ACL for DHCP Configured on Cisco Switch – VLAN and DHCP Guide

aclciscodhcpswitchvlan

We have a DHCP pool configured on Cisco L3 switch for hosts on SVI.
Since we want to restrict connectivity to DHCP which is on the same switch.

excluded 172.24.19.1-172.24.19.50
SVI IP 172.24.19.50
DHCP gateway 172.24.19.50

Without acl the ipconfig output shows DHCP server as 172.24.19.50
Tried below acl but clients fail to get IP

permit ip any 172.24.19.0 0.0.0.255

permit ip 0.0.0.0 255.255.255.255 172.24.19.50 0.0.0.0

Direction- IN on SVI

what acl should be defined on vlan interface.

Best Answer

To allow DHCP:

ip access-list extended ACL-DHCP-NET
permit udp any host 255.255.255.255 eq 67 68
<other rules>

To reject DHCP:

ip access-list extended ACL-STATIC-NET:
deny udp any host 255.255.255.255 eq 67 68
<other rules>

Related Solutions

Vlan – Setting up PIM Sparse mode

My questions are:

Should we setup on our core network switch OSPF with a router ID of 1.1.1.1 and then not set any OSPF settings on any other switch?

OSPF is not necessary for this implementation.

Would PIM Sparse Mode only need to be enabled on the core switches or on all of the switches in the network?

Pim-SM needs to be enabled on each L3 interface on which you want to allow the multicast traffic. For example, if you wish to contain the traffic to Vlans 15 and 14, you would have to do the following on your core:

configure
ip multicast
ip igmp
ip pim sparse
interface vlan 14
ip igmp
ip pim
interface vlan 15
ip igmp
ip pim
exit

If you want the traffic to traverse all Vlans, then you will need the appropriate interface configuration under each Vlan. Your L2 switches will need IGMP snooping turned on (ideally on all interfaces via the global configuration).

configure
ip igmp snooping 
bridge multicast filtering

For a very basic multicast setup like this, these should be the only features that you would need.

HP Procurve 5406zl – ACL issue

According to the Access Security Guide for your device, the first address and mask of an ACE is source and the second address and mask is the destination. (Just in case, an ACE is an Access Control Entry; that is any line an access-list is made of)

ACE 20 of your ACL states source 192.168.50.0/24 and destination 192.168.101.0/24, then you apply the ACL at VLAN 101 input; however, your VLAN 101 is 192.168.101.0/24, so any input traffic at VLAN 101 would have source address in 192.168.101.0/24. So ACE 20 in your ACL is wrong, you need an ACE with action permit, source 192.168.101.0/24 and destination 192.168.50.0/24.

ip access-list extended "SecureContent"
    10 permit ip 192.168.101.0 0.0.0.255 192.168.50.0 0.0.0.255

Regarding the way back for this traffic, it will cross VLAN 101 outbound, so ACL should not be applied to this traffic and it should be allowed.

If traffic back is not allowed then you need to add the way back in your ACL.

ip access-list extended "SecureContent"
    10 permit ip 192.168.101.0 0.0.0.255 192.168.50.0 0.0.0.255
    20 permit ip 192.168.50.0 0.0.0.255 192.168.101.0 0.0.0.255

EDITED to change the line above to reflect proper ACL structure of numbered entries. (10, 20, etc).

Best Answer

Related Solutions

Vlan – Setting up PIM Sparse mode

HP Procurve 5406zl – ACL issue

Related Topic