
Allow DHCP and DNS through ACL for vLans

New Contributor
I have 4 vlans:
Uplink, Mobile, Portal, NAT

The Nat vlan is the location of my DHCP and DNS server.

I want to create ACL policies that keep vlans Mobile, Portal, and Nat from talking to each other, but if I do, it breaks Portal and Mobile clients from getting DHCP.

Can I create ACL policies to block all traffic but DHCP and DNS from Portal and Mobile to the NAT vlan?

Sidenote, all need to be allowed through uplink.


New Contributor
OK, I tried it and it all worked like it should!! Awesome. Now what if I had a printer on the JCSD-Mobile vLan that I needed the Nat vLan to be able to print to? The IP address of said printer is I am also going to have a vLan for our new camera system that I don't want to have access to the internet. It will be called Cameras and will have an IP range of I think I can figure out how to add it from above, but I don't want it to be able to go out the uplink vLan. This is what I have now...

create access-list denytoNat "destination-address" "deny"
create access-list denytoMobile "destination-address" "deny"
create access-list denytoPortal "destination-address" "deny"
create access-list denytoCameras "destination-address" "deny"

create access-list permtodns "destination-address; protocol udp; destination-port 53" "permit"
create access-list permtodhcp "destination-address; protocol udp; destination-port 67" "permit"
create access-list permfromdns "protocol udp; source-port 53" "permit"
create access-list permfromdhcp "protocol udp; source-port 67" "permit"

Nat vLan

config access-list add denytoMobile last vlan Nat ingress
config access-list add denytoPortal last vlan Nat ingress
config access-list add denytoCameras last vlan Nat ingress
config access-list add permfromdns first vlan Nat ingress
config access-list add permfromdhcp first vlan Nat ingress

JCSD-Mobile vLan

config access-list add denytoNat last vlan JCSD-Mobile ingress
config access-list add denytoPortal last vlan JCSD-Mobile ingress
config access-list add denytoCameras last vlan JCSD-Mobile ingress
config access-list add permtodns first vlan JCSD-Mobile ingress
config access-list add permtodhcp first vlan JCSD-Mobile ingress

User-Portal vLan

config access-list add denytoNat last vlan User-Portal ingress
config access-list add denytoMobile last vlan User-Portal ingress
config access-list add denytoCameras last vlan User-Portal ingress
config access-list add permtodns first vlan User-Portal ingress
config access-list add permtodhcp first vlan User-Portal ingress

Cameras vLan

config access-list add denytoNat last vlan Cameras ingress
config access-list add denytoMobile last vlan Cameras ingress
config access-list add denytoPortal last vlan Cameras ingress
config access-list add permtodns first vlan Cameras ingress
config access-list add permtodhcp first vlan Cameras ingress

You would simply create a deny line for that particular address and then apply it to the VLANs which have internet access, for example:

create access-list deny8888 "destination-address" "deny"

config access-list add deny8888 first vlan {VLAN} ingress

This has all worked great. I can't test the cameras as I don't have the system installed yet, but I have stored all this information. Thanks to you I now have my network segregated like it is supposed to be. I am going to throw one more at you. What if you wanted to deny traffic to and from a public IP, like, say, Google's? I'm just using that as an example, but what if you did?

That was the intention. But I should have added a line allowing ARPs and broadcasts.

create access-list pbcast "ethernet-destination-address ff:ff:ff:ff:ff:ff" "permit"
create access-list parp "ethernet-type 0x0806" "permit"

config access-list add pbcast first vlan Cameras ingress
config access-list add parp first vlan Cameras ingress

Sorry about that. Again, you want to test all of this in a lab or on a lab switch.
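As an added illustration, not taken from this thread or from the switch vendor's code, the following Python script models the ingress list the thread builds for the JCSD-Mobile vLan as a first-match evaluation: the "first" entries (ARP, broadcast, DNS and DHCP permits) sit ahead of the "last" deny entries, and anything that matches no entry is forwarded. The subnets and the DNS/DHCP server address are constructed placeholders, since the thread leaves the real addresses out.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed placeholder addressing; the thread elides the real subnets.
NAT_NET = ip_network("10.0.4.0/24")          # Nat vLan, home of the DHCP/DNS server
PORTAL_NET = ip_network("10.0.3.0/24")       # User-Portal vLan
SERVER = ip_network("10.0.4.10/32")          # placeholder DNS/DHCP server in Nat

@dataclass
class Packet:
    eth_type: int = 0x0800                   # 0x0800 = IPv4, 0x0806 = ARP
    eth_dst: str = "00:11:22:33:44:55"       # unicast unless set to broadcast
    dst: Optional[str] = None                # IPv4 destination (None for ARP)
    proto: Optional[str] = None              # "udp" / "tcp"
    dport: Optional[int] = None

@dataclass
class Rule:
    name: str
    action: str                              # "permit" or "deny"
    dst_net: Optional[object] = None         # matches the thread's destination-address
    proto: Optional[str] = None
    dport: Optional[int] = None
    eth_type: Optional[int] = None
    eth_dst: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        # Every field the rule specifies must match; unspecified fields are wildcards.
        return all([
            self.eth_type is None or p.eth_type == self.eth_type,
            self.eth_dst is None or p.eth_dst == self.eth_dst,
            self.dst_net is None or (p.dst is not None and ip_address(p.dst) in self.dst_net),
            self.proto is None or p.proto == self.proto,
            self.dport is None or p.dport == self.dport,
        ])

# JCSD-Mobile ingress in the order the thread's "first" / "last" placement produces.
MOBILE_INGRESS = [
    Rule("parp", "permit", eth_type=0x0806),
    Rule("pbcast", "permit", eth_dst="ff:ff:ff:ff:ff:ff"),
    Rule("permtodns", "permit", dst_net=SERVER, proto="udp", dport=53),
    Rule("permtodhcp", "permit", dst_net=SERVER, proto="udp", dport=67),
    Rule("denytoNat", "deny", dst_net=NAT_NET),
    Rule("denytoPortal", "deny", dst_net=PORTAL_NET),
]

def evaluate(rules, p: Packet):
    """First matching entry wins; traffic matching nothing is forwarded (uplink stays open)."""
    for r in rules:
        if r.matches(p):
            return r.action, r.name
    return "permit", "implicit"
```

Running `evaluate` over a DHCP discover, a DNS query, a web request into the Nat subnet, an ARP frame and an internet-bound flow shows which entry each packet hits, which is the quickest way to check an ordering before committing it on a lab switch.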