Correct rule to allow DHCP in ACL for a VLAN
12-06-2016 12:01 PM
Hello, everybody!
I need to allow DHCP traffic for a certain VLAN in ACL. Is my rule correct?
entry DHCP {
    if {
        protocol udp;
        destination-port 67,68;
    } then {
        permit;
    }
}
Should it be applied to VLAN as "ingress"?
Could you please, check it? Thank you!!!
13 REPLIES
12-06-2016 12:42 PM
You should use the match-condition "source-address 0.0.0.0/0;"
Quick question: Do you have a deny-all rule or some other deny rule?
EXOS ACL (if not used as access-profile to control management access applied directly to ssh, telnet, snmp, etc or used for routing policies) does not have an implicit deny-all rule.
That means if you just apply those DHCP/IP rules to a VLAN or port without any deny rule, it would not take effect for permitted traffic because it is permit by default (inside a rule and inside the policy file). It would just help to count packets if you add a "count" option to the rule.
12-06-2016 12:42 PM
In our two-tier MLAG design, with VRRP enabled and a VLAN ACL, we also have to allow the VRRP multicast traffic to 224.0.0.18/32 or to all of 224.0.0.0/24.
12-06-2016 12:42 PM
The only deny rule I have in the end of every acl. Is it similar to deny all?
entry perm_blocked_in {
    if {
        source-address 0.0.0.0/0;
    } then {
        deny;
    }
}
Thank you.
12-06-2016 12:42 PM
Ilya,
if you add a deny all rule you should make sure to deny only IP traffic. If you deny every frame not previously permitted, you might accidentally stop e.g. layer 2 redundancy mechanisms from working correctly (STP, EAPS, ...).
Erik
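Putting the advice from the replies above together, here is an added example of a complete EXOS policy file (not posted by anyone in this thread): it permits DHCP in both directions with a counter on each entry, permits the VRRP advertisements to 224.0.0.18, and ends with a deny that matches only IPv4 frames, so STP/EAPS and other non-IP traffic still pass. The policy name acl_vlan_users, the VLAN name users and the counter names are assumptions; the ETHER-P-IP keyword is the documented EXOS alias for ethertype 0x0800.

```text
# acl_vlan_users.pol  (constructed example; policy, VLAN and counter names are assumptions)
# Entries are evaluated top down; the first match decides the action.

entry dhcp_client_to_server {
    if {
        protocol udp;
        source-port 68;
        destination-port 67;
    } then {
        permit;
        count dhcp_requests;      # makes hits visible in "show access-list counter"
    }
}

entry dhcp_server_to_client {
    if {
        protocol udp;
        source-port 67;
        destination-port 68;
    } then {
        permit;
        count dhcp_replies;
    }
}

entry vrrp_advertisements {
    if {
        destination-address 224.0.0.18/32;   # VRRP group address, as noted in the replies
    } then {
        permit;
        count vrrp;
    }
}

# Deny only IPv4, not every frame: a bare "deny" with no IP match condition
# would also drop layer-2 control traffic (STP, EAPS, ...).
entry deny_ip_rest {
    if {
        ethernet-type ETHER-P-IP;
    } then {
        deny;
        count denied_ip;
    }
}
```

Apply it to the VLAN in the ingress direction with "configure access-list acl_vlan_users vlan users ingress"; the counters then show whether DHCP is actually being matched by the permit entries or is falling through to the deny.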
