VACL seems to block DHCP

d.bader
Level 1

Cat6506 Version 12.1(11b)E

VLAN filter applied to one VLAN. Forwarding and dropping work fine, but DHCP requests from clients to the DHCP server within that VLAN don't work.

Any Idea?

Thanks in advance.

Daniel

7 Replies

t.baranski
Level 4

Can you post the VACL?

Here it is:

Extended IP access list AZG_DROP
    permit ip 10.67.29.0 0.0.0.255 10.0.0.0 0.255.255.255

Extended IP access list AZG_FORWARD
    permit ip 10.67.29.0 0.0.0.255 host 194.40.128.61
    permit ip 10.67.29.0 0.0.0.255 host 194.40.150.62
    permit ip 10.67.29.0 0.0.0.255 host 10.67.5.133
    permit ip 10.67.29.0 0.0.0.255 host 10.67.5.228
    permit ip 10.67.29.0 0.0.0.255 host 10.67.40.51
    permit ip 10.67.29.0 0.0.0.255 host 194.40.128.60
    permit ip 10.67.29.0 0.0.0.255 host 10.72.145.206
    permit ip 10.67.29.0 0.0.0.255 host 10.72.145.204
    permit ip 10.67.29.0 0.0.0.255 host 160.63.4.87
    permit ip 10.67.29.0 0.0.0.255 host 194.40.134.25
    permit ip 10.67.29.0 0.0.0.255 host 194.40.128.38
    permit ip 10.67.29.0 0.0.0.255 host 194.40.128.72
    permit ip 10.67.29.0 0.0.0.255 host 194.40.128.73
    permit ip 10.67.29.0 0.0.0.255 host 195.65.169.249
    permit ip 10.67.29.0 0.0.0.255 host 194.40.128.58
    permit ip any 10.67.29.0 0.0.0.255

Vlan access-map "AZG" 10
    match: ip address AZG_FORWARD
    action: forward
Vlan access-map "AZG" 20
    match: ip address AZG_DROP
    action: drop log

VLAN Map AZG:
    Configured on VLANs: 29
    Active on VLANs: 29

Regards

Daniel

Ok, I guess the next thing we need to know are the source and destination IPs/subnets that DHCP requests are going to, and if there's any relaying involved. And are any DHCP packets logged as being dropped?

That's what we can see:

Aug 28 15:14:22: datagramsize=342, IP 30909: s=0.0.0.0 (Vlan29), d=255.255.255.255, totlen 328, fragment 0, fo 0, rcvd 2
Aug 28 15:14:22: UDP src=68, dst=67

The DHCP request is sourced within VLAN 29, and the DHCP server belongs to VLAN 29 as well.

No drops logged.

The default action of a VLAN map is to drop any packets not matched if there's at least one match clause for a given packet type (IP in this case). And such drops won't be logged.

Nothing in AZG_FORWARD allows these DHCP packets through. I'd suggest putting a "permit ip host 0.0.0.0 host 255.255.255.255" at the end and see if DHCP works then. If not, try a "permit ip any any".

Okay. Also DHCP responses have to be defined. This way it works.

Many thanks for your suggestions.

Best regards

Daniel

ip access-list extended AZG_FORWARD
 remark Intra-VLAN traffic
 permit ip 10.67.29.0 0.0.0.255 10.67.29.0 0.0.0.255
 remark DHCP requests
 permit ip host 0.0.0.0 host 255.255.255.255
 remark DHCP response
 permit ip 10.67.29.0 0.0.0.255 host 255.255.255.255
 remark Response traffic local and other stuff
 permit ip any 10.67.29.0 0.0.0.255
 remark Local campus traffic
 permit ip 10.67.29.0 0.0.0.255 host 10.67.5.133
 permit ip 10.67.29.0 0.0.0.255 host 10.67.5.228
 permit ip 10.67.29.0 0.0.0.255 host 10.67.5.101
 --More--

vlan access-map AZG 10
 match ip address AZG_FORWARD
 action forward

vlan filter AZG vlan-list 29
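To make the behaviour discussed above concrete, here is an added example (not code from the thread or from Cisco): a small Python simulator of VLAN access-map evaluation, run against the original AZG map and against the fixed AZG_FORWARD as posted. It parses only `permit ip` entries in the `host` / `any` / wildcard-mask forms, treats a map sequence as taken when its ACL permits the packet, tries sequences in order, and applies the unlogged implicit drop when no sequence is taken. The DHCP server address 10.67.29.10 and the client address 10.67.29.50 are assumptions, and the "fixed" map uses only the lines visible before `--More--`, so the unlogged drop it reports for off-subnet traffic reflects the truncated listing, not necessarily the full device configuration.

```python
"""Minimal Catalyst VACL (VLAN access-map) evaluator for the DHCP case in this thread.

Added example, not from the original post or from Cisco. Handles only
'permit ip' / 'deny ip' entries; a sequence is taken when its ACL permits the
packet, sequences are tried in order, and no match means an unlogged drop.
"""
import ipaddress

IMPLICIT_DROP = "drop (implicit, not logged)"


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard-mask semantics: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (n | w)


def _parse_addr(tokens, i):
    """Parse one address spec at tokens[i]; return ((network, wildcard), next_index)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_acl(text):
    """Parse extended ACL lines into (action, (src, src_wc), (dst, dst_wc)) tuples."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACE: {line!r}")
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)
        aces.append((action, src, dst))
    return aces


def acl_lookup(aces, src_ip, dst_ip):
    """First-match ACL evaluation: 'permit', 'deny', or None when no entry hits."""
    for action, (s, sw), (d, dw) in aces:
        if wildcard_match(src_ip, s, sw) and wildcard_match(dst_ip, d, dw):
            return action
    return None


def vacl_action(access_map, src_ip, dst_ip):
    """access_map is [(aces, action), ...] in sequence order. ACL 'deny' or a miss
    falls through to the next sequence; no sequence taken means implicit drop."""
    for aces, action in access_map:
        if acl_lookup(aces, src_ip, dst_ip) == "permit":
            return action
    return IMPLICIT_DROP


# Original map from the thread, AZG_FORWARD abridged to representative entries.
ORIG_FORWARD = parse_acl("""
permit ip 10.67.29.0 0.0.0.255 host 194.40.128.61
permit ip 10.67.29.0 0.0.0.255 host 10.67.5.133
permit ip any 10.67.29.0 0.0.0.255
""")
ORIG_DROP = parse_acl("permit ip 10.67.29.0 0.0.0.255 10.0.0.0 0.255.255.255")
ORIG_MAP = [(ORIG_FORWARD, "forward"), (ORIG_DROP, "drop log")]

# Fixed AZG_FORWARD as posted (only the lines visible before --More--).
FIXED_FORWARD = parse_acl("""
remark Intra-VLAN traffic
permit ip 10.67.29.0 0.0.0.255 10.67.29.0 0.0.0.255
remark DHCP requests
permit ip host 0.0.0.0 host 255.255.255.255
remark DHCP response
permit ip 10.67.29.0 0.0.0.255 host 255.255.255.255
remark Response traffic local and other stuff
permit ip any 10.67.29.0 0.0.0.255
permit ip 10.67.29.0 0.0.0.255 host 10.67.5.133
""")
FIXED_MAP = [(FIXED_FORWARD, "forward")]

# Constructed packets. The DISCOVER matches the debug line on the page
# (s=0.0.0.0, d=255.255.255.255); server 10.67.29.10 and client 10.67.29.50 are assumed.
PACKETS = {
    "DHCP DISCOVER (client -> broadcast)": ("0.0.0.0", "255.255.255.255"),
    "DHCP OFFER (server -> broadcast)": ("10.67.29.10", "255.255.255.255"),
    "DHCP RENEW (client -> server unicast)": ("10.67.29.50", "10.67.29.10"),
    "client -> elsewhere in 10/8": ("10.67.29.50", "10.1.2.3"),
}


def evaluate(access_map):
    """Return {packet description: VACL action} for the constructed packets."""
    return {name: vacl_action(access_map, s, d) for name, (s, d) in PACKETS.items()}


if __name__ == "__main__":
    for label, amap in (("original", ORIG_MAP), ("fixed", FIXED_MAP)):
        print(f"--- {label} access-map ---")
        for name, action in evaluate(amap).items():
            print(f"{name:40s} {action}")
```

Running it shows why nothing appeared in the log: the DISCOVER (0.0.0.0 to 255.255.255.255) and the broadcast OFFER hit no entry in either ACL of the original map, so they take the implicit drop rather than the logged `drop log` sequence, while unicast intra-VLAN traffic was already forwarded by `permit ip any 10.67.29.0 0.0.0.255`. With the posted fix both DHCP broadcasts are forwarded.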

Amazing mate, thanks for saving the day for me
