configured the interfaces on the 3550s for the appropriate Vlan and all is well with our 40+ Vlans obtaining IP addresses from the core. But….I want to create a new vlan called Internet-Only that would restrict access only to allow Internet traffic and DHCP traffic.

On this new Vlan, I have created this ACL:

Ip access-list extended INTERNET-ONLY

Permit tcp x.x.x.x 0.0.0.255 host x.x.x.x eq 8080

Permit udp any any eq 67

This should restrict Vlan access only to one host (our proxy server)through port 8080 for internet traffic. Also should allow traffic through udp port 67 which should allow dhcp.

On the vlan interface I entered:

Ip access-group INTERNET-ONLY in

I have configured this exact scenario on a standalone 3550 at my desk and dhcp works fine. When I implement this into the production network, an amber light comes on the interface LED and I get no dhcp.

Will I need to grant access to more udp ports in order for dhcp to work? Will I need to configure an ip-helper address pointing to the core? Why would this scenario work on a standalone switch and not our production environment?

Please help

Nathan

Labels:
0 Helpful
3 Replies 3

nikhil_m
Level 1
Level 1

‎01-22-2004 06:58 AM

One basic thing, this could be a problem with your Access list as well

0 Helpful

natenate
Level 1
Level 1
In response to nikhil_m

‎01-22-2004 08:30 AM

Yes, it works fine without the access list, but I need to know what other access list entries to add in order for DHCP to work. I just want internet traffic on this vlan and DHCP to asssign addresses.

I need to know what ports to turn on in order for dhcp to work. I thought I only needed port 67 and 68(bootps & c) turned on, but DHCP does not work. The same scenario works on a standalone 3550, but not from a trunked switch that is getting DHCP from the core.

0 Helpful

skarundi
Level 4
Level 4
In response to natenate

‎01-22-2004 10:25 AM

span the client switch port when the access list is not applied to determine exactly what ports you need to open. This way you don't have to keep on guessing what layer 4 ports to open.

0 Helpful
Customers Also Viewed These Support Documents