Interface VLAN ACL and inbound traffic?

Hi, I may be overthinking this, but I have an ACL that is applied inbound on an interface vlan. I have a line `permit udp any any log` which is temporary. I see hits, but the source IP address is from outside the network of the destination interface vlan's IP address. I expect to see source IP addresses only in the range 192.168.1.128/25. What do you think? Thank you

interface Vlan100
 ip address 192.168.1.132 255.255.255.128
 ip access-group ACL_IN in

ACL hit:

%SEC-6-IPACCESSLOGP: list ACL_IN permitted udp 192.168.6.100(137) -> 192.168.1.132(137), 1 packet

Hello

That looks to me like WINS browsing, a response packet.

And as MS browsing works at layer 2, it sends a response to the IP of the router where it sees the browse request coming from - maybe your clients have a WINS server address configured?

Don't forget that

permit udp any any log

will match ANY IP source, not only your local subnet, and that is why your log entries show the traffic in both directions.

Rgds

Ian

Tags: Cisco Security

Similar Questions

  • SG300-20 - configure DHCP on the interface VLAN

    I have read the various discussions on the SG300 and SG500 regarding setting up VLANs and DHCP on VLANs.  For some reason, I could not get even this simple task to work.

    The first thing I did was update my firmware and boot versions as follows:

    SW version 1.3.7.18 (date 12-Jan-2014 time 18:02:59)

    Boot version 1.3.5.06 (date 21-Jul-2013 time 15:12:10)

    HW version V02

    When I rebooted the SG300 after the SW/boot updates the startup configuration was wiped and I had to configure my switch from scratch.  The intention is to have two VLANs:

    VLAN 1: all the devices, servers, etc.

    VLAN 2: a basic subnet that hands out DHCP addresses

    The SG300-20 is connected to an Asus RT-AC66U router on the 192.168.1.x subnet which provides access to the internal network and WiFi (the router's IP address is 192.168.1.1 and it is the default gateway).  Everything works without any problem.  So my task is simply to create VLAN 2 on the 192.168.2.x subnet and use DHCP to assign addresses.  I spent many hours on it and I still can't get it to work.  When I connect a laptop to the port (GI8) assigned to VLAN 2, I end up with some flaky 169.254.x.x address.  I definitely thought something this 'easy' would not be that hard to set up, but apparently I was wrong.

    The SG300 is running in L3 mode as shown in my running-config below.

    Does anyone see something that could prevent my laptop client from receiving a DHCP IP address on the 192.168.2.x subnet from interface VLAN 2?

    Any ideas / suggestions would be greatly appreciated!

    Here's my running-config:

    config-file-header
    MYSTICSW1
    v1.3.7.18 / R750_NIK_1_35_647_358
    CLI v1.0
    set system mode router

    file SSD indicator encrypted
    @
    ssd-control-start
    ssd config
    ssd file passphrase control unrestricted
    no ssd file integrity control
    ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
    !
    vlan database
    vlan 2
    exit
    voice vlan oui-table add 0001e3 Siemens_AG_phone___
    voice vlan oui-table add 00036b Cisco_phone___
    voice vlan oui-table add 00096e Avaya___
    voice vlan oui-table add 000fe2 H3C_Aolynk___
    voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
    voice vlan oui-table add 00d01e Pingtel_phone___
    voice vlan oui-table add 00e075 Polycom/Veritel_phone___
    voice vlan oui-table add 00e0bb 3Com_phone___
    bonjour interface range vlan 1
    hostname MYSTICSW1
    logging host 192.168.1.15
    logging origin-id hostname
    username cisco password encrypted b4a0fcf20b2cd9d80a55b06ab8f83277f9733904 privilege 15
    snmp-server location Office
    clock timezone "" -5
    clock summer-time web recurring usa
    clock source sntp
    sntp unicast client enable
    sntp unicast client poll
    sntp server 192.168.1.10 poll
    !
    interface vlan 1
     ip address 192.168.1.254 255.255.255.0
     no ip address dhcp
    !
    interface vlan 2
     name MysticWAN
     ip address 192.168.2.254 255.255.255.0
    !
    interface gigabitethernet8
     switchport mode access
     switchport access vlan 2
    !
    exit
    ip default-gateway 192.168.1.1

    Thanks in advance!

    Clint Lambert

    Clint, please see this post

    https://supportforums.Cisco.com/message/4178990#4178990

    -Tom
    Please mark answered posts as helpful
    http://blogs.Cisco.com/smallbusiness/

  • F10 S4820T - rate limit on the interface vlan

    Hello everyone

    Using a Force10 S4820T on 9.6

    Can rate limits only be applied to physical interfaces? And if so, how can I set a rate limit on an interface vlan? Policy-map?

    Thanks in advance

    Based on the information in the user guide, it seems it can only be applied to the physical interface.

    Page 739:

    http://bit.LY/1IRtdlU

  • Assign IP address to the Interface VLAN via Web Admin?

    It is a simple question, but I can't find where in the web config page to assign an IP to an interface vlan.

    Example: I create vlan 40 and assign ip 192.168.40.254/24 to it. I can accomplish this with the CLI with 'config; interface vlan 40; ip address 192.168.40.254 255.255.255.0' but it does not seem to exist in the web interface!

    Thank you
    Scott


  • Defining a VLAN ACL blocks all traffic inside the vlan

    Hello

    I am testing a PowerConnect 7024 switch, doing some VLANs, and want to test traffic between 2 PCs connected to the default vlan. So I put a PC on Port 1 and the other on Port 2.

    I am applying only a permit icmp any any rule on this vlan. This implies an implicit deny-everything rule.

    But now I can't ssh from one PC to the other?

    The ACL is an inbound IP ACL, but I thought that this does not affect traffic within the vlan? Or am I wrong in thinking that?

    We tested this type of setup and got the same results as you. It seems to be normal behavior. If I get more specific information on this I will be sure to reply back with it.

  • TACACS lockout, set the wrong interface VLAN

    Hello

    In the middle of applying and testing the new TACACS configs, I set the 'ip tacacs source-interface' to the wrong VLAN. My mistake, and fortunately I tested on a switch that is not really in use. So I tell myself no problem, I'll disconnect the trunk and go in via the console with the username, with my understanding that if no RADIUS server is available, the local username would be used. Well, either the username/password combo is not correct or the theory of 'not being able to communicate with the radius server, so use the local username' is not correct.

    Anyway, anyone have any ideas? Perhaps a password recovery to change the username password and fix the VLAN?

    Thanks for your help...

    Hello

    If you are not able to access the switch, simply do a password recovery on the switch. You would then be able to access the switch and change the configuration.

    It is based on the AAA authentication configuration commands: if you specified TACACS then local for authentication, local is used if the AAA server is not reachable...

    Thank you

    Please rate if useful...

  • Inter-Vlan ACL

    Hi all

    I'm having some trouble getting the ACLs to work the way I want. I have a lot of clients in different VLANs (vlan 6-10) and my ASA (10.1.99.254) on vlan 99 for internet access. I need VLAN 6-10 to have access to the ASA for internet, but VLAN 6-10 should not have access to each other. For the moment, I apply the access-group of rules in the out direction on the vlan 6 SVI.

    VLAN 6 - 10.2.1.0/24

    VLAN 7 - 10.2.2.0/24

    VLAN 8 - 10.2.3.0/24

    VLAN 9 - 10.2.4.0/24

    I tried

    10 permit ip 10.1.99.254 0.0.0.255 10.2.0.0 0.0.255.255

    20 deny ip any any

    I could ping the ASA and was not able to access the other vlans. However, I also don't have any internet access. DNS responses are not passed, even though ICMP traffic to the ASA passes.

    The switch is a 3560G

    Any help would be appreciated.

    Robert

    The acl should not prevent devices in the same vlan from talking to each other; it will only stop devices outside of this vlan, so what you see is not right.

    Regarding your general question, usually you use an inbound ACL on the source vlan rather than an outbound ACL on the destination vlan. You can use either, but blocking the packets at the source is the most common approach.

    So if I understand correctly, you need to block all traffic between any of the 10.2.x.x/24 vlan subnets?

    If so, and you are not bothered about specifying the source IP subnet in each acl:

    ip access-list extended

    deny ip any 10.2.0.0 0.0.255.255

    permit ip any any

    int vlan 10

    ip access-group in

    So let's say vlan 10 is 10.2.5.0/24. The above blocks any packet from clients in vlan 10 with a destination IP address of 10.2.x.x. All other packets will be allowed. This same acl could be applied to all the 10.2.x.x L3 VLAN interfaces.

    Note that in the acl I used a source of "any" rather than "10.2.5.0 0.0.0.255". This is because with "any" the same acl could be applied inbound on all the 10.2.x.x VLANs without any modification. You can, if you want to be more specific, have a specific acl for each vlan, i.e. for the same example above:

    ip access-list extended

    deny ip 10.2.5.0 0.0.0.255 10.2.0.0 0.0.255.255

    permit ip 10.2.5.0 0.0.0.255 any

    It would be more specific and would stop any client not in 10.2.5.x on this vlan from sending packets, but most communication would not work anyway because the return packets would not be routed properly to the client.  But like I said, this makes the acl unique to the vlan, so you would need different ACLs per vlan.

    A few additional points -

    (1) if clients use DHCP and the DHCP server is a 10.2.x.x device, you need to allow that before the deny line

    (2) clients will not be able to ping their default gateway, i.e. the L3 vlan interface. This isn't usually a problem because the destination IP address is rarely the L3 vlan interface, but if you want to be able to, you need a permit line before the deny line. Also note that this means your acl would be different for each vlan, because the IP of the L3 vlan interface is different per vlan

    (3) If you use the same actual acl for each vlan interface, all hits on the acl will be for all the VLANs, so you will not be able to see hits per vlan. This may or may not be important to you. Often this is why you see unique ACLs (in terms of number or name, but not necessarily entries) used. If you do want to see hits per vlan then simply replicate the acl but with a new name per acl (assuming you go with the ability to use "any" in your ACL).

    Hope all that makes sense. If in doubt, please ask.

    Jon
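Ian's point in the top thread (that `permit udp any any log` matches every source, which is why the 192.168.6.100 packet was logged) and Jon's ordering caveats above (a DHCP permit or a gateway ping only survives if it sits before the deny) both come down to how an IOS extended ACL is evaluated: each entry's wildcard mask is compared bit by bit, the first matching entry wins, and an unmatched packet hits the implicit deny. The Python script below is an added example for this page, not code from either thread or from Cisco. It models that evaluation, replays the packet from the log line in the top post against the posted ACL and a source-scoped version, and then runs Jon's inter-VLAN ACL with the DHCP permit placed before and after the deny. The DHCP server address 10.2.9.10 and 10.2.5.1 as the VLAN 10 SVI address are assumptions for the example; it ignores `established`, port ranges and object-groups.

```python
"""Cisco-style extended ACL evaluator: wildcard masks, first match wins,
implicit deny at the end.  Added example for this page, not code from the
thread; addresses are from the posts except where marked as assumed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Ace:
    action: str                  # "permit" | "deny"
    proto: str                   # "ip" | "udp" | "tcp" | "icmp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    sport: Optional[int] = None  # None = any source port
    dport: Optional[int] = None  # None = any destination port
    log: bool = False


def _addr(t: List[str], i: int) -> Tuple[str, str, int]:
    """Parse 'any' | 'host X' | 'X WILDCARD' starting at token i."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2


def _port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional 'eq N' at token i."""
    if i < len(t) and t[i] == "eq":
        return int(t[i + 1]), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse one ACE in IOS syntax, e.g. 'permit udp any any eq 67 log'."""
    t = line.split()
    action, proto = t[0], t[1]
    src, src_wc, i = _addr(t, 2)
    sport, i = _port(t, i)
    dst, dst_wc, i = _addr(t, i)
    dport, i = _port(t, i)
    log = i < len(t) and t[i] == "log"
    return Ace(action, proto, src, src_wc, dst, dst_wc, sport, dport, log)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             sport: Optional[int] = None, dport: Optional[int] = None) -> Tuple[str, Optional[Ace]]:
    """Walk the ACL top-down; the first matching ACE decides.  No match = implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not wildcard_match(src, ace.src, ace.src_wc):
            continue
        if not wildcard_match(dst, ace.dst, ace.dst_wc):
            continue
        if ace.sport is not None and ace.sport != sport:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace
    return "deny", None


# The packet from the top post's log line: 192.168.6.100(137) udp -> 192.168.1.132(137)
LOGGED = dict(proto="udp", src="192.168.6.100", dst="192.168.1.132", sport=137, dport=137)

ACL_IN_POSTED = [parse_ace("permit udp any any log")]
# Source-scoped alternative: 192.168.1.128/25 is base 192.168.1.128, wildcard 0.0.0.127
ACL_IN_SCOPED = [parse_ace("permit udp 192.168.1.128 0.0.0.127 any log")]


def jon_acl(dhcp_permit_first: bool = True) -> List[Ace]:
    """Jon's inter-VLAN ACL for the VLAN 10 SVI (10.2.5.0/24) with his two caveats:
    DHCP to a server inside 10.2.0.0/16 and ICMP to the SVI must be permitted before
    the deny.  10.2.9.10 as the DHCP server address is an assumption for this example."""
    dhcp = parse_ace("permit udp any host 10.2.9.10 eq 67")
    body = [
        parse_ace("permit icmp any host 10.2.5.1"),      # gateway ping (per-VLAN line)
        parse_ace("deny ip any 10.2.0.0 0.0.255.255"),   # block the other 10.2.x.x VLANs
        parse_ace("permit ip any any"),                  # everything else, e.g. the ASA
    ]
    return [dhcp] + body if dhcp_permit_first else body + [dhcp]


if __name__ == "__main__":
    print("posted ACL_IN :", evaluate(ACL_IN_POSTED, **LOGGED)[0])  # permit: 'any' matches the remote source
    print("scoped ACL_IN :", evaluate(ACL_IN_SCOPED, **LOGGED)[0])  # deny: not inside 192.168.1.128/25
    for first in (True, False):
        verdict = evaluate(jon_acl(first), "udp", "10.2.5.20", "10.2.9.10", 68, 67)[0]
        print(f"DHCP permit before deny={first}: unicast DHCP renewal -> {verdict}")
```

Run it directly to see the four verdicts. The same evaluator can be pointed at any ACL pasted from `show access-lists` to reason about a packet before touching the switch, but it is a reasoning aid only; the hit counters on the device remain the ground truth.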

  • ASA 5540 - cannot ping the inside interface

    Hi all. We have recently upgraded from PIX to ASA5540 and we have seen a strange thing going on. In a word, we can ping the inside interface of the ASA from any range on our 6500 network (which is connected directly behind the ASA on the inside), except the one where our monitoring tools are placed. On the inside there is an ACL that allows all of our core networks, but it does not help, and the interface behaves really strangely.

    In the ASDM, I see messages like this:

    ICMP echo request from x.x.x.x to y.y.y.y ID=2004 on interface inside. I don't think that's the problem, but I could be wrong.

    This is also the configuration of the VLAN interface from which we cannot ping the inside interface; we can ping to and from this VLAN and its machines without problem. The only problem is pinging the inside interface of the ASA.

    interface Vlanx

    ip address x.x.x.x 255.255.255.0

    ip directed-broadcast 199

    ip accounting output-packets

    ip pim sparse-dense-mode

    ip route-cache flow

    load-interval 30

    Has anyone experienced a problem like this before? Thanks in advance for any help.

    Can you post the output of the following on the ASA:

    show route

    And the output from your core layer switch:

    show ip route

    HTH

  • Interface VLAN SG300-28 Firmware 1.3.7.18

    Hello

    I just updated my SG300 to the latest firmware 1.3.7.18 and I ran into this problem:

    - By default, the interface VLAN has been enabled, but the display always shows it disabled

    - I cannot change it and I cannot ping the VLAN IP interface either (I gave it IP 192.168.10.1)

    Is this a bug? Does anyone know how to fix this? Please help me!

    Appreciate your help

    Minh

    minh06,

    Did you upgrade the boot code to Sx300_FW_Boot_1.3.5.58?

    -Marty

  • SG300/SG500 remove interface vlan

    Hello!

    The question is the following:

    I add a VLAN interface to test IP connectivity to this vlan by adding an IP address to this interface vlan and pinging a host.

    for example
    interface vlan 5
    ip address 192.168.0.251 255.255.255.0

    Then I can remove the ip address with "no ip address", but I can't delete the "interface vlan 5".

    Even when I delete the vlan itself from the vlan database. There is no "no interface vlan" command. I can only shut down the interface vlan.

    Does anyone know how to remove the interface vlan on SG300/SG500 switches from the cli?

    Thanks, Woeger

    Hello

    I tried just that with my lab switch here.

    I created VLAN 10 and gave it an IP address.

    Then I did a no ip address on the interface VLAN and then a no vlan 10.

    At this stage there is no interface VLAN 10 in my running config or when I do a show ip interface.

    So removing the VLAN actually removed the interface for me, which brings me to my question.

    What version of the bootcode/firmware are you currently running?  Maybe this problem has been fixed, because I am running 1.3.7.18 firmware with 1.3.7.01 boot code.

    If you are on a lower version and moving forward to update, don't forget to upgrade the boot code as well; it is necessary for new versions of firmware.

    Hope that helps, but if not just let me know and we can take another look,

    Christopher Ebert - Advanced Network Support Engineer

    Cisco Small Business Support Center

    * Please rate helpful posts *

  • All traffic Vlan to the Interface of the Proxy Server

    Hello!

    I need a little help routing all the traffic on a VLAN to the proxy server.

    I have different VLANs on 200-26 L2 switches and a 300-28 L3 switch for routing.

    I have already created the VLANs and am able to route them, but I am facing a problem routing traffic to the proxy interface for internet access.

    I have different VLANs, for example Vlan 10, 10.10.10.0/24 Sales; Vlan 20, 10.10.20.0/24 Marketing. I have trunks between the switch interfaces and the default VLAN 1 is the same on all switches.

    My proxy server has two NICs, one connected to a DSL modem and the other to a switch port in the default vlan 1, using IP 192.168.0.2.

    I am able to surf the internet from vlan 1 but not from the other VLANs.

    I set the default route on the switch to 192.168.0.2, but it is not routing internet traffic for the other VLANs.

    Thank you

    Hello

    To answer your questions:

    1. Do I have to update the following files?

    https://software.Cisco.com/download/release.html?mdfid=283019617&release...

    Yes, please let me know what firmware and boot code you have right now and I'll tell you the best way for you to upgrade, because you shouldn't go straight to the latest firmware unless you are already running 1.3.5.58 or later.

    2. It supports up to 8 dhcp pools. I have pools, but I have more than 8 VLANs. I put all the settings in, works very well.

    You are right and I forgot to mention the limitation of only 8 DHCP pools, I'm sorry. That being said, make sure that your current DHCP server uses the IP addresses assigned to each VLAN on the switch as the default gateway for the respective VLAN.

    3. For the proxy server, I need to find a way to point the VLAN routes back to the static VLAN address mapping on the switch. I'm confused on this little piece.

    I understand that this can be confusing, let me see if I can explain it a little better.

    Assuming that everything on the switch is configured according to my recommendations:

    1. You need a single default route on the switch, so that when a PC connected to one of the VLANs tries to go online to an IP address unknown to the switch, it will send it to the IP address of the router, because the proxy server will be able to reach that unknown public IP of any website.

    2. When the traffic comes back from that website, it will be destined for a different subnet than the one the proxy server is on. Suppose the answer is looking for 10.10.10.100 (a subnet unknown to the proxy server); without a static route on the proxy server telling it where to send this traffic, the packets are simply dropped.

    3. You need to create as many static routes on the proxy server as the number of VLANs you have on your network.

    For now I know the proxy server is 192.168.0.2 on VLAN 1 but I don't know what the IP address of the switch is on the same VLAN; it should be something in the 192.168.0.x range.

    All the routes should look like this:

    10.10.10.1 255.255.255.0 to 192.168.0.x (IP address of the switch on VLAN 1)

    10.10.20.1 255.255.255.0 to 192.168.0.x (IP address of the switch on VLAN 1)

    Alternatively, if all your internal VLANs are in the 10.10.x.x range then you should be able to create a single route that summarizes all the VLANs, like this:

    10.10.1.1 255.255.0.0 to 192.168.0.x (IP address of the switch on VLAN 1)

    Please let me know if that was a little clearer.

    Feel free to ask any questions.
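The reply-path problem in points 2 and 3 above is a longest-prefix-match question: the proxy's kernel picks the most specific route for the client's address, and with only a default route toward the DSL modem that is the wrong side of the box. The script below is an added example for this page, not code from the thread. It models the proxy's routing table with a small longest-prefix-match lookup and shows where a reply to a VLAN client goes with no static routes, with one route per VLAN, and with the single 10.10.0.0/16 summary route suggested above. The modem-side addresses (100.64.0.0/24, gateway 100.64.0.1) and the switch's VLAN 1 address 192.168.0.1 are assumptions; the post only says 192.168.0.x.

```python
"""Longest-prefix-match lookup on the proxy server's routing table.
Added example for this page, not code from the thread.  Everything about the
DSL side of the proxy is assumed; the VLAN 1 side is 192.168.0.0/24 as in the post."""
import ipaddress
from typing import List, Optional, Tuple

# (prefix, next hop or None when directly connected, outgoing interface)
Route = Tuple[ipaddress.IPv4Network, Optional[str], str]

SWITCH_VLAN1 = "192.168.0.1"   # assumption: the post only gives 192.168.0.x
MODEM_GW = "100.64.0.1"        # assumption: address of the DSL modem on eth0


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Return the most specific route covering dst (longest prefix wins), or None."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if addr in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r[0].prefixlen)


def proxy_table(static_routes: List[str]) -> List[Route]:
    """Routing table of the two-NIC proxy: eth0 faces the DSL modem, eth1 is
    192.168.0.2/24 on the switch.  static_routes are written the way the post
    writes them (a host address plus mask, e.g. '10.10.10.1/24'); strict=False
    turns that into the covering network 10.10.10.0/24."""
    table: List[Route] = [
        (ipaddress.IPv4Network("0.0.0.0/0"), MODEM_GW, "eth0"),       # default route to the modem
        (ipaddress.IPv4Network("100.64.0.0/24"), None, "eth0"),     # assumed modem-side subnet
        (ipaddress.IPv4Network("192.168.0.0/24"), None, "eth1"),    # VLAN 1, from the post
    ]
    for prefix in static_routes:
        table.append((ipaddress.IPv4Network(prefix, strict=False), SWITCH_VLAN1, "eth1"))
    return table


def reply_next_hop(client: str, static_routes: List[str]) -> Tuple[Optional[str], str]:
    """Where the proxy sends a reply addressed to `client`: (next hop, interface)."""
    route = lookup(proxy_table(static_routes), client)
    assert route is not None          # the default route always matches
    return route[1], route[2]


PER_VLAN = ["10.10.10.1/24", "10.10.20.1/24"]   # one route per VLAN, as in the post
SUMMARY = ["10.10.1.1/16"]                       # the single summary route from the post

if __name__ == "__main__":
    for label, routes in (("no static routes", []), ("per-VLAN", PER_VLAN), ("summary", SUMMARY)):
        print(f"{label:16} 10.10.10.100 -> {reply_next_hop('10.10.10.100', routes)}"
              f"   10.10.30.7 -> {reply_next_hop('10.10.30.7', routes)}")
```

With no static routes the reply for 10.10.10.100 leaves via eth0 toward the modem and never reaches the client; the per-VLAN routes fix the two listed VLANs but not a third one, while the /16 summary covers every 10.10.x.x VLAN with one entry.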

  • Allow VLAN on sub-interface internet access but block traffic to the native VLAN

    I have a 2821 router with MLS 2024 switches.  The native VLAN (default vlan) is my private network and VLAN 100 is my guest system.  Below is my interface config...

    interface GigabitEthernet0/1
     description $ES_LAN$$ETH-LAN$
     ip address 10.1.0.2 255.255.0.0
     ip flow ingress
     ip nat inside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    !
    interface GigabitEthernet0/1.1
     encapsulation dot1Q 100
     ip address 10.3.1.254 255.255.255.0
     ip flow ingress
     ip nat inside
     ip virtual-reassembly
    !
    ip default-gateway xx.xxx.xxx.xxx
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000

    The default route is defined...

    ip route 0.0.0.0 0.0.0.0 xx.xxx.xxx.xxx

    The access lists are...

    access-list 175 deny ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
    access-list 175 permit ip 10.1.0.0 0.0.255.255 any
    access-list 175 deny ip 10.3.1.0 0.0.0.255 10.1.0.0 0.0.255.255
    access-list 175 permit ip 10.3.1.0 0.0.0.255 any

    I want to continue to have access to the guest VLAN from the private VLAN to allow management of access points etc.

    I want to allow the guest network internet access but block it from accessing my private network.

    Not sure how to go about this.  I tried changing the ACLs (removing the 10.3.1.0 entries) and creating another acl for the guests and applying that to the VLAN 100 sub-interface... so far without success.

    Thanks in advance for the help!

    Hello Chris,

    > From this point of view should I leave the above lines and create another acl for the 10.3.1.0 network and apply it inbound on gig0/1.1?

    I would go this way, as in a single ACL you can't express your needs. The ACL to apply on gi0/1.1 will probably need further statements than the ones I suggested, but dividing the problem into smaller manageable pieces is a good strategy.

    > Also with this config would NAT be performed on each network by making this change?

    As long as the internal network and the guest network are on the same side (ip nat inside) there is no NAT triggered in communication between them, so you should not need to touch the NAT configuration with this change.

    Hope this helps

    Giuseppe

  • Interface VLAN traffic information

    Hi all

    Could someone please advise what traffic is shown on an Interface VLAN?

    For example, I have two interfaces in VLAN 10, and I created the layer 3 Interface VLAN 10.

    If I monitor the traffic of VLAN 10, do I get the combined traffic statistics of the two interfaces?

    Thank you

    Prasanna Kumar deully

    Oh sorry, I thought you meant SPAN monitoring, where you capture the combined interface traffic in terms of a vlan

    To answer your question, it will display the layer 3 IP traffic count in packets for all interfaces grouped under the vlan, so yes, the two interfaces will show on the layer 3 vlan interface. Some platforms will also show some L2 information like below, and it shows a 30 sec count on VLAN interfaces but a 5 minute one on the physical interface FA0/1

    Vlan149 is up, line protocol is up
      Hardware is EtherSVI, address is 0008.e3ff.fd90 (bia 0008.e3ff.fd90)
      Internet address is x.x.x.x/24
      MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive not supported
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:00:14, output never, output hang never
      Last clearing of "show interface" counters 24w4d
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      30 second input rate 2134000 bits/sec, 381 packets/sec
      30 second output rate 2019000 bits/sec, 460 packets/sec
      L2 Switched: ucast: 30595061 pkt, 2268569227 bytes - mcast: 0 pkt, 0 bytes
      L3 in Switched: ucast: 5882988002 pkt, 1908218042989 bytes - mcast: 1623 pkt, 775020 bytes
      L3 out Switched: ucast: 5579358870 pkt, 1872959920772 bytes - mcast: 322 pkt, 138259 bytes
         5886751734 packets input, 1885010127367 bytes, 0 no buffer
         Received 0 broadcasts (28 IP multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         5618600472 packets output, 1854023804196 bytes, 0 underruns
         0 output errors, 0 interface resets
         0 output buffer failures, 0 output buffers swapped out

  • Install ESXi on the same VLAN as VM traffic

    I know it is advisable to separate your management network, but in this case we do not have an additional VLAN to devote to this.

    What should I look out for when using the same VLAN for the ESXi install (management network) as for some of my virtual machines?

    Also, I downloaded ESXi Installable 4.1; I still need local disks in my server to install, correct?

    The reason for the VLAN in your example would be more for security. Using a separate physical NIC for different traffic (management, vMotion, etc.) is more about performance, although a separate network does offer security. Ideally, in your network design you create a secure network that isolates management and storage traffic from regular network traffic.

    ESXi can be installed directly on a USB flash drive. It is a supported install destination from the installation CD.

  • VLAN ACL M4100

    Dear Sir

    We want to create an access list to isolate our guest Wifi network from all the other vlans.
    When I do, the other SSIDs disappear from our laptops.

    I applied the access list to our guest SVI in the in direction

    !System Description "M4100-24G-POE+ ProSafe 24-port Gigabit L2+ Managed Switch with PoE+, 10.0.2.13, B1.0.1.1"
    !System Software Version "10.0.2.13"
    !System Up Time "28 days 22 hrs 39 mins 58 secs"
    !Additional Packages QOS,IPv6,Routing
    !Current SNTP Synchronized Time: SNTP Last Attempt Status Is Not Successful
    !
    vlan database
    vlan 99,200-208,455-456,999
    vlan name 99 "TEST"
    vlan name 200 "Clients"
    vlan name 201 "Telefonie"
    vlan name 202 "guest"
    vlan name 203 "fr"
    vlan name 204 "TD"
    vlan name 205 "DMZ"
    vlan name 206 "printers"
    vlan name 207 "media"
    vlan name 208 "Wireless"
    vlan name 999 "3com"
    vlan routing 1 1
    vlan routing 200 2
    vlan routing 201 3
    vlan routing 202 4
    vlan routing 203 5
    vlan routing 204 6
    vlan routing 205 7
    vlan routing 206 8
    vlan routing 207 9
    vlan routing 208 10
    vlan routing 455 11
    vlan routing 456 12
    vlan routing 99 13
    exit

    network mgmt_vlan 203
    ip http secure-server
    configure
    time range
    ip default-gateway 10.253.255.1
    username "admin" password 483f42190380e8780a9d32a3c63d31b86d6ad49b870db8306af86a9ce3e06cd9a39f66e666e86f0aaab777b0ab9fe571908247c31d904463d1a0767400f8e763 level 15 encrypted
    username "secit" password 912ba98d721224814ea15db6dec1701819e75dfcafa635831e9eab148c105c20ba85dc61882dd47a65eb66dff6cf0005a1a2232b6957ec898cd6187c6bdbb510 level 15 encrypted
    line console
    exit

    line telnet
    exit

    line ssh
    exit

    spanning-tree bpduguard

    !

    ip access-list ACL_Wizard_IPv4_0
    exit

    ip access-list Deny_Guest_Intervlan_Routing
    deny ip 10.253.2.0 0.0.0.255 10.253.0.0 0.0.0.255
    deny ip 10.253.2.0 0.0.0.255 10.253.1.0 0.0.0.255
    deny ip 10.253.2.0 0.0.0.255 10.253.3.0 0.0.0.255
    deny ip 10.253.2.0 0.0.0.255 10.253.4.0 0.0.0.255
    deny ip 10.253.2.0 0.0.0.255 10.253.5.0 0.0.0.255
    deny ip 10.253.2.0 0.0.0.255 10.253.6.0 0.0.0.255
    deny ip 10.253.2.0 0.0.0.255 10.253.7.0 0.0.0.255
    deny ip 10.253.2.0 0.0.0.255 10.253.8.0 0.0.0.255
    deny ip 10.253.2.0 0.0.0.255 10.253.9.0 0.0.0.255
    deny ip 10.253.2.0 0.0.0.255 10.253.11.0 0.0.0.255
    permit ip 10.253.2.0 0.0.0.255 0.0.0.0 0.0.0.0
    exit

    class-map match-all ClassVoiceVLAN ipv4
    match vlan 201
    exit

    policy-map PolicyVoiceVLAN in
    class ClassVoiceVLAN
    assign-queue 3
    exit

    exit

    interface 0/1
    description "ACCESSPORTS"
    vlan participation include 200-201
    vlan tagging 201
    exit

    interface 0/2
    voice vlan 201
    service-policy in PolicyVoiceVLAN
    bandwidth 1000000
    vlan pvid 200
    vlan participation include 200-201
    vlan tagging 201
    ip mtu 1500
    exit

    interface 0/3
    voice vlan 201
    service-policy in PolicyVoiceVLAN
    bandwidth 100000
    vlan pvid 200
    vlan participation include 200-201,204
    vlan tagging 201
    ip mtu 1500
    exit

    interface 0/4
    voice vlan 201
    service-policy in PolicyVoiceVLAN
    bandwidth 100000
    vlan pvid 200
    vlan participation include 200-201
    vlan tagging 201
    ip mtu 1500
    exit

    interface 0/5
    voice vlan 201
    service-policy in PolicyVoiceVLAN
    bandwidth 1000000
    vlan pvid 99
    vlan participation include 99,200-201
    vlan tagging 201
    ip mtu 1500
    exit

    interface 0/6
    voice vlan 201
    service-policy in PolicyVoiceVLAN
    bandwidth 100000
    vlan pvid 200
    vlan participation include 200-201
    vlan tagging 201
    ip mtu 1500
    exit

    interface 0/7
    voice vlan 201
    service-policy in PolicyVoiceVLAN
    description "ACCESSPORTS"
    vlan pvid 203
    vlan participation include 200-201
    vlan tagging 201
    exit

    interface 0/8
    voice vlan 201
    service-policy in PolicyVoiceVLAN
    bandwidth 100000
    vlan pvid 200
    vlan participation include 200-201
    vlan tagging 201
    ip mtu 1500
    exit

    interface 0/9
    voice vlan 201
    service-policy in PolicyVoiceVLAN
    bandwidth 100000
    vlan pvid 200
    vlan participation include 200-201
    vlan tagging 201
    ip mtu 1500
    exit

    interface 0/10
    voice vlan 201
    service-policy in PolicyVoiceVLAN
    bandwidth 100000
    vlan pvid 200
    vlan participation include 200-201
    vlan tagging 201
    ip mtu 1500
    exit

    interface 0/11
    voice vlan 201
    service-policy in PolicyVoiceVLAN
    bandwidth 100000
    vlan pvid 200
    vlan participation include 200-201
    vlan tagging 201
    ip mtu 1500
    exit

    interface 0/12
    voice vlan 201
    service-policy in PolicyVoiceVLAN
    bandwidth 100000
    vlan pvid 200
    vlan participation include 200-201
    vlan tagging 201
    ip mtu 1500
    exit

    interface 0/13
    voice vlan 201
    service-policy in PolicyVoiceVLAN
    bandwidth 100000
    vlan pvid 200
    vlan participation auto 1
    vlan participation include 200-201
    vlan tagging 201
    ip mtu 1500
    exit

    interface 0/14
    voice vlan 201
    service-policy in PolicyVoiceVLAN
    bandwidth 100000
    vlan pvid 200
    vlan participation auto 1
    vlan participation include 200-201
    vlan tagging 201
    ip mtu 1500
    exit

    interface 0/15
    voice vlan 201
    service-policy in PolicyVoiceVLAN
    bandwidth 100000
    vlan pvid 200
    vlan participation auto 1
    vlan participation include 200-201
    vlan tagging 201
    ip mtu 1500
    exit

    interface 0/16
    voice vlan 201
    service-policy in PolicyVoiceVLAN
    bandwidth 100000
    vlan pvid 202
    vlan participation auto 1
    vlan participation include 201-202
    vlan tagging 201
    ip mtu 1500
    exit

    interface 0/17
    voice vlan 201
    service-policy in PolicyVoiceVLAN
    bandwidth 100000
    vlan pvid 200
    vlan participation include 200-201
    vlan tagging 201
    ip mtu 1500
    exit

    interface 0/18
    voice vlan 201
    service-policy in PolicyVoiceVLAN
    bandwidth 100000
    vlan pvid 203
    vlan participation include 200-201,203
    vlan tagging 201
    ip mtu 1500
    exit

    interface 0/19
    voice vlan 201
    service-policy in PolicyVoiceVLAN
    bandwidth 100000
    vlan pvid 206
    vlan participation auto 1
    vlan participation include 201,206
    vlan tagging 201
    ip mtu 1500
    exit

    interface 0/20
    voice vlan 201
    service-policy in PolicyVoiceVLAN
    bandwidth 100000
    vlan pvid 999
    vlan participation include 200-201,204-207,455-456,999
    vlan tagging 200-201,204-207,455-456
    ip mtu 1500
    exit

    interface 0/21
    voice vlan 201
    service-policy in PolicyVoiceVLAN
    bandwidth 100000
    vlan pvid 455
    vlan participation auto 1
    vlan participation include 200-204,455-456
    vlan tagging 200-204
    ip mtu 1500
    exit

    interface 0/22
    voice vlan 201
    service-policy in PolicyVoiceVLAN
    bandwidth 100000
    switchport mode trunk
    switchport trunk native vlan 456
    vlan pvid 456
    vlan participation auto 1
    vlan participation include 200-204,456
    vlan tagging 200-204
    ip mtu 1500
    exit

    interface 0/23
    voice vlan 201
    service-policy in PolicyVoiceVLAN
    bandwidth 100000
    switchport mode trunk
    switchport trunk native vlan 456
    vlan pvid 456
    vlan participation include 200-204,456
    vlan tagging 200-204
    ip mtu 1500
    exit

    interface 0/24
    bandwidth 100000
    switchport mode trunk
    switchport trunk native vlan 999
    vlan pvid 999
    vlan participation include 200-208,455-456,999
    vlan tagging 200-207,455-456
    ip mtu 1500
    exit

    interface vlan 1
    routing
    ip address dhcp
    exit

    interface vlan 200
    routing
    ip address 10.253.0.1 255.255.255.0
    exit

    interface vlan 201
    routing
    ip address 10.253.1.1 255.255.255.0
    exit

    interface vlan 202
    routing
    ip address 10.253.2.1 255.255.255.0
    ip access-group Deny_Guest_Intervlan_Routing vlan 202 in
    exit

    interface vlan 203
    routing
    ip address 10.253.3.1 255.255.255.0
    exit

    interface vlan 204
    routing
    ip address 10.253.4.1 255.255.255.0
    exit

    interface vlan 205
    routing
    ip address 10.253.5.1 255.255.255.0
    exit

    interface vlan 206
    routing
    ip address 10.253.6.1 255.255.255.0
    exit

    interface vlan 207
    routing
    ip address 10.253.7.1 255.255.255.0
    exit

    interface vlan 208
    routing
    ip address 10.253.8.1 255.255.255.0
    exit

    interface vlan 455
    routing
    ip address 10.253.255.2 255.255.255.0
    exit

    interface vlan 456
    routing
    ip address 10.253.11.1 255.255.255.0
    exit

    interface vlan 99
    routing
    ip address 10.253.9.1 255.255.255.0
    exit

    ip management vlan 203
    service dhcp
    ip dhcp pool "Telefonie"
    lease 7 0 0
    dns-server 8.8.8.8 8.8.4.4
    default-router 10.253.1.1
    network 10.253.1.0 255.255.255.0
    domain-name secit.be
    netbios-node-type b-node
    exit

    ip dhcp pool "guest"
    lease 0 12 0
    dns-server 8.8.8.8 8.8.4.4
    default-router 10.253.2.1
    network 10.253.2.0 255.255.255.0
    domain-name secit-guest.be
    netbios-node-type b-node
    exit

    ip dhcp pool "media"
    lease 0 12 0
    dns-server 10.253.3.2 8.8.4.4
    default-router 10.253.7.1
    network 10.253.7.0 255.255.255.0
    domain-name secit-media.be
    netbios-node-type b-node
    exit

    ip dhcp pool "TD"
    lease 0 14 0
    dns-server 10.253.3.2 8.8.4.4
    default-router 10.253.4.1
    network 10.253.4.0 255.255.255.0
    domain-name secit-td.be
    netbios-node-type b-node
    exit

    ip dhcp pool "internal"
    lease 7 0 0
    dns-server 10.253.3.2
    default-router 10.253.0.1
    network 10.253.0.0 255.255.255.0
    domain-name fixitsolutions.local
    netbios-node-type b-node
    exit

    exit

    Maybe it's the DHCP packets being filtered.

    To check, try adding a rule that allows DHCP packets.

    Example: (this is obviously NOT the exact rule to filter only DHCP packets, just a simple rule for the test)

    ip access-list Deny_Guest_Intervlan_Routing
    permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
    permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 68
    deny ip 10.253.2.0 0.0.0.255 10.253.0.0 0.0.255.255
    permit ip 10.253.2.0 0.0.0.255 0.0.0.0 0.0.0.0
    exit

    If this ACL works (you can get a DHCP address), then you will need to write the ACL properly, something like (this is just an example):

    ip access-list Deny_Guest_Intervlan_Routing
    ! DHCPDISCOVER
    permit udp 0.0.0.0 0.0.0.0 eq 68 255.255.255.255 0.0.0.0 eq 67
    ! DHCPOFFER
    permit udp 0.0.0.0 0.0.0.0 eq 67 255.255.255.255 0.0.0.0 eq 68
    ! DHCPINFORM
    permit udp 10.253.2.0 0.0.0.255 eq 68 255.255.255.255 0.0.0.0 eq 67
    ! DHCPACK
    permit udp 10.253.2.0 0.0.0.255 eq 67 255.255.255.255 0.0.0.0 eq 68
    ! Internal traffic
    deny ip 10.253.2.0 0.0.0.255 10.253.0.0 0.0.255.255
    ! Internet traffic
    permit ip 10.253.2.0 0.0.0.255 0.0.0.0 0.0.0.0
    exit
