08-29-2003 04:17 AM - edited 03-02-2019 09:58 AM
Cat6506 Version 12.1(11b)E
VLAN filter applied to one VLAN. Forwarding and dropping work fine, but DHCP requests from clients to the DHCP server within that VLAN don't work.
Any idea?
Thanks in advance.
Daniel
08-29-2003 06:17 PM
Can you post the VACL?
08-31-2003 02:52 AM
Here it is:
Extended IP access list AZG_DROP
permit ip 10.67.29.0 0.0.0.255 10.0.0.0 0.255.255.255
Extended IP access list AZG_FORWARD
permit ip 10.67.29.0 0.0.0.255 host 194.40.128.61
permit ip 10.67.29.0 0.0.0.255 host 194.40.150.62
permit ip 10.67.29.0 0.0.0.255 host 10.67.5.133
permit ip 10.67.29.0 0.0.0.255 host 10.67.5.228
permit ip 10.67.29.0 0.0.0.255 host 10.67.40.51
permit ip 10.67.29.0 0.0.0.255 host 194.40.128.60
permit ip 10.67.29.0 0.0.0.255 host 10.72.145.206
permit ip 10.67.29.0 0.0.0.255 host 10.72.145.204
permit ip 10.67.29.0 0.0.0.255 host 160.63.4.87
permit ip 10.67.29.0 0.0.0.255 host 194.40.134.25
permit ip 10.67.29.0 0.0.0.255 host 194.40.128.38
permit ip 10.67.29.0 0.0.0.255 host 194.40.128.72
permit ip 10.67.29.0 0.0.0.255 host 194.40.128.73
permit ip 10.67.29.0 0.0.0.255 host 195.65.169.249
permit ip 10.67.29.0 0.0.0.255 host 194.40.128.58
permit ip any 10.67.29.0 0.0.0.255
Vlan access-map "AZG" 10
match: ip address AZG_FORWARD
action: forward
Vlan access-map "AZG" 20
match: ip address AZG_DROP
action: drop log
VLAN Map AZG:
Configured on VLANs: 29
Active on VLANs: 29
Regards
Daniel
08-31-2003 06:41 PM
Ok, I guess the next thing we need to know are the source and destination IPs/subnets that DHCP requests are going to, and if there's any relaying involved. And are any DHCP packets logged as being dropped?
08-31-2003 10:05 PM
That's what we can see:
Aug 28 15:14:22: datagramsize=342, IP 30909: s=0.0.0.0 (Vlan29), d=255.255.255.255, totlen 328, fragment 0, fo 0, rcvd 2
Aug 28 15:14:22: UDP src=68, dst=67
The DHCP request is sourced within VLAN 29, and the DHCP server belongs to VLAN 29 as well.
No drops logged.
09-01-2003 04:43 PM
The default action of a VLAN map is to drop any packets not matched if there's at least one match clause for a given packet type (IP in this case). And such drops won't be logged.
Nothing in AZG_FORWARD allows these DHCP packets through. I'd suggest putting a "permit ip host 0.0.0.0 host 255.255.255.255" at the end and see if DHCP works then. If not, try a "permit ip any any".
09-03-2003 12:40 AM
Okay. Also DHCP responses have to be defined. This way it works.
Many thanks for your suggestions.
Best regards
Daniel
ip access-list extended AZG_FORWARD
remark Intra-VLAN traffic
permit ip 10.67.29.0 0.0.0.255 10.67.29.0 0.0.0.255
remark DHCP requests
permit ip host 0.0.0.0 host 255.255.255.255
remark DHCP response
permit ip 10.67.29.0 0.0.0.255 host 255.255.255.255
remark Response traffic local and other stuff
permit ip any 10.67.29.0 0.0.0.255
remark Local campus traffic
permit ip 10.67.29.0 0.0.0.255 host 10.67.5.133
permit ip 10.67.29.0 0.0.0.255 host 10.67.5.228
permit ip 10.67.29.0 0.0.0.255 host 10.67.5.101
--More--
vlan access-map AZG 10
match ip address AZG_FORWARD
action forward
vlan filter AZG vlan-list 29
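Added example, not part of the original thread: a small Python model of how the VLAN map evaluates IP packets, using abbreviated copies of the posted ACLs, to show why the DHCP broadcasts fell into the unlogged implicit drop and why the added entries let them through. The DHCP server address 10.67.29.10 and the sample packets are constructed assumptions.

```python
import ipaddress

def _spec(text):
    """Parse an ACL address operand: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    parts = text.split()
    if parts == ["any"]:
        return 0, 0xFFFFFFFF
    if parts[0] == "host":
        return int(ipaddress.IPv4Address(parts[1])), 0
    return int(ipaddress.IPv4Address(parts[0])), int(ipaddress.IPv4Address(parts[1]))

def _hit(spec, addr):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF          # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def acl(*entries):
    """Build an ACL from (src, dst) operand pairs of 'permit ip' lines."""
    return [(_spec(s), _spec(d)) for s, d in entries]

def vacl(access_map, src, dst):
    """Return the action the VLAN map applies to an IP packet src -> dst."""
    for seq, entries, action in access_map:
        if any(_hit(s, src) and _hit(d, dst) for s, d in entries):
            return f"{action} (seq {seq})"
    # The map has IP match clauses, so unmatched IP packets are dropped silently.
    return "implicit drop, not logged"

NET = "10.67.29.0 0.0.0.255"
# Abbreviated copies of the ACLs posted in the thread.
ORIGINAL = [
    (10, acl((NET, "host 10.67.5.133"), (NET, "host 10.67.5.228"), ("any", NET)), "forward"),
    (20, acl((NET, "10.0.0.0 0.255.255.255")), "drop log"),
]
FIXED = [
    (10, acl((NET, NET), ("host 0.0.0.0", "host 255.255.255.255"),
             (NET, "host 255.255.255.255"), ("any", NET),
             (NET, "host 10.67.5.133"), (NET, "host 10.67.5.228")), "forward"),
]
PACKETS = {  # constructed samples; 10.67.29.10 is an assumed DHCP server address
    "client DISCOVER": ("0.0.0.0", "255.255.255.255"),
    "server broadcast reply": ("10.67.29.10", "255.255.255.255"),
    "client to other 10.x host": ("10.67.29.50", "10.1.1.1"),
}

if __name__ == "__main__":
    for name, (src, dst) in PACKETS.items():
        print(f"{name:26} original: {vacl(ORIGINAL, src, dst):28} fixed: {vacl(FIXED, src, dst)}")
```

In the fixed map as modelled here there is no sequence 20, so traffic that the original map dropped with a log entry now falls to the unlogged implicit drop.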
04-21-2021 03:51 AM
Amazing mate, thanks for saving the day for me