
DHCP is not working 3560G


For me, I will remove the ACL to test the DHCP functionality. Then use ACL with deny any any log to check what packets are required for DHCP. I use the same method for the ACL security tasks also.

2008/7/13 Jason Madsen:
> if you wanted to be as specific as possible, you can use this ACL
> statement:
>
> *permit udp host 0.0.0.0 host 255.255.255.255 eq 67*
>
> just apply it inward toward your dhcp server and of course you’d have to
> read your requirements and see if this is a feasible solution, but it is one
> that works.
>
> hope that helps,
> Jason
>
> On Sat, Jul 12, 2008 at 12:07 PM, Jason Madsen wrote:
>
> > as Marvin mentioned, when your DHCP client initially does its discover and
> > request it will send to 0.0.0.0 255.255.255.255. the rest of the
> > communication should be between src and dest IP. with all communication, to
> > include the initial discover and request etc., the client will src from UDP
> > port 68 with a dst UDP port of 67 for the DHCP server.
> >
> > so maybe try adding permit host 0.0.0.0 host 255.255.255.255 to the first
> > line in your ACL??? it looks as though the rest of your ACL will permit the
> > rest of the DHCP negotiation.
> >
> > Jason
> >
> > On Sat, Jul 12, 2008 at 11:06 AM, omar parihuana <omar.parihuana@gmail.com>
> > wrote:
> >
> >> Hi Group,
> >>
> >> I’ve configured a Switch 3560G with 3 SVIs in order to VLAN Routing:
> >>
> >> !
> >> interface Vlan10
> >>  description VLAN 10
> >>  ip address 10.53.0.253 255.255.255.0
> >> !
> >> interface Vlan20
> >>  description VLAN 20
> >>  ip address 10.53.5.1 255.255.255.0
> >> !
> >> interface Vlan30
> >>  description VLAN 30
> >>  ip address 10.53.8.1 255.255.255.0
> >> !
> >> ip route 0.0.0.0 0.0.0.0 10.53.0.1
> >> !
> >>
> >> After I’ve configured a DHCP Pool in order to assign IP address only to
> >> VLAN 30, the conf is:
> >>
> >> !
> >> !
> >> ip dhcp excluded-address 10.53.8.1 10.53.8.199
> >> ip dhcp pool DCHP
> >>  network 10.53.8.0 255.255.255.0
> >>  default-router 10.53.8.1
> >>  dns-server 200.41.96.24 200.41.96.26
> >> !
> >>
> >> After that host in vlan 30 are assigned an IP Address correctly and the
> >> intervlan routing working fine, but as I need that VLAN 30 only reach to
> >> external networks (Internet) and not to other networks (VLAN 10 and VLAN20)
> >> I’ve created an Access-list
> >> !
> >> ip access-list extended BLOCKING-VLAN
> >>  permit ip 10.53.8.0 0.0.0.255 host 10.53.0.1
> >>  deny ip 10.53.8.0 0.0.0.255 10.53.0.0 0.0.0.255 log
> >>  deny ip 10.53.8.0 0.0.0.255 10.53.5.0 0.0.0.255 log
> >>  permit ip 10.53.8.0 0.0.0.255 any
> >> !
> >>
> >> !
> >> interface Vlan30
> >>  description VLAN 30
> >>  ip address 10.53.8.1 255.255.255.0
> >>  ip access-group BLOCKING-VLAN in
> >> !
> >>
> >> The first sentence in ACL is necessary to reach the default gateway in
> >> VLAN10 (see default route above). Apparently all is working well the host in
> >> VLAN 30 don’t reach to Servers in VLAN 10 and VLAN20, but DHCP IS NOT
> >> WORKING! no assign IP address to hosts. After of check the debugs, I noticed
> >> that when the access-list is applied to Int VLAN30 the Switch is not aware
> >> about DHCP request. DHCPD: DHCPDISCOVER is never received by Switch. But
> >> when I removed the access-list then DHCP working well, then how should I
> >> configure the access-list in order to allow DHCP in VLAN30 and the hosts in
> >> VLAN30 don’t communicate the others VLANs? or maybe change the DHCP
> >> Configuration but how?
> >>
> >> Rgds.
> >>
> >> —
> >> Omar E.P.T
> >> —————–
> >> Certified Networking Professionals make better Connections!
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
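
The ACL behaviour discussed in this thread, as an added example that is not part of the original messages: a simplified first-match evaluator run over the posted BLOCKING-VLAN entries, with and without the suggested DHCP permit line. It models only protocol, source/destination wildcard matching and destination port (an assumption, not the switch's actual implementation), and the three sample packets are constructed.

```python
from ipaddress import IPv4Address

def _addr(tok):
    """Consume one IOS address spec from tok; return (base, wildcard) as ints."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(IPv4Address(tok.pop(0))), 0
    return int(IPv4Address(first)), int(IPv4Address(tok.pop(0)))

def parse(line):
    """Parse 'action proto src dst [eq port] [log]' into a tuple."""
    tok = line.split()
    action, proto = tok.pop(0), tok.pop(0)
    src, dst = _addr(tok), _addr(tok)
    dport = int(tok[1]) if tok[:1] == ["eq"] else None
    return action, proto, src, dst, dport

def _hit(spec, ip):
    base, wild = spec
    mask = ~wild & 0xFFFFFFFF          # wildcard bits are "don't care"
    return int(IPv4Address(ip)) & mask == base & mask

def evaluate(acl, proto, src, dst, dport=None):
    """First match wins; anything unmatched falls to the implicit deny."""
    for line in acl:
        action, p, s, d, port = parse(line)
        if p not in ("ip", proto) or (port is not None and port != dport):
            continue
        if _hit(s, src) and _hit(d, dst):
            return action, line
    return "deny", "(implicit deny any any)"

# ACL entries as posted in the thread
BLOCKING_VLAN = [
    "permit ip 10.53.8.0 0.0.0.255 host 10.53.0.1",
    "deny ip 10.53.8.0 0.0.0.255 10.53.0.0 0.0.0.255 log",
    "deny ip 10.53.8.0 0.0.0.255 10.53.5.0 0.0.0.255 log",
    "permit ip 10.53.8.0 0.0.0.255 any",
]
FIXED = ["permit udp host 0.0.0.0 host 255.255.255.255 eq 67"] + BLOCKING_VLAN

# Constructed sample packets: (proto, src, dst, dst port)
DISCOVER = ("udp", "0.0.0.0", "255.255.255.255", 67)   # client has no address yet
RENEW = ("udp", "10.53.8.200", "10.53.8.1", 67)        # unicast to the SVI
TO_VLAN10 = ("tcp", "10.53.8.200", "10.53.0.10", 80)   # must stay blocked

if __name__ == "__main__":
    for name, acl in (("original", BLOCKING_VLAN), ("with DHCP permit", FIXED)):
        for pkt in (DISCOVER, RENEW, TO_VLAN10):
            print(f"{name:17} {pkt} -> {evaluate(acl, *pkt)}")
```

Every posted entry requires a source in 10.53.8.0/24, so the DHCPDISCOVER sourced from 0.0.0.0 matches nothing and is dropped by the implicit deny; with the extra line first it is permitted while traffic toward VLAN 10 is still denied.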
