DHCP issue on a VLAN, using vlan-maps and ip helper

hugoramirez
Level 1

Hello,

I have this problem which I'm trying to resolve. Recently I learned about vlan-maps to block traffic between VLANs, and tried to implement one on a VLAN where we have an ip helper server to give DHCP addresses to hosts. I tested it out and from the switch I can see the hosts I want to be blocked, but I'm getting a complaint that hosts can't get DHCP on the VLAN.

Let me give you the configs I have:

interface Vlan5
 description vlan5
 ip address 10.10.91.129 255.255.255.128
 ip helper-address 172.21.100.50
!
ip access-list extended wififwdtoiphelper
 permit ip 10.10.91.128 0.0.0.127 host 172.21.100.50
ip access-list extended wifiguestblocking
 permit ip 10.10.91.128 0.0.0.127 150.0.0.0 0.255.255.255
 permit ip 10.10.91.128 0.0.0.127 145.166.0.0 0.0.255.255
 permit ip 10.10.91.128 0.0.0.127 10.0.0.0 0.255.255.255
 permit ip 10.10.91.128 0.0.0.127 172.16.0.0 0.0.255.255
 permit ip 10.10.91.128 0.0.0.127 172.20.0.0 0.0.255.255
 permit ip 10.10.91.128 0.0.0.127 172.21.0.0 0.0.255.255
 permit ip 10.10.91.128 0.0.0.127 172.23.1.0 0.0.0.255
 permit ip 10.10.91.128 0.0.0.127 155.126.104.0 0.0.0.255
 permit ip 10.10.91.128 0.0.0.127 192.168.244.0 0.0.0.255
 permit ip 10.10.91.128 0.0.0.127 192.168.245.0 0.0.0.255
 permit ip 10.10.91.128 0.0.0.127 192.168.246.0 0.0.0.255
 permit ip 10.10.91.128 0.0.0.127 192.168.247.0 0.0.0.255
 permit ip 10.10.91.128 0.0.0.127 192.168.248.0 0.0.0.255
 permit ip 10.10.91.128 0.0.0.127 192.168.249.0 0.0.0.255
 permit ip 10.10.91.128 0.0.0.127 192.168.250.0 0.0.0.255
 permit ip 10.10.91.128 0.0.0.127 165.136.23.128 0.0.0.127
 permit ip 10.10.91.128 0.0.0.127 165.136.30.128 0.0.0.127
!
vlan access-map wifiblock1 10
 action drop
 match ip address wifiguestblocking
vlan access-map wifiblock1 20
 action forward
 match ip address wififwdtoiphelper
vlan filter wifiblock1 vlan-list 5

If I remove the access-map I get DHCP. What is wrong with my access-map that is preventing users from getting an IP address from 172.21.100.50?

I can ping the DHCP server from the switch, sourced from VLAN 5, and on the ACL I have all protocols open.


Thanks for any hints or comments that can guide me to the light at the end of the tunnel.

Cheers,

Enrique

1 Reply

cadet alain
VIP Alumni

Hi,

The DHCP discover destination is 255.255.255.255, and there is still no IP address leased so the source is 0.0.0.0, so you should get rid of

permit ip 10.10.91.128 0.0.0.127 host 172.21.100.50

and replace it with:

permit udp any any bootps

I would also invert your vlan map clauses, but I'm not sure this is mandatory here.

Regards.

Alain.

Don't forget to rate helpful posts.
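A corrected version of the map, added here as an example for this thread; it is not configuration posted by either participant. It assumes the documented Catalyst VACL behaviour: sequences are evaluated in order, the action of the first matching sequence applies, and an IP packet that matches no sequence is dropped. That implicit drop is what kills the DHCP Discover in the original map (source 0.0.0.0, destination 255.255.255.255 matches neither ACL), and the ordering is what would later kill a leased client's unicast renewal, since 172.21.100.50 sits inside the blocked 172.21.0.0/16. The names wifiguest-dhcp, wifiguest-other and wifiblock2 are invented for this example; wifiguestblocking is the poster's list, reused unchanged.

```cisco
! DHCP in both directions. "any" is required on the client side because a
! host with no lease sources from 0.0.0.0 to 255.255.255.255. The reverse
! entry (bootps -> bootpc) covers the Offer/Ack the relay sends back into
! VLAN 5, so the result does not depend on whether switch-originated
! traffic bypasses the VACL.
ip access-list extended wifiguest-dhcp
 permit udp any eq bootpc any eq bootps
 permit udp any eq bootps any eq bootpc
!
! Everything else sourced from the guest subnet; used only by the optional
! last clause below.
ip access-list extended wifiguest-other
 permit ip 10.10.91.128 0.0.0.127 any
!
! First match wins, so DHCP is forwarded before the drop clause is reached.
vlan access-map wifiblock2 10
 action forward
 match ip address wifiguest-dhcp
vlan access-map wifiblock2 20
 action drop
 match ip address wifiguestblocking
! Optional (assumption: the thread does not say whether guests need
! anything beyond the blocked ranges). Without this clause every IP packet
! not matched above is dropped by the VACL's implicit deny.
vlan access-map wifiblock2 30
 action forward
 match ip address wifiguest-other
!
no vlan filter wifiblock1 vlan-list 5
vlan filter wifiblock2 vlan-list 5
```

Check the result with `show vlan access-map wifiblock2` and `show vlan filter`, then release and renew a client lease on VLAN 5. One caveat: `permit udp any eq bootps any eq bootpc` also lets any host on VLAN 5 answer as a DHCP server, which the VACL cannot distinguish from the real relay traffic; the control for that is `ip dhcp snooping` on the VLAN with only the uplink marked `ip dhcp snooping trust`, not the VACL.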