  1. #1

    FN-GM

    Why won't my Cisco ACL work?

    Hi,

    The below is a snippet of my Cisco 3560 config. I am setting up an ACL for VLAN 600. It is set up to deny all unless there is a permit rule.

    The blue text is a rule for DHCP and works a treat (woo hoo).
    The red text is to allow port 80 (web) on the same server, but this rule doesn't work. If I remove the ACL from the VLAN I can get to it fine.

    The host for DHCP and web services is 172.20.1.1

    What have I done wrong, please?

    Thanks

    Code:
    interface Vlan600
     description BYOD VLAN
     ip address 10.12.12.254 255.255.255.0
     ip access-group BYOD out
     ip helper-address 172.20.1.1
    !
    ip access-list extended BYOD
     permit udp 10.12.12.0 0.0.0.255 eq bootpc host 172.20.1.1 eq bootps
     permit tcp 10.12.12.0 0.0.0.255 host 172.20.1.1 eq www
     deny   ip any any
    Last edited by FN-GM; 3rd December 2012 at 06:58 PM.

  2. #2
    DMcCoy
    It's possible neither rule is actually working; the DHCP request is probably being relayed via the helper address.

  3. #3

    FN-GM
    If I remove the rule and leave the IP helper it won't pick up an IP; based on that I am assuming it is working.

  4. #4
    DMcCoy
    It's difficult to tell without seeing the whole config. I assume the clients are using 10.12.12.254 as their gateway, and the web server is using 172.20.1.254. If the web server has an external address then you may need to put a route on it for the 10.12.12.0 range.

  5. #5

    twin--turbo
    Swap to

    ip access-group byod in

    and I just use

    permit udp any eq bootpc any

    for DHCP with the helper in the VLAN too.

    You should not need the deny either, as this should be explicit.

    Rob

  6. #6

    twin--turbo
    Code:
    interface Vlan600
     description BYOD VLAN
     ip address 10.12.12.254 255.255.255.0
     ip access-group BYOD in
     ip helper-address 172.20.1.1
    !
    ip access-list extended BYOD
     ! DHCP clients send from UDP 68 (bootpc), so the inbound rule keys on the source port, as in the post above
     permit udp any eq bootpc any
     permit tcp 10.12.12.0 0.0.0.255 host 172.20.1.1 eq www
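To make the direction point in the two posts above concrete, here is an added example (not code from the thread or from Cisco) that evaluates the subset of IOS extended-ACL syntax used here against constructed sample flows. An ACL applied `out` on the SVI only sees traffic the switch forwards toward the VLAN hosts, so the original `permit tcp 10.12.12.0 ... eq www` entry never matches the server's reply (source 172.20.1.1, port 80) and the implicit deny drops it; applied `in`, the client's SYN matches and the reply is not filtered at all. The addresses mirror the thread; the packets, helper names and the `from_vlan` flag are assumptions of this example.

```python
"""Minimal evaluator for the IOS extended-ACL subset used in the thread.
Added example: shows why the same ACL behaves differently applied 'in'
versus 'out' on an SVI. Packets below are constructed, not captures."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port keywords IOS accepts after 'eq' (only the ones used here).
PORT_NAMES = {"www": 80, "bootps": 67, "bootpc": 68}


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" | "udp"
    src: str
    sport: int
    dst: str
    dport: int
    from_vlan: bool     # True: a VLAN 600 host sent it toward the SVI


@dataclass(frozen=True)
class Ace:
    action: str         # "permit" | "deny"
    proto: str          # "ip" | "tcp" | "udp"
    src_net: int
    src_wild: int
    sport: Optional[int]
    dst_net: int
    dst_wild: int
    dport: Optional[int]


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _addr(t: list, i: int):
    """Parse 'any' | 'host A' | 'A WILDCARD' at t[i]; return (net, wildcard, next_i)."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return _ip(t[i + 1]), 0, i + 2
    return _ip(t[i]), _ip(t[i + 1]), i + 2


def _port(t: list, i: int):
    """Parse an optional 'eq PORT' clause at t[i]."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_acl(text: str) -> list:
    """Parse an 'ip access-list extended' body; the header and '!' lines are skipped."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] not in ("permit", "deny"):
            continue
        sn, sw, i = _addr(t, 2)
        sp, i = _port(t, i)
        dn, dw, i = _addr(t, i)
        dp, i = _port(t, i)
        aces.append(Ace(t[0], t[1], sn, sw, sp, dn, dw, dp))
    return aces


def _addr_match(addr: str, net: int, wild: int) -> bool:
    care = ~wild & 0xFFFFFFFF          # wildcard 1 bits are "don't care"
    return (_ip(addr) & care) == (net & care)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not _addr_match(pkt.src, ace.src_net, ace.src_wild):
        return False
    if not _addr_match(pkt.dst, ace.dst_net, ace.dst_wild):
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(aces: list, pkt: Packet) -> str:
    """First matching entry wins; anything unmatched hits the implicit 'deny ip any any'."""
    for ace in aces:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


def svi_verdict(aces: list, direction: str, pkt: Packet) -> str:
    """'in' only sees packets arriving from VLAN hosts; 'out' only sees packets the
    switch forwards toward them. Any other flow passes unfiltered ('not-evaluated')."""
    if (direction == "in") == pkt.from_vlan:
        return evaluate(aces, pkt)
    return "not-evaluated"


# The ACL from post #1, and the variant from posts #5/#6 (DHCP rule keyed on source port 68).
ORIGINAL_ACL = parse_acl("""
ip access-list extended BYOD
 permit udp 10.12.12.0 0.0.0.255 eq bootpc host 172.20.1.1 eq bootps
 permit tcp 10.12.12.0 0.0.0.255 host 172.20.1.1 eq www
 deny   ip any any
""")
FIXED_ACL = parse_acl("""
ip access-list extended BYOD
 permit udp any eq bootpc any
 permit tcp 10.12.12.0 0.0.0.255 host 172.20.1.1 eq www
""")

# Constructed flows: a client's HTTP SYN, the server's SYN-ACK, and a DHCP DISCOVER
# (sent from 0.0.0.0:68 to 255.255.255.255:67 before the client has a lease).
HTTP_SYN = Packet("tcp", "10.12.12.10", 51000, "172.20.1.1", 80, from_vlan=True)
HTTP_SYNACK = Packet("tcp", "172.20.1.1", 80, "10.12.12.10", 51000, from_vlan=False)
DHCP_DISCOVER = Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67, from_vlan=True)


def http_works(aces: list, direction: str) -> bool:
    """A TCP session needs both halves through; 'not-evaluated' means unfiltered."""
    return all(svi_verdict(aces, direction, p) in ("permit", "not-evaluated")
               for p in (HTTP_SYN, HTTP_SYNACK))


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        for d in ("out", "in"):
            print(f"{name:8} {d:3} http={http_works(acl, d)!s:5} "
                  f"syn-ack={svi_verdict(acl, d, HTTP_SYNACK):13} "
                  f"dhcp-discover={svi_verdict(acl, d, DHCP_DISCOVER)}")
```

Running it shows the original ACL `out` drops the SYN-ACK (and never evaluates the DISCOVER at all, which is why DHCP appeared to work), while the original ACL `in` permits HTTP but denies the DISCOVER, because its DHCP entry requires a 10.12.12.0/24 source and a lease-less client sends from 0.0.0.0. The `permit udp any eq bootpc any` form from post #5 covers that case.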