Our config is
policy network group Servers <IP ranges + specific IPs of our DHCP/DNS servers>
policy condition Server-Access-allow source vlan 1040 destination network group Servers
policy condition Server-Access-deny source vlan 1040 destination ip Any
policy action Allow
policy action Deny disposition drop
policy rule Server-Access1 precedence 20 condition Server-Access-allow action Allow
policy rule Server-Access2 precedence 19 condition Server-Access-deny action Deny
qos apply
Without the deny enabled, I plug in a test PC to VLAN 1040 and get an IP address as expected. Once I enable the deny rule and release and renew my address, the PC fails to get an IP. If I set the IP statically on the PC, I get connectivity as expected and can access only the address range specified in our Servers network group, including our DHCP and DNS servers.
Wireshark packet capture on a PC plugged into the port with the deny enabled shows only the DHCP requests going out of the PC and no other traffic. Our DHCP server is on another layer 3 and we are using IP helper to forward the request. The exact same config works fine on 6450.
Any ideas? Has the behaviour of ACLs on 6860s/AOS 8 changed?
Cheers
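Added example (not from the original post or from Alcatel-Lucent): a small Python model of how a policy list like the one above is evaluated, useful for checking which rule a given packet would hit before enabling a deny on a live VLAN. The contents of the Servers group, the "highest precedence is checked first, first match wins" ordering and the "accept when nothing matches" default are all assumptions made for this illustration. The DHCPDISCOVER addresses (source 0.0.0.0, destination 255.255.255.255) are what RFC 2131 specifies for a client without a lease.

```python
# Added example: model of a QoS policy list with source-VLAN / destination-
# network conditions, evaluated highest precedence first, first match wins,
# default accept. All three evaluation assumptions are illustrative only.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
ANY = "any"  # stands in for "destination ip Any"


@dataclass(frozen=True)
class Packet:
    src_vlan: int
    src_ip: str
    dst_ip: str


@dataclass(frozen=True)
class Rule:
    name: str
    precedence: int
    src_vlan: int
    dst_networks: Tuple[Union[Network, str], ...]  # (ANY,) or concrete networks
    action: str  # "Allow" or "Deny"


# Constructed stand-in for "policy network group Servers <...>":
# one server subnet plus one specific DNS server address (not real ranges).
SERVERS = (
    ipaddress.ip_network("10.10.10.0/24"),
    ipaddress.ip_network("10.10.20.53/32"),
)


def in_group(ip: str, networks) -> bool:
    """True if ip falls inside the network group (ANY matches everything)."""
    if ANY in networks:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks if not isinstance(net, str))


def matches(rule: Rule, pkt: Packet) -> bool:
    return pkt.src_vlan == rule.src_vlan and in_group(pkt.dst_ip, rule.dst_networks)


def evaluate(rules, pkt: Packet) -> Tuple[Optional[str], str]:
    """Return (name of the matching rule, disposition).
    Assumed: higher precedence checked first, first match wins,
    no match means the packet is accepted."""
    for rule in sorted(rules, key=lambda r: r.precedence, reverse=True):
        if matches(rule, pkt):
            return rule.name, rule.action
    return None, "Allow"


def policy_from_post(with_deny: bool = True):
    """The two rules from the post, optionally without the deny rule."""
    rules = [Rule("Server-Access1", 20, 1040, SERVERS, "Allow")]
    if with_deny:
        rules.append(Rule("Server-Access2", 19, 1040, (ANY,), "Deny"))
    return rules


def dhcp_discover(vlan: int = 1040) -> Packet:
    # A client with no lease sends DHCPDISCOVER from 0.0.0.0 to the limited
    # broadcast address 255.255.255.255 (RFC 2131); that destination is not
    # inside any server network group, so only an "Any" rule can match it.
    return Packet(vlan, "0.0.0.0", "255.255.255.255")


if __name__ == "__main__":
    for label, pkt in [
        ("DHCP discover", dhcp_discover()),
        ("static client -> DNS server", Packet(1040, "10.10.30.25", "10.10.20.53")),
        ("static client -> other host", Packet(1040, "10.10.30.25", "10.10.40.7")),
    ]:
        print(f"{label:28s} with deny: {evaluate(policy_from_post(), pkt)}"
              f"  without deny: {evaluate(policy_from_post(False), pkt)}")
```

Running it shows the discover landing on the deny rule while a statically addressed client reaching a server-group address lands on the allow rule, which matches the symptoms described in the post; it does not say anything about how the 6860 actually orders ingress policy against the IP helper, which is the part the poster still needs to confirm on the switch.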