03-10-2012 12:15 AM - edited 03-07-2019 05:28 AM
Dear All,
I have 3 VLANs (it's an example configuration):
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip helper-address 10.10.10.15
interface Vlan20
 ip address 20.20.20.1 255.255.255.0
 ip helper-address 10.10.10.15
interface Vlan30
 ip address 30.30.30.1 255.255.255.0
 ip helper-address 10.10.10.15
router ospf 1
 network 10.10.10.0 0.0.0.255 area 0
 network 20.20.20.0 0.0.0.255 area 0
 network 30.30.30.0 0.0.0.255 area 0
-------------------------------------------------------------------------
Now I need all clients & network components on VLAN 20 to be able to access everything on VLAN 10.
But for the VLAN 30 clients, I need them to access only the DHCP server on VLAN 10, and they must not be able to access anything on VLAN 20.
Can I use an ACL to do that? If yes, how?
And are there any other features that can help me as well?
Thanks,
Mohamed Lotfy
03-10-2012 04:23 AM
Mohamed,
You can try this:
On vlan 10, you can take the helper address off since the dhcp server resides on that subnet.
On vlan 30, apply an acl like the following:
access-list 101 permit udp any eq bootpc any eq bootps
access-list 101 deny ip any any
int vlan 30
ip access-group 101 in
The acl only allows dhcp traffic to come in from hosts on vlan 30, but it doesn't allow them to do anything outside of vlan 30 once they get an address. If you need to allow them to get to hosts in vlan 10, you'll also need to allow them that and then deny them to vlan 20.
access-list 101 permit udp any eq bootpc any eq bootps
access-list 101 permit ip any 10.10.10.0 0.0.0.255
access-list 101 deny ip any any
Or if you want to allow them everywhere and deny them ONLY to the vlan 20:
access-list 101 deny ip any 20.20.20.0 0.0.0.255
access-list 101 permit ip any any
HTH,
John
Please rate...
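To see how the three ACL variants in the answer above actually sort traffic, here is an added Python model of first-match extended-ACL evaluation (wildcard masks, port keywords, implicit deny). It is an illustration written for this thread, not code from the thread or from Cisco; the sample flows are constructed, and the third ACL is given the number 101 here since the post leaves it off.

```python
"""Simulate first-match evaluation of Cisco-style numbered extended ACLs
(added illustration, not code from the thread; sample flows are constructed)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Well-known UDP ports behind the IOS port keywords used in the ACLs.
PORT_KEYWORDS = {"bootps": 67, "bootpc": 68}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str  # "udp", "tcp" or "icmp"
    sport: int = 0
    dport: int = 0


def _addr_matches(addr: str, spec: str) -> bool:
    """Match against 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' (IOS wildcard mask)."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec.split()[1]
    base, wildcard = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    # A 1 bit in the wildcard means "don't care"; every 0 bit must match exactly.
    return (a & ~w) == (b & ~w)


@dataclass
class Ace:
    """One access-list entry: action, protocol, address specs and optional 'eq' ports."""
    action: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not (_addr_matches(pkt.src, self.src) and _addr_matches(pkt.dst, self.dst)):
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        return self.dport is None or pkt.dport == self.dport


def _parse_addr(t: List[str], i: int):
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return f"host {t[i + 1]}", i + 2
    return f"{t[i]} {t[i + 1]}", i + 2


def _parse_port(t: List[str], i: int):
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (int(p) if p.isdigit() else PORT_KEYWORDS[p]), i + 2
    return None, i


def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' lines in order."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        src, i = _parse_addr(t, 4)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        aces.append(Ace(t[2], t[3], src, sport, dst, dport))
    return aces


def evaluate(aces: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; the implicit 'deny ip any any' catches everything else."""
    for ace in aces:
        if ace.matches(pkt):
            return ace.action
    return "deny"


# The three variants from the answer, applied inbound on interface Vlan30.
ACL_DHCP_ONLY = """
access-list 101 permit udp any eq bootpc any eq bootps
access-list 101 deny ip any any
"""
ACL_DHCP_AND_VLAN10 = """
access-list 101 permit udp any eq bootpc any eq bootps
access-list 101 permit ip any 10.10.10.0 0.0.0.255
access-list 101 deny ip any any
"""
ACL_BLOCK_VLAN20_ONLY = """
access-list 101 deny ip any 20.20.20.0 0.0.0.255
access-list 101 permit ip any any
"""

# Constructed sample flows from a VLAN 30 host (30.30.30.50) as they arrive on Vlan30.
SAMPLE_FLOWS = {
    "dhcp_discover": Packet("0.0.0.0", "255.255.255.255", "udp", 68, 67),
    "dhcp_renew": Packet("30.30.30.50", "10.10.10.15", "udp", 68, 67),
    "https_vlan10": Packet("30.30.30.50", "10.10.10.20", "tcp", 40000, 443),
    "https_vlan20": Packet("30.30.30.50", "20.20.20.20", "tcp", 40000, 443),
    "dns_elsewhere": Packet("30.30.30.50", "198.51.100.9", "udp", 40000, 53),
}


def decisions(acl_text: str) -> Dict[str, str]:
    """Return the permit/deny verdict for every sample flow under the given ACL."""
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, pkt) for name, pkt in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("dhcp only", ACL_DHCP_ONLY), ("dhcp + vlan 10", ACL_DHCP_AND_VLAN10),
                       ("block vlan 20 only", ACL_BLOCK_VLAN20_ONLY)):
        print(label, decisions(acl))
```

Running it shows why the first line is written on ports rather than addresses: the initial DHCPDISCOVER arrives from 0.0.0.0 to 255.255.255.255, and the later unicast renewal to 10.10.10.15 has a real source address, and the single `udp any eq bootpc any eq bootps` entry covers both. With the first ACL every non-DHCP flow falls to the deny; with the second only 10.10.10.0/24 opens up; with the third everything except 20.20.20.0/24 is permitted, which is the behaviour the answer describes.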
03-10-2012 10:01 AM
Dear Brother John,
really thank you, it's a very helpful answer from you
thanks again
Lotfy
03-10-2012 10:52 AM
Not a problem. Thank you for the rating!
10-27-2014 02:44 PM
This post is 3 years old, but I'm tossing this up for future reference.
To permit | deny just DHCPv4 traffic...
(Yes, I know there are 9,003 ways to make this ACL better, but I'll leave that to you...☺)
► You have the implicit deny at the end, which will block anything that has not been explicitly permitted.
► However, I like to add an explicit deny at the end, so that I can see the stats for it.
(John Blakley also had this in his answer, so hat tip to John)
(Yes, I know there are 9,002 ways to make this ACL better, but I'll leave that to you...☺)
► You can use it to debug:
► And if you want to see the DHCP activity from the 30.30.30.0/24 LAN, you can use:
debug ip dhcp server events
Well, hope that helps someone in their quest to sort out DHCP traffic...
Cheers!
▬ spammy
03-14-2020 07:17 AM