
New Member

VACL seems to block DHCP

Cat6506 Version 12.1(11b)E

VLAN filter applied to one VLAN. Forwarding and dropping work fine, but DHCP requests from clients to the DHCP server within that VLAN don't work.

Any Idea?

Thanks in advance.

Daniel

6 REPLIES
Bronze

Re: VACL seems to block DHCP

Can you post the VACL?

New Member

Re: VACL seems to block DHCP

Here it is:

Extended IP access list AZG_DROP
    permit ip 10.67.29.0 0.0.0.255 10.0.0.0 0.255.255.255

Extended IP access list AZG_FORWARD
    permit ip 10.67.29.0 0.0.0.255 host 194.40.128.61
    permit ip 10.67.29.0 0.0.0.255 host 194.40.150.62
    permit ip 10.67.29.0 0.0.0.255 host 10.67.5.133
    permit ip 10.67.29.0 0.0.0.255 host 10.67.5.228
    permit ip 10.67.29.0 0.0.0.255 host 10.67.40.51
    permit ip 10.67.29.0 0.0.0.255 host 194.40.128.60
    permit ip 10.67.29.0 0.0.0.255 host 10.72.145.206
    permit ip 10.67.29.0 0.0.0.255 host 10.72.145.204
    permit ip 10.67.29.0 0.0.0.255 host 160.63.4.87
    permit ip 10.67.29.0 0.0.0.255 host 194.40.134.25
    permit ip 10.67.29.0 0.0.0.255 host 194.40.128.38
    permit ip 10.67.29.0 0.0.0.255 host 194.40.128.72
    permit ip 10.67.29.0 0.0.0.255 host 194.40.128.73
    permit ip 10.67.29.0 0.0.0.255 host 195.65.169.249
    permit ip 10.67.29.0 0.0.0.255 host 194.40.128.58
    permit ip any 10.67.29.0 0.0.0.255

Vlan access-map "AZG" 10
    match: ip address AZG_FORWARD
    action: forward
Vlan access-map "AZG" 20
    match: ip address AZG_DROP
    action: drop log

VLAN Map AZG:
    Configured on VLANs: 29
    Active on VLANs: 29

Regards

Daniel

Bronze

Re: VACL seems to block DHCP

Ok, I guess the next thing we need to know are the source and destination IPs/subnets that DHCP requests are going to, and if there's any relaying involved. And are any DHCP packets logged as being dropped?

New Member

Re: VACL seems to block DHCP

That's what we can see:

Aug 28 15:14:22: datagramsize=342, IP 30909: s=0.0.0.0 (Vlan29), d=255.255.255.255, totlen 328, fragment 0, fo 0, rcvd 2

Aug 28 15:14:22: UDP src=68, dst=67

The DHCP request is sourced within VLAN 29, and the DHCP server belongs to VLAN 29 as well.

No drops logged.

Bronze

Re: VACL seems to block DHCP

The default action of a VLAN map is to drop any packets not matched if there's at least one match clause for a given packet type (IP in this case). And such drops won't be logged.

Nothing in AZG_FORWARD allows these DHCP packets through. I'd suggest putting a "permit ip host 0.0.0.0 host 255.255.255.255" at the end and see if DHCP works then. If not, try a "permit ip any any".

New Member

Re: VACL seems to block DHCP

Okay. DHCP responses also have to be defined. This way it works.

Many thanks for your suggestions.

Best regards

Daniel

ip access-list extended AZG_FORWARD
 remark Intra-VLAN traffic
 permit ip 10.67.29.0 0.0.0.255 10.67.29.0 0.0.0.255
 remark DHCP requests
 permit ip host 0.0.0.0 host 255.255.255.255
 remark DHCP response
 permit ip 10.67.29.0 0.0.0.255 host 255.255.255.255
 remark Response traffic local and other stuff
 permit ip any 10.67.29.0 0.0.0.255
 remark Local campus traffic
 permit ip 10.67.29.0 0.0.0.255 host 10.67.5.133
 permit ip 10.67.29.0 0.0.0.255 host 10.67.5.228
 permit ip 10.67.29.0 0.0.0.255 host 10.67.5.101
 --More--

vlan access-map AZG 10
 match ip address AZG_FORWARD
 action forward

vlan filter AZG vlan-list 29
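To make the mechanism behind both the explanation (a VLAN map evaluates its sequences in order and silently drops any IP packet no clause matches) and the fix concrete, here is an added Python model of that evaluation. It is illustrative code written for this thread, not Cisco software and not posted by any participant. It assumes IOS wildcard-mask semantics (a set bit means "don't care"), reproduces only a representative subset of the AZG_FORWARD host entries, and assumes sequence 20 (AZG_DROP, action drop log) is unchanged in the corrected configuration, since the final listing is cut off at --More--. The sample packets are constructed to mirror the logged 0.0.0.0 -> 255.255.255.255 discover plus a broadcast and a unicast DHCP reply.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One 'permit ip <src> <src-wildcard> <dst> <dst-wildcard>' entry."""
    src: int
    src_wild: int
    dst: int
    dst_wild: int


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def permit(src: str, src_wild: str, dst: str, dst_wild: str) -> Ace:
    return Ace(_ip(src), _ip(src_wild), _ip(dst), _ip(dst_wild))


ANY = ("0.0.0.0", "255.255.255.255")   # IOS keyword "any"
HOST = "0.0.0.0"                        # wildcard used by IOS "host x.x.x.x"


def _wild_match(addr: int, base: int, wild: int) -> bool:
    # Bits set in the wildcard are ignored; every other bit must be equal.
    care = ~wild & 0xFFFFFFFF
    return ((addr ^ base) & care) == 0


def ace_matches(a: Ace, src: str, dst: str) -> bool:
    return (_wild_match(_ip(src), a.src, a.src_wild)
            and _wild_match(_ip(dst), a.dst, a.dst_wild))


def acl_permits(acl, src: str, dst: str) -> bool:
    # The ACLs in this thread contain only permit entries; first match decides.
    return any(ace_matches(a, src, dst) for a in acl)


def vacl_action(access_map, src: str, dst: str) -> str:
    """Evaluate a VLAN access-map: list of (sequence, acl, action).
    The first sequence whose ACL matches supplies the action; if none
    matches, the packet is dropped implicitly and nothing is logged."""
    for _seq, acl, action in access_map:
        if acl_permits(acl, src, dst):
            return action
    return "drop"


AZG_DROP = [permit("10.67.29.0", "0.0.0.255", "10.0.0.0", "0.255.255.255")]

# Subset of the original AZG_FORWARD as posted (two host entries plus the "any" line).
ORIGINAL_FORWARD = [
    permit("10.67.29.0", "0.0.0.255", "194.40.128.61", HOST),
    permit("10.67.29.0", "0.0.0.255", "10.67.5.133", HOST),
    permit(*ANY, "10.67.29.0", "0.0.0.255"),
]

# Corrected AZG_FORWARD from the final post (subset of the campus hosts).
FIXED_FORWARD = [
    permit("10.67.29.0", "0.0.0.255", "10.67.29.0", "0.0.0.255"),  # intra-VLAN
    permit("0.0.0.0", HOST, "255.255.255.255", HOST),              # DHCP requests
    permit("10.67.29.0", "0.0.0.255", "255.255.255.255", HOST),    # DHCP response
    permit(*ANY, "10.67.29.0", "0.0.0.255"),                       # replies to VLAN
    permit("10.67.29.0", "0.0.0.255", "10.67.5.133", HOST),        # local campus
]

# Sequence 20 assumed unchanged after the fix (the final listing is truncated).
ORIGINAL_MAP = [(10, ORIGINAL_FORWARD, "forward"), (20, AZG_DROP, "drop log")]
FIXED_MAP = [(10, FIXED_FORWARD, "forward"), (20, AZG_DROP, "drop log")]

# Constructed sample packets (name, source, destination).
SAMPLE_PACKETS = [
    ("DHCP discover (client -> bcast)", "0.0.0.0", "255.255.255.255"),
    ("DHCP offer, broadcast", "10.67.29.5", "255.255.255.255"),
    ("DHCP offer, unicast", "10.67.29.5", "10.67.29.20"),
    ("client -> permitted host", "10.67.29.10", "194.40.128.61"),
    ("client -> other 10/8 host", "10.67.29.10", "10.5.5.5"),
]


def compare(packets=SAMPLE_PACKETS):
    """Return {name: (action under original map, action under fixed map)}."""
    return {name: (vacl_action(ORIGINAL_MAP, s, d), vacl_action(FIXED_MAP, s, d))
            for name, s, d in packets}


if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:34s} before: {before:9s} after: {after}")
```

Running the block shows the discover and the broadcast offer falling through both sequences in the original map (an unlogged drop, which is why nothing appeared in the logs), while the unicast offer was already covered by the "any -> 10.67.29.0/24" entry; under the corrected ACL all three DHCP packets are forwarded and traffic to other 10/8 hosts still hits the logged drop in sequence 20.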
