06-24-2024 07:35 AM - edited 06-24-2024 07:41 AM
Hello,
I have created an ACL for a VLAN; we need it to block access to the RFC1918 subnets, except for one DHCP server.
So I created this ACL:
ip access-list extended Voice_VLAN_36
10 permit udp any host 192.168.4.115 eq bootps
20 permit udp any host 192.168.4.115 eq bootpc
30 deny ip any 10.0.0.0 0.255.255.255
40 deny ip any 172.0.0.0 0.15.255.255
50 deny ip any 192.168.0.0 0.0.255.255
60 permit ip any any
Then I have assigned this ACL to the VLAN like this:
Interface VLAN36
[...]
ip access-group Voice_VLAN_36 in
I have applied this ACL on 1 C9300 core switch, and 3 C3850.
It's working on the C9300 and one C3850, but devices do not have internet on the other 2 C3850.
Could you please help me find what's wrong?
Thanks in advance.
06-24-2024 07:46 AM
This issue is not related to the ACL, I think.
You have the VLAN missing in the SW, or voice VLAN 36 is not allowed on the trunk of the SW.
Check
show vlan brief
show interface trunk
Check if VLAN 36 appears or not.
MHM
06-25-2024 11:03 PM
Everything is correctly set up in the switch; if I remove the ACL statement from the VLAN SVI, it's working fine.
06-26-2024 08:22 AM
ip access-list extended Voice_VLAN_36
5 permit udp any eq bootpc any eq bootps <<- add this to make sure the workstation gets the correct IP or not
10 permit udp any host 192.168.4.115 eq bootps <<- remove this
20 permit udp any host 192.168.4.115 eq bootpc <<- remove this
30 deny ip any 10.0.0.0 0.255.255.255
40 deny ip any 172.0.0.0 0.15.255.255
50 deny ip any 192.168.0.0 0.0.255.255
60 permit ip any any
70 deny ip any any log <<- add this to see the log if the ACL drops the packet
MHM
06-26-2024 11:46 AM
My first comment is that there is a flaw in your acl. You have this
40 deny ip any 172.0.0.0 0.15.255.255
which should be
40 deny ip any 172.16.0.0 0.15.255.255
Make the correction and let us know if the behavior changes. If there is still a problem then we will need more information about the switches where it does not work.
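As an added example (not part of the thread, and not Cisco code), a small Python evaluator that applies Cisco wildcard-mask semantics to the ACL as posted and as corrected, so the effect of line 40 can be checked offline; only destination address, protocol and destination port are modelled, and the sample packets are constructed.

```python
import ipaddress

# Added example: evaluate the thread's ACL with Cisco wildcard semantics to show why
# "172.0.0.0 0.15.255.255" covers 172.0.0.0-172.15.255.255, not 172.16.0.0/12.
BOOTPS, BOOTPC, DNS = 67, 68, 53   # port numbers behind the IOS keywords

def _u32(ip):
    return int(ipaddress.IPv4Address(ip))

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care' for that bit."""
    care = ~_u32(wildcard) & 0xFFFFFFFF
    return (_u32(addr) & care) == (_u32(base) & care)

def wildcard_range(base, wildcard):
    """First and last address covered by base/wildcard (assumes a contiguous wildcard)."""
    first = _u32(base) & ~_u32(wildcard) & 0xFFFFFFFF
    last = first | _u32(wildcard)
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))

# Entries: (seq, action, protocol, dst_base, dst_wildcard, dst_port or None).
# "host X" is X with wildcard 0.0.0.0; "any" is 0.0.0.0 with wildcard 255.255.255.255.
FLAWED_ACL = [
    (10, "permit", "udp", "192.168.4.115", "0.0.0.0", BOOTPS),
    (20, "permit", "udp", "192.168.4.115", "0.0.0.0", BOOTPC),
    (30, "deny", "ip", "10.0.0.0", "0.255.255.255", None),
    (40, "deny", "ip", "172.0.0.0", "0.15.255.255", None),      # as posted: wrong base
    (50, "deny", "ip", "192.168.0.0", "0.0.255.255", None),
    (60, "permit", "ip", "0.0.0.0", "255.255.255.255", None),
]
# The correction from the thread: only line 40 changes.
FIXED_ACL = [(40, "deny", "ip", "172.16.0.0", "0.15.255.255", None) if e[0] == 40 else e
             for e in FLAWED_ACL]

def evaluate(acl, proto, dst_ip, dst_port=None):
    """First-match evaluation; returns (matching seq, action). No match = implicit deny."""
    for seq, action, aproto, base, wild, port in acl:
        if aproto != "ip" and aproto != proto:
            continue
        if not wildcard_match(dst_ip, base, wild):
            continue
        if port is not None and port != dst_port:
            continue
        return seq, action
    return None, "deny"

if __name__ == "__main__":
    print("posted line 40 covers", wildcard_range("172.0.0.0", "0.15.255.255"))
    print("fixed  line 40 covers", wildcard_range("172.16.0.0", "0.15.255.255"))
    print("172.20.1.1 flawed:", evaluate(FLAWED_ACL, "tcp", "172.20.1.1", 443),
          "fixed:", evaluate(FIXED_ACL, "tcp", "172.20.1.1", 443))
```

The same evaluator shows why internal DNS on a 192.168.x.x address is denied by line 50 while an external resolver falls through to line 60.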
06-27-2024 01:34 AM
Thanks Richard, that is a great catch, I wonder how I did not see that! I will give it a try and let you know.
06-28-2024 06:51 AM
You are welcome. It is an easy mistake to make.
Thanks for letting us know that you have solved the issue and that it was not a problem with the acl.
06-27-2024 02:22 AM
So it's working now, not thanks to the correction, but because I forgot to set external DNS in the DHCP scope options; we were still using internal DNS, so that was blocked of course!
Anyway, it's good to have corrected the 172.16.0.0/12 subnet!
06-27-2024 01:34 AM
Thanks MHM, why do you want to remove lines 10 & 20, as we need to have access to the 192.168.4.115 DHCP server as an exception?
06-27-2024 03:40 AM
I use both ACL entries in one line and I specify ANY in case the DHCP server is different from host 192.168.4.115,
and use deny ip any any log to see why the ACL drops it.
I was thinking that you use external DNS (8.8.8.8 or 8.8.4.4 or ISP DNS), not internal.
Anyway, glad the issue is solved.
Have a nice day.
MHM