ACL not working properly on 6860
Posted: 02 May 2019 12:41
I am trying to enable a template ACL we have been using across our 6450 switches on our 6860 and it seems to be producing some strange results. The syntax is the same as the 6450 switches yet adding the same commands seems to kill DHCP even though our ACL explicitly includes the IP address of our DHCP servers.
Our config is

policy network group Servers <IP ranges + specific IPs of our DHCP/DNS servers>
policy condition Server-Access-allow source vlan 1040 destination network group Servers
policy condition Server-Access-deny source vlan 1040 destination ip Any
policy action Allow
policy action Deny disposition drop
policy rule Server-Access1 precedence 20 condition Server-Access-allow action Allow
policy rule Server-Access2 precedence 19 condition Server-Access-deny action Deny
qos apply

The IP range for VLAN 1040 is included in the network group Servers as this group contains some /17 networks for various sites that we want to allow communication to.
Without the deny enabled I plug in a test PC to VLAN 1040 and get an IP address as expected. Once I enable the deny rule and release and renew my address the PC fails to get an IP. If I set the IP statically on the PC I get connectivity as expected and can access only the address range specified in our Servers network group range including our DHCP and DNS server.
Wireshark packet capture on a PC plugged into the port with the deny enabled shows only the DHCP requests going out of the PC and no other traffic. Our DHCP server is on another layer 3 and we are using IP helper to forward the request. The exact same config works fine on 6450.
Any ideas? Has the behaviour of ACLs on 6860s/AOS 8 changed?
Cheers
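As an added illustration (editor's example, not code from the post or from Alcatel-Lucent), the following Python model walks the three-rule policy above against a few constructed packets. It assumes that the rule with the higher precedence number is evaluated first and the first match wins, which is what the post's own precedence numbers (allow at 20 above deny at 19) suggest, and it uses placeholder addresses for the post's "<IP ranges + specific IPs of our DHCP/DNS servers>" group. The point it shows: a client with no lease sends its DHCP DISCOVER to 255.255.255.255, an address that is in no entry of the Servers group, so that frame matches only the "destination ip Any" deny condition, while a statically addressed client talks to the DHCP/DNS servers by unicast and matches the allow rule. That is consistent with the capture showing only DHCP requests leaving the PC; whether the 6860 really classifies the broadcast this way is the thing to verify on the switch (for example by adding a higher-precedence allow for the broadcast destination and watching the rule counters), and the extra rule below is shown only as that candidate to test, not as a confirmed fix.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, List, Tuple

# Constructed placeholder for the post's "policy network group Servers <...>".
# The real group holds several /17 site ranges plus the DHCP/DNS server addresses.
NETWORK_GROUPS = {
    "Servers": [
        ipaddress.ip_network("10.40.0.0/17"),    # assumed site range that contains VLAN 1040
        ipaddress.ip_network("10.1.1.10/32"),    # assumed DHCP server (reached via IP helper)
        ipaddress.ip_network("10.1.1.11/32"),    # assumed DNS server
    ],
    # Candidate group for the DHCP bootstrap traffic; not in the original config.
    "DHCP-Broadcast": [ipaddress.ip_network("255.255.255.255/32")],
}


@dataclass
class Condition:
    name: str
    source_vlan: int
    dest_group: Optional[str] = None   # None models "destination ip Any"


@dataclass
class Rule:
    name: str
    precedence: int
    condition: Condition
    action: str                        # "allow" or "drop"


@dataclass
class Packet:
    vlan: int
    dst: str
    description: str


def in_group(ip: str, group: str) -> bool:
    """True if the address falls inside any entry of the named network group."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NETWORK_GROUPS[group])


def matches(cond: Condition, pkt: Packet) -> bool:
    if pkt.vlan != cond.source_vlan:
        return False
    if cond.dest_group is None:        # "destination ip Any" matches every destination
        return True
    return in_group(pkt.dst, cond.dest_group)


def evaluate(rules: List[Rule], pkt: Packet, default: str = "allow") -> Tuple[str, str]:
    """Assumption: higher precedence number is evaluated first; first match wins.
    Returns (action, rule name); traffic matching no rule gets the default disposition."""
    for rule in sorted(rules, key=lambda r: r.precedence, reverse=True):
        if matches(rule.condition, pkt):
            return rule.action, rule.name
    return default, "implicit-default"


# The post's policy, transcribed.
ALLOW_COND = Condition("Server-Access-allow", 1040, "Servers")
DENY_COND = Condition("Server-Access-deny", 1040, None)
RULES = [
    Rule("Server-Access1", 20, ALLOW_COND, "allow"),
    Rule("Server-Access2", 19, DENY_COND, "drop"),
]

# Candidate to test on the switch: let the bootstrap broadcast through ahead of the deny.
DHCP_COND = Condition("Server-Access-dhcp", 1040, "DHCP-Broadcast")
RULES_WITH_DHCP_ALLOW = [Rule("Server-Access0", 21, DHCP_COND, "allow")] + RULES

# Constructed packets seen from the client port on VLAN 1040.
DISCOVER = Packet(1040, "255.255.255.255", "DHCP DISCOVER from a client with no lease")
TO_DHCP_SERVER = Packet(1040, "10.1.1.10", "unicast from a statically addressed client")
TO_INTERNET = Packet(1040, "8.8.8.8", "unicast to a host outside the Servers group")
OTHER_VLAN = Packet(1050, "8.8.8.8", "traffic from a VLAN the policy does not name")


def dhcp_bootstrap_blocked(rules: List[Rule]) -> bool:
    """Does this rule set drop the client's initial DHCP broadcast?"""
    return evaluate(rules, DISCOVER)[0] == "drop"


if __name__ == "__main__":
    for pkt in (DISCOVER, TO_DHCP_SERVER, TO_INTERNET, OTHER_VLAN):
        action, rule = evaluate(RULES, pkt)
        print(f"{pkt.description:55s} -> {action:5s} ({rule})")
    print("DISCOVER blocked by posted policy:", dhcp_bootstrap_blocked(RULES))
    print("DISCOVER blocked with broadcast allow:", dhcp_bootstrap_blocked(RULES_WITH_DHCP_ALLOW))
```

The model deliberately keys only on source VLAN and destination address, as the posted conditions do; if the switch also classifies on the DHCP client's 0.0.0.0 source or on UDP port 67/68, the real outcome can differ, which is why the candidate rule is something to try and observe rather than assume.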