Wednesday, February 20, 2019

HP L3 Switch ACL blocking DHCP for mobile but not laptops, why?

Network is 10.77.50.0/23

Gateway/Router/DHCP Server is 10.77.50.1

The ACL is an extended ACL applied as "vlan-in"

This ACL allows laptops to get DHCP but iPhones and Androids will not:

ip access-list extended "PublicWifi"
10 remark "THIS ACE ALLOWS DHCP REQUESTS"
10 permit udp 0.0.0.0 0.0.0.0 eq 68 255.255.255.255 0.0.0.0 eq 67
20 remark "THIS ACE DENIES ICMP INCLUDING AND TRACEROUTE"
20 deny icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
50 remark "THIS ACE BLOCKS TO ANY 192.168.0.0/16 OTHER THAN ABOVE"
50 deny ip 10.77.50.0 0.0.1.255 192.168.0.0 0.0.255.255
60 remark "THIS ACE BLOCKS TO ANY 10.77.0.0/16 OTHER THAN ABOVE"
60 deny ip 10.77.50.0 0.0.1.255 10.77.0.0 0.0.255.255
70 remark "THIS ACE ALLOWS IP TRAFFIC TO ANYWHERE ELSE"
70 permit ip 10.77.50.0 0.0.1.255 0.0.0.0 255.255.255.255
exit

Once I allow all traffic local to the subnet/VLAN, which I didn't think was necessary as it's not coming into the VLAN from outside...

This ACL allows the mobile devices as well:

ip access-list extended "PublicWifi"
10 remark "THIS ACE ALLOWS DHCP REQUESTS"
10 permit udp 0.0.0.0 0.0.0.0 eq 68 255.255.255.255 0.0.0.0 eq 67
20 remark "THIS ACE DENIES ICMP"
20 deny icmp any any
30 remark "THIS ACE ALLOWS LOCAL IP TRAFFIC"
30 permit ip 10.77.50.0 0.0.1.255 10.77.50.0 0.0.1.255
40 remark "THIS ACE BLOCKS TO ANY 192.168.0.0/16"
40 deny ip 10.77.50.0 0.0.1.255 192.168.0.0 0.0.255.255
50 remark "THIS ACE BLOCKS TO ANY 10.77.0.0/16 OTHER THAN ABOVE"
50 deny ip 10.77.50.0 0.0.1.255 10.77.0.0 0.0.255.255
60 remark "THIS ACE ALLOWS IP TRAFFIC TO ANYWHERE ELSE"
60 permit ip 10.77.50.0 0.0.1.255 0.0.0.0 255.255.255.255
exit
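As an added illustration (not part of the original post), the following Python models HP-style wildcard masks and walks both ACLs exactly as written above for two packets arriving on vlan-in from a client: a DHCPDISCOVER from a client with no address yet, and a DHCPREQUEST renewing an existing lease, unicast from the leased address to the server. The client address 10.77.50.120 is constructed; the renewal case falls through to the 10.77.0.0/16 deny in the first ACL and is caught by ACE 30 in the second, which is one explanation consistent with the fix the post arrives at.

```python
import ipaddress

def wildcard_match(addr, base, mask):
    """HP ACL mask semantics: 0 bit = must match, 1 bit = don't care (0.0.1.255 == /23)."""
    a, b, m = (int(ipaddress.IPv4Address(x)) for x in (addr, base, mask))
    return (a & ~m) == (b & ~m)

def ace(seq, action, proto, src, dst, sport=None, dport=None):
    # One access-control entry; src/dst are (address, wildcard-mask) pairs, ports are "eq" qualifiers
    return dict(seq=seq, action=action, proto=proto, src=src, dst=dst, sport=sport, dport=dport)

def matches(entry, pkt):
    return (entry["proto"] in ("ip", pkt["proto"])
            and wildcard_match(pkt["src"], *entry["src"]) and wildcard_match(pkt["dst"], *entry["dst"])
            and entry["sport"] in (None, pkt.get("sport")) and entry["dport"] in (None, pkt.get("dport")))

def evaluate(acl, pkt):
    """First matching ACE wins; an HP ACL ends in an implicit deny."""
    for entry in acl:
        if matches(entry, pkt):
            return entry["action"], entry["seq"]
    return "deny", "implicit"

ANY = ("0.0.0.0", "255.255.255.255")
LOCAL = ("10.77.50.0", "0.0.1.255")          # the post's 10.77.50.0/23
DHCP = ace(10, "permit", "udp", ("0.0.0.0", "0.0.0.0"), ("255.255.255.255", "0.0.0.0"), 68, 67)

ACL_V1 = [DHCP,  # first ACL from the post: no permit for traffic that stays inside the VLAN
          ace(20, "deny", "icmp", ANY, ANY),
          ace(50, "deny", "ip", LOCAL, ("192.168.0.0", "0.0.255.255")),
          ace(60, "deny", "ip", LOCAL, ("10.77.0.0", "0.0.255.255")),
          ace(70, "permit", "ip", LOCAL, ANY)]
ACL_V2 = [DHCP,  # second ACL from the post: ACE 30 permits traffic that stays inside 10.77.50.0/23
          ace(20, "deny", "icmp", ANY, ANY),
          ace(30, "permit", "ip", LOCAL, LOCAL),
          ace(40, "deny", "ip", LOCAL, ("192.168.0.0", "0.0.255.255")),
          ace(50, "deny", "ip", LOCAL, ("10.77.0.0", "0.0.255.255")),
          ace(60, "permit", "ip", LOCAL, ANY)]

# Constructed sample packets as seen on vlan-in (client -> switch); the client address is made up.
PACKETS = {
    # DHCPDISCOVER from a client with no lease yet: sourced from 0.0.0.0, broadcast to port 67.
    "discover": dict(proto="udp", src="0.0.0.0", sport=68, dst="255.255.255.255", dport=67),
    # DHCPREQUEST renewing an existing lease: unicast from the leased address to the server.
    "renew": dict(proto="udp", src="10.77.50.120", sport=68, dst="10.77.50.1", dport=67),
}

if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print(f"{name:9} v1={evaluate(ACL_V1, pkt)}  v2={evaluate(ACL_V2, pkt)}")
```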
