Correct rule to allow DHCP in ACL for a VLAN

Ilya_Semenov
Contributor
Hello, everybody!

I need to allow DHCP traffic for a certain VLAN in ACL. Is my rule correct?

entry DHCP {
    if {
        protocol udp ;
        destination-port 67,68 ;
    } then {
        permit ;
    }
}

Should it be applied to VLAN as "ingress"?

Could you please, check it? Thank you!!!

Henrique
Extreme Employee
You should use the match-condition "source-address 0.0.0.0/0;"

Quick question: Do you have a deny-all rule or some other deny rule?

An EXOS ACL (unless it is used as an access-profile to control management access, applied directly to SSH, Telnet, SNMP, etc., or used for routing policies) does not have an implicit deny-all rule.

That means if you just apply those DHCP/IP rules to a VLAN or port without any deny rule, they would not take effect for permitted traffic, because it is permit by default (inside a rule and inside the policy file). It would only help to count packets, if you add a "count" option to the rule.

In our two-tier MLAG design, with VRRP enabled and VLAN ACLs, we also have to allow the VRRP multicast traffic to 224.0.0.18/32, or to all of 224.0.0.0/24.

The only deny rule I have is at the end of every ACL. Is it similar to deny all?

entry perm_blocked_in {
    if {
        source-address 0.0.0.0/0 ;
    } then {
        deny ;
    }
}

Thank you.

Ilya,

if you add a deny all rule you should make sure to deny only IP traffic. If you deny every frame not previously permitted, you might accidentally stop e.g. layer 2 redundancy mechanisms from working correctly (STP, EAPS, ...).

Erik
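Putting the advice from the replies above together, here is a complete EXOS policy file as an added example; it is not from any post in this thread. It permits DHCP in both directions (client requests to UDP 67, server replies to UDP 68) as two separate entries, permits the VRRP multicast address mentioned above, and closes with a deny that, because it matches on "source-address 0.0.0.0/0", only drops IPv4 packets and leaves non-IP frames such as STP or EAPS untouched. The entry and counter names are assumptions chosen for this example, and the counters are there because, as noted above, a permit without a final deny only matters for counting.

```text
# dhcp_vlan.pol -- added example policy, not from the original thread.
# EXOS ACLs have no implicit deny, so every entry except the last is
# a permit and the last entry is an explicit, IPv4-only deny.

# DHCP client -> server (DISCOVER/REQUEST, typically 0.0.0.0 -> 255.255.255.255)
entry permit_dhcp_to_server {
    if {
        protocol udp ;
        destination-port 67 ;
    } then {
        permit ;
        count dhcp_to_server ;    # counter name is an assumption
    }
}

# DHCP server -> client (OFFER/ACK to UDP 68)
entry permit_dhcp_to_client {
    if {
        protocol udp ;
        destination-port 68 ;
    } then {
        permit ;
        count dhcp_to_client ;
    }
}

# VRRP advertisements (needed in the MLAG/VRRP design described above)
entry permit_vrrp {
    if {
        destination-address 224.0.0.18/32 ;
    } then {
        permit ;
    }
}

# Final deny. Matching on source-address 0.0.0.0/0 only matches IPv4
# packets, so layer 2 protocols (STP, EAPS, ...) are not affected.
# An entry with an empty "if { }" would match every frame instead.
entry deny_other_ipv4 {
    if {
        source-address 0.0.0.0/0 ;
    } then {
        deny ;
        count denied_ipv4 ;
    }
}
```

Apply it to the VLAN on ingress, as asked in the original question, with "configure access-list dhcp_vlan vlan <vlan_name> ingress", and check that the counters move with "show access-list counter vlan <vlan_name> ingress" while a client renews its lease; if dhcp_to_server increments but dhcp_to_client does not, the server replies are arriving on a different VLAN or port and the policy needs to be applied there as well.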