12-17-2014 12:22 PM - edited 03-07-2019 09:56 PM
Hi all,
I am working on a packet tracer network for a college assignment. I have 3 networks, each with 3 VLANs on, 1 Employee wired, 1 Employee Wireless and 1 Guest Wireless.
The network is configured to use routing on a stick, I have a DHCP server on one of the LANs with pools configured for each VLAN. On the sub-interfaces of each router I have configured the ip helper-address, all works perfectly, hosts on each VLAN are obtaining IP addresses as per their VLAN pool. I now want to create an ACL that will allow hosts on the guest VLAN to obtain an IP address and that is all, no pinging hosts on other VLANs. I have tried different ACLs, all with no success, an example of them is shown below:
The VLAN I want to filter is 174, network address 172.40.174.0/26, the DHCP Server is on VLAN 30, IP address 172.40.52.254
First attempt was
Then I tried
Each time the packet is stopped at the router. In simulation mode the packet turns red and clicking on it shows "1. The device sends back an ICMP Administratively Prohibited Unreachable message." I have tried permitting ICMP in the hope that would work but it didn't. My lecturer couldn't figure it out either.
I have applied the access group to the interface inbound to filter packets before they cross the network
Any ideas?
Thanks in advance
Jon
12-17-2014 12:51 PM
Jon
The issue is that the DHCP request from the client is a broadcast, i.e. it is not the DHCP server IP.
So you need to modify your ACL. I was recently involved in a similar thread where I suggested an entry which didn't seem to work and the OP suggested different entries which did.
However he had other DHCP issues going on so it's not clear which worked and which didn't.
Have a read of that thread and just try them out -
https://supportforums.cisco.com/discussion/12375666/router-not-issusing-dhcp-leases
Jon
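The point made in the answer above, as an added example that is not part of the original thread: a small first-match ACL model showing how an entry written against the DHCP server's address treats the client's broadcast DISCOVER on the guest sub-interface. Both ACLs and the sample packets are constructed for illustration (the entries from the linked thread are not shown on this page), and the model only approximates IOS matching.

```python
import ipaddress

def ip(a):
    return int(ipaddress.IPv4Address(a))

def addr_match(spec, addr):
    """spec is 'any' or an (address, wildcard) pair in IOS style."""
    if spec == "any":
        return True
    base, wildcard = spec
    care = ~ip(wildcard) & 0xFFFFFFFF   # wildcard bits set to 1 are ignored
    return ip(base) & care == ip(addr) & care

def evaluate(acl, pkt):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, proto, src, sport, dst, dport in acl:
        if (proto in ("ip", pkt["proto"])
                and addr_match(src, pkt["src"]) and addr_match(dst, pkt["dst"])
                and sport in (None, pkt.get("sport"))
                and dport in (None, pkt.get("dport"))):
            return action
    return "deny"

GUEST = ("172.40.174.0", "0.0.0.63")      # VLAN 174, /26 from the post
SERVER = ("172.40.52.254", "0.0.0.0")     # DHCP server from the post

# Constructed: matches only traffic addressed to the server itself.
UNICAST_ONLY = [("permit", "udp", GUEST, 68, SERVER, 67)]
# Constructed: also admits the broadcast DISCOVER/REQUEST sent from 0.0.0.0.
WITH_BROADCAST = [
    ("permit", "udp", "any", 68, ("255.255.255.255", "0.0.0.0"), 67),
    ("permit", "udp", GUEST, 68, SERVER, 67),   # unicast lease renewal
]

# Constructed sample packets as seen inbound on the guest sub-interface.
DISCOVER = {"proto": "udp", "src": "0.0.0.0", "sport": 68,
            "dst": "255.255.255.255", "dport": 67}
RENEW = {"proto": "udp", "src": "172.40.174.10", "sport": 68,
         "dst": "172.40.52.254", "dport": 67}
PING = {"proto": "icmp", "src": "172.40.174.10", "dst": "172.40.52.10"}

def verdicts(acl):
    """Verdicts for DISCOVER, RENEW and PING, in that order."""
    return [evaluate(acl, p) for p in (DISCOVER, RENEW, PING)]

if __name__ == "__main__":
    print("unicast-only  :", verdicts(UNICAST_ONLY))
    print("with broadcast:", verdicts(WITH_BROADCAST))
```

The inbound ACL sees the client's packet before `ip helper-address` relays it, so the source is still 0.0.0.0 and the destination is still the broadcast address at the point of filtering.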
12-18-2014 12:46 AM
Thank you Jon,
The two entries in the thread you advised me to read worked first time. And annoyingly, I wasn't far off with my own entries.
Thanks again, and have a good Christmas and New Year.
Regards
Jon