Allow DHCP and DNS through ACL for vLans


I have 4 vlans:
Uplink, Mobile, Portal, NAT

The Nat is the location of my DHCP and DNS server.

I want to create ACL Policies that keep vlans Mobile, Portal, and Nat from talking to each other, but if I do, it breaks Portal and Mobile clients from getting DHCP.

Can I create ACL policies to block all traffic but DHCP and DNS from Portal and Mobile from the NAT vlan?

Sidenote, all need to be allowed through uplink.

Thanks

10 replies

Userlevel 4
Please send a "show VLAN". Thanks.
Total
-----------------------------------------------------------------------------------------------
Nat 1 10.80.100.3 /22 -f----------T---------------- ANY 17/33 VR-Default
DIS-Uplink 201 192.168.100.1 /30 -f--------------------------- ANY 1 /1 VR-Default
JCSD-Mobile 20 10.20.100.3 /22 -f--------------------------- ANY 8 /8 VR-Default
Mgmt 4095 ------------------------------------------------- ANY 0 /1 VR-Mgmt
User-Portal 25 10.25.100.3 /22 -f--------------------------- ANY 8 /8 VR-Default
-----------------------------------------------------------------------------------------------
Userlevel 4
So, I got pulled into something else and haven't had a chance to test this, but you could try this configuration below. I think the permit to dhcp ACL applied to the Mobile and Portal VLANs ingress should not be necessary (as it would be a broadcast destined to the gateway which would then, assuming you have bootprelay configured -- you do need to do that -- be directed by the switch to the dhcp server in the Nat VLAN) but it is not going to hurt. Again, I haven't tested this, so test it before deploying it in production please.

create access-list denytoNat "destination-address 10.80.100.0/22" "deny"
create access-list denytoMobile "destination-address 10.20.100.0/22" "deny"
create access-list denytoPortal "destination-address 10.25.100.0/22" "deny"
create access-list permtodns "destination-address 10.80.100.0/22; protocol udp; destination-port 53" "permit"
create access-list permtodhcp "destination-address 10.80.100.0/22; protocol udp; destination-port 67" "permit"
create access-list permfromdns "protocol udp; source-port 53" "permit"
create access-list permfromdhcp "protocol udp; source-port 67" "permit"

config access-list add denytoMobile last vlan Nat ingress
config access-list add denytoPortal last vlan Nat ingress
config access-list add permfromdns first vlan Nat ingress
config access-list add permfromdhcp first vlan Nat ingress

config access-list add denytoNat last vlan JCSD-Mobile ingress
config access-list add denytoPortal last vlan JCSD-Mobile ingress
config access-list add permtodns first vlan JCSD-Mobile ingress
config access-list add permtodhcp first vlan JCSD-Mobile ingress

config access-list add denytoNat last vlan User-Portal ingress
config access-list add denytoMobile last vlan User-Portal ingress
config access-list add permtodns first vlan User-Portal ingress
config access-list add permtodhcp first vlan User-Portal ingress
All this to be entered in a PuTTY session?
Ok, thanks. I will give this a try as soon as I can do it without taking down my entire network. My only way to test is to do it live.
Ok, I tried it and it all worked like it should!! Awesome. Now what if I had a printer on the JCSD-Mobile vLan that I needed the Nat vLan to be able to print to? The IP address of said printer is 10.20.100.181/22. I am also going to have a vLan for our new camera system that I don't want to have access to the internet. It will be called Cameras and will have an IP range of 10.30.100.0/22. I think I can figure out how to add it from above, but I don't want it to be able to go out the Uplink vLan. This is what I have now....

create access-list denytoNat "destination-address 10.80.100.0/22" "deny"

create access-list denytoMobile "destination-address 10.20.100.0/22" "deny"
create access-list denytoPortal "destination-address 10.25.100.0/22" "deny"

create access-list denytoCameras "destination-address 10.30.100.0/22" "deny"


create access-list permtodns "destination-address 10.80.100.0/22; protocol udp; destination-port 53" "permit"
create access-list permtodhcp "destination-address 10.80.100.0/22; protocol udp; destination-port 67" "permit"
create access-list permfromdns "protocol udp; source-port 53" "permit"
create access-list permfromdhcp "protocol udp; source-port 67" "permit"



Nat vLan
config access-list add denytoMobile last vlan Nat ingress
config access-list add denytoPortal last vlan Nat ingress

config access-list add denytoCameras last vlan Nat ingress
config access-list add permfromdns first vlan Nat ingress
config access-list add permfromdhcp first vlan Nat ingress

JCSD-Mobile vLan

config access-list add denytoNat last vlan JCSD-Mobile ingress
config access-list add denytoPortal last vlan JCSD-Mobile ingress

config access-list add denytoCameras last vlan JCSD-Mobile ingress
config access-list add permtodns first vlan JCSD-Mobile ingress
config access-list add permtodhcp first vlan JCSD-Mobile ingress

User-Portal vLan

config access-list add denytoNat last vlan User-Portal ingress
config access-list add denytoMobile last vlan User-Portal ingress

config access-list add denytoCameras last vlan User-Portal ingress
config access-list add permtodns first vlan User-Portal ingress
config access-list add permtodhcp first vlan User-Portal ingress



Cameras vLan

config access-list add denytoNat last vlan Cameras ingress
config access-list add denytoMobile last vlan Cameras ingress

config access-list add denytoPortal last vlan Cameras ingress
config access-list add permtodns first vlan Cameras ingress
config access-list add permtodhcp first vlan Cameras ingress

Userlevel 4
This configuration still allows devices in Cameras to DIS-Uplink, which I can only assume is the means to the internet. If I understand you correctly you want devices in Cameras to only be able to reach themselves, DNS, and DHCP. For this I would do something like:

create access-list inCameras "source-address 10.30.100.0/22; destination-address 10.30.100.0/22" "permit"

create access-list dall " " "deny"

config access-list add inCameras first vlan Cameras ingress
config access-list add permtodns last vlan Cameras ingress
config access-list add dall last vlan Cameras ingress

Notice I did not use permtodhcp. I did some testing, and with DHCP relay properly configured, you should not have to use permtodhcp at all on any VLAN. (You still need permfromdhcp.)

Now with respect to the printer, I forget my printer protocols, but you should be able to get by with this broader permit:

create access-list permtoprinter "destination-address 10.20.100.181/32" "permit"

Then add the permtoprinter access-list first to all VLANs ingress.

Then:

create access-list permfromprinter "source-address 10.20.100.181/32" "permit"

config access-list add permfromprinter first vlan JCSD-Mobile ingress
Userlevel 4
Obviously, you may want to refine the permfrom/toprinter ACL lines to include protocol and source/destination port-number for the printer protocol.
Would this (

create access-list inCameras "source-address 10.30.100.0/22; destination-address 10.30.100.0/22" "permit"

create access-list dall " " "deny"

config access-list add inCameras first vlan Cameras ingress
config access-list add permtodns last vlan Cameras ingress
config access-list add dall last vlan Cameras ingress

) keep the camera vlan from talking with all other vlans? I would want them on their own completely.
Userlevel 4
That was the intention. But I should have added a line allowing ARPs and Broadcasts.

create access-list pbcast "ethernet-destination-address ff:ff:ff:ff:ff:ff" "permit"
create access-list parp "ethernet-type 0x0806" "permit"

config access-list add pbcast first vlan Cameras ingress
config access-list add parp first vlan Cameras ingress

Sorry about that. Again, you want to test all of this in a lab or on a lab switch.
This has all worked great. I can't test the cameras as I don't have the system installed yet, but I have stored all this information. Thanks to you I now have my network segregated like it is supposed to be. I am going to throw one more at you. What if you wanted to deny traffic to and from a public IP like, say, Google's 8.8.8.8... I'm just using that as an example, but what if you did?
Userlevel 4
You would simply create a deny line for that particular address and then apply it to the VLANs which have internet access, for example:

create access-list deny8888 "destination-address 8.8.8.8/32" "deny"

config access-list add deny8888 first vlan {VLAN} ingress
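As an added, constructed example (not from this thread and not Extreme Networks code): a small Python model that replays the create/config lines built up over the thread and evaluates constructed packets against each VLAN's ingress chain. It assumes the switch checks entries in list order with the first match deciding, that "first" inserts at the head of the chain and "last" appends, and that a packet matching no entry is forwarded (implicit permit); the User-Portal VLAN and denytoPortal/denytoCameras are left out to keep the block short, and the THREAD_CONFIG text is my transcription of the commands above. Two things it makes visible that the prose only states: a broadcast DHCP discover on JCSD-Mobile is not what permtodhcp matches (its destination is 255.255.255.255, not 10.80.100.0/22), which is why relay rather than that ACL is what gets the request to the server; and under the isolated Cameras chain, ARP, broadcast and camera-to-camera traffic are permitted while everything else, including a unicast DHCP renew addressed straight to 10.80.100.3, falls through to dall.

```python
import ipaddress
import re
from dataclasses import dataclass

@dataclass
class Acl:
    name: str
    conditions: dict  # condition keyword -> value, exactly as written in the CLI string
    action: str       # "permit" or "deny"

@dataclass
class Packet:
    src: str = "0.0.0.0"
    dst: str = "0.0.0.0"
    proto: str = "udp"
    sport: int = 0
    dport: int = 0
    eth_type: int = 0x0800              # IPv4 unless overridden (0x0806 = ARP)
    eth_dst: str = "00:00:00:00:00:01"  # unicast unless overridden

CREATE_RE = re.compile(r'create access-list (\S+) "([^"]*)" "(permit|deny)"')
ADD_RE = re.compile(r"config access-list add (\S+) (first|last) vlan (\S+) ingress")

def parse_create(line):
    """Turn one `create access-list` line into an Acl; a `" "` condition matches everything."""
    name, cond, action = CREATE_RE.fullmatch(line).groups()
    parts = [p.strip() for p in cond.split(";") if p.strip()]
    return Acl(name, dict(p.split(None, 1) for p in parts), action)

def matches(acl, pkt):
    """Every condition must hold; an unmodelled keyword raises instead of silently matching."""
    checks = {
        "source-address": lambda v: ipaddress.ip_address(pkt.src) in ipaddress.ip_network(v, strict=False),
        "destination-address": lambda v: ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(v, strict=False),
        "protocol": lambda v: pkt.proto == v,
        "source-port": lambda v: pkt.sport == int(v),
        "destination-port": lambda v: pkt.dport == int(v),
        "ethernet-destination-address": lambda v: pkt.eth_dst.lower() == v.lower(),
        "ethernet-type": lambda v: pkt.eth_type == int(v, 16),
    }
    return all(checks[k](v) for k, v in acl.conditions.items())

def build_policy(cli_text):
    """Replay create/config lines; return {vlan: [Acl, ...]} in evaluation order."""
    acls, vlans = {}, {}
    for line in (l.strip() for l in cli_text.splitlines() if l.strip()):
        if CREATE_RE.fullmatch(line):
            acl = parse_create(line)
            acls[acl.name] = acl
            continue
        name, pos, vlan = ADD_RE.fullmatch(line).groups()
        chain = vlans.setdefault(vlan, [])
        # Assumed ordering: "first" goes to the head of the chain (so the most
        # recently added "first" entry is checked first); "last" is appended.
        if pos == "first":
            chain.insert(0, acls[name])
        else:
            chain.append(acls[name])
    return vlans

def evaluate(policy, vlan, pkt):
    """First matching entry decides; no match means the switch forwards (implicit permit)."""
    for acl in policy.get(vlan, []):
        if matches(acl, pkt):
            return acl.action, acl.name
    return "permit", "(no match)"

# Constructed transcription of the thread's commands for Nat, JCSD-Mobile and the
# isolated Cameras VLAN, plus deny8888 from the last reply (User-Portal omitted).
THREAD_CONFIG = """
create access-list denytoNat "destination-address 10.80.100.0/22" "deny"
create access-list denytoMobile "destination-address 10.20.100.0/22" "deny"
create access-list permtodns "destination-address 10.80.100.0/22; protocol udp; destination-port 53" "permit"
create access-list permtodhcp "destination-address 10.80.100.0/22; protocol udp; destination-port 67" "permit"
create access-list permfromdns "protocol udp; source-port 53" "permit"
create access-list permfromdhcp "protocol udp; source-port 67" "permit"
create access-list inCameras "source-address 10.30.100.0/22; destination-address 10.30.100.0/22" "permit"
create access-list dall " " "deny"
create access-list pbcast "ethernet-destination-address ff:ff:ff:ff:ff:ff" "permit"
create access-list parp "ethernet-type 0x0806" "permit"
create access-list deny8888 "destination-address 8.8.8.8/32" "deny"
config access-list add denytoMobile last vlan Nat ingress
config access-list add permfromdns first vlan Nat ingress
config access-list add permfromdhcp first vlan Nat ingress
config access-list add denytoNat last vlan JCSD-Mobile ingress
config access-list add permtodns first vlan JCSD-Mobile ingress
config access-list add permtodhcp first vlan JCSD-Mobile ingress
config access-list add deny8888 first vlan JCSD-Mobile ingress
config access-list add inCameras first vlan Cameras ingress
config access-list add permtodns last vlan Cameras ingress
config access-list add dall last vlan Cameras ingress
config access-list add pbcast first vlan Cameras ingress
config access-list add parp first vlan Cameras ingress
"""
POLICY = build_policy(THREAD_CONFIG)

if __name__ == "__main__":
    # A camera unicasting a DHCP renew straight to the server hits dall, not a permit.
    print(evaluate(POLICY, "Cameras", Packet("10.30.100.5", "10.80.100.3", "udp", 68, 67)))
```

Because the model replays the config lines in the order you would type them, it is a cheap way to check the effect of a "first" versus "last" placement before touching a production switch; the unicast-renew case on Cameras is the kind of result that tells you whether permtodhcp belongs on that VLAN after all.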