New Member

ACL Problem

I have created an ACL to allow one network to get to the listed servers, and I want to deny all other traffic. My problem is that when I apply my ACL to the interface, my handhelds do not get any IP addresses from the DHCP server, thus not allowing them to access any other servers. I have read as much information about ACLs as I can, but have yet to find the problem with my ACL. Is my problem that obvious, that gleaming, that I cannot find it? All hints and tips would be greatly appreciated.

permit udp 192.168.116.0 0.0.0.255 host 172.16.3.4

permit udp 192.168.116.0 0.0.0.255 host 192.168.7.6

permit tcp 192.168.116.0 0.0.0.255 host 172.16.15.25

permit tcp 192.168.116.0 0.0.0.255 host 172.18.155.20

permit tcp 192.168.116.0 0.0.0.255 host 172.18.155.21

permit tcp 192.168.116.0 0.0.0.255 host 172.16.26.85

permit tcp 192.168.116.0 0.0.0.255 host 172.16.26.86

permit udp 192.168.116.0 0.0.0.255 host 172.18.155.20

permit udp 192.168.116.0 0.0.0.255 host 172.18.155.21

permit udp 192.168.116.0 0.0.0.255 host 172.16.26.85

permit udp 192.168.116.0 0.0.0.255 host 172.16.26.86

permit udp 192.168.116.0 0.0.0.255 host 172.16.1.122

permit tcp 192.168.116.0 0.0.0.255 host 172.18.156.20

permit tcp 192.168.116.0 0.0.0.255 host 172.16.26.87

permit tcp 192.168.116.0 0.0.0.255 host 172.25.15.17

permit udp 192.168.116.0 0.0.0.255 host 172.25.15.17

permit tcp 192.168.116.0 0.0.0.255 host 172.25.15.25

permit udp 192.168.116.0 0.0.0.255 host 172.25.15.25

permit icmp any any

deny ip any any log

On my vlan 116 I am applying the following line.

ip access-group WirelessClients in

Thanks in advance for your help.

12 REPLIES

Re: ACL Problem

Do you have a helper for the DHCP server on the VLAN interface?

ip helper-address DHCP SERVER IP

New Member

Re: ACL Problem

Yes the line below is on my vlan 116 interface.

ip helper-address 192.168.7.6

Re: ACL Problem

Just checking, try changing your ACL to out

ip access-group WirelessClients out

New Member

Re: ACL Problem

No, that is a good catch for the helper address. I will try the out, but other than that, does the ACL look OK? I've been told that there is a problem with it, but I cannot find the answer after all my ACL digging.

Re: ACL Problem

The format looks correct.

Bronze

Re: ACL Problem

Hi,

Are you seeing anything in your logs, since you're logging the denies at the end of the ACL? Have you tried adding a line in your ACL to permit UDP any any to make sure it's not denying the UDP broadcasts?

HTH

New Member

Re: ACL Problem

I am seeing several hits on the deny ip any any log, 6249 to be exact.

I will give this a try later in the day when traffic allows me to apply it.

permit udp any any

Bronze

Re: ACL Problem

Hi,

If you do a "show log", can you see what's getting denied? You may need to turn "logging on" if you don't see anything in the logs, but since you're logging the denies you should see them.

HTH

New Member

Re: ACL Problem

Yes, my UDP packets are getting denied. Should I put something like this in?

I see the packets being denied to 192.168.7.6 and to 224.0.0.2. Should I put the following lines in?

permit udp any any

or

permit udp 192.168.116.0 0.0.0.255 host 224.0.0.2

Re: ACL Problem

Add the following entry to accommodate the DHCP clients:

permit udp any eq bootpc any eq bootps

The client is "broadcasting" to any DHCP server. Therefore the destination IP is 255.255.255.255, and will not match any of your IP-specific ACEs.

The client packets will be using a source address of 0.0.0.0 prior to obtaining a lease on an IP address, therefore you will need to use the keyword "any" as the source in the ACE also.

Keep in mind that you need to provision the return path for the server responses (i.e.: use inspection, or provision ACLS in the return path).
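The matching behaviour described in this reply, as an added example that is not part of the thread: a small Python model of Cisco-style first-match ACL evaluation with wildcard masks, run over an abridged copy of the original poster's ACL. It uses constructed packets (a DHCP DISCOVER from 0.0.0.0 to 255.255.255.255, UDP 68 to 67, and a unicast renewal from a leased client to 192.168.7.6) and shows that the DISCOVER falls through to the "deny ip any any log" entry until the "permit udp any eq bootpc any eq bootps" ACE is inserted, while the unicast renewal was already permitted by the existing host 192.168.7.6 entry. The function and class names are the example's own.

```python
"""Cisco-style wildcard-mask ACL evaluation applied to DHCP client traffic.

Added example (not the thread's own code). Models the inbound ACL on VLAN 116
and evaluates constructed DHCP packets against it with first-match semantics.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOS port keywords used in the thread
PORT_NAMES = {"bootps": 67, "bootpc": 68}


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


@dataclass(frozen=True)
class ACE:
    text: str
    action: str            # "permit" or "deny"
    proto: str             # "ip", "udp", "tcp", "icmp"
    src: int
    src_wc: int            # wildcard mask: a 1 bit means "don't care"
    dst: int
    dst_wc: int
    src_port: Optional[int]
    dst_port: Optional[int]

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        # Compare only the bits where the wildcard mask is 0.
        if (pkt["src"] ^ self.src) & ~self.src_wc & 0xFFFFFFFF:
            return False
        if (pkt["dst"] ^ self.dst) & ~self.dst_wc & 0xFFFFFFFF:
            return False
        if self.src_port is not None and pkt.get("sport") != self.src_port:
            return False
        if self.dst_port is not None and pkt.get("dport") != self.dst_port:
            return False
        return True


def _addr(t: List[str], i: int) -> Tuple[int, int, Optional[int], int]:
    """Parse one address spec at t[i]; return (ip, wildcard, eq-port, next index)."""
    if t[i] == "any":
        ip, wc, i = 0, 0xFFFFFFFF, i + 1
    elif t[i] == "host":
        ip, wc, i = _ip(t[i + 1]), 0, i + 2
    else:
        ip, wc, i = _ip(t[i]), _ip(t[i + 1]), i + 2
    port = None
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        i += 2
    return ip, wc, port, i


def parse_ace(line: str) -> ACE:
    """Parse the subset of IOS ACE syntax used in the thread (trailing 'log' is ignored)."""
    t = line.split()
    src, src_wc, sport, i = _addr(t, 2)
    dst, dst_wc, dport, _ = _addr(t, i)
    return ACE(line.strip(), t[0], t[1], src, src_wc, dst, dst_wc, sport, dport)


def evaluate(acl: List[ACE], pkt: dict) -> Tuple[str, str]:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action, ace.text
    return "deny", "implicit deny"


def packet(proto: str, src: str, dst: str, sport=None, dport=None) -> dict:
    return {"proto": proto, "src": _ip(src), "dst": _ip(dst), "sport": sport, "dport": dport}


# Abridged copy of the original poster's ACL (first entries plus the tail).
OP_ACL_TEXT = """\
permit udp 192.168.116.0 0.0.0.255 host 172.16.3.4
permit udp 192.168.116.0 0.0.0.255 host 192.168.7.6
permit tcp 192.168.116.0 0.0.0.255 host 172.16.15.25
permit icmp any any
deny ip any any log
"""
OP_ACL = [parse_ace(l) for l in OP_ACL_TEXT.splitlines() if l.strip()]
DHCP_FIX = parse_ace("permit udp any eq bootpc any eq bootps")
FIXED_ACL = OP_ACL[:-1] + [DHCP_FIX] + OP_ACL[-1:]   # insert before the final deny

# Constructed sample traffic as seen inbound on VLAN 116.
DISCOVER = packet("udp", "0.0.0.0", "255.255.255.255", 68, 67)   # client with no lease yet
RENEW = packet("udp", "192.168.116.50", "192.168.7.6", 68, 67)   # unicast renewal once leased

if __name__ == "__main__":
    print("original  DISCOVER ->", evaluate(OP_ACL, DISCOVER))
    print("with fix  DISCOVER ->", evaluate(FIXED_ACL, DISCOVER))
    print("original  RENEW    ->", evaluate(OP_ACL, RENEW))
```

Because the DISCOVER's source is 0.0.0.0, an entry keyed on the 192.168.116.0 0.0.0.255 source (such as the 224.0.0.2 line proposed earlier in the thread) can never match it; only a source of "any" does.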

New Member

Re: ACL Problem

Thanks Michael. You said "Keep in mind that you need to provision the return path for the server responses (i.e.: use inspection, or provision ACLS in the return path)." Does this mean I need to add the following line?

permit udp host 192.168.7.6 192.168.116.0 0.0.0.255

I appreciate all the great help and great ideas; this is definitely going to help me get closer to an answer.

Re: ACL Problem

In your situation (using a helper address), you would be concerned with the exchange between the router and the DHCP server (specifically, the packets returning from the DHCP server).

Unfortunately, I've never used a sniffer to examine one of these exchanges (I don't use the helper address function). Presumably, the DHCP server could be several hops away. If it were, then the packets would use unicast addresses for sure.

Depending on whether you have an ACL on the router interface facing the DHCP server (and the ACEs it contains), you may not have a provisioning issue for the return traffic from the DHCP server.

Add the previously indicated ACE to allow the DHCP clients to reach the router, and leverage the help of the router (via the helper address), and then determine whether an issue still exists with router-to-DHCP-server communications.
