Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Access-lists and DHCP across a Public VLAN

Status
Not open for further replies.
fdurham

fdurham

MIS
Sep 14, 2005
103
US
Greetings-

I have been racking my brain on this particular issue. What I am trying to do is create a Public VLAN for vendors and vistors in our company that will restrict them from accessing our corporate network while allowing them to access web, email and VPn connections to the outside. In addtion when people connect to this VLAN, they are retrieving a DHCP IP addy for a windows 2000 server. Without any access-list the process works just fine. Here is an example of the interface and the access-list which is attached to the interface. When applied I am no longer able to get an IP address from the win2k server. Any insight how to correct his problem.

interface Vlan10
description vlan 10 - Guest VLAN
ip address 10.10.9.1 255.255.255.0
ip broadcast-address 10.10.9.255
ip access-group 100 in
ip helper-address 172.16.201.10
ip helper-address 172.16.201.1



access-list 100 permit ip any host 172.16.201.11
access-list 100 permit udp any host 172.16.201.10 eq domain
access-list 100 permit udp any host 172.16.201.11 eq domain
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any eq 443
access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq ftp
access-list 100 deny ip any any

Frank



 
Sort by date Sort by votes
Simple. The broadcast for DHCP is getting stopped by your ACL before it gets to the IP Helper command to be forwarded to your server. Here's part of the fix.

access-list 100 permit udp any 10.10.9.1 eq 67
access-list 100 permit udp any 10.10.9.1 eq 68
access-list 100 permit udp any 255.255.255.255 eq 67
access-list 100 permit udp any 255.255.255.255 eq 68

It's been awhile since I've done a packet capture of this session, but this should make it work. I don't think all 4 lines are needed, but some of them for sure. This will allow the broadcasts to get to your vlan interface and then be forwarded to your server.

Another spin is layer 3 switches now support DHCP, so you could have a DHCP server for that vlan on the switch itself. You'd have to have most of those acl lines to do that too.

Kurt
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Lccarter
  • Locked
  • Question
Cisco CUCM Provisioning and Order Management System
Replies
1
Views
136
Lccarter
Lccarter
jarod_paris
  • Locked
  • Question
firmware for an AP2800 WiFi terminal
Replies
0
Views
139
jarod_paris
jarod_paris
cheikhdtn
  • Locked
  • Question
VLAN
Replies
3
Views
85
iggsterman
iggsterman
Zero6
  • Locked
  • Question
question about cisco cbs 350-12xs 12 port 10g sfp+
Replies
0
Views
116
Zero6
Zero6
WinstonCH
  • Locked
  • Helpful tip
What is wrong with the diagram, there are people who will help to fix it? How do i do the configurat
Replies
1
Views
148
BIS
BIS

Part and Inventory Search

Sponsor

Back
Top