catalyst 2950, access list, dhcp

 
 
Dmitry Melekhov
Guest
Posts: n/a
 
      03-19-2008
Hello!

I need to set ip access-group on 2950 interface, so workstation will
have access only to some addresses.
It works, but workstation can't get ip address from dhcp server.
Could you tell me what I have to allow in such list to have dhcp work?

access-list 101 permit ip any host 192.168.21.220
access-list 101 permit ip any host 192.168.22.254
access-list 101 permit ip any host 192.168.22.91
access-list 101 permit ip any host 192.168.22.92
access-list 101 deny ip any any


interface FastEthernet0/16
description GUEST
switchport access vlan 300
ip access-group 101 in

News Reader
Guest
Posts: n/a
 
      03-19-2008
Dmitry Melekhov wrote:
> Hello!
>
> I need to set ip access-group on 2950 interface, so workstation will
> have access only to some addresses.
> It works, but workstation can't get ip address from dhcp server.
> Could you tell me what I have to allow in such list to have dhcp work?
>
> access-list 101 permit ip any host 192.168.21.220
> access-list 101 permit ip any host 192.168.22.254
> access-list 101 permit ip any host 192.168.22.91
> access-list 101 permit ip any host 192.168.22.92
> access-list 101 deny ip any any
>
>
> interface FastEthernet0/16
> description GUEST
> switchport access vlan 300
> ip access-group 101 in
>


Make sure that the IP address of the DHCP server is one of the permitted
addresses in the ACL. If not, add an additional ACE (Access Control
Entry) to support the DHCP Server's IP address.

Make sure that you have defined a DHCP scope (pool of addresses
available for assignment) from the subnet being used for vlan 300 (i.e.:
each vlan is on a different subnet and therefore would require a
distinct scope).

Best regards,
News Reader
Dmitry Melekhov
Guest
Posts: n/a
 
      03-20-2008
On 19 Mar, 20:00, News Reader <(E-Mail Removed)> wrote:

> Make sure that the IP address of the DHCP server is one of the permitted
> addresses in the ACL.


Yes, it is in the list.
Really, I don't know how dhcp works - do its packets contain the sender's
ip address?


> Make sure that you have defined a DHCP scope (pool of addresses
> available for assignment) from the subnet being used for vlan 300 (i.e.:
> each vlan is on a different subnet and therefore would require a
> distinct scope).


dhcp works without access groups...
Trendkill
Guest
Posts: n/a
 
      03-20-2008
On Mar 19, 11:33 pm, Dmitry Melekhov <(E-Mail Removed)> wrote:
> On 19 Mar, 20:00, News Reader <(E-Mail Removed)> wrote:
>
> > Make sure that the IP address of the DHCP server is one of the permitted
> > addresses in the ACL.

>
> Yes, it is in the list.
> Really, I don't know how dhcp works - do its packets contain the sender's
> ip address?
>
> > Make sure that you have defined a DHCP scope (pool of addresses
> > available for assignment) from the subnet being used for vlan 300 (i.e.:
> > each vlan is on a different subnet and therefore would require a
> > distinct scope).

>
> dhcp works without access groups...


What is the IP of your workstation and DHCP server? Do you have
ip-helpers configured on the workstation vlan? F0/16 is the interface
that connects to your workstation?

Technically, dhcp works by the workstation broadcasting for an IP
address, which the router in your vlan needs to forward to the dhcp
server via an ip-helper statement. Therefore, the packet does not
have a destination of the dhcp server because the workstation does not
have an IP itself, and has no idea what the address of the dhcp server
is. You need to add a statement that allows this udp/bootpc
traffic.

Check this out: http://www.velocityreviews.com/forum...ccesslist.html
News Reader
Guest
Posts: n/a
 
      03-20-2008
Trendkill wrote:
> On Mar 19, 11:33 pm, Dmitry Melekhov <(E-Mail Removed)> wrote:
>> On 19 Mar, 20:00, News Reader <(E-Mail Removed)> wrote:
>>
>>> Make sure that the IP address of the DHCP server is one of the permitted
>>> addresses in the ACL.

>> Yes, it is in the list.
>> Really, I don't know how dhcp works - do its packets contain the sender's
>> ip address?
>>
>>> Make sure that you have defined a DHCP scope (pool of addresses
>>> available for assignment) from the subnet being used for vlan 300 (i.e.:
>>> each vlan is on a different subnet and therefore would require a
>>> distinct scope).

>> dhcp works without access groups...

>
> What is the IP of your workstation and DHCP server? Do you have
> ip-helpers configured on the workstation vlan? F0/16 is the interface
> that connects to your workstation?
>
> Technically, dhcp works by the workstation broadcasting for an IP
> address, which the router in your vlan needs to forward to the dhcp
> server via an ip-helper statement. Therefore, the packet does not
> have a destination of the dhcp server because the workstation does not
> have an IP itself, and has no idea what the address of the dhcp server
> is. You need to add a statement that allows this udp/bootpc
> traffic.
>
> Check this out: http://www.velocityreviews.com/forum...ccesslist.html


I experienced a bit of tunnel vision when I reviewed the ACL, and forgot
to think about the workings of DHCP. Sorry!

Although the DHCP Discover and Request packets sent by the host are
"broadcasts", the host does send "unicast" packets to the server when
releasing, renewing, and rebinding.

Best regards,
News Reader

Bod43@hotmail.co.uk
Guest
Posts: n/a
 
      03-20-2008
On 20 Mar, 16:26, News Reader <(E-Mail Removed)> wrote:
> Trendkill wrote:
> > On Mar 19, 11:33 pm, Dmitry Melekhov <(E-Mail Removed)> wrote:
> >> On 19 Mar, 20:00, News Reader <(E-Mail Removed)> wrote:

>
> >>> Make sure that the IP address of the DHCP server is one of the permitted
> >>> addresses in the ACL.
> >> Yes, it is in the list.
> >> Really, I don't know how dhcp works - do its packets contain the sender's
> >> ip address?

>
> >>> Make sure that you have defined a DHCP scope (pool of addresses
> >>> available for assignment) from the subnet being used for vlan 300 (i.e.:
> >>> each vlan is on a different subnet and therefore would require a
> >>> distinct scope).
> >> dhcp works without access groups...

>
> > What is the IP of your workstation and DHCP server? Do you have
> > ip-helpers configured on the workstation vlan? F0/16 is the interface
> > that connects to your workstation?

>
> > Technically, dhcp works by the workstation broadcasting for an IP
> > address, which the router in your vlan needs to forward to the dhcp
> > server via an ip-helper statement. Therefore, the packet does not
> > have a destination of the dhcp server because the workstation does not
> > have an IP itself, and has no idea what the address of the dhcp server
> > is. You need to add a statement that allows this udp/bootpc
> > traffic.

>
> > Check this out: http://www.velocityreviews.com/forum...ccesslist.html

>
> I experienced a bit of tunnel vision when I reviewed the ACL, and forgot
> to think about the workings of DHCP. Sorry!
>
> Although the DHCP Discover and Request packets sent by the host are
> "broadcasts", the host does send "unicast" packets to the server when
> releasing, renewing, and rebinding.
>
> Best regards,
> News Reader


Does a 2950 really support IP access-lists on its L2 ports?

I would perhaps expect it to support them on the management
VLAN interface but not on the L2 ports.

No reason of course that it could not be implemented but
not at all what I would expect.

Suppose I better look it up.

Oh well wrong again -
http://www.cisco.com/en/US/docs/swit...html#wp4213991

This command is available on physical interfaces only if your switch
is running the enhanced software image (EI).


Examples
This example shows how to configure an extended IP ACL that allows
only TCP traffic to the destination IP address 128.88.1.2 with a TCP
port number of 25 and how to apply it to an interface:

Switch(config)# access-list 102 permit tcp any host 128.88.1.2 eq 25
Switch(config)# interface fastethernet0/8
Switch(config-if)# ip access-group 102 in
This is an example of an extended ACL that allows TCP traffic
only from two specified networks. The wildcard bits apply to
the host portions of the network addresses. Any host with a
source address that does not match the ACL statements is denied.

access-list 104 permit tcp 192.5.0.0 0.0.255.255 any
access-list 104 permit tcp 128.88.0.0 0.0.255.255 any

Michael T. Davis
Guest
Posts: n/a
 
      03-20-2008

In article <(E-Mail Removed)>
Dmitry Melekhov <(E-Mail Removed)> writes:

>Hello!
>
>I need to set ip access-group on 2950 interface, so workstation will
>have access only to some addresses.
>It works, but workstation can't get ip address from dhcp server.
>Could you tell me what I have to allow in such list to have dhcp work?
>
>access-list 101 permit ip any host 192.168.21.220
>access-list 101 permit ip any host 192.168.22.254
>access-list 101 permit ip any host 192.168.22.91
>access-list 101 permit ip any host 192.168.22.92
>access-list 101 deny ip any any
>
>
>interface FastEthernet0/16
> description GUEST
> switchport access vlan 300
> ip access-group 101 in
>


Try...

permit udp host 0.0.0.0 any eq bootps

...before your default deny rule. (bootps is equivalent to the decimal
value 67.)

Regards,
Mike
--
                                        | Systems Specialist: CBE,MSE
Michael T. Davis (Mike)                 | Departmental Networking/Computing
http://www.ecr6.ohio-state.edu/~davism/ | The Ohio State University
                                        | 197 Watts, (614) 292-6928
Dmitry Melekhov
Guest
Posts: n/a
 
      03-21-2008
On 20 Mar, 23:05, (E-Mail Removed)-state.edu (Michael T. Davis) wrote:

> permit udp host 0.0.0.0 any eq bootps


This is what I did, but I have to allow all udp traffic (this is
acceptable for me), just because IOS says that I can't mix rules with
and without ports in the same access-list.
Dmitry Melekhov
Guest
Posts: n/a
 
      03-21-2008
On 20 Mar, 19:26, News Reader <(E-Mail Removed)> wrote:

>
> Although the DHCP Discover and Request packets sent by the host are
> "broadcasts"


I guess that the request doesn't pass my rules with the server address.
But if these packets are broadcast, which destination ip do they have?
Merv
Guest
Posts: n/a
 
      03-21-2008

> I guess that the request doesn't pass my rules with the server address.
> But if these packets are broadcast, which destination ip do they have?


try

access-list 101 permit ip any host 192.168.21.220
access-list 101 permit ip any host 192.168.22.254
access-list 101 permit ip any host 192.168.22.91
access-list 101 permit ip any host 192.168.22.92

access-list 101 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255
eq bootps

access-list 101 deny ip any any
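
Added example, not from the thread or from Cisco: a small Python matcher for the extended-ACL syntax used above, run over list 101 as Dmitry posted it and again with Merv's bootpc/bootps entry, against a constructed DHCP Discover (source 0.0.0.0, destination 255.255.255.255, UDP 68 to 67) and a constructed unicast renew. The DHCP server address 192.168.22.254 and the client address 192.168.22.10 are assumptions, not values given in the thread.

```python
# Added example (not from the thread): a minimal matcher for the extended-ACL
# syntax used above, showing why list 101 drops a DHCP Discover and why the
# extra bootpc/bootps ACE fixes it. Only 'any', 'host X' and 'eq <port>' parse.
BOOTPS, BOOTPC = 67, 68                       # server and client UDP ports
PORT_NAMES = {"bootps": BOOTPS, "bootpc": BOOTPC}

def _addr(t, i):                              # 'any' -> "any"; 'host X' -> "X"
    return ("any", i + 1) if t[i] == "any" else (t[i + 1], i + 2)

def _port(t, i):                              # optional 'eq <name|number>'
    if i < len(t) and t[i] == "eq":
        return int(PORT_NAMES.get(t[i + 1], t[i + 1])), i + 2
    return None, i                            # None = any port

def parse_ace(line):
    """'access-list N permit|deny ip|udp SRC [eq P] DST [eq P]' -> tuple."""
    t = line.split()
    src, i = _addr(t, 4)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, _ = _port(t, i)
    return t[2], t[3], src, sport, dst, dport

def acl_action(acl, pkt):
    """First matching ACE wins; unmatched traffic hits the implicit deny.
    pkt = (proto, src_ip, src_port, dst_ip, dst_port)."""
    proto, sip, sp, dip, dp = pkt
    for action, aproto, src, sport, dst, dport in map(parse_ace, acl):
        if (aproto in ("ip", proto) and src in ("any", sip) and dst in ("any", dip)
                and sport in (None, sp) and dport in (None, dp)):
            return action
    return "deny"

ORIGINAL_ACL = [                              # Dmitry's list as posted
    "access-list 101 permit ip any host 192.168.21.220",
    "access-list 101 permit ip any host 192.168.22.254",
    "access-list 101 permit ip any host 192.168.22.91",
    "access-list 101 permit ip any host 192.168.22.92",
    "access-list 101 deny ip any any",
]
FIXED_ACL = ORIGINAL_ACL[:-1] + [             # Merv's ACE before the final deny
    "access-list 101 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps",
    ORIGINAL_ACL[-1],
]
# Constructed packets. A Discover has no source IP yet and is broadcast; a
# renew is unicast from the leased address to the server (.22.254 assumed).
DISCOVER = ("udp", "0.0.0.0", BOOTPC, "255.255.255.255", BOOTPS)
RENEW = ("udp", "192.168.22.10", BOOTPC, "192.168.22.254", BOOTPS)
```

acl_action(ORIGINAL_ACL, DISCOVER) returns "deny" while acl_action(FIXED_ACL, DISCOVER) returns "permit"; the unicast renew is permitted by both lists, which is why checking the server's host address alone did not explain the failure.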



 