Advice regarding Packet Tracer ACLs

Jonathan Riley
Level 1

Hi all,

I am working on a Packet Tracer network for a college assignment. I have 3 networks, each with 3 VLANs on it: 1 Employee Wired, 1 Employee Wireless and 1 Guest Wireless.

The network is configured to use routing on a stick. I have a DHCP server on one of the LANs with pools configured for each VLAN. On the sub-interfaces of each router I have configured the ip helper-address, and all works perfectly: hosts on each VLAN are obtaining IP addresses as per their VLAN pool. I now want to create an ACL that will allow hosts on the guest VLAN to obtain an IP address and that is all, no pinging hosts on other VLANs. I have tried different ACLs, all with no success; an example of them is shown below:

The VLAN I want to filter is 174, network address 172.40.174.0/26, the DHCP Server is on VLAN 30, IP address 172.40.52.254

First attempt was

  • permit udp 172.40.174.0 0.0.0.63 host 172.40.52.254 eq bootps
  • permit udp 172.40.174.0 0.0.0.63 host 172.40.52.254 eq bootpc 


Then I tried

  • permit udp any host 172.40.52.254 eq bootps
  • permit udp any host 172.40.52.254 eq bootpc


Each time the packet is stopped at the router. In simulation mode the packet turns red, and clicking on it shows "1. The device sends back an ICMP Administratively Prohibited Unreachable message." I have tried permitting ICMP in the hope that would work, but it didn't. My lecturer couldn't figure it out either.

I have applied the access group to the interface inbound to filter packets before they cross the network


Any ideas?


Thanks in advance

Jon

1 Accepted Solution

Jon Marshall
Hall of Fame

Jon

The issue is that the DHCP request from the client is a broadcast, i.e. it is not sent to the DHCP server IP.

So you need to modify your ACL. I was recently involved in a similar thread where I suggested an entry which didn't seem to work and the OP suggested different entries which did.

However he had other DHCP issues going on so it's not clear which worked and which didn't.

Have a read of that thread and just try them out -

https://supportforums.cisco.com/discussion/12375666/router-not-issusing-dhcp-leases

Jon

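To make the point above concrete, here is an added Python example (not code from this thread, from Cisco, or from the linked discussion) that evaluates the two ACLs from the question against constructed packets: a client's initial DHCP DISCOVER, which leaves the client as UDP 68 to 67 from source 0.0.0.0 to destination 255.255.255.255, a lease renewal unicast from a leased guest address to the server, and a ping from the guest VLAN to another VLAN. Both of the question's ACLs permit the unicast renewal but drop the broadcast DISCOVER, because neither entry can match a destination of 255.255.255.255. The entry in PORT_BASED is my assumed working form (match on the DHCP client and server ports instead of the server address), not the entries from the linked thread; the client and server addresses other than those in the question are constructed for the example.

```python
"""Evaluate Cisco-style extended ACL entries against sample packets.

Added example, not code from the thread. Supports the ACE syntax used in
the question: action, protocol, source (any | host A | A WILDCARD), an
optional 'eq <port>', destination in the same form, optional 'eq <port>'.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

PORT_NAMES = {"bootps": 67, "bootpc": 68}  # IOS port keywords used in the thread
ANY = ("0.0.0.0", "255.255.255.255")       # address and wildcard meaning "any"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    sport: Optional[int] = None  # None means any port
    dport: Optional[int] = None


def _parse_addr(tokens: List[str], i: int) -> Tuple[str, str, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY[0], ANY[1], i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def _parse_port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional 'eq <port>' qualifier (only 'eq' is supported here)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse one ACE, e.g. 'permit udp any host 172.40.52.254 eq bootps'."""
    t = line.split()
    action, proto = t[0], t[1]
    src, src_w, i = _parse_addr(t, 2)
    sport, i = _parse_port(t, i)
    dst, dst_w, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return Ace(action, proto, src, src_w, dst, dst_w, sport, dport)


def _wild_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask match: a 1 bit in the wildcard means 'do not care'."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return ((int(IPv4Address(addr)) ^ int(IPv4Address(base))) & care) == 0


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (
        ace.proto in ("ip", pkt.proto)
        and _wild_match(pkt.src, ace.src, ace.src_wild)
        and _wild_match(pkt.dst, ace.dst, ace.dst_wild)
        and (ace.sport is None or ace.sport == pkt.sport)
        and (ace.dport is None or ace.dport == pkt.dport)
    )


def evaluate(acl: List[str], pkt: Packet) -> str:
    """First matching ACE wins; an IOS ACL ends with an implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# Constructed packets. A client with no lease yet broadcasts its DISCOVER
# from 0.0.0.0; a client renewing a lease unicasts to the server it learned.
DISCOVER = Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67)
RENEW = Packet("udp", "172.40.174.10", "172.40.52.254", 68, 67)
PING = Packet("icmp", "172.40.174.10", "172.40.52.10")  # guest to another VLAN

FIRST_ATTEMPT = [
    "permit udp 172.40.174.0 0.0.0.63 host 172.40.52.254 eq bootps",
    "permit udp 172.40.174.0 0.0.0.63 host 172.40.52.254 eq bootpc",
]
SECOND_ATTEMPT = [
    "permit udp any host 172.40.52.254 eq bootps",
    "permit udp any host 172.40.52.254 eq bootpc",
]
# Assumed fix (my example, not the linked thread's entries): match on the
# DHCP client/server ports so the broadcast DISCOVER and the unicast renewal
# both pass while everything else still hits the implicit deny.
PORT_BASED = ["permit udp any eq bootpc any eq bootps"]


def summary(acl: List[str]) -> Dict[str, str]:
    """Result of the ACL for each sample packet."""
    return {name: evaluate(acl, p)
            for name, p in (("discover", DISCOVER), ("renew", RENEW), ("ping", PING))}


if __name__ == "__main__":
    for label, acl in (("first attempt", FIRST_ATTEMPT),
                       ("second attempt", SECOND_ATTEMPT),
                       ("port-based", PORT_BASED)):
        print(f"{label:15s} {summary(acl)}")
```

The inbound ACL on the guest sub-interface is checked before the ip helper-address relays the packet, so the DISCOVER must be permitted as the broadcast the client actually sends; the relay only rewrites the destination to the server afterwards.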

2 Replies

Thank you Jon,

The two entries in the thread you advised me to read worked first time. And annoyingly, I wasn't far off with my own entries.

Thanks again, and have a good Christmas and New Year.


Regards

Jon
