DHCP quits when ACL applied

lhoyle
Level 1

I have a 1760 that routes traffic between 3 VLANS and the Internet. VLAN1 can also get to VLAN5 and VLAN10, but not the other way around. DHCP works fine until the ACL is placed on the subinterfaces of F0/0. Any help will be appreciated.

21 Replies

Richard Burts
Hall of Fame

Lewis

You describe the problem as being an issue with DHCP when you apply the access lists. But I am seeing several problems but not particularly problems with DHCP. If I have not understood something correctly then please clarify so that I can understand better.

Your config indicates that VLAN 1 is interface FastEthernet0/0.1. But it also indicates that VLAN 5 is interface FastEthernet0/0.1. And it indicates that VLAN 10 is interface FastEthernet0/0.1. That would certainly create problems for a start.

Then you indicate these results from one of the PCs:

ON VLAN10

IP: 192.168.10.50

Gateway: 192.168.15.254

But the IP address is in one subnet and the gateway is in a different subnet. That does not match what you show for the DHCP config. So either what you have posted is not correct or this PC has hard coded information and is not learning address and gateway from DHCP. Can you clarify which it is?

And in access list 101 you deny any traffic with source address in 192.168.15.0 or 192.168.10.0 (which covers VLAN 5 and VLAN 10) to 192.168.20.0. So a PC in VLAN 1 could send something to any device in VLAN 5 or VLAN 10, but the response coming back would be denied. So there is effectively no communication from VLAN 1 to VLAN 5 or 10 once you apply the access list.

If you can correct these issues and there is still a problem then please post updated configs and a fresh description of what is not working.

HTH

Rick


Rick,

I was cutting and pasting like a madman when I created that document. I just looked at the config and the sub ints are correct (f0/0.1, f0/0.5, f0/0.10). Sorry for the confusion on that. As far as the DHCP is concerned, my customer ran IP configs and that indeed is what he got. That is why I am so confused.

I had the customer run the "ipconfig" because I wondered if the DHCP server would be different than the IP address of the subint. That was why I thought the DHCP was failing. I will do more research today.

Revised ACL for VLAN 1

access-list 101 permit ip any 192.168.20.0 0.0.0.255 established
access-list 101 deny ip 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 permit ip 192.168.20.0 0.0.0.255 any
access-list 101 permit ip 192.168.21.0 0.0.0.255 any

lhoyle
Level 1

REVISED CONFIG attached.

Lewis

It looks like there should be an attached file but there is no file to download. I am not sure what the issue is but perhaps you could put the revised config up again?

HTH

Rick


Here it is...

service password-encryption
!
hostname Rtr1760
!
no aaa new-model
!
resource policy
!
!
!
ip dhcp excluded-address 192.168.20.1 192.168.20.49
ip dhcp excluded-address 192.168.20.151 192.168.20.254
ip dhcp excluded-address 192.168.15.1 192.168.15.49
ip dhcp excluded-address 192.168.15.151 192.168.15.254
ip dhcp excluded-address 192.168.10.1 192.168.20.49
ip dhcp excluded-address 192.168.10.151 192.168.10.254
address 192.168.20.1 client-id 0013d3f4ce7c
address 192.168.15.1 client-id 001517175c14
!
ip dhcp pool vlan1
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.254
 dns-server 203.x.x.191 203.215.29.191
!
ip dhcp pool vlan5
 network 192.168.15.0 255.255.255.0
 default-router 192.168.15.254
 dns-server 203.x.x.191 203.215.29.191
!
ip dhcp pool vlan10
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.254
 dns-server 203.x.x.191 203.215.29.191
!
!
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
!
interface FastEthernet0/0.1
 descr vlan 1
 ip access-group 101 out
 ip address 192.168.20.254 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.5
 descr vlan 5
 ip access-group 105 out
 ip address 192.168.15.254 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.10
 descr vlan 10
 ip access-group 110 out
 ip address 192.168.10.254 255.255.255.0
 ip nat inside
!
access-list 101 permit ip any 192.168.20.0 0.0.0.255 established
access-list 101 deny ip 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 permit ip 192.168.20.0 0.0.0.255 any
access-list 101 permit ip 192.168.21.0 0.0.0.255 any
!
access-list 105 deny ip 192.168.10.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 105 deny ip 192.168.15.0 0.0.0.255 192.168.21.0 0.0.0.255
access-list 105 deny ip 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 105 permit ip any 192.168.15.0 0.0.0.255
!
access-list 110 deny ip 192.168.15.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 110 deny ip 192.168.10.0 0.0.0.255 192.168.21.0 0.0.0.255
access-list 110 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 110 permit ip any 192.168.10.0 0.0.0.255
!
!

When my client does an "ipconfig /all" from each subnet, he gets...

ON VLAN10
IP: 192.168.10.50
Gateway: 192.168.15.254
DHCP: 192.168.10.254
DNS: 203.x.x.191 203.215.29.19

ON VLAN5
IP: 192.168.15.50
Gateway: 192.168.15.254
DHCP: 192.168.15.254
DNS: 203.x.x.191 203.215.29.19

ON VLAN1
IP: 192.168.20.59
Gateway: 192.168.20.254
DHCP: 192.168.20.254
DNS: 203.x.x.191 203.215.29.19

Lewis

I do not believe that the PC in vlan 10 where they did ipconfig got its address from DHCP. The gateway assigned is the gateway for vlan 5 and not the one for vlan 10. Doing ipconfig is not enough. They need to go to the PC, go to network, to the interface, and check the properties. I would guess that this address was hard coded and not learned from DHCP.

Beyond that I see some issues in the way that the access lists are configured. Access list 101 is applied outbound on vlan 1. In that case 192.168.20.0 should be the destination address in the access list. I like the addition of permit tcp established which should work. The deny statements for traffic from vlan 5 and 10 are slightly problematic for any response to traffic originating from vlan 1 that uses UDP or ICMP since it will deny those responses as well as denying traffic originated from vlan 5 and 10. And the last 2 permit statements are backwards since they position 192.168.20.0 as the source address:

access-list 101 permit ip 192.168.20.0 0.0.0.255 any
access-list 101 permit ip 192.168.21.0 0.0.0.255 any

In access list 105 the first line does effectively deny traffic from vlan 10 to vlan 5 as desired. But the next 2 statements have reversed the source and destination aspects of the traffic and therefore will not work as intended:

access-list 105 deny ip 192.168.15.0 0.0.0.255 192.168.21.0 0.0.0.255
access-list 105 deny ip 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255

There are similar issues in access list 110.

HTH

Rick


Rick,

Thanks for your help. I'm a noob on this type of thing. See if you think these will work better. If so, I'll send them off to my client for testing.

!
interface FastEthernet0/0.1
 descr vlan 1
 ip access-group 101 out
 ip address 192.168.20.254 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.5
 descr vlan 5
 ip access-group 105 out
 ip address 192.168.15.254 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.10
 descr vlan 10
 ip access-group 110 out
 ip address 192.168.10.254 255.255.255.0
 ip nat inside
!
access-list 101 permit ip any 192.168.20.0 0.0.0.255 established
access-list 101 permit icmp any 192.168.20.0 0.0.0.255 established
access-list 101 permit udp any 192.168.20.0 0.0.0.255 established
access-list 101 deny ip 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
access-list 105 deny ip 192.168.10.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 105 permit ip any 192.168.15.0 0.0.0.255
!
access-list 110 deny ip 192.168.15.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 110 permit ip any 192.168.10.0 0.0.0.255
!
!

Lewis

Unfortunately it is not any better. established works for TCP but not for UDP or for ICMP. So these lines are invalid and would produce syntax errors if entered into config mode:

access-list 101 permit icmp any 192.168.20.0 0.0.0.255 established
access-list 101 permit udp any 192.168.20.0 0.0.0.255 established

HTH

Rick


Would this be better?

access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 deny icmp any any
access-list 101 permit udp any range 1 1023 192.168.20.0 0.0.0.255 gt 1023

Thanks,

Lee

Lee

If these are the only 3 ICMP messages that you want then yes this would be better.

HTH

Rick


DHCP still won't work though as the IP source for a broadcast DHCP discovery is 0.0.0.0 and the destination is 255.255.255.255 (UDP source 68, destination 67). You would need to include this in the ACL to allow DHCP clients to get an IP address.

HTH

Andy

Like this?

access-list 101 permit udp any eq 68 any eq 67
access-list 105 permit udp any eq 68 any eq 67

...and so on.

Thanks,

Lee

Yes, that will do it. DHCP also uses unicast halfway through the lease time to check the address is still OK. However, the port numbers are the same, so the lines you posted will cover them.

Andy
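To make Rick's and Andy's points checkable, here is an added example (not from the thread and not IOS itself) that models the ACL matching rules discussed above in Python: first matching line wins, an implicit deny at the end, and `established` applying only to TCP with the ACK bit set. The ACL text is a constructed version of access-list 101 with 192.168.20.0 as the destination plus Lee's DHCP line, and the packets (Andy's DHCP DISCOVER, a TCP reply, a UDP reply and a new TCP connection from VLAN 5) are assumptions.

```python
import ipaddress

# Constructed ACL in the thread's syntax: Rick's shape plus Lee's DHCP line.
ACL_101 = """
access-list 101 permit udp any eq 68 any eq 67
access-list 101 permit tcp any 192.168.20.0 0.0.0.255 established
access-list 101 deny ip 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 permit ip any 192.168.20.0 0.0.0.255
"""
ACL_101_NO_DHCP = "\n".join(ACL_101.strip().splitlines()[1:])  # before Andy's hint

def _addr(tokens):
    """Consume 'any' or 'A.B.C.D wildcard', then an optional 'eq PORT'."""
    if tokens[0] == "any":
        net, tokens = ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    else:  # wildcard mask -> prefix length (assumes a contiguous mask)
        prefix = 32 - int(ipaddress.ip_address(tokens[1])).bit_length()
        net = ipaddress.ip_network(f"{tokens[0]}/{prefix}", strict=False)
        tokens = tokens[2:]
    port = int(tokens[1]) if tokens and tokens[0] == "eq" else None
    return net, port, tokens[2:] if port is not None else tokens

def parse_acl(text):  # yields (action, proto, src, sport, dst, dport, established)
    for line in text.strip().splitlines():
        t = line.split()
        src, sport, rest = _addr(t[4:])
        dst, dport, rest = _addr(rest)
        yield t[2], t[3], src, sport, dst, dport, "established" in rest

def evaluate(acl_text, pkt):
    """First matching line wins; every Cisco ACL ends with an implicit deny."""
    for action, proto, src, sport, dst, dport, est in parse_acl(acl_text):
        if (proto in ("ip", pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in src
                and ipaddress.ip_address(pkt["dst"]) in dst
                and sport in (None, pkt["sport"])
                and dport in (None, pkt["dport"])
                and (not est or pkt["ack"])):  # established = ACK (or RST) set
            return action
    return "deny"

def packet(proto, src, sport, dst, dport, ack=False):
    return dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport, ack=ack)

# Constructed packets: Andy's DHCP DISCOVER, TCP/UDP replies to VLAN 1, a new TCP from VLAN 5.
DHCP_DISCOVER = packet("udp", "0.0.0.0", 68, "255.255.255.255", 67)
TCP_REPLY = packet("tcp", "192.168.15.50", 80, "192.168.20.59", 50000, ack=True)
UDP_REPLY = packet("udp", "192.168.15.50", 53, "192.168.20.59", 50001)
VLAN5_SYN = packet("tcp", "192.168.15.50", 50002, "192.168.20.59", 445)
```

Running the packets through both lists shows the DISCOVER only passing once the udp 68/67 line is present, the TCP reply passing via `established`, and the UDP reply from VLAN 5 still hitting the deny line, which is the gap Rick pointed out.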