Allow DHCP and DNS through ACL for vLans
‎05-03-2016 03:49 PM
I have 4 vlans:
Uplink, Mobile, Portal, NAT
The Nat is the location of my DHCP and DNS server.
I want to create ACL policies that keep VLANs Mobile, Portal, and Nat from talking to each other, but if I do, it breaks Portal and Mobile clients from getting DHCP.
Can I create ACL policies to block all traffic but DHCP and DNS from Portal and Mobile to the NAT VLAN?
Sidenote, all need to be allowed through uplink.
Thanks
10 REPLIES
‎05-04-2016 11:25 AM
Would this:
create access-list inCameras "source-address 10.30.100.0/22; destination-address 10.30.100.0/22" "permit"
create access-list dall " " "deny"
config access-list add inCameras first vlan Cameras ingress
config access-list add permtodns last vlan Cameras ingress
config access-list add dall last vlan Cameras ingress
keep the camera VLAN from talking with all other VLANs? I would want them on their own completely.
‎05-04-2016 11:25 AM
Obviously, you may want to refine the permfrom/toprinter ACL lines to include protocol and source/destination port-number for the printer protocol.
‎05-04-2016 11:25 AM
This configuration still allows devices in Cameras to DIS-Uplink, which I can only assume is the means to the internet. If I understand you correctly you want devices in Cameras to only be able to reach themselves, DNS, and DHCP. For this I would do something like:
create access-list inCameras "source-address 10.30.100.0/22; destination-address 10.30.100.0/22" "permit"
create access-list dall " " "deny"
config access-list add inCameras first vlan Cameras ingress
config access-list add permtodns last vlan Cameras ingress
config access-list add dall last vlan Cameras ingress
Notice I did not use permtodhcp. I did some testing, and with DHCP relay properly configured, you should not have to use permtodhcp at all on any VLAN. (You still need permfromdhcp.)
Now with respect to the printer, I forget my printer protocols, but you should be able to get by with this broader permit:
create access-list permtoprinter "destination-address 10.20.100.181/32" "permit"
Then add the permtoprinter access-list first to all VLANs ingress.
Then:
create access-list permfromprinter "source-address 10.20.100.181/32" "permit"
config access-list add permfromprinter first JCSD-Mobile ingress
‎05-03-2016 07:18 PM
So, I got pulled into something else and haven't had a chance to test this, but you could try this configuration below. I think the permit to dhcp ACL applied to the Mobile and Portal VLANs ingress should not be necessary (as it would be a broadcast destined to the gateway which would then, assuming you have bootprelay configured -- you do need to do that -- be directed by the switch to the dhcp server in the Nat VLAN) but it is not going to hurt. Again, I haven't tested this, so test it before deploying it in production please.
create access-list denytoNat "destination-address 10.80.100.0/22" "deny"
create access-list denytoMobile "destination-address 10.20.100.0/22" "deny"
create access-list denytoPortal "destination-address 10.25.100.0/22" "deny"
create access-list permtodns "destination-address 10.80.100.0/22; protocol udp; destination-port 53" "permit"
create access-list permtodhcp "destination-address 10.80.100.0/22; protocol udp; destination-port 67" "permit"
create access-list permfromdns "protocol udp; source-port 53" "permit"
create access-list permfromdhcp "protocol udp; source-port 67" "permit"
config access-list add denytoMobile last vlan Nat ingress
config access-list add denytoPortal last vlan Nat ingress
config access-list add permfromdns first vlan Nat ingress
config access-list add permfromdhcp first vlan Nat ingress
config access-list add denytoNat last vlan JCSD-Mobile ingress
config access-list add denytoPortal last vlan JCSD-Mobile ingress
config access-list add permtodns first vlan JCSD-Mobile ingress
config access-list add permtodhcp first vlan JCSD-Mobile ingress
config access-list add denytoNat last vlan User-Portal ingress
config access-list add denytoMobile last vlan User-Portal ingress
config access-list add permtodns first vlan User-Portal ingress
config access-list add permtodhcp first vlan User-Portal ingress
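The rule sets in the two replies above (the Nat/Mobile/Portal isolation and the Cameras deny-all) only work because of rule order and of what happens when nothing matches, and neither poster tested the whole thing. The following is an added example, not code from the thread or from Extreme: a small first-match simulator that takes the posted `create access-list` condition strings and `first`/`last` placements as written, renders the resulting CLI, and runs constructed packets through each VLAN's ingress list. Everything beyond the thread's subnets and rule names is an assumption: the host addresses (10.20.100.50, 10.80.100.10, 10.80.100.20, 10.30.100.5, 10.30.101.7), the relay address 10.20.100.1 as the Mobile gateway, 203.0.113.10 as an Uplink destination, and the implicit permit applied when no rule matches (which is the reason the `dall` rule is needed on Cameras).

```python
"""Added example (not from the thread): first-match simulator for the
EXOS-style dynamic ACLs posted above. Hosts and packets are constructed;
only the /22 subnets and rule names come from the thread."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "udp"
    sport: int = 0
    dport: int = 0


def parse_conditions(text):
    """'destination-address 10.80.100.0/22; protocol udp; destination-port 53'
    -> dict.  A blank string (the `dall` rule) yields {} and matches everything."""
    conds = {}
    for clause in text.split(";"):
        clause = clause.strip()
        if clause:
            key, value = clause.split(None, 1)
            conds[key] = value.strip()
    return conds


class Rule:
    """One `create access-list <name> "<conditions>" "<action>"` entry."""
    def __init__(self, name, conditions, action):
        self.name, self.text, self.action = name, conditions, action
        self.conditions = parse_conditions(conditions)

    def cli(self):
        return f'create access-list {self.name} "{self.text}" "{self.action}"'

    def matches(self, p):
        # Only the five match keys used in the thread are modelled.
        checks = {
            "source-address": lambda v: ipaddress.ip_address(p.src) in ipaddress.ip_network(v, strict=False),
            "destination-address": lambda v: ipaddress.ip_address(p.dst) in ipaddress.ip_network(v, strict=False),
            "protocol": lambda v: v == p.proto,
            "source-port": lambda v: int(v) == p.sport,
            "destination-port": lambda v: int(v) == p.dport,
        }
        return all(checks[k](v) for k, v in self.conditions.items())


class VlanIngress:
    """Ordered rule list for one VLAN ingress. `first` inserts at the head (so the
    rule added with `first` most recently is evaluated first); `last` appends."""
    def __init__(self, vlan):
        self.vlan, self.rules, self.commands = vlan, [], []

    def add(self, rule, position):
        if position == "first":
            self.rules.insert(0, rule)
        elif position == "last":
            self.rules.append(rule)
        else:
            raise ValueError(f"unsupported position {position!r}")
        self.commands.append(f"configure access-list add {rule.name} {position} vlan {self.vlan} ingress")
        return self

    def evaluate(self, p):
        """First matching rule wins. No match -> forwarded (assumed default)."""
        for r in self.rules:
            if r.matches(p):
                return r.action, r.name
        return "permit", "implicit"


RULES = {r.name: r for r in [
    Rule("denytoNat", "destination-address 10.80.100.0/22", "deny"),
    Rule("denytoMobile", "destination-address 10.20.100.0/22", "deny"),
    Rule("denytoPortal", "destination-address 10.25.100.0/22", "deny"),
    Rule("permtodns", "destination-address 10.80.100.0/22; protocol udp; destination-port 53", "permit"),
    Rule("permtodhcp", "destination-address 10.80.100.0/22; protocol udp; destination-port 67", "permit"),
    Rule("permfromdns", "protocol udp; source-port 53", "permit"),
    Rule("permfromdhcp", "protocol udp; source-port 67", "permit"),
    Rule("inCameras", "source-address 10.30.100.0/22; destination-address 10.30.100.0/22", "permit"),
    Rule("dall", " ", "deny"),
]}

PLACEMENT = [  # (vlan, rule, position) in the order the posts apply them
    ("Nat", "denytoMobile", "last"), ("Nat", "denytoPortal", "last"),
    ("Nat", "permfromdns", "first"), ("Nat", "permfromdhcp", "first"),
    ("JCSD-Mobile", "denytoNat", "last"), ("JCSD-Mobile", "denytoPortal", "last"),
    ("JCSD-Mobile", "permtodns", "first"), ("JCSD-Mobile", "permtodhcp", "first"),
    ("Cameras", "inCameras", "first"), ("Cameras", "permtodns", "last"), ("Cameras", "dall", "last"),
]


def build():
    vlans = {}
    for vlan, name, pos in PLACEMENT:
        vlans.setdefault(vlan, VlanIngress(vlan)).add(RULES[name], pos)
    return vlans


def config_lines():
    """The CLI the thread's config amounts to: all creates, then the placements."""
    vlans = build()
    return [r.cli() for r in RULES.values()] + [c for v in vlans.values() for c in v.commands]


# Constructed traffic (all hosts are assumptions): label, ingress VLAN, packet.
SAMPLES = [
    ("dns Mobile->Nat", "JCSD-Mobile", Packet("10.20.100.50", "10.80.100.10", "udp", 40000, 53)),
    ("smb Mobile->Nat", "JCSD-Mobile", Packet("10.20.100.50", "10.80.100.10", "tcp", 40001, 445)),
    ("https Mobile->Uplink", "JCSD-Mobile", Packet("10.20.100.50", "203.0.113.10", "tcp", 40002, 443)),
    ("dhcp discover bcast", "JCSD-Mobile", Packet("0.0.0.0", "255.255.255.255", "udp", 68, 67)),
    ("dhcp offer Nat->relay", "Nat", Packet("10.80.100.10", "10.20.100.1", "udp", 67, 67)),
    ("sport53 Nat->Mobile", "Nat", Packet("10.80.100.20", "10.20.100.50", "udp", 53, 4444)),
    ("cam->cam", "Cameras", Packet("10.30.100.5", "10.30.101.7", "tcp", 5000, 554)),
    ("cam->Uplink", "Cameras", Packet("10.30.100.5", "203.0.113.10", "tcp", 5000, 443)),
]


def run_samples():
    vlans = build()
    return {label: vlans[vlan].evaluate(p) for label, vlan, p in SAMPLES}


if __name__ == "__main__":
    print("\n".join(config_lines()))
    for label, (action, rule) in run_samples().items():
        print(f"{label:24s} -> {action} ({rule})")
```

Two results are worth reading off the output. The client's DHCP DISCOVER is a broadcast to 255.255.255.255, so it matches neither `permtodhcp` nor `denytoNat` and is forwarded by the implicit permit, which is what the reply about not needing `permtodhcp` with bootprelay observed; the relayed copy is originated by the switch and never enters a VLAN ingress list at all. Second, `permfromdns` and `permfromdhcp` match on protocol and source port only, so the `sport53 Nat->Mobile` packet is permitted whatever it carries; adding `source-address` for the DNS and DHCP servers' addresses, as the reply about the printer rules suggests for that case, narrows those two permits.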
‎05-03-2016 06:06 PM
Please send a "show VLAN". Thanks.
