Community
Web and Unmanaged
cancel
turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Access list issue

mfubar
mfubar
Occasional Visitor

‎04-01-2016 08:11 AM

‎04-01-2016 08:11 AM

Access list issue

HP 1920 access list issue.   I have a case where I have a vlan for guest/public access.  The vlan is 4000 172.16.0.0/24.  I only want this vlan to get internet access.  I also need it to access a dc for dhcp and dns, which is located on vlan 1080  10.1.8.10/24.  I create the following access-list and applied it to vlan 4000

  • ip access-list extended guest
  • 10 permit ip 172.16.0.0 0.0.0.255 10.1.8.10 0.0.0.0
  • 50 deny ip 172.16.0.0 0.0.0.255 10.1.0.0 0.0.255.255
  • 60 permit ip 172.16.0.0 0.0.0.255 0.0.0.0 255.255.255.255

 

Devices are not getting a DHCP address from the server, even though there is a helper address on the vlan interface.  However if I manually add an ip address o nthe 172.16.0.0/24 network, I can in fact access the dc at 10.1.8.10, the internet but not any other internal address.  So it would appear that my access-list is somewhat correct in that it is fuctioning how I want to.   However, you remove the static address and it will not get an address from the pool we have already established connection to the DC.   Arrgh, please help

0 Kudos
Reply
1 REPLY
16again
16again
Respected Contributor

‎04-01-2016 10:35 AM

‎04-01-2016 10:35 AM

Re: Access list issue

Probably, your access-list also blocks dhcp traffic.
add a rule to allow udp source port 68 to dest port 67
or replace line 60 with permit ip any any .

I'd also filter AD access down to only DNS. What's the use of guest network, if it can still reach one of the most important servers?

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.