Allow DHCP and DNS through ACL for vLans

  • Question
  • Updated 3 years ago
  • Answered
I have 4 VLANs:
Uplink, Mobile, Portal, NAT

The NAT VLAN is the location of my DHCP and DNS server.

I want to create ACL policies that keep VLANs Mobile, Portal, and NAT from talking to each other, but if I do, it breaks Portal and Mobile clients from getting DHCP.

Can I create ACL policies to block all traffic except DHCP and DNS from Portal and Mobile to the NAT VLAN?

Side note: all need to be allowed through Uplink.

Thanks
Trent Deloach

Posted 3 years ago
Matthew Helm, Employee
Please send a "show VLAN". Thanks.
Trent Deloach
Name            VID  Protocol Addr       Flags                         Proto  Ports  Virtual
                                                                             Active router
                                                                             /Total
-----------------------------------------------------------------------------------------------
Nat             1    10.80.100.3    /22  -f----------T---------------- ANY    17/33  VR-Default
DIS-Uplink      201  192.168.100.1  /30  -f--------------------------- ANY    1 /1   VR-Default
JCSD-Mobile     20   10.20.100.3    /22  -f--------------------------- ANY    8 /8   VR-Default
Mgmt            4095 ------------------------------------------------- ANY    0 /1   VR-Mgmt
User-Portal     25   10.25.100.3    /22  -f--------------------------- ANY    8 /8   VR-Default
-----------------------------------------------------------------------------------------------
Matthew Helm, Employee
So, I got pulled into something else and haven't had a chance to test this, but you could try this configuration below. I think the permit to dhcp ACL applied to the Mobile and Portal VLANs ingress should not be necessary (as it would be a broadcast destined to the gateway which would then, assuming you have bootprelay configured -- you do need to do that -- be directed by the switch to the dhcp server in the Nat VLAN) but it is not going to hurt. Again, I haven't tested this, so test it before deploying it in production please.

create access-list denytoNat "destination-address 10.80.100.0/22" "deny"
create access-list denytoMobile "destination-address 10.20.100.0/22" "deny"
create access-list denytoPortal "destination-address 10.25.100.0/22" "deny"
create access-list permtodns "destination-address 10.80.100.0/22; protocol udp; destination-port 53" "permit"
create access-list permtodhcp "destination-address 10.80.100.0/22; protocol udp; destination-port 67" "permit"
create access-list permfromdns "protocol udp; source-port 53" "permit"
create access-list permfromdhcp "protocol udp; source-port 67" "permit"

config access-list add denytoMobile last vlan Nat ingress
config access-list add denytoPortal last vlan Nat ingress
config access-list add permfromdns first vlan Nat ingress
config access-list add permfromdhcp first vlan Nat ingress

config access-list add denytoNat last vlan JCSD-Mobile ingress
config access-list add denytoPortal last vlan JCSD-Mobile ingress
config access-list add permtodns first vlan JCSD-Mobile ingress 
config access-list add permtodhcp first vlan JCSD-Mobile ingress 

config access-list add denytoNat last vlan User-Portal ingress
config access-list add denytoMobile last vlan User-Portal ingress
config access-list add permtodns first vlan User-Portal ingress 
config access-list add permtodhcp first vlan User-Portal ingress
Trent Deloach
Ok, I tried it and it all worked like it should!! Awesome. Now, what if I had a printer on the JCSD-Mobile vLan that I needed the Nat vLan to be able to print to? The IP address of said printer is 10.20.100.181/22. I am also going to have a vLan for our new camera system that I don't want to have access to the internet. It will be called Cameras and will have an IP range of 10.30.100.0/22. I think I can figure out how to add it from above, but I don't want it to be able to go out the uplink vLan. This is what I have now....

create access-list denytoNat "destination-address 10.80.100.0/22" "deny"
create access-list denytoMobile "destination-address 10.20.100.0/22" "deny"
create access-list denytoPortal "destination-address 10.25.100.0/22" "deny"
create access-list denytoCameras "destination-address 10.30.100.0/22" "deny"
create access-list permtodns "destination-address 10.80.100.0/22; protocol udp; destination-port 53" "permit"
create access-list permtodhcp "destination-address 10.80.100.0/22; protocol udp; destination-port 67" "permit"
create access-list permfromdns "protocol udp; source-port 53" "permit"
create access-list permfromdhcp "protocol udp; source-port 67" "permit"

Nat vLan
config access-list add denytoMobile last vlan Nat ingress
config access-list add denytoPortal last vlan Nat ingress
config access-list add denytoCameras last vlan Nat ingress
config access-list add permfromdns first vlan Nat ingress
config access-list add permfromdhcp first vlan Nat ingress

JCSD-Mobile vLan
config access-list add denytoNat last vlan JCSD-Mobile ingress
config access-list add denytoPortal last vlan JCSD-Mobile ingress
config access-list add denytoCameras last vlan JCSD-Mobile ingress
config access-list add permtodns first vlan JCSD-Mobile ingress
config access-list add permtodhcp first vlan JCSD-Mobile ingress

User-Portal vLan
config access-list add denytoNat last vlan User-Portal ingress
config access-list add denytoMobile last vlan User-Portal ingress
config access-list add denytoCameras last vlan User-Portal ingress
config access-list add permtodns first vlan User-Portal ingress
config access-list add permtodhcp first vlan User-Portal ingress

Cameras vLan
config access-list add denytoNat last vlan Cameras ingress
config access-list add denytoMobile last vlan Cameras ingress
config access-list add denytoPortal last vlan Cameras ingress
config access-list add permtodns first vlan Cameras ingress
config access-list add permtodhcp first vlan Cameras ingress

Matthew Helm, Employee
Obviously, you may want to refine the permfrom/toprinter ACL lines to include protocol and source/destination port-number for the printer protocol.
Trent Deloach
Would this keep the camera VLAN from talking with all other VLANs? I would want them on their own completely.

create access-list inCameras "source-address 10.30.100.0/22; destination-address 10.30.100.0/22" "permit"
create access-list dall " " "deny"

config access-list add inCameras first vlan Cameras ingress
config access-list add permtodns last vlan Cameras ingress
config access-list add dall last vlan Cameras ingress
Matthew Helm, Employee
That was the intention. But I should have added a line allowing ARPs and Broadcasts.

create access-list pbcast "ethernet-destination-address ff:ff:ff:ff:ff:ff" "permit"
create access-list parp "ethernet-type 0x0806" "permit"

config access-list add pbcast first vlan Cameras ingress
config access-list add parp first vlan Cameras ingress

Sorry about that. Again, you want to test all of this in a lab or on a lab switch.
Trent Deloach
This has all worked great. I can't test the cameras as I don't have the system installed yet, but I have stored all this information. Thanks to you I now have my network segregated like it is supposed to be. I am going to throw one more at you. What if you wanted to deny traffic to and from a public IP like, say, Google's 8.8.8.8... I'm just using that as an example, but what if you did?
Matthew Helm, Employee
You would simply create a deny line for that particular address and then apply it to the VLANs which have internet access, for example:

create access-list deny8888 "destination-address 8.8.8.8/32" "deny"

config access-list add deny8888 first vlan {VLAN} ingress
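The rule sets in this thread can be checked offline before they go near a switch. What follows is an added example, not code from the thread, from Extreme or from either poster: a small Python evaluator that parses the create access-list condition strings exactly as posted, applies the first/last ordering of the configure access-list add bindings per VLAN, and returns the first matching entry (EXOS permits a packet that matches no entry). It covers the DHCP/DNS policy from the first answer, the Cameras isolation with the pbcast and parp permits, and the deny8888 entry. Assumptions not taken from the thread: the DHCP/DNS server is 10.80.100.10, the client and camera addresses are made up, deny8888 is bound to JCSD-Mobile, User-Portal is left out because it mirrors JCSD-Mobile, and the permfromdns_tight entry is this example's own addition.

```python
"""Evaluator for the EXOS-style dynamic ACLs posted in this thread (added example, not Extreme code)."""
import ipaddress
from dataclasses import dataclass

SERVER = "10.80.100.10"  # assumed DHCP/DNS host in the Nat VLAN; the thread gives no address


@dataclass
class Packet:  # only the fields the thread's conditions look at; every sample below is constructed
    src: str = "0.0.0.0"
    dst: str = "0.0.0.0"
    proto: str = "udp"
    sport: int = 0
    dport: int = 0
    eth_dst: str = "00:00:5e:00:53:01"  # unicast unless stated
    eth_type: int = 0x0800              # IPv4 unless stated (0x0806 = ARP)


# create access-list <name> "<conditions>" "<action>", as posted. permfromdns_tight is this
# example's own addition: only the server itself may use the DNS "reply" permit.
ENTRIES = {
    "denytoNat": ("destination-address 10.80.100.0/22", "deny"),
    "denytoMobile": ("destination-address 10.20.100.0/22", "deny"),
    "denytoPortal": ("destination-address 10.25.100.0/22", "deny"),
    "denytoCameras": ("destination-address 10.30.100.0/22", "deny"),
    "permtodns": ("destination-address 10.80.100.0/22; protocol udp; destination-port 53", "permit"),
    "permtodhcp": ("destination-address 10.80.100.0/22; protocol udp; destination-port 67", "permit"),
    "permfromdns": ("protocol udp; source-port 53", "permit"),
    "permfromdhcp": ("protocol udp; source-port 67", "permit"),
    "inCameras": ("source-address 10.30.100.0/22; destination-address 10.30.100.0/22", "permit"),
    "dall": (" ", "deny"),
    "pbcast": ("ethernet-destination-address ff:ff:ff:ff:ff:ff", "permit"),
    "parp": ("ethernet-type 0x0806", "permit"),
    "deny8888": ("destination-address 8.8.8.8/32", "deny"),
    "permfromdns_tight": (f"source-address {SERVER}/32; protocol udp; source-port 53", "permit"),
}

# configure access-list add <name> first|last vlan <vlan> ingress, in the order posted
# (User-Portal mirrors JCSD-Mobile and is left out; deny8888 on JCSD-Mobile is an assumption).
BINDINGS = [
    ("Nat", "denytoMobile", "last"), ("Nat", "denytoPortal", "last"), ("Nat", "denytoCameras", "last"),
    ("Nat", "permfromdns", "first"), ("Nat", "permfromdhcp", "first"),
    ("JCSD-Mobile", "denytoNat", "last"), ("JCSD-Mobile", "denytoPortal", "last"),
    ("JCSD-Mobile", "denytoCameras", "last"), ("JCSD-Mobile", "permtodns", "first"),
    ("JCSD-Mobile", "permtodhcp", "first"), ("JCSD-Mobile", "deny8888", "first"),
    ("Cameras", "inCameras", "first"), ("Cameras", "permtodns", "last"), ("Cameras", "dall", "last"),
    ("Cameras", "pbcast", "first"), ("Cameras", "parp", "first"),
]

IP_KEYS = {"source-address", "destination-address", "protocol", "source-port", "destination-port"}
CHECKS = {
    "source-address": lambda p, v: ipaddress.ip_address(p.src) in ipaddress.ip_network(v),
    "destination-address": lambda p, v: ipaddress.ip_address(p.dst) in ipaddress.ip_network(v),
    "protocol": lambda p, v: p.proto == v,
    "source-port": lambda p, v: p.sport == int(v),
    "destination-port": lambda p, v: p.dport == int(v),
    "ethernet-destination-address": lambda p, v: p.eth_dst.lower() == v.lower(),
    "ethernet-type": lambda p, v: p.eth_type == int(v, 16),
}


def parse_conditions(text):
    """'destination-address 10.80.100.0/22; protocol udp; destination-port 53' -> dict.
    The blank condition of dall yields {} and therefore matches every frame, ARP included."""
    conds = {}
    for clause in text.split(";"):
        if clause.strip():
            key, value = clause.strip().split(None, 1)
            conds[key] = value.strip()
    return conds


def matches(conds, pkt):
    """Every clause must hold; an IP-layer clause can never match a non-IP frame such as ARP."""
    return all((key not in IP_KEYS or pkt.eth_type == 0x0800) and CHECKS[key](pkt, value)
               for key, value in conds.items())


def build_policy(bindings=BINDINGS, tight=False):
    """Per-VLAN rule lists in evaluation order: 'first' goes ahead of what is already bound,
    'last' is appended. tight=True swaps in the source-address-checked DNS reply permit."""
    policy = {}
    for vlan, name, position in bindings:
        if tight and name == "permfromdns":
            name = "permfromdns_tight"
        rule = (name, parse_conditions(ENTRIES[name][0]), ENTRIES[name][1])
        rules = policy.setdefault(vlan, [])
        if position == "first":
            rules.insert(0, rule)
        else:
            rules.append(rule)
    return policy


def verdict(policy, vlan, pkt):
    """First match wins; EXOS permits a packet that matches no entry bound to the VLAN."""
    for name, conds, action in policy.get(vlan, []):
        if matches(conds, pkt):
            return action, name
    return "permit", "implicit"


if __name__ == "__main__":
    # A Nat host that merely picks UDP source port 53 rides the posted permfromdns into the
    # Mobile VLAN; with the tightened entry it falls through to denytoMobile instead.
    spoof = Packet(src="10.80.100.99", dst="10.20.100.50", sport=53, dport=22)
    print(verdict(build_policy(), "Nat", spoof), verdict(build_policy(tight=True), "Nat", spoof))
```

Running it surfaces two things the thread does not spell out. The posted permfromdns and permfromdhcp match on source port alone, so any host in the Nat VLAN that sends UDP from port 53 or 67 gets past denytoMobile and denytoPortal; pinning those entries to the server's own address (the permfromdns_tight variant here, and the same change for DHCP) closes that while still passing real replies. And in the Cameras VLAN only permtodns is bound alongside dall, so a camera's unicast DHCP renewal to the server is dropped by dall; the initial broadcast discover still passes via pbcast, and a client that cannot renew by unicast falls back to broadcasting at rebinding time, but bind permtodhcp there too if renewals should work cleanly.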