Web and Unmanaged
1828399 Members
3639 Online
109977 Solutions
New Discussion

Access list issue

 
mfubar
Occasional Visitor

Access list issue

HP 1920 access list issue.   I have a case where I have a vlan for guest/public access.  The vlan is 4000 172.16.0.0/24.  I only want this vlan to get internet access.  I also need it to access a dc for dhcp and dns, which is located on vlan 1080  10.1.8.10/24.  I create the following access-list and applied it to vlan 4000

  • ip access-list extended guest
  • 10 permit ip 172.16.0.0 0.0.0.255 10.1.8.10 0.0.0.0
  • 50 deny ip 172.16.0.0 0.0.0.255 10.1.0.0 0.0.255.255
  • 60 permit ip 172.16.0.0 0.0.0.255 0.0.0.0 255.255.255.255

 

Devices are not getting a DHCP address from the server, even though there is a helper address on the vlan interface.  However if I manually add an ip address o nthe 172.16.0.0/24 network, I can in fact access the dc at 10.1.8.10, the internet but not any other internal address.  So it would appear that my access-list is somewhat correct in that it is fuctioning how I want to.   However, you remove the static address and it will not get an address from the pool we have already established connection to the DC.   Arrgh, please help

1 REPLY 1
16again
Respected Contributor

Re: Access list issue

Probably, your access-list also blocks dhcp traffic.
add a rule to allow udp source port 68 to dest port 67
or replace line 60 with permit ip any any .

I'd also filter AD access down to only DNS. What's the use of guest network, if it can still reach one of the most important servers?