
ACL for DHCP problem

wajid dabir
Level 1

In my core switch there are 2 VLANs (VLAN 1 & VLAN 2). My switch is a Cisco 4948, so by default IP routing is enabled on it.

All my servers (DHCP, HTTP, HTTPS) are in VLAN 1, and the internet is also in VLAN 1.

My requirement is that VLAN 1 users should not communicate with VLAN 2, and vice versa.

But the VLAN 2 users need access to all the servers and the internet, which are in VLAN 1. Help me configure the access-list.

I have tried it in Packet Tracer, which I have attached.

Note: VLAN 2 users should get their IP from the DHCP server, which is in VLAN 1.

4 Replies

wajid dabir
Level 1

Waiting for someone to reply...

Sakun Sharma
Level 1

Hi,

As you have enabled IP routing, all the VLANs can communicate with each other.

To achieve what you want to do, you can use an ACL on your VLAN interfaces.

On VLAN 2 you can configure an extended access list allowing the VLAN 2 network to reach only the server group in VLAN 1 and the internet gateway IP address; all other traffic will be dropped at the VLAN 2 interface.

For DHCP you can use the ip helper-address command on the VLAN 2 interface, giving the IP address of your DHCP server in VLAN 1.

If you want more explanation or example, please let me know.

Sakun,

ip helper-address is already configured on VLAN 2, but after applying the ACL on interface VLAN 2, all users of VLAN 2 stop getting an IP from DHCP.

e.g. VLAN 1: 10.10.10.0/24
     VLAN 2: 20.20.20.0/24

Server IPs: 10.10.10.4
            10.10.10.9
            10.10.10.21
            10.10.10.22

Based on these IPs, please write an extended ACL as an example.

Hi,

You can use either a simple access list or an IP access list; first I am showing it via a simple access list.

access-list 101 permit ip 20.20.20.0 0.0.0.255 host 10.10.10.4
access-list 101 permit ip 20.20.20.0 0.0.0.255 host 10.10.10.9
access-list 101 permit ip 20.20.20.0 0.0.0.255 host 10.10.10.21
access-list 101 permit ip 20.20.20.0 0.0.0.255 host 10.10.10.22
! the DHCP DISCOVER is a broadcast from 0.0.0.0 to 255.255.255.255 (UDP port 67, bootps);
! add this entry so the ip helper-address command can relay it
access-list 101 permit udp any host 255.255.255.255 eq bootps

interface Vlan2
 ip helper-address <DHCP-server-IP>
 ip access-group 101 in

-------------

Or, you can use a named extended access-list; it will be beneficial because it gives you the scalability and flexibility to add and remove statements in the access list.

Commands:

ip access-list extended VLAN2
 10 permit ip 20.20.20.0 0.0.0.255 host 10.10.10.4
 20 permit ip 20.20.20.0 0.0.0.255 host 10.10.10.9
 30 permit ip 20.20.20.0 0.0.0.255 host 10.10.10.21
 40 permit ip 20.20.20.0 0.0.0.255 host 10.10.10.22
 ! add this so the ip helper-address command can relay the DHCP broadcast
 50 permit udp any host 255.255.255.255 eq bootps

interface Vlan2
 ip helper-address <DHCP-server-IP>
 ip access-group VLAN2 in

Command: show access-list VLAN2

Extended IP access list VLAN2
    10 permit ip 20.20.20.0 0.0.0.255 host 10.10.10.4
    20 permit ip 20.20.20.0 0.0.0.255 host 10.10.10.9
    30 permit ip 20.20.20.0 0.0.0.255 host 10.10.10.21
    40 permit ip 20.20.20.0 0.0.0.255 host 10.10.10.22
    50 permit udp any host 255.255.255.255 eq bootps

To remove any statement, simply enter "no <sequence-number>" inside the access list.

--

Regards,

Sakun Sharma

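The thread's ACL is easy to get wrong because an IOS access list is evaluated top to bottom, first match wins, and ends with an implicit deny. The following is an added example, not code from the thread or from Cisco: a small Python model of that evaluation for the subset of extended-ACL syntax used above. It shows why the asker's VLAN 2 clients stopped getting leases (the DHCP DISCOVER is a broadcast from 0.0.0.0 to 255.255.255.255 that matches none of the server permits), that the "permit udp any host 255.255.255.255 eq bootps" entry fixes it, and (as an extension that the thread does not spell out, marked as an assumption in the code) that internet-bound traffic also needs an explicit "deny to 10.10.10.0/24" followed by "permit any", since a destination on the internet is not the gateway's address and would otherwise fall through to the implicit deny. All packets and the 198.51.100.7 destination are constructed sample values; the wildcard-mask parser assumes contiguous masks.

```python
"""Model of Cisco IOS extended-ACL evaluation (added example, not from the thread).

Parses the ACL lines used in the thread and evaluates constructed sample packets
the way an inbound ACL on interface Vlan2 would: first match wins, implicit deny.
"""
import ipaddress
from dataclasses import dataclass

# IOS port keywords used in the thread (bootps = DHCP server port 67)
PORT_NAMES = {"bootps": 67, "bootpc": 68, "www": 80, "domain": 53}


@dataclass(frozen=True)
class Packet:
    proto: str          # "udp", "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard' -> (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # An IOS wildcard is the inverse of a netmask (assumes a contiguous mask).
    mask = ipaddress.ip_address((~int(ipaddress.ip_address(wildcard))) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2


def _parse_port(tokens, i):
    """Parse an optional 'eq <port>' qualifier -> (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


def parse_ace(line):
    """Parse one entry, numbered ('access-list 101 permit ...') or sequenced ('50 permit ...')."""
    tokens = line.split("!")[0].split()          # drop trailing '!' comments
    while tokens[0] not in ("permit", "deny"):   # skip 'access-list <n>' / sequence number
        tokens.pop(0)
    action, proto = tokens[0], tokens[1]
    src, i = _parse_addr(tokens, 2)
    sport, i = _parse_port(tokens, i)
    dst, i = _parse_addr(tokens, i)
    dport, i = _parse_port(tokens, i)
    return {"action": action, "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}


def _matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace["src"]:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace["dst"]:
        return False
    if ace["sport"] is not None and ace["sport"] != pkt.sport:
        return False
    if ace["dport"] is not None and ace["dport"] != pkt.dport:
        return False
    return True


def evaluate(acl_lines, pkt):
    """Return 'permit' or 'deny': first matching entry wins, implicit deny at the end."""
    for ace in map(parse_ace, acl_lines):
        if _matches(ace, pkt):
            return ace["action"]
    return "deny"


# The server permits alone (what the asker applied first, before the DHCP line)
ACL_NO_DHCP = [
    "access-list 101 permit ip 20.20.20.0 0.0.0.255 host 10.10.10.4",
    "access-list 101 permit ip 20.20.20.0 0.0.0.255 host 10.10.10.9",
    "access-list 101 permit ip 20.20.20.0 0.0.0.255 host 10.10.10.21",
    "access-list 101 permit ip 20.20.20.0 0.0.0.255 host 10.10.10.22",
]
# The thread's fix: let the DHCP broadcast in so ip helper-address can relay it
ACL_WITH_DHCP = ACL_NO_DHCP + ["access-list 101 permit udp any host 255.255.255.255 eq bootps"]
# Assumption beyond the thread: deny the rest of VLAN 1, then permit everything else (internet)
ACL_WITH_INTERNET = ACL_WITH_DHCP + [
    "access-list 101 deny ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255",
    "access-list 101 permit ip 20.20.20.0 0.0.0.255 any",
]

# Constructed sample packets arriving inbound on interface Vlan2
DHCP_DISCOVER = Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67)
TO_WEB_SERVER = Packet("tcp", "20.20.20.15", "10.10.10.21", 51000, 443)
TO_VLAN1_USER = Packet("tcp", "20.20.20.15", "10.10.10.100", 51001, 445)
TO_INTERNET = Packet("tcp", "20.20.20.15", "198.51.100.7", 51002, 443)  # RFC 5737 documentation address


def report(acl_lines):
    """Map each sample packet name to the verdict the ACL gives it."""
    samples = {"dhcp_discover": DHCP_DISCOVER, "to_web_server": TO_WEB_SERVER,
               "to_vlan1_user": TO_VLAN1_USER, "to_internet": TO_INTERNET}
    return {name: evaluate(acl_lines, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for label, acl in (("servers only", ACL_NO_DHCP), ("with bootps", ACL_WITH_DHCP),
                       ("with internet", ACL_WITH_INTERNET)):
        print(f"{label:14s} {report(acl)}")
```

Running it prints one verdict line per ACL variant: with the server permits alone the DHCP DISCOVER is denied, the bootps entry turns that into a permit while internet traffic is still denied, and only the deny-then-permit-any ordering lets internet traffic through while VLAN 1 hosts other than the listed servers stay blocked. Keep in mind the model is as stateless as the real ACL: an inbound list on Vlan2 only sees packets sourced in VLAN 2, so it does not by itself stop VLAN 1 hosts from sending to VLAN 2, it only prevents VLAN 2 from answering.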
