A couple of months ago I was designing ACLs for one of my customers. Their R&D VLAN and their DHCP server VLAN were different VLANs. My job was to create an ACL so that:
the R&D VLAN can only talk to the server VLAN, and all other inter-VLAN communication within that organization is blocked.

Let's say:
R&D VLAN = 10.77.1.0/24
Server VLAN = 10.100.0.0/24
DHCP server IP = 10.100.0.5

Here you can see that the DHCP server is already inside the server VLAN.

So, this is what I did (these are not the exact IOS commands I used):

I created an ACL saying:
permit ip 10.77.1.0/24 10.100.0.0/24
permit ip 10.100.0.0/24 10.77.1.0/24

deny ip all


which means: let R&D talk to the servers and vice versa, and deny everything else.

Since the DHCP server was in the server VLAN, I had permitted that subnet for the R&D VLAN, and the DHCP helper (ip helper-address) was also configured properly, I thought it should be okay.
But it was not okay. I realized some computers in R&D were working and some were not.

After some troubleshooting I realized that the computers still holding their old IP address were working, and the computers that had tried to renew their IP had no IP at all.
I tried releasing and renewing the IP on the working computers, and then those computers stopped working as well:
ipconfig /release
ipconfig /renew

So now I was dead sure that R&D could not talk to the server VLAN, and that something was wrong with the ACL I had created. So I assigned a static IP on one PC and tried to ping some servers; and it WORKED.

That means the PCs could not talk to the DHCP server only. What could be the reason? The reason is this:

DHCP discover packet

When a client wants to get an IP address it sends out a broadcast where the source IP is 0.0.0.0 and the destination IP is 255.255.255.255.
My newly created ACL was blocking that, since only the R&D subnet was permitted to talk to the servers: a source of 0.0.0.0 is not inside 10.77.1.0/24, so the discover falls through to the deny.

So all I did was add this before the “deny” (these are not the exact IOS commands I used):
permit ip 10.77.1.0/24 10.100.0.0/24
permit ip 10.100.0.0/24 10.77.1.0/24

permit ip host 0.0.0.0 host 255.255.255.255
deny ip all

And after that everything started functioning normally.
So whenever the “working VLAN” and the DHCP server are on different VLANs, add this extra statement to your ACL.
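To see why the first ACL drops the discover and the second one passes it, here is a small first-match ACL simulator I added for this post; it is not the author's configuration and not Cisco code. It assumes the ACL is applied inbound on the R&D VLAN interface and uses constructed sample packets; the DHCP permit is narrowed to UDP port 67 (bootps) so the entry covers only DHCP discovery rather than every IP protocol sent from 0.0.0.0 to 255.255.255.255.

```python
import ipaddress
# Constructed model of an IOS extended ACL: ordered entries, first match wins,
# and the trailing entry plays the role of the implicit "deny ip any any".
def entry(action, proto, src, dst, dport=None):
    return (action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), dport)
RND = "10.77.1.0/24"       # R&D VLAN from the post
SERVERS = "10.100.0.0/24"  # server VLAN from the post (DHCP server 10.100.0.5)

# The original ACL: subnet-to-subnet traffic only.
ACL_ORIGINAL = [
    entry("permit", "ip", RND, SERVERS),
    entry("permit", "ip", SERVERS, RND),
    entry("deny", "ip", "0.0.0.0/0", "0.0.0.0/0"),
]

# The fix from the post, narrowed to UDP/67 (bootps): only the DHCP
# client-to-server broadcast is let through, not every IP protocol sent
# from 0.0.0.0 to 255.255.255.255.
ACL_FIXED = [
    entry("permit", "ip", RND, SERVERS),
    entry("permit", "ip", SERVERS, RND),
    entry("permit", "udp", "0.0.0.0/32", "255.255.255.255/32", 67),
    entry("deny", "ip", "0.0.0.0/0", "0.0.0.0/0"),
]

def evaluate(acl, proto, src, dst, dport=None):
    """Return 'permit' or 'deny' for one packet using first-match semantics."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, aproto, asrc, adst, adport in acl:
        if aproto != "ip" and aproto != proto:
            continue                      # protocol does not match this entry
        if s not in asrc or d not in adst:
            continue                      # addresses do not match this entry
        if adport is not None and adport != dport:
            continue                      # destination port does not match
        return action
    return "deny"                         # implicit deny at the end of every IOS ACL

# Constructed packets as seen inbound on the R&D VLAN interface.
SAMPLES = {
    "discover": ("udp", "0.0.0.0", "255.255.255.255", 67),  # client with no lease
    "renew":    ("udp", "10.77.1.25", "10.100.0.5", 67),    # unicast renew of a held lease
    "ping":     ("icmp", "10.77.1.30", "10.100.0.5", None), # static-IP host pinging a server
    "stray":    ("tcp", "0.0.0.0", "255.255.255.255", 445), # non-DHCP traffic on the same addresses
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:9s} original={evaluate(ACL_ORIGINAL, *pkt):6s} fixed={evaluate(ACL_FIXED, *pkt)}")
```

The "stray" packet shows what the narrower entry buys you: the broad "permit ip host 0.0.0.0 host 255.255.255.255" would pass it, the UDP/67 form does not.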