DHCP/ ip helper address not working with ACL

Unanswered Question
Jul 20th, 2007

For some reason the following ACL will not pass DHCP using ip helper address when applied to the vlan. The vlan is 172.20.148.0/23. The DHCP is on the 10.10.1.0/24 network. All works fine with no ACL. The ACL works except for allowing DHCP.

Any ideas what I'm doing wrong?

config t
ip access-list extended net149C
permit tcp any eq telnet any established
permit tcp any eq 22 any established
permit udp any any eq bootps
permit udp any any eq bootpc
permit tcp any host 10.10.1.10 eq 80
permit ip any host 10.10.1.58
permit ip any host 10.10.1.105
permit ip any host 10.10.1.79
permit ip any host 10.10.1.90
permit ip any host 10.10.1.13
permit ip any host 10.10.1.18
permit ip any host 10.10.1.62
deny ip any 10.10.1.0 0.0.0.255
deny ip any 198.146.193.0 0.0.0.255
deny ip any 192.168.5.0 0.0.0.255
deny ip any 192.168.6.0 0.0.0.255
deny ip any 192.168.7.0 0.0.0.255
deny ip any 192.168.21.0 0.0.0.255
deny ip any 192.168.70.0 0.0.0.255
deny ip any 192.168.4.0 0.0.0.255
deny ip any 192.168.20.0 0.0.0.255
deny ip any 192.168.40.0 0.0.0.255
deny ip any 172.20.0.0 0.0.255.255
permit ip any any
exit
interface vlan149
ip access-group net149C in
exit
end

Jon Marshall Fri, 07/20/2007 - 09:11

Hi Randy

Try changing

permit udp any any eq bootpc

to

permit udp any eq bootpc any

HTH

Jon

You would need to debug the access-list:

1) Disable fast switching on the interfaces involved. You only see the first packet if fast switching is not disabled.

config interface

no ip route-cache

2) Use the "terminal monitor" command in enable mode in order to display "debug" command output and system error messages for the current terminal and session.

3) Use the "debug ip packet net149C detail" command in order to begin the debug process.

4) After your captures are done, execute the no debug all command in enable mode and the interface configuration command in order to stop the debug process.

Restart caching.

config interface

ip route-cache

Reference:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#ts

jerrytozhang Fri, 08/03/2007 - 05:43

Hi, randyclark:

Try my access-list, it works well with my 1721/1751/1841 routers in my 200+ branches worldwide.

access-list 126 permit udp any host 255.255.255.255 eq bootps

access-list 126 permit udp any host 255.255.255.255 eq bootpc

Thanks.
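Before applying any of the ACL variants in this thread to a production SVI, it helps to check offline which entry a DHCP packet will actually hit. The following is an added example, not code from this thread or from Cisco: a small Python evaluator for Cisco-style extended ACL entries (named and numbered syntax, `any`/`host`/wildcard addresses, `eq` ports, `established`, first match wins, implicit deny at the end). It runs the original net149C list, Jon's suggested `permit udp any eq bootpc any`, and jerrytozhang's access-list 126 against two constructed packets: the initial broadcast DHCPDISCOVER (0.0.0.0:68 to 255.255.255.255:67) and a unicast DHCPREQUEST renewal sent straight to the server, which is what a client in RENEWING state does. The server address 10.10.1.5 and client address 172.20.148.25 are assumed sample values in the subnets the question names; non-contiguous wildcard masks are not handled.

```python
"""Added example: evaluate Cisco-style extended ACL entries against sample DHCP packets.
Constructed illustration code, not Cisco IOS and not code posted in this thread."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port names IOS accepts in "eq <name>"; only the ones that appear on this page.
PORT_NAMES = {"bootps": 67, "bootpc": 68, "telnet": 23, "www": 80}


@dataclass
class Packet:
    proto: str                  # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    established: bool = False   # TCP segment with ACK or RST set (for the "established" keyword)


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    established: bool
    text: str


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D <wildcard>' starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard mask: ipaddress accepts a host mask after the slash.
    # Non-contiguous wildcards (e.g. 0.0.255.0) are not supported here.
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def _parse_port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional 'eq <port|name>' qualifier starting at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse one permit/deny entry in named or numbered ('access-list N ...') syntax."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]
    action, proto = tokens[0], tokens[1]
    src, i = _parse_addr(tokens, 2)
    sport, i = _parse_port(tokens, i)
    dst, i = _parse_addr(tokens, i)
    dport, i = _parse_port(tokens, i)
    return Ace(action, proto, src, sport, dst, dport, "established" in tokens[i:], line.strip())


def _matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src or ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    if ace.established and not pkt.established:
        return False
    return True


def evaluate(acl_lines: List[str], pkt: Packet) -> Tuple[str, str]:
    """Return (action, matching entry). First match wins; the list ends in an implicit deny."""
    for ace in (parse_ace(line) for line in acl_lines if line.strip()):
        if _matches(ace, pkt):
            return ace.action, ace.text
    return "deny", "implicit deny ip any any"


# Inbound ACL from the question (the entries relevant to DHCP, in the posted order).
NET149C = """
permit tcp any eq telnet any established
permit tcp any eq 22 any established
permit udp any any eq bootps
permit udp any any eq bootpc
permit tcp any host 10.10.1.10 eq 80
permit ip any host 10.10.1.58
deny ip any 10.10.1.0 0.0.0.255
deny ip any 172.20.0.0 0.0.255.255
permit ip any any
""".strip().splitlines()

JON_ENTRY = ["permit udp any eq bootpc any"]

# Two-line list posted by jerrytozhang, evaluated on its own (numbered syntax).
ACL126 = """
access-list 126 permit udp any host 255.255.255.255 eq bootps
access-list 126 permit udp any host 255.255.255.255 eq bootpc
""".strip().splitlines()

# Constructed packets as seen inbound on the client VLAN SVI (addresses are assumed samples).
DISCOVER = Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67)   # initial broadcast DHCPDISCOVER
RENEW = Packet("udp", "172.20.148.25", 68, "10.10.1.5", 67)      # unicast DHCPREQUEST at T1 (RENEWING)


def report() -> None:
    for name, acl in (("net149C", NET149C), ("Jon's entry", JON_ENTRY), ("acl 126", ACL126)):
        for label, pkt in (("DISCOVER", DISCOVER), ("RENEW", RENEW)):
            action, entry = evaluate(acl, pkt)
            print(f"{name:12} {label:9} -> {action:6} ({entry})")


if __name__ == "__main__":
    report()
```

Running it shows that all three lists permit the broadcast DISCOVER, so an inbound ACL that contains any of them does not block initial lease acquisition on its own; the difference appears on the unicast renewal, which access-list 126 as posted drops on the implicit deny because its destination is not 255.255.255.255. That is the kind of check worth doing with `debug ip packet <acl> detail`, as the earlier reply describes, before concluding that the ACL itself is at fault.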
