LAN Routing
ACL to block everything other than DHCP and DNS

 
ScottLangshaw
Occasional Contributor

ACL to block everything other than DHCP and DNS

Hello,

I have configured a VLAN on our core switches to allow the use of a VDI solution, but what I want is for this particular VLAN not to be able to connect with anything else on the network other than DHCP and DNS from our DCs, which are on IPs 10.40.208.169 and 10.40.208.170. I would also like, if possible, to allow the Server VLAN, which is a 10.40.208.128/26 range, to be able to communicate into the VLAN but the clients not to be able to communicate out.

The VLAN is on a 10.77.0.0/16 range. I have created an extended ACL on the core switch, but I cannot seem to get the correct permits and denies on the ACL to get what I need.

Any help would be helpful.

Thanks 

Scott

2 REPLIES
Vince-Whirlwind
Honored Contributor

Re: ACL to block everything other than DHCP and DNS

Bearing in mind ACLs aren't very good and you would be better off putting your VDI hosts in their own zone policed by a proper firewall, if you really want to try this, you should have something like:

allow 10.77.0.0/16 --> 10.40.208.169 : UDP 53,67,68
deny 10.77.0.0/16 --> 0.0.0.0/0

interface vlan 77
ip address 10.77.0.1
apply acl (name) in
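The rule set above is stateless, which is what makes the "servers in, clients not out" part of the question hard: a packet-by-packet ACL has no idea whether a client-to-server packet is a reply or a new connection. The following Python model is an added example, not part of the thread and not any vendor's ACL syntax. It uses the thread's addresses, assumes a Cisco-style `established` match (modelled here as "TCP ACK flag set") is available on the switch, and assumes the switch ACL also sees the client's initial DHCP broadcast, which is sourced from 0.0.0.0 rather than from a 10.77.0.0/16 address.

```python
"""Stateless first-match ACL model for the VDI VLAN in the thread (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Addresses taken from the thread.
VDI_VLAN = ipaddress.ip_network("10.77.0.0/16")
SERVER_VLAN = ipaddress.ip_network("10.40.208.128/26")
DC1 = ipaddress.ip_network("10.40.208.169/32")
DC2 = ipaddress.ip_network("10.40.208.170/32")
ANY = ipaddress.ip_network("0.0.0.0/0")
# What a DHCP client uses before it has a lease (assumed to reach the ACL).
UNCONFIGURED = ipaddress.ip_network("0.0.0.0/32")
BROADCAST = ipaddress.ip_network("255.255.255.255/32")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                            # "udp", "tcp" or "icmp"
    dport: Optional[int] = None
    flags: FrozenSet[str] = frozenset()   # TCP flags, e.g. {"SYN"} or {"ACK"}


@dataclass(frozen=True)
class Rule:
    action: str                           # "permit" or "deny"
    proto: str                            # "udp", "tcp", "icmp" or "ip" (any)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: FrozenSet[int] = frozenset()  # empty = any destination port
    established: bool = False             # TCP only: match only when ACK is set
    note: str = ""

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in self.src:
            return False
        if ipaddress.ip_address(p.dst) not in self.dst:
            return False
        if self.dports and p.dport not in self.dports:
            return False
        if self.established and "ACK" not in p.flags:
            return False
        return True


def evaluate(acl: List[Rule], p: Packet) -> Tuple[str, str]:
    """First match wins; anything unmatched hits the implicit deny."""
    for rule in acl:
        if rule.matches(p):
            return rule.action, rule.note
    return "deny", "implicit deny"


# Inbound ACL on the VDI VLAN interface: evaluated against packets *sent by*
# VDI clients. Order matters, because the first matching rule decides.
VDI_IN: List[Rule] = [
    Rule("permit", "udp", UNCONFIGURED, BROADCAST, frozenset({67}),
         note="DHCP discover/request from a client with no lease yet"),
    Rule("permit", "udp", VDI_VLAN, DC1, frozenset({53, 67}), note="DNS/DHCP to DC1"),
    Rule("permit", "udp", VDI_VLAN, DC2, frozenset({53, 67}), note="DNS/DHCP to DC2"),
    Rule("permit", "tcp", VDI_VLAN, DC1, frozenset({53}), note="DNS over TCP to DC1"),
    Rule("permit", "tcp", VDI_VLAN, DC2, frozenset({53}), note="DNS over TCP to DC2"),
    # Stateless ACL: replies to sessions the servers open must be permitted
    # explicitly. Matching on ACK lets the return half of a server-initiated
    # TCP session through while a client SYN towards the servers still fails.
    Rule("permit", "tcp", VDI_VLAN, SERVER_VLAN, established=True,
         note="replies to TCP sessions opened from the server VLAN"),
    Rule("deny", "ip", VDI_VLAN, ANY, note="block everything else"),
]

# Constructed sample traffic, as seen inbound on the VDI VLAN interface.
SAMPLE_PACKETS = {
    "dns_to_dc":        Packet("10.77.1.10", "10.40.208.169", "udp", 53),
    "dhcp_discover":    Packet("0.0.0.0", "255.255.255.255", "udp", 67),
    "dns_to_other":     Packet("10.77.1.10", "10.40.1.5", "udp", 53),
    "client_to_server": Packet("10.77.1.10", "10.40.208.130", "tcp", 3389, frozenset({"SYN"})),
    "reply_to_server":  Packet("10.77.1.10", "10.40.208.130", "tcp", 50123, frozenset({"ACK"})),
    "client_to_lan":    Packet("10.77.1.10", "10.40.100.7", "tcp", 445, frozenset({"SYN"})),
}


def decisions() -> dict:
    """Action the ACL takes for each sample packet."""
    return {name: evaluate(VDI_IN, p)[0] for name, p in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, p in SAMPLE_PACKETS.items():
        action, note = evaluate(VDI_IN, p)
        print(f"{name:18} {action:6} ({note})")
```

Running it shows DNS and DHCP to the DCs permitted, a client SYN into the server VLAN denied, and the ACK-carrying reply half of a server-initiated TCP session permitted. The model also shows the limits of the approach: UDP and ICMP from the servers get no replies unless those ports are opened outright, TCP-over-ACK matching can be satisfied by any packet that sets the flag, and DNS to anything other than the two DCs is dropped, so clients pointing at another resolver will silently fail. Those gaps are the reason the reply recommends a stateful firewall for this zone.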

ScottLangshaw
Occasional Contributor

Re: ACL to block everything other than DHCP and DNS

Thank you Vince for your reply,

I am building this VDI solution into an RDS solution, so I do need some functionality to the network. These VDI desktops won't be going out to the internet, so I need to try and sort the access via the switches.

Scott