I have created an ACL to allow one network to get to the listed servers and I want to deny all other traffic. My problem is that when I apply my ACL to the interface my handhelds do not get any IP addresses from the DHCP server, thus not allowing them to access any other servers. I have read as much information about ACLs as I can, but have yet to find my problem with my ACL. Is my problem that obvious, that gleaming, that I cannot find it? All hints and tips would be greatly appreciated.
permit udp 192.168.116.0 0.0.0.255 host 172.16.3.4
permit udp 192.168.116.0 0.0.0.255 host 192.168.7.6
permit tcp 192.168.116.0 0.0.0.255 host 172.16.15.25
permit tcp 192.168.116.0 0.0.0.255 host 172.18.155.20
permit tcp 192.168.116.0 0.0.0.255 host 172.18.155.21
permit tcp 192.168.116.0 0.0.0.255 host 172.16.26.85
permit tcp 192.168.116.0 0.0.0.255 host 172.16.26.86
permit udp 192.168.116.0 0.0.0.255 host 172.18.155.20
permit udp 192.168.116.0 0.0.0.255 host 172.18.155.21
permit udp 192.168.116.0 0.0.0.255 host 172.16.26.85
permit udp 192.168.116.0 0.0.0.255 host 172.16.26.86
permit udp 192.168.116.0 0.0.0.255 host 172.16.1.122
permit tcp 192.168.116.0 0.0.0.255 host 172.18.156.20
permit tcp 192.168.116.0 0.0.0.255 host 172.16.26.87
permit tcp 192.168.116.0 0.0.0.255 host 172.25.15.17
permit udp 192.168.116.0 0.0.0.255 host 172.25.15.17
permit tcp 192.168.116.0 0.0.0.255 host 172.25.15.25
permit udp 192.168.116.0 0.0.0.255 host 172.25.15.25
permit icmp any any
deny ip any any log
On my VLAN 116 I am applying the following line.
ip access-group WirelessClients in
Thanks in advance for your help.
No, that is a good catch for the helper address. I will try that out, but other than that does the ACL look OK? I've been told that there is a problem with it, but I cannot find the answer after all my ACL digging.
Are you seeing anything in your logs since you're logging the denies at the end of the ACL? Have you tried adding a line in your ACL to permit UDP any any to make sure it's not denying the UDP broadcasts?
I am seeing several hits on the deny ip any any log line (6249, to be exact).
I will give this a try later in the day when traffic allows me to apply it.
permit udp any any
If you do a "show log" can you see what's getting denied? You may need to turn "logging on" if you don't see anything in the logs, but since you're logging the denies you should see them.
Yes, my UDP packets are getting denied. Should I put something like this in?
I see the packets being denied to 192.168.7.6 and to 18.104.22.168. Should I put the following lines in?
permit udp any any
permit udp 192.168.116.0 0.0.0.255 host 22.214.171.124
Add the following entry to accommodate the DHCP clients:
permit udp any eq bootpc any eq bootps
The client is "broadcasting" to any DHCP server. Therefore the destination IP is 255.255.255.255, and will not match any of your IP-specific ACEs.
The client packets will be using a source address of 0.0.0.0 prior to obtaining a lease on an IP address, therefore you will need to use the keyword "any" as the source in the ACE also.
Keep in mind that you need to provision the return path for the server responses (i.e.: use inspection, or provision ACLs in the return path).
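To make the point about broadcast DHCP concrete, here is a small first-match ACL evaluator. It is an added example, not code from this thread or from Cisco; it models only the IOS syntax the posted ACL uses (permit/deny, ip/udp/tcp/icmp, any, host, wildcard masks, eq with the bootpc/bootps keywords, a trailing log). The ACL inside it is abridged from the one posted above, and the packets are constructed, not captures from the poster's network. It shows that a DHCP DISCOVER from 0.0.0.0:68 to 255.255.255.255:67 fails every host-specific ACE and lands on the final deny, that the suggested ACE matches it, and that the suggested ACE is far narrower than "permit udp any any".

```python
"""Toy first-match evaluator for IOS-style extended ACL entries (added example).

Shows why a DHCP client's first packets (src 0.0.0.0 port 68 -> dst
255.255.255.255 port 67, sent before it holds a lease) miss every
host-specific ACE in the posted ACL and fall through to 'deny ip any any log'.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"bootps": 67, "bootpc": 68}      # IOS port keywords used here
IMPLICIT_DENY = "deny ip any any (implicit)"   # every IOS ACL ends with this

@dataclass(frozen=True)
class Ace:
    action: str            # 'permit' or 'deny'
    proto: str             # 'ip' matches any protocol; otherwise 'udp', 'tcp', 'icmp'
    src: str
    src_wild: str          # wildcard mask: a 1 bit means 'don't care'
    dst: str
    dst_wild: str
    src_port: Optional[int]  # 'eq <port>' or None for any port
    dst_port: Optional[int]
    text: str              # the ACE as written, for reporting

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

def _parse_addr(toks: List[str], i: int) -> Tuple[str, str, int]:
    """'any' | 'host A' | 'A WILDCARD' starting at toks[i]."""
    if toks[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if toks[i] == "host":
        return toks[i + 1], "0.0.0.0", i + 2
    return toks[i], toks[i + 1], i + 2

def _parse_port(toks: List[str], i: int) -> Tuple[Optional[int], int]:
    """Optional 'eq <name|number>'; gt/lt/range are not modelled."""
    if i < len(toks) and toks[i] == "eq":
        p = toks[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i

def parse_ace(line: str) -> Ace:
    toks = line.split()
    src, sw, i = _parse_addr(toks, 2)
    sp, i = _parse_port(toks, i)
    dst, dw, i = _parse_addr(toks, i)
    dp, _ = _parse_port(toks, i)       # a trailing 'log' keyword is ignored
    return Ace(toks[0], toks[1], src, sw, dst, dw, sp, dp, line)

def _addr_matches(addr: str, base: str, wild: str) -> bool:
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wild))
    care = ~w & 0xFFFFFFFF             # bits the ACE actually compares
    return (a & care) == (b & care)

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and _addr_matches(pkt.src, ace.src, ace.src_wild)
            and _addr_matches(pkt.dst, ace.dst, ace.dst_wild)
            and ace.src_port in (None, pkt.sport)
            and ace.dst_port in (None, pkt.dport))

def first_match(acl: List[str], pkt: Packet) -> Tuple[str, str]:
    """IOS stops at the first matching ACE; return (action, that ACE's text)."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace.action, ace.text
    return "deny", IMPLICIT_DENY

# Abridged from the ACL posted in the thread (same shape, fewer servers).
ORIGINAL_ACL = [
    "permit udp 192.168.116.0 0.0.0.255 host 172.16.3.4",
    "permit udp 192.168.116.0 0.0.0.255 host 192.168.7.6",
    "permit tcp 192.168.116.0 0.0.0.255 host 172.16.15.25",
    "permit icmp any any",
    "deny ip any any log",
]
DHCP_ACE = "permit udp any eq bootpc any eq bootps"
FIXED_ACL = [DHCP_ACE] + ORIGINAL_ACL      # must sit above the final deny

# Constructed packets (not captures from the poster's network).
DHCP_DISCOVER = Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67)
LEASED_TO_SERVER = Packet("udp", "192.168.116.50", "172.16.3.4", 51000, 53)
LEASED_TO_OTHER = Packet("udp", "192.168.116.50", "172.16.99.9", 51000, 514)

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        action, text = first_match(acl, DHCP_DISCOVER)
        print(f"{name:8s} DHCP discover -> {action}: {text}")
```

Two practical points the evaluator makes visible. First, ordering matters: an ACE added to an existing named ACL without a sequence number is appended after "deny ip any any log" and is never reached, so insert it with a sequence number ahead of the deny or rebuild the list. Second, the client-to-server direction is all that an inbound ACL on VLAN 116 sees; once the router relays via the helper address, the router-to-server exchange is unicast and enters the router on the server-facing interface, so it is governed by whatever ACL is applied there, not by this one.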
Thanks Michael. You said "Keep in mind that you need to provision the return path for the server responses (i.e.: use inspection, or provision ACLs in the return path)." Does this mean I need to add the following line?
permit udp host 192.168.7.6 192.168.116.0 0.0.0.255
I appreciate all the great help and great ideas; this is definitely going to help me get closer to an answer.
In your situation (using a helper address), you would be concerned with the exchange between the router and the DHCP server (specifically, the packets returning from the DHCP server).
Unfortunately, I've never used a sniffer to examine one of these exchanges (I don't use the helper address function). Presumably, the DHCP server could be several hops away. If it were, then the packets would use unicast addresses for sure.
Depending on whether you have an ACL on the router interface facing the DHCP server (and the ACEs it contains), you may not have a provisioning issue for the return traffic from the DHCP server.
Add the previously indicated ACE to allow the DHCP clients to reach the router, and leverage the help of the router (via the helper address), and then determine whether an issue still exists with router-to-DHCP-server communications.