07-04-2016 10:45 PM - edited 02-21-2020 05:51 AM
Hi there,
I'm attempting to set up ACLs on my VLANs to block access to all other VLANs but allow traffic to the servers and the internet. As soon as I apply the ACL to the SVI it stops new connections i.e. they can't get an IP address from the DHCP server on the server network. Already connected devices have all other traffic controlled as I wanted. Any pointers as to how I can rectify the situation will be greatly appreciated.
Servers are on 10.10.0.0/23 and 10.20.0.0/23, NGFW is 10.80.1.254.
Below is how I structured a test VACL for Vlan 500 (10.50.0.0/20):
no ip access-list extended pen-wifi-vacl-in
ip access-list extended pen-wifi-vacl-in
remark *** Allow server access ***
permit ip 10.50.0.0 0.0.15.255 10.10.0.0 0.0.1.255
permit ip 10.50.0.0 0.0.15.255 10.20.0.0 0.0.1.255
permit ip 10.50.0.0 0.0.15.255 host 10.80.1.254
remark *** Deny access to other VLANs ***
remark * Wired VLANs *
deny ip 10.50.0.0 0.0.15.255 10.12.0.0 0.0.0.255 log
deny ip 10.50.0.0 0.0.15.255 10.13.0.0 0.0.1.255 log
deny ip 10.50.0.0 0.0.15.255 10.15.0.0 0.0.1.255 log
deny ip 10.50.0.0 0.0.15.255 10.22.1.0 0.0.255.255 log
deny ip 10.50.0.0 0.0.15.255 10.23.0.0 0.0.0.255 log
deny ip 10.50.0.0 0.0.15.255 10.25.0.0 0.0.3.255 log
deny ip 10.50.0.0 0.0.15.255 10.30.0.0 0.0.1.255 log
deny ip 10.50.0.0 0.0.15.255 10.60.0.0 0.0.1.255 log
remark * BYOD and Wi-Fi *
deny ip 10.50.0.0 0.0.15.255 10.26.0.0 0.0.3.255 log
deny ip 10.50.0.0 0.0.15.255 10.27.0.0 0.0.3.255 log
deny ip 10.50.0.0 0.0.15.255 10.28.0.0 0.0.3.255 log
deny ip 10.50.0.0 0.0.15.255 10.29.0.0 0.0.1.255 log
deny ip 10.50.0.0 0.0.15.255 10.36.0.0 0.0.3.255 log
deny ip 10.50.0.0 0.0.15.255 10.70.0.0 0.0.15.255 log
remark * VoIP and management *
deny ip 10.50.0.0 0.0.15.255 10.31.0.0 0.0.0.255 log
deny ip 10.50.0.0 0.0.15.255 10.61.0.0 0.0.0.255 log
deny ip 10.50.0.0 0.0.15.255 10.252.0.0 0.3.255.255 log
remark *** Permit access to the internet ***
permit ip 10.50.0.0 0.0.15.255 any
!
interface Vlan500
no ip access-group pen-wifi-vacl-in in
ip access-group pen-wifi-vacl-in in
exit
Regards,
David
07-04-2016 10:51 PM
I don't see any DHCP forwarding commands, so I'm not sure how your clients get their request to the DHCP server; but to begin with clients have no IP address. So they send a packet from 0.0.0.0 to 255.255.255.255. On the whole, I would just add a rule to allow "any to 255.255.255.255" so that broadcast traffic is allowed in general.
07-04-2016 10:59 PM
Thanks Philip,
I'm configuring the ACLs on a 3850 stack and a 3750 stack. I'm guessing you're talking about the dhcprelay commands (not familiar with the use of these as yet).
By adding the rule I'm assuming I tack it on the end of the ACL?
Cheers
David
07-04-2016 11:11 PM
07-05-2016 04:10 PM
After more research I'm thinking I should add the following:
permit udp any any eq 67
permit udp any any eq 68
This should allow all DHCP (UDP ports 67 [bootps] for server and 68 [bootpc] for client) but still keep the ACLs nice and tight security wise.
I'll try this first and let you know the outcome.
Cheers
David
07-05-2016 04:26 PM
Hi Philip,
I'm pleased to report the two lines I added have done the trick without opening any other ports.
Thank you for your assistance and for stimulating me to look deeper.
Regards
David
07-05-2016 04:35 PM
You're welcome. It would be great if you could rate helpful posts and mark responses.
07-05-2016 04:49 PM
Questionnaire filled in. ;-)
07-05-2016 05:58 PM
Worth noting is this article I found which outlines VACLs including allowing DNS and DHCP traffic. I found it invaluable for the task.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide