Worth noting is this article

David Waters · ‎07-04-2016

Hi there,

I'm attempting to set up ACLs on my VLANs to block access to all other VLANs but allow traffic to the servers and the internet. As soon as I apply the ACL to the SVI it stops new connections i.e. they can't get an IP address from the DHCP server on the server network. Already connected devices have all other traffic controlled as I wanted. Any pointers as to how I can rectify the situation will be greatly appreciated.

Servers are on 10.10.0.0/23 and 10.20.0.0/23, NGFW is 10.80.1.254.

Below is how I structured a test VACL for Vlan 500 (10.50.0.0/20):

no ip access-list extended pen-wifi-vacl-in
ip access-list extended pen-wifi-vacl-in
remark *** Allow server access ***
permit ip 10.50.0.0 0.0.15.255 10.10.0.0 0.0.1.255
permit ip 10.50.0.0 0.0.15.255 10.20.0.0 0.0.1.255
permit ip 10.50.0.0 0.0.15.255 host 10.80.1.254
remark *** Deny access to other VLANs ***
remark * Wired VLANs *
deny   ip 10.50.0.0 0.0.15.255 10.12.0.0 0.0.0.255 log
deny   ip 10.50.0.0 0.0.15.255 10.13.0.0 0.0.1.255 log
deny   ip 10.50.0.0 0.0.15.255 10.15.0.0 0.0.1.255 log
deny   ip 10.50.0.0 0.0.15.255 10.22.1.0 0.0.255.255 log
deny   ip 10.50.0.0 0.0.15.255 10.23.0.0 0.0.0.255 log
deny   ip 10.50.0.0 0.0.15.255 10.25.0.0 0.0.3.255 log
deny   ip 10.50.0.0 0.0.15.255 10.30.0.0 0.0.1.255 log
deny   ip 10.50.0.0 0.0.15.255 10.60.0.0 0.0.1.255 log
remark * BYOD and Wi-Fi *
deny   ip 10.50.0.0 0.0.15.255 10.26.0.0 0.0.3.255 log
deny   ip 10.50.0.0 0.0.15.255 10.27.0.0 0.0.3.255 log
deny   ip 10.50.0.0 0.0.15.255 10.28.0.0 0.0.3.255 log
deny   ip 10.50.0.0 0.0.15.255 10.29.0.0 0.0.1.255 log
deny   ip 10.50.0.0 0.0.15.255 10.36.0.0 0.0.3.255 log
deny   ip 10.50.0.0 0.0.15.255 10.70.0.0 0.0.15.255 log
remark * VoIP and management *
deny   ip 10.50.0.0 0.0.15.255 10.31.0.0 0.0.0.255 log
deny   ip 10.50.0.0 0.0.15.255 10.61.0.0 0.0.0.255 log
deny   ip 10.50.0.0 0.0.15.255 10.252.0.0 0.3.255.255 log
remark *** Permit access to the internet ***
permit ip 10.50.0.0 0.0.15.255 any
!
interface Vlan500
no ip access-group pen-wifi-vacl-in in
ip access-group pen-wifi-vacl-in in
exit

Regards,
David

Philip D'Ath · ‎07-04-2016

I don't see any DHCP forwarding commands, so I'm not sure how your clients get their request to the DHCP server; but to begin with clients have no IP address. So they send a packet from 0.0.0.0 to 255.255.255.255. On the whole, I would just add a rule to allow "any to 255.255.255.255" so that broadcast traffic is allowed in general.

David Waters · ‎07-04-2016

Thanks Philip,

I'm configuring the ACLs on a 3850 stack and a 3750 stack. I'm guessing you're talking about the dhcprelay commands (not familiar with the use of these as yet).

By adding the rule I'm assuming I tack it on the end of the ACL?

Cheers
David

Philip D'Ath · ‎07-04-2016

Yes, you could add it to the end of the ACL.

David Waters · ‎07-05-2016

After more research I'm thinking I should add the following:

permit udp any any eq 67
permit udp any any eq 68

This should allow all DHCP (UDP ports 67 [bootps] for server and 68 [bootpc] for client) but still keep the ACLs nice and tight security wise.

I'll try this first and let you know the outcome.

Cheers
David

David Waters · ‎07-05-2016

Hi Philip,

I'm pleased to report the two lines I added have done the trick without opening any other ports.

Thank you for your assistance and for stimulating me to look deeper.

Regards

David

Philip D'Ath · ‎07-05-2016

You're welcome. It would be great if you could rate helpful posts and mark responses.

David Waters · ‎07-05-2016

Questionnaire filled in. ;-)

David Waters · ‎07-05-2016

Worth noting is this article I found which outlines VACLs including allowing DNS and DHCP traffic. I found it invaluable for the task.

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-switches/818-cisco-switches-vlan-security.html

ACL is blocking DHCP traffic