Cisco Support Community
Community Member

Need to restrict a vlan and use dhcp at same time

My company has a 6513 as the core switch (which is configured as our DHCP server) and about twenty 3550s trunked from the core to make up our LAN. I have configured dhcp pools on the core as well as Vlans on the core. I have configured the interfaces on the 3550s for the appropriate Vlan and all is well with our 40+ Vlans obtaining IP addresses from the core. But... I want to create a new vlan called Internet-Only that would restrict access only to allow Internet traffic and DHCP traffic.

On this new Vlan, I have created this ACL:

ip access-list extended INTERNET-ONLY
 permit tcp x.x.x.x host x.x.x.x eq 8080
 permit udp any any eq 67

This should restrict Vlan access only to one host (our proxy server) through port 8080 for internet traffic. It should also allow traffic through udp port 67, which should allow dhcp.

On the vlan interface I entered:

ip access-group INTERNET-ONLY in

I have configured this exact scenario on a standalone 3550 at my desk and dhcp works fine. When I implement this into the production network, an amber light comes on the interface LED and I get no dhcp.

Will I need to grant access to more udp ports in order for dhcp to work? Will I need to configure an ip-helper address pointing to the core? Why would this scenario work on a standalone switch and not our production environment?

Please help


Community Member

Re: Need to restrict a vlan and use dhcp at same time

One basic thing: this could be a problem with your access list as well.

Community Member

Re: Need to restrict a vlan and use dhcp at same time

Yes, it works fine without the access list, but I need to know what other access list entries to add in order for DHCP to work. I just want internet traffic on this vlan and DHCP to assign addresses.

I need to know what ports to turn on in order for dhcp to work. I thought I only needed ports 67 and 68 (bootps & bootpc) turned on, but DHCP does not work. The same scenario works on a standalone 3550, but not from a trunked switch that is getting DHCP from the core.
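The following is an added illustration, not code from this thread or from Cisco: a small Python model of how an inbound extended ACL on the VLAN interface evaluates the traffic discussed in the first post and in the reply above. The addresses (proxy 10.0.0.80, core SVI 10.50.0.1 acting as DHCP server, client 10.50.0.23) and the sample packets are constructed for the example. It shows which DHCP messages an `in` ACL actually sees (the client's Discover/Request, sent from 0.0.0.0 port 68 to 255.255.255.255 port 67, and unicast renewals to port 67), that the server's Offer/Ack (port 67 to port 68) leaves the interface outbound and is not evaluated by an inbound ACL, and how a tighter entry that also pins the source port to 68 behaves. It models what the ACL as written permits and denies; it does not diagnose why the production switch behaves differently.

```python
"""Model of an inbound IOS extended ACL on an SVI (added example, not from the thread)."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

PROXY = "10.0.0.80"        # assumed proxy address (the thread only shows x.x.x.x)
DHCP_SERVER = "10.50.0.1"  # assumed core SVI address, which is also the DHCP server
CLIENT = "10.50.0.23"      # assumed client address once it holds a lease


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One access-list entry: action proto src [eq sport] dst [eq dport]."""
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches any IP protocol
    src: str                 # "any", a single host address, or a CIDR prefix
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (
            self.proto in ("ip", pkt.proto)
            and in_net(pkt.src, self.src)
            and in_net(pkt.dst, self.dst)
            and (self.sport is None or pkt.sport == self.sport)
            and (self.dport is None or pkt.dport == self.dport)
        )


def in_net(addr: str, spec: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def evaluate(acl, pkt):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for index, ace in enumerate(acl):
        if ace.matches(pkt):
            return ace.action, index
    return "deny", None


# The ACL from the first post (proxy address assumed).
INTERNET_ONLY = [
    Ace("permit", "tcp", "any", PROXY, dport=8080),  # web traffic to the proxy only
    Ace("permit", "udp", "any", "any", dport=67),    # DHCP client -> server (bootps)
]

# Tighter variant: DHCP must come from the client port (bootpc, 68) and end with
# an explicit deny entry; on a real switch that entry can carry "log" so that
# "show ip access-lists" counters and syslog show what is being dropped.
INTERNET_ONLY_TIGHT = [
    Ace("permit", "udp", "any", "any", sport=68, dport=67),
    Ace("permit", "tcp", "any", PROXY, dport=8080),
    Ace("deny", "ip", "any", "any"),
]

# Constructed packets as they enter the SVI from the VLAN (the only direction an
# "ip access-group ... in" ACL evaluates).
INBOUND = {
    "dhcp discover/request (broadcast)": Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "dhcp renew (unicast)": Packet("udp", CLIENT, 68, DHCP_SERVER, 67),
    "web via proxy": Packet("tcp", CLIENT, 51000, PROXY, 8080),
    "direct web, bypassing proxy": Packet("tcp", CLIENT, 51001, "203.0.113.10", 80),
    "smb to a file server": Packet("tcp", CLIENT, 51002, "10.0.0.5", 445),
    "dns": Packet("udp", CLIENT, 51003, "10.0.0.53", 53),
}

# The server's Offer/Ack travels the other way (port 67 -> port 68) and is never
# checked against the inbound ACL, so no "eq 68" entry is needed for it there.
OUTBOUND_REPLY = Packet("udp", DHCP_SERVER, 67, "255.255.255.255", 68)


def verdicts(acl):
    """Map each constructed inbound packet to its permit/deny result."""
    return {name: evaluate(acl, pkt)[0] for name, pkt in INBOUND.items()}


if __name__ == "__main__":
    for label, acl in (("as posted", INTERNET_ONLY), ("tight", INTERNET_ONLY_TIGHT)):
        print(f"--- {label} ---")
        for name, verdict in verdicts(acl).items():
            print(f"{verdict:6s} {name}")
```

Run it and compare the two tables; the only difference appears for UDP traffic to port 67 that does not originate from port 68, which the posted ACL permits and the tight variant drops on its explicit deny entry.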


Re: Need to restrict a vlan and use dhcp at same time

SPAN the client switch port when the access list is not applied to determine exactly what ports you need to open. This way you don't have to keep on guessing what layer 4 ports to open.
