Thursday, May 2, 2019

ACL killing DHCP

I am trying to enable a template ACL we have been using across our access switches on a new model of switch, and it seems to be producing some strange results. The syntax is the same as on the old switches, yet adding the same commands seems to kill DHCP even though our ACL explicitly includes the IP addresses of our DHCP servers.

Our two rules are:
Allow - source vlan 1050 destination network group <IP ranges and the addresses of our DHCP/DNS servers>
Deny - source vlan 1050 destination ip Any

Without the deny enabled I plug in a test PC to VLAN 1050 and get an IP address as expected. Once I enable the deny rule and release and renew my address the PC fails to get an IP. If I set the IP statically on the PC I get connectivity as expected and can access only the address range specified in our ACL including our DHCP and DNS server.

Wireshark packet capture shows only the DHCP requests going out and no other traffic. Our DHCP server is on another layer 3 and we are using IP helper to forward the request. The exact same config works fine on the older model of switch.

Any ideas?

Cheers
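Editor's note, added below the post and not part of the original question: a client with no lease does not send its DHCPDISCOVER to the server's address at all; it sends from 0.0.0.0 to the limited broadcast 255.255.255.255 (UDP 68 to 67), and the IP helper only rewrites that after the ingress ACL has seen it. A permit keyed on a destination network group that lists the server addresses therefore never matches the initial request, and the trailing deny drops it, which would fit a capture that shows only the client's DHCP requests going out. Whether the older switch model skipped the ACL for that traffic is not something this page establishes, so the example below only replays the two rules as written against the packets a client actually sends. All addresses (VLAN 1050 as 10.50.0.0/24, servers at 10.0.0.10 and 10.0.0.11, an allowed range 10.0.1.0/24) are made up for the example.

```python
"""
Added example (not from the original post): a first-match ACL evaluator that
replays the poster's two rules against the packets a DHCP client sends.

Assumed (hypothetical) addressing: VLAN 1050 is 10.50.0.0/24, the DHCP/DNS
servers are 10.0.0.10 and 10.0.0.11, and the permitted destination group is
those servers plus 10.0.1.0/24. None of this is the poster's real config.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical destination network group referenced by the permit rule.
DEST_GROUP = (
    ip_network("10.0.0.10/32"),   # DHCP/DNS server (assumed)
    ip_network("10.0.0.11/32"),   # DHCP/DNS server (assumed)
    ip_network("10.0.1.0/24"),    # an allowed range (assumed)
)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "udp", "tcp", "icmp"
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    dst_nets: tuple             # empty tuple means "any" destination
    proto: str = "any"
    dport: int | None = None    # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if not self.dst_nets:
            return True
        dst = ip_address(pkt.dst)
        return any(dst in net for net in self.dst_nets)


def evaluate(acl: list[Rule], pkt: Packet) -> str:
    """First matching rule wins; no match falls through to an implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# The poster's two rules, as a first-match list.
ORIGINAL_ACL = [
    Rule("permit", DEST_GROUP),
    Rule("deny", ()),
]

# The same ACL with an explicit permit for the client's DHCP broadcast placed
# ahead of the deny; the broadcast is what the destination group cannot cover.
DHCP_AWARE_ACL = [
    Rule("permit", (ip_network("255.255.255.255/32"),), proto="udp", dport=67),
    Rule("permit", DEST_GROUP),
    Rule("deny", ()),
]

# Constructed packets: the initial request from a client with no lease, a renew
# from a client that still holds a lease, a DNS query, and unrelated traffic.
DISCOVER = Packet("0.0.0.0", "255.255.255.255", "udp", 67)   # DHCPDISCOVER, broadcast
RENEW = Packet("10.50.0.23", "10.0.0.10", "udp", 67)          # DHCPREQUEST, unicast to server
DNS = Packet("10.50.0.23", "10.0.0.11", "udp", 53)
ELSEWHERE = Packet("10.50.0.23", "192.0.2.7", "tcp", 443)


def results(acl: list[Rule]) -> dict[str, str]:
    """Verdict per constructed packet for the given ACL."""
    return {
        "discover": evaluate(acl, DISCOVER),
        "renew": evaluate(acl, RENEW),
        "dns": evaluate(acl, DNS),
        "elsewhere": evaluate(acl, ELSEWHERE),
    }


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("dhcp-aware", DHCP_AWARE_ACL)):
        print(name, results(acl))
```

With the original two rules the unicast renew and the DNS query are permitted while the broadcast DISCOVER is denied, which matches the symptom that a statically addressed PC reaches the servers but a released client never gets a lease. Adding the UDP/67-to-broadcast permit in front of the deny lets the initial request through without widening the deny for anything else. The way to confirm it on the real switch is to check the ACL hit counters while a client releases and renews.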


