I'm attempting to set up ACLs on my VLANs to block access to all other VLANs but allow traffic to the servers and the internet. As soon as I apply the ACL to the SVI it stops new connections i.e. they can't get an IP address from the DHCP server on the server network. Already connected devices have all other traffic controlled as I wanted. Any pointers as to how I can rectify the situation will be greatly appreciated.
Servers are on 10.10.0.0/23 and 10.20.0.0/23, NGFW is 10.80.1.254.
Below is how I structured a test VACL for Vlan 500 (10.50.0.0/20):
no ip access-list extended pen-wifi-vacl-in
ip access-list extended pen-wifi-vacl-in
remark *** Allow server access ***
permit ip 10.50.0.0 0.0.15.255 10.10.0.0 0.0.1.255
permit ip 10.50.0.0 0.0.15.255 10.20.0.0 0.0.1.255
permit ip 10.50.0.0 0.0.15.255 host 10.80.1.254
remark *** Deny access to other VLANs ***
remark * Wired VLANs *
deny ip 10.50.0.0 0.0.15.255 10.12.0.0 0.0.0.255 log
deny ip 10.50.0.0 0.0.15.255 10.13.0.0 0.0.1.255 log
deny ip 10.50.0.0 0.0.15.255 10.15.0.0 0.0.1.255 log
deny ip 10.50.0.0 0.0.15.255 10.22.1.0 0.0.255.255 log
deny ip 10.50.0.0 0.0.15.255 10.23.0.0 0.0.0.255 log
deny ip 10.50.0.0 0.0.15.255 10.25.0.0 0.0.3.255 log
deny ip 10.50.0.0 0.0.15.255 10.30.0.0 0.0.1.255 log
deny ip 10.50.0.0 0.0.15.255 10.60.0.0 0.0.1.255 log
remark * BYOD and Wi-Fi *
deny ip 10.50.0.0 0.0.15.255 10.26.0.0 0.0.3.255 log
deny ip 10.50.0.0 0.0.15.255 10.27.0.0 0.0.3.255 log
deny ip 10.50.0.0 0.0.15.255 10.28.0.0 0.0.3.255 log
deny ip 10.50.0.0 0.0.15.255 10.29.0.0 0.0.1.255 log
deny ip 10.50.0.0 0.0.15.255 10.36.0.0 0.0.3.255 log
deny ip 10.50.0.0 0.0.15.255 10.70.0.0 0.0.15.255 log
remark * VoIP and management *
deny ip 10.50.0.0 0.0.15.255 10.31.0.0 0.0.0.255 log
deny ip 10.50.0.0 0.0.15.255 10.61.0.0 0.0.0.255 log
deny ip 10.50.0.0 0.0.15.255 10.252.0.0 0.3.255.255 log
remark *** Permit access to the internet ***
permit ip 10.50.0.0 0.0.15.255 any
no ip access-group pen-wifi-vacl-in in
ip access-group pen-wifi-vacl-in in
I don't see any DHCP forwarding commands, so I'm not sure how your clients get their request to the DHCP server; but to begin with clients have no IP address. So they send a packet from 0.0.0.0 to 255.255.255.255. On the whole, I would just add a rule to allow "any to 255.255.255.255" so that broadcast traffic is allowed in general.
I'm configuring the ACLs on a 3850 stack and a 3750 stack. I'm guessing you're talking about the dhcprelay commands (not familiar with the use of these as yet).
By adding the rule I'm assuming I tack it on the end of the ACL?
After more research I'm thinking I should add the following:
permit udp any any eq 67
permit udp any any eq 68
This should allow all DHCP (UDP ports 67 [bootps] for server and 68 [bootpc] for client) but still keep the ACLs nice and tight security wise.
I'll try this first and let you know the outcome.
I'm pleased to report the two lines I added have done the trick without opening any other ports.
Thank you for your assistance and for stimulating me to look deeper.
Worth noting is this article I found which outlines VACLs including allowing DNS and DHCP traffic. I found it invaluable for the task.