Re: DHCP is not working 3560G

From: Hong Chan (howard.chan34@gmail.com)
Date: Mon Jul 14 2008 - 01:34:33 ART


For me, I will remove the ACL to test the DHCP functionality.
Then use an ACL with deny any any log to check what packets are required for
DHCP.
I use the same method for the ACL security tasks also.

2008/7/13 Jason Madsen <madsen.jason@gmail.com>:

> if you wanted to be as specific as possible, you can use this ACL
> statement:
>
> *permit udp host 0.0.0.0 host 255.255.255.255 eq 67*
>
> just apply it inward toward your dhcp server and of course you'd have to
> read your requirements and see if this is a feasible solution, but it is one
> that works.
>
> hope that helps,
> Jason
>
> On Sat, Jul 12, 2008 at 12:07 PM, Jason Madsen <madsen.jason@gmail.com>
> wrote:
>
> > as Marvin mentioned, when your DHCP client initially does its discover and
> > request it will send to 0.0.0.0 255.255.255.255. the rest of the
> > communication should be between src and dest IP. with all communication, to
> > include the initial discover and request etc., the client will src from UDP
> > port 68 with a dst UDP port of 67 for the DHCP server.
> >
> > so maybe try adding permit host 0.0.0.0 host 255.255.255.255 to the first
> > line in your ACL??? it looks as though the rest of your ACL will permit the
> > rest of the DHCP negotiation.
> >
> > Jason
> >
> >
> > On Sat, Jul 12, 2008 at 11:06 AM, omar parihuana <omar.parihuana@gmail.com>
> > wrote:
> >
> >> Hi Group,
> >>
> >> I've configured a Switch 3560G with 3 SVIs in order to do VLAN routing:
> >>
> >> !
> >> interface Vlan10
> >> description VLAN 10
> >> ip address 10.53.0.253 255.255.255.0
> >> !
> >> interface Vlan20
> >> description VLAN 20
> >> ip address 10.53.5.1 255.255.255.0
> >> !
> >> interface Vlan30
> >> description VLAN 30
> >> ip address 10.53.8.1 255.255.255.0
> >> !
> >> ip route 0.0.0.0 0.0.0.0 10.53.0.1
> >> !
> >>
> >> After that I've configured a DHCP pool in order to assign IP addresses only
> >> to VLAN 30; the conf is:
> >>
> >> !
> >> !
> >> ip dhcp excluded-address 10.53.8.1 10.53.8.199
> >> ip dhcp pool DCHP
> >> network 10.53.8.0 255.255.255.0
> >> default-router 10.53.8.1
> >> dns-server 200.41.96.24 200.41.96.26
> >> !
> >>
> >> After that, hosts in VLAN 30 are assigned an IP address correctly and the
> >> inter-VLAN routing is working fine, but as I need VLAN 30 to reach only
> >> external networks (Internet) and not the other networks (VLAN 10 and
> >> VLAN 20), I've created an access-list:
> >> !
> >> ip access-list extended BLOCKING-VLAN
> >> permit ip 10.53.8.0 0.0.0.255 host 10.53.0.1
> >> deny ip 10.53.8.0 0.0.0.255 10.53.0.0 0.0.0.255 log
> >> deny ip 10.53.8.0 0.0.0.255 10.53.5.0 0.0.0.255 log
> >> permit ip 10.53.8.0 0.0.0.255 any
> >> !
> >>
> >> !
> >> interface Vlan30
> >> description VLAN 30
> >> ip address 10.53.8.1 255.255.255.0
> >> ip access-group BLOCKING-VLAN in
> >> !
> >>
> >> The first sentence in the ACL is necessary to reach the default gateway in
> >> VLAN 10 (see default route above). Apparently all is working well: the hosts
> >> in VLAN 30 don't reach the servers in VLAN 10 and VLAN 20, but DHCP IS NOT
> >> WORKING! No IP address is assigned to hosts. After checking the debugs, I
> >> noticed that when the access-list is applied to Int VLAN30 the Switch is
> >> not aware of the DHCP request. DHCPD: DHCPDISCOVER is never received by the
> >> Switch. But when I removed the access-list then DHCP is working well, so how
> >> should I configure the access-list in order to allow DHCP in VLAN30 while
> >> the hosts in VLAN30 don't communicate with the other VLANs? Or maybe change
> >> the DHCP configuration, but how?
> >>
> >> Rgds.
> >>
> >> --
> >> Omar E.P.T
> >> -----------------
> >> Certified Networking Professionals make better Connections!
> >>
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html

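Added example, not from any poster in the thread: a small Python model of Cisco extended-ACL matching (wildcard masks, first match wins, implicit deny) applied to Omar's BLOCKING-VLAN list. It shows why the broadcast DHCPDISCOVER from an unaddressed client (src 0.0.0.0, dst 255.255.255.255, UDP 68 to 67) falls through to the implicit deny, and that Jason's suggested line, placed first, permits it while VLAN 10 and VLAN 20 stay blocked. The tuple format, the client address 10.53.8.200 and the sample packets are constructed.

```python
import ipaddress

def wild_match(addr, net, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a & ~w) == (n & ~w)

def acl_verdict(acl, proto, src, dst, dport=None):
    """First matching entry wins; every Cisco ACL ends with an implicit deny."""
    for action, aproto, snet, swild, dnet, dwild, aport in acl:
        if aproto != "ip" and aproto != proto:
            continue
        if not (wild_match(src, snet, swild) and wild_match(dst, dnet, dwild)):
            continue
        if aport is not None and aport != dport:
            continue
        return action
    return "deny"

# Omar's BLOCKING-VLAN list as (action, proto, src, src-wildcard, dst,
# dst-wildcard, dst-port). "host x" is wildcard 0.0.0.0, "any" is
# 0.0.0.0 255.255.255.255. Every line requires a source inside 10.53.8.0/24.
BLOCKING_VLAN = [
    ("permit", "ip", "10.53.8.0", "0.0.0.255", "10.53.0.1", "0.0.0.0", None),
    ("deny", "ip", "10.53.8.0", "0.0.0.255", "10.53.0.0", "0.0.0.255", None),
    ("deny", "ip", "10.53.8.0", "0.0.0.255", "10.53.5.0", "0.0.0.255", None),
    ("permit", "ip", "10.53.8.0", "0.0.0.255", "0.0.0.0", "255.255.255.255", None),
]

# Jason's suggested line, placed first so the not-yet-addressed client matches.
DHCP_BOOTSTRAP = ("permit", "udp", "0.0.0.0", "0.0.0.0",
                  "255.255.255.255", "0.0.0.0", 67)
FIXED_VLAN = [DHCP_BOOTSTRAP] + BLOCKING_VLAN

# Constructed sample packets (proto, src, dst, dst-port); 10.53.8.200 is made up.
DISCOVER = ("udp", "0.0.0.0", "255.255.255.255", 67)   # initial DHCPDISCOVER
RENEW = ("udp", "10.53.8.200", "10.53.8.1", 67)        # unicast renewal to the SVI
TO_GATEWAY = ("ip", "10.53.8.200", "10.53.0.1", None)  # default-route next hop
TO_VLAN10 = ("tcp", "10.53.8.200", "10.53.0.10", 445)  # server in VLAN 10
TO_INTERNET = ("udp", "10.53.8.200", "200.41.96.24", 53)

if __name__ == "__main__":
    samples = [("DISCOVER", DISCOVER), ("RENEW", RENEW), ("TO_GATEWAY", TO_GATEWAY),
               ("TO_VLAN10", TO_VLAN10), ("TO_INTERNET", TO_INTERNET)]
    for name, pkt in samples:
        print(f"{name:12} original={acl_verdict(BLOCKING_VLAN, *pkt):6} "
              f"fixed={acl_verdict(FIXED_VLAN, *pkt)}")
```

Only the broadcast DISCOVER changes verdict between the two lists; the renewal and Internet traffic were already permitted by the final `permit ip ... any`, which is what Jason meant by the rest of the ACL covering the rest of the negotiation.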


This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:55 ART