Re: DHCP is not working 3560G

From: Jason Madsen (madsen.jason@gmail.com)
Date: Sat Jul 12 2008 - 15:07:35 ART


As Marvin mentioned, when your DHCP client initially does its discover and
request it will send to 0.0.0.0 255.255.255.255. The rest of the
communication should be between src and dest IP. With all communication, to
include the initial discover and request etc., the client will src from UDP
port 68 with a dst UDP port of 67 for the DHCP server.

So maybe try adding permit host 0.0.0.0 host 255.255.255.255 to the first
line in your ACL? It looks as though the rest of your ACL will permit the
rest of the DHCP negotiation.

Jason

On Sat, Jul 12, 2008 at 11:06 AM, omar parihuana <omar.parihuana@gmail.com>
wrote:

> Hi Group,
>
> I've configured a Switch 3560G with 3 SVIs in order to do VLAN routing:
>
> !
> interface Vlan10
> description VLAN 10
> ip address 10.53.0.253 255.255.255.0
> !
> interface Vlan20
> description VLAN 20
> ip address 10.53.5.1 255.255.255.0
> !
> interface Vlan30
> description VLAN 30
> ip address 10.53.8.1 255.255.255.0
> !
> ip route 0.0.0.0 0.0.0.0 10.53.0.1
> !
>
> After that I configured a DHCP pool in order to assign IP addresses only to
> VLAN 30; the conf is:
>
> !
> !
> ip dhcp excluded-address 10.53.8.1 10.53.8.199
> ip dhcp pool DCHP
> network 10.53.8.0 255.255.255.0
> default-router 10.53.8.1
> dns-server 200.41.96.24 200.41.96.26
> !
>
> After that, hosts in VLAN 30 are assigned an IP address correctly and the
> inter-VLAN routing is working fine, but as I need VLAN 30 to reach only
> external networks (Internet) and not other networks (VLAN 10 and VLAN 20),
> I've created an access list:
> !
> ip access-list extended BLOCKING-VLAN
> permit ip 10.53.8.0 0.0.0.255 host 10.53.0.1
> deny ip 10.53.8.0 0.0.0.255 10.53.0.0 0.0.0.255 log
> deny ip 10.53.8.0 0.0.0.255 10.53.5.0 0.0.0.255 log
> permit ip 10.53.8.0 0.0.0.255 any
> !
>
> !
> interface Vlan30
> description VLAN 30
> ip address 10.53.8.1 255.255.255.0
> ip access-group BLOCKING-VLAN in
> !
>
> The first sentence in the ACL is necessary to reach the default gateway in
> VLAN 10 (see default route above). Apparently all is working well: the hosts
> in VLAN 30 don't reach the servers in VLAN 10 and VLAN 20, but DHCP IS NOT
> WORKING! No IP address is assigned to hosts. After checking the debugs, I
> noticed that when the access list is applied to Int VLAN30 the switch is not
> aware of the DHCP request. DHCPD: DHCPDISCOVER is never received by the
> switch. But when I removed the access list, DHCP worked well. So how should I
> configure the access list in order to allow DHCP in VLAN30 while the hosts in
> VLAN30 don't communicate with the other VLANs? Or maybe change the DHCP
> configuration, but how?
>
> Rgds.
>
> --
> Omar E.P.T
> -----------------
> Certified Networking Professionals make better Connections!
>
>

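Added example (not part of the original thread): a small Python model of first-match ACL evaluation with the implicit deny at the end, run over the BLOCKING-VLAN entries from the post. The packets are constructed samples, and DHCP_ACE is an assumed form of the suggested line, narrowed to UDP port 68 to 67.

```python
# Added illustration: first-match evaluation of the BLOCKING-VLAN ACL from the post.
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def wc_match(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are 'don't care'."""
    return (_ip(addr) ^ _ip(base)) & ~_ip(wildcard) & 0xFFFFFFFF == 0

def host(a):
    return (a, "0.0.0.0")

ANY = ("0.0.0.0", "255.255.255.255")
VLAN30 = ("10.53.8.0", "0.0.0.255")

# ACEs as (action, proto, src, dst, sport, dport); a port of None is not checked.
BLOCKING_VLAN = [
    ("permit", "ip", VLAN30, host("10.53.0.1"), None, None),
    ("deny", "ip", VLAN30, ("10.53.0.0", "0.0.0.255"), None, None),
    ("deny", "ip", VLAN30, ("10.53.5.0", "0.0.0.255"), None, None),
    ("permit", "ip", VLAN30, ANY, None, None),
]
# Assumed form of the suggested entry, narrowed to UDP 68 -> 67.
DHCP_ACE = ("permit", "udp", host("0.0.0.0"), host("255.255.255.255"), 68, 67)

def evaluate(acl, pkt):
    """Return (action, matching line number); line None means implicit deny."""
    for n, (action, proto, src, dst, sport, dport) in enumerate(acl, 1):
        if proto not in ("ip", pkt["proto"]):
            continue
        if not (wc_match(pkt["src"], *src) and wc_match(pkt["dst"], *dst)):
            continue
        if sport is not None and pkt.get("sport") != sport:
            continue
        if dport is not None and pkt.get("dport") != dport:
            continue
        return action, n
    return "deny", None

# Constructed sample packets (not captured traffic).
DISCOVER = {"proto": "udp", "src": "0.0.0.0", "dst": "255.255.255.255", "sport": 68, "dport": 67}
RENEW = {"proto": "udp", "src": "10.53.8.200", "dst": "10.53.8.1", "sport": 68, "dport": 67}
TO_VLAN10 = {"proto": "tcp", "src": "10.53.8.200", "dst": "10.53.0.10", "dport": 445}

if __name__ == "__main__":
    for name, acl in (("as posted", BLOCKING_VLAN), ("with DHCP entry", [DHCP_ACE] + BLOCKING_VLAN)):
        for label, pkt in (("DISCOVER", DISCOVER), ("RENEW", RENEW), ("to VLAN 10", TO_VLAN10)):
            print(name, label, evaluate(acl, pkt))
```

Every posted entry requires a 10.53.8.0/24 source, so the DISCOVER sourced from 0.0.0.0 falls through to the implicit deny, while a unicast renewal from an addressed host already matches the last permit.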

