Re: DHCP is not working 3560G

From: Jason Madsen (madsen.jason@gmail.com)
Date: Sat Jul 12 2008 - 15:23:08 ART


if you wanted to be as specific as possible, you can use this ACL statement:

    permit udp host 0.0.0.0 host 255.255.255.255 eq 67

just apply it inward toward your dhcp server and of course you'd have to
read your requirements and see if this is a feasible solution, but it is one
that works.

hope that helps,
Jason

On Sat, Jul 12, 2008 at 12:07 PM, Jason Madsen <madsen.jason@gmail.com>
wrote:

> as Marvin mentioned, when your DHCP client initially does its discover and
> request it will send to 0.0.0.0 255.255.255.255. the rest of the
> communication should be between src and dest IP. with all communication, to
> include the initial discover and request etc., the client will src from UDP
> port 68 with a dst UDP port of 67 for the DHCP server.
>
> so maybe try adding permit host 0.0.0.0 host 255.255.255.255 to the first
> line in your ACL??? it looks as though the rest of your ACL will permit the
> rest of the DHCP negotiation.
>
> Jason
>
>
> On Sat, Jul 12, 2008 at 11:06 AM, omar parihuana <omar.parihuana@gmail.com>
> wrote:
>
>> Hi Group,
>>
>> I've configured a 3560G switch with 3 SVIs in order to do VLAN routing:
>>
>> !
>> interface Vlan10
>>  description VLAN 10
>>  ip address 10.53.0.253 255.255.255.0
>> !
>> interface Vlan20
>>  description VLAN 20
>>  ip address 10.53.5.1 255.255.255.0
>> !
>> interface Vlan30
>>  description VLAN 30
>>  ip address 10.53.8.1 255.255.255.0
>> !
>> ip route 0.0.0.0 0.0.0.0 10.53.0.1
>> !
>>
>> After I've configured a DHCP Pool in order to assign IP addresses only to
>> VLAN 30, the conf is:
>>
>> !
>> ip dhcp excluded-address 10.53.8.1 10.53.8.199
>> ip dhcp pool DCHP
>>  network 10.53.8.0 255.255.255.0
>>  default-router 10.53.8.1
>>  dns-server 200.41.96.24 200.41.96.26
>> !
>>
>> After that, hosts in VLAN 30 are assigned an IP address correctly and the
>> inter-VLAN routing is working fine, but as I need VLAN 30 to reach only
>> external networks (Internet) and not other networks (VLAN 10 and VLAN 20),
>> I've created an access list:
>> !
>> ip access-list extended BLOCKING-VLAN
>>  permit ip 10.53.8.0 0.0.0.255 host 10.53.0.1
>>  deny ip 10.53.8.0 0.0.0.255 10.53.0.0 0.0.0.255 log
>>  deny ip 10.53.8.0 0.0.0.255 10.53.5.0 0.0.0.255 log
>>  permit ip 10.53.8.0 0.0.0.255 any
>> !
>> interface Vlan30
>>  description VLAN 30
>>  ip address 10.53.8.1 255.255.255.0
>>  ip access-group BLOCKING-VLAN in
>> !
>>
>> The first sentence in the ACL is necessary to reach the default gateway in
>> VLAN 10 (see default route above). Apparently all is working well: the hosts
>> in VLAN 30 don't reach the servers in VLAN 10 and VLAN 20, but DHCP IS NOT
>> WORKING! No IP addresses are assigned to hosts. After checking the debugs, I
>> noticed that when the access list is applied to Int VLAN30 the switch is not
>> aware of the DHCP request. DHCPD: DHCPDISCOVER is never received by the
>> switch. But when I removed the access list, DHCP worked well. So how should
>> I configure the access list in order to allow DHCP in VLAN 30 while the hosts
>> in VLAN 30 don't communicate with the other VLANs? Or maybe change the DHCP
>> configuration, but how?
>>
>> Rgds.
>>
>> --
>> Omar E.P.T
>> -----------------
>> Certified Networking Professionals make better Connections!
>>
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
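
Added example, not part of the original thread: a simplified first-match model of extended-ACL evaluation, run over the BLOCKING-VLAN entries quoted above. It shows the DHCPDISCOVER (0.0.0.0 to 255.255.255.255, UDP port 67) falling through to the implicit deny, and passing once the permit statement from the reply is placed first, while VLAN 30 to VLAN 10 traffic stays blocked. The function names, the sample packets and the host addresses 10.53.8.200 and 10.53.0.10 are assumptions made for the example; source ports and the log action are not modelled.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def parse_addr(tokens):
    # Consume one IOS address spec and return (base, wildcard) as integers.
    t = tokens.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return ip(tokens.pop(0)), 0
    return ip(t), ip(tokens.pop(0))

def parse_ace(line):
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    src, dst = parse_addr(tokens), parse_addr(tokens)
    dport = int(tokens[1]) if tokens[:1] == ["eq"] else None
    return action, proto, src, dst, dport  # a trailing "log" is ignored

def addr_match(addr, spec):
    base, wild = spec  # wildcard bits set to 1 are "don't care"
    return (ip(addr) | wild) == (base | wild)

def evaluate(acl, pkt):
    # First matching entry wins; no match means the implicit deny applies.
    for line in acl:
        action, proto, src, dst, dport = parse_ace(line)
        if proto not in ("ip", pkt["proto"]):
            continue
        if not (addr_match(pkt["src"], src) and addr_match(pkt["dst"], dst)):
            continue
        if dport is not None and dport != pkt["dport"]:
            continue
        return action, line
    return "deny", "implicit deny"

BLOCKING_VLAN = [  # entries as quoted in the thread
    "permit ip 10.53.8.0 0.0.0.255 host 10.53.0.1",
    "deny ip 10.53.8.0 0.0.0.255 10.53.0.0 0.0.0.255 log",
    "deny ip 10.53.8.0 0.0.0.255 10.53.5.0 0.0.0.255 log",
    "permit ip 10.53.8.0 0.0.0.255 any",
]
FIXED = ["permit udp host 0.0.0.0 host 255.255.255.255 eq 67"] + BLOCKING_VLAN
# Constructed sample packets; the host addresses are made up for the example.
DISCOVER = {"proto": "udp", "src": "0.0.0.0", "dst": "255.255.255.255", "dport": 67}
TO_VLAN10 = {"proto": "tcp", "src": "10.53.8.200", "dst": "10.53.0.10", "dport": 445}
TO_DNS = {"proto": "udp", "src": "10.53.8.200", "dst": "200.41.96.24", "dport": 53}

if __name__ == "__main__":
    for pkt in (DISCOVER, TO_VLAN10, TO_DNS):
        print(pkt["src"], "->", pkt["dst"], evaluate(BLOCKING_VLAN, pkt)[0], evaluate(FIXED, pkt)[0])
```

Every entry in the original list has a source of 10.53.8.0 0.0.0.255, so a packet sourced from 0.0.0.0 can never match any of them.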



This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:54 ART