Solved: Allow DHCP and deny ICMP ACL

QTortellini · ‎08-11-2020

EDIT: THE SWITCH PASSWORD IS Cisco

Hi people, I've been struggling with this problem all day.

So I got 3 VLANs

VLAN 10: 192.168.10.0/24

VLAN 20: 192.168.20.0/24

VLAN 30: 192.168.30.0/24

Now I have a DHCP server on VLAN 10 and I need VLAN 20 to be able to communicate fully with VLAN 10 and 30 and block the communications between VLAN 30 and 10 except for DHCP. I'll leave my infrastructure here so you guys and girls can take a look at it. I've been trying to use

access-list 100 permit udp any any eq 67 
access-list 100 permit udp any any eq 68
access-list 100 deny 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255

as an IN acl to no avail because the moment I type the last line I lose comms between VLAN 10 and 20. Hope you guys can give me a hand. Cheers!

Reza Sharifi · ‎08-11-2020

Hi,

Try this config:

access-list 100 permit udp any any eq bootps
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255

access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 100 deny ip any any
access-list 101 permit udp any any eq bootpc
access-list 101 permit ip any any

interface vlan 10

ip access-group 100 in
ip access-group 101 out

HTH

View solution in original post

Reza Sharifi · ‎08-11-2020

Hi,

Try this config:

access-list 100 permit udp any any eq bootps
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255

access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 100 deny ip any any
access-list 101 permit udp any any eq bootpc
access-list 101 permit ip any any

interface vlan 10

ip access-group 100 in
ip access-group 101 out

HTH

QTortellini · ‎08-11-2020

Thank you. I replaced the third line with "access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255" and it worked like a charm.

Reza Sharifi · ‎08-11-2020

Glad to know it is all working for you!