Allow DHCP and DNS through ACL for vLans

Trent_Deloach
New Contributor
I have 4 vlans:
Uplink, Mobile, Portal, NAT

The Nat is the location of my DHCP and DNS server.

I want to create ACL Policies that keep vlans Mobile, Portal, and Nat from talking to each other, but if I do, it breaks Portal and Mobile clients from getting DHCP.

Can I create ACL policies to block all traffic but DHCP and DNS from Portal and Mobile to the NAT vlan?

Sidenote, all need to be allowed through uplink.

Thanks

Would this (
create access-list inCameras "source-address 10.30.100.0/22; destination-address 10.30.100.0/22"

create access-list dall " " "deny"

config access-list add inCameras first vlan Cameras ingress
config access-list add permtodns last vlan Cameras ingress
config access-list add dall last vlan Cameras ingress)
keep camera vlan from talking with all other vlans. I would want them on their own completely.

Obviously, you may want to refine the permfrom/toprinter ACL lines to include protocol and source/destination port-number for the printer protocol.

This configuration still allows devices in Cameras to DIS-Uplink, which I can only assume is the means to the internet. If I understand you correctly you want devices in Cameras to only be able to reach themselves, DNS, and DHCP. For this I would do something like:

create access-list inCameras "source-address 10.30.100.0/22; destination-address 10.30.100.0/22"

create access-list dall " " "deny"

config access-list add inCameras first vlan Cameras ingress
config access-list add permtodns last vlan Cameras ingress
config access-list add dall last vlan Cameras ingress

Notice I did not use permtodhcp. I did some testing, and with DHCP relay properly configured, you should not have to use permtodhcp at all on any VLAN. (You still need permfromdhcp.)

Now with respect to the printer, I forget my printer protocols, but you should be able to get by with this broader permit:

create access-list permtoprinter "destination-address 10.20.100.181/32" "permit"

Then add the permtoprinter access-list first to all VLANs ingress.

Then:

create access-list permfromprinter "source-address 10.20.100.181/32" "permit"

config access-list add permfromprinter first JCSD-Mobile ingress

Matthew_Helm1
Extreme Employee
So, I got pulled into something else and haven't had a chance to test this, but you could try this configuration below. I think the permit to dhcp ACL applied to the Mobile and Portal VLANs ingress should not be necessary (as it would be a broadcast destined to the gateway which would then, assuming you have bootprelay configured -- you do need to do that -- be directed by the switch to the dhcp server in the Nat VLAN) but it is not going to hurt. Again, I haven't tested this, so test it before deploying it in production please.

create access-list denytoNat "destination-address 10.80.100.0/22" "deny"
create access-list denytoMobile "destination-address 10.20.100.0/22" "deny"
create access-list denytoPortal "destination-address 10.25.100.0/22" "deny"
create access-list permtodns "destination-address 10.80.100.0/22; protocol udp; destination-port 53" "permit"
create access-list permtodhcp "destination-address 10.80.100.0/22; protocol udp; destination-port 67" "permit"
create access-list permfromdns "protocol udp; source-port 53" "permit"
create access-list permfromdhcp "protocol udp; source-port 67" "permit"

config access-list add denytoMobile last vlan Nat ingress
config access-list add denytoPortal last vlan Nat ingress
config access-list add permfromdns first vlan Nat ingress
config access-list add permfromdhcp first vlan Nat ingress

config access-list add denytoNat last vlan JCSD-Mobile ingress
config access-list add denytoPortal last vlan JCSD-Mobile ingress
config access-list add permtodns first vlan JCSD-Mobile ingress
config access-list add permtodhcp first vlan JCSD-Mobile ingress

config access-list add denytoNat last vlan User-Portal ingress
config access-list add denytoMobile last vlan User-Portal ingress
config access-list add permtodns first vlan User-Portal ingress
config access-list add permtodhcp first vlan User-Portal ingress
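As an added example (not code from the thread or from Extreme Networks), the Python script below parses the create/config access-list lines in the reply above, and the Cameras lines in the earlier reply, into an ordered per-VLAN ingress list and walks a handful of constructed flows through it. It makes the ordering point concrete: the permit entries added with "first" are evaluated before the "last" deny entries, so a Mobile client reaches DNS and DHCP in Nat while everything else toward Nat is dropped and Internet-bound traffic falls through to the implicit permit. It also shows that permfromdns and permfromdhcp, which match on source port only, admit any UDP packet from Nat that happens to carry source port 53 or 67, so tightening them with a source-address of the actual server is worth considering. Assumptions, labelled in the code: "first" inserts at the top of the list and "last" appends, the first matching entry wins, a packet matching nothing is forwarded, a create line without an action string means permit, and 10.80.100.10 / 10.80.100.20 / 10.20.100.5 / 10.25.100.7 are made-up hosts inside the subnets from the thread (the DHCP/DNS server address is never given on the page).

```python
import ipaddress
import shlex

# Assumed ExtremeXOS dynamic-ACL semantics (not verified on the switch in the
# thread): "first" inserts at the top of a VLAN's ingress list, "last" appends,
# the first matching entry decides, an unmatched packet is forwarded (implicit
# permit), and a "create access-list" with no action string means "permit".
ACL_COMMANDS = """
create access-list denytoNat "destination-address 10.80.100.0/22" "deny"
create access-list denytoMobile "destination-address 10.20.100.0/22" "deny"
create access-list denytoPortal "destination-address 10.25.100.0/22" "deny"
create access-list permtodns "destination-address 10.80.100.0/22; protocol udp; destination-port 53" "permit"
create access-list permtodhcp "destination-address 10.80.100.0/22; protocol udp; destination-port 67" "permit"
create access-list permfromdns "protocol udp; source-port 53" "permit"
create access-list permfromdhcp "protocol udp; source-port 67" "permit"
config access-list add denytoMobile last vlan Nat ingress
config access-list add denytoPortal last vlan Nat ingress
config access-list add permfromdns first vlan Nat ingress
config access-list add permfromdhcp first vlan Nat ingress
config access-list add denytoNat last vlan JCSD-Mobile ingress
config access-list add denytoPortal last vlan JCSD-Mobile ingress
config access-list add permtodns first vlan JCSD-Mobile ingress
config access-list add permtodhcp first vlan JCSD-Mobile ingress
config access-list add denytoNat last vlan User-Portal ingress
config access-list add denytoMobile last vlan User-Portal ingress
config access-list add permtodns first vlan User-Portal ingress
config access-list add permtodhcp first vlan User-Portal ingress
"""


def parse_acl_commands(text):
    """Return ({acl_name: (conditions, action)}, {vlan: [acl_name, ...] in evaluation order})."""
    acls, vlan_lists = {}, {}
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())  # quoted condition/action strings become single tokens
        if tokens[:2] == ["create", "access-list"]:
            name = tokens[2]
            conds = {}
            for clause in (tokens[3] if len(tokens) > 3 else "").split(";"):
                if clause.strip():  # '" "' (dall) has no clauses and therefore matches everything
                    key, value = clause.split(None, 1)
                    conds[key] = value.strip()
            action = tokens[4].lower() if len(tokens) > 4 else "permit"  # assumption
            acls[name] = (conds, action)
        elif tokens[:3] == ["config", "access-list", "add"]:
            name, position, rest = tokens[3], tokens[4], tokens[5:]
            vlan = rest[1] if rest[0] == "vlan" else rest[0]  # the "vlan" keyword is optional
            entries = vlan_lists.setdefault(vlan, [])
            if position == "first":
                entries.insert(0, name)
            else:
                entries.append(name)
    return acls, vlan_lists


def matches(conds, pkt):
    """True if every condition of one ACL entry holds for the packet."""
    for key, value in conds.items():
        if key in ("source-address", "destination-address"):
            field = "src" if key == "source-address" else "dst"
            if pkt[field] not in ipaddress.ip_network(value, strict=False):
                return False
        elif key == "protocol":
            if pkt["proto"] != value.lower():
                return False
        elif key in ("source-port", "destination-port"):
            field = "sport" if key == "source-port" else "dport"
            if pkt.get(field) != int(value):
                return False
        else:
            raise ValueError(f"unsupported match condition: {key}")
    return True


def evaluate(acls, vlan_lists, vlan, pkt):
    """Walk the VLAN's ingress list top-down; return (action, name of the entry that matched)."""
    for name in vlan_lists.get(vlan, []):
        conds, action = acls[name]
        if matches(conds, pkt):
            return action, name
    return "permit", None  # implicit permit (assumption, see above)


def packet(src, dst, proto, sport=None, dport=None):
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "sport": sport, "dport": dport}


# Constructed flows; 10.80.100.10 stands in for the DHCP/DNS server in Nat.
SCENARIOS = {
    "mobile_dns_query":    ("JCSD-Mobile", packet("10.20.100.5", "10.80.100.10", "udp", 40000, 53)),
    "mobile_dhcp_unicast": ("JCSD-Mobile", packet("10.20.100.5", "10.80.100.10", "udp", 68, 67)),
    "mobile_to_nat_smb":   ("JCSD-Mobile", packet("10.20.100.5", "10.80.100.10", "tcp", 40001, 445)),
    "mobile_to_portal":    ("JCSD-Mobile", packet("10.20.100.5", "10.25.100.7", "tcp", 40002, 80)),
    "mobile_to_internet":  ("JCSD-Mobile", packet("10.20.100.5", "203.0.113.10", "tcp", 40003, 443)),
    "nat_dns_reply":       ("Nat", packet("10.80.100.10", "10.20.100.5", "udp", 53, 40000)),
    "nat_to_mobile_ssh":   ("Nat", packet("10.80.100.10", "10.20.100.5", "tcp", 40004, 22)),
    # Any Nat host sending UDP from source port 53 hits permfromdns before denytoMobile.
    "nat_sport53_any":     ("Nat", packet("10.80.100.20", "10.20.100.5", "udp", 53, 5000)),
}


def check_policy():
    """Map each scenario name to the action the parsed ACL set produces for it."""
    acls, vlan_lists = parse_acl_commands(ACL_COMMANDS)
    return {name: evaluate(acls, vlan_lists, vlan, pkt)[0] for name, (vlan, pkt) in SCENARIOS.items()}


if __name__ == "__main__":
    acls, vlan_lists = parse_acl_commands(ACL_COMMANDS)
    for vlan, entries in vlan_lists.items():
        print(f"{vlan} ingress order: {entries}")
    for name, (vlan, pkt) in SCENARIOS.items():
        print(f"{name:22s} -> {evaluate(acls, vlan_lists, vlan, pkt)}")
```

The last scenario is the one to look at before deploying: the switch ACL is stateless, so "source-port 53" permits a reply from the DNS server and, equally, any other UDP packet from the Nat subnet that carries that source port. Adding "source-address <DNS server>/32" to permfromdns (and the relay-facing equivalent for permfromdhcp) keeps the reply path working while closing that gap; the evaluator shows the change by re-running the same scenarios after editing ACL_COMMANDS.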

Matthew_Helm1
Extreme Employee
Please send a "show VLAN". Thanks.