Hi there,
I'm attempting to set up ACLs on my VLANs to block access to all other VLANs but allow traffic to the servers and the internet. As soon as I apply the ACL to the SVI it stops new connections i.e. they can't get an IP address from the DHCP s...
Worth noting is this article I found which outlines VACLs including allowing DNS and DHCP traffic. I found it invaluable for the task.
http://www.firewall.cx/cisco-technical-knowledgebase/cisco-switches/818-cisco-switches-vlan-security.html
Hi Philip,
I'm pleased to report the two lines I added have done the trick without opening any other ports.
Thank you for your assistance and for stimulating me to look deeper.
Regards
David
After more research I'm thinking I should add the following:
permit udp any any eq 67
permit udp any any eq 68
This should allow all DHCP (UDP ports 67 [bootps] for server and 68 [bootpc] for client) but still keep the ACLs nice and tight security wis...
Thanks Philip,
I'm configuring the ACLs on a 3850 stack and a 3750 stack. I'm guessing you're talking about the dhcprelay commands (not familiar with the use of these as yet).
By adding the rule I'm assuming I tack it on the end of the ACL?
Cheers
Dav...
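The pattern this thread is working toward (DHCP and DNS allowed, the server VLAN allowed, other user VLANs blocked, everything else treated as internet-bound), as an added illustration that is not config from the thread or from the linked article; the VLAN number, addresses, helper address and ACL name are hypothetical. The order matters because an IOS ACL is matched top-down and the first matching entry wins, so the DHCP permit has to sit above any deny that would otherwise catch it, and an entry appended after a broad deny is never reached.

```cisco
! Hypothetical addressing:
!   10.10.0.0/16   all internal VLANs on the stack
!   10.10.20.0/24  this user VLAN (SVI Vlan20)
!   10.10.1.0/24   server VLAN
!   10.10.2.53     internal DNS resolver (in a VLAN that is otherwise blocked)
!   10.10.1.10     DHCP server reached via ip helper-address
ip access-list extended VLAN20-IN
 remark DHCP first: DISCOVER/REQUEST arrive inbound on the SVI before any deny can match them
 permit udp any any eq 67
 remark port 68 is the server-to-client reply direction; harmless here, only needed where the ACL also sees replies
 permit udp any any eq 68
 remark DNS to the internal resolver only (UDP and TCP 53)
 permit udp 10.10.20.0 0.0.0.255 host 10.10.2.53 eq 53
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.2.53 eq 53
 remark the server VLAN stays reachable
 permit ip 10.10.20.0 0.0.0.255 10.10.1.0 0.0.0.255
 remark every other internal VLAN is blocked; log hits so lateral-movement attempts show up in syslog
 deny   ip 10.10.20.0 0.0.0.255 10.10.0.0 0.0.255.255 log
 remark whatever is left is internet-bound
 permit ip 10.10.20.0 0.0.0.255 any
 remark implicit "deny ip any any" ends the list
!
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
 ip helper-address 10.10.1.10
 ip access-group VLAN20-IN in
```

Check the result with `show ip access-lists VLAN20-IN`: the match counters on the DHCP entry should climb when a client boots, and the counter on the logging deny shows whether any cross-VLAN traffic is being attempted.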