DHCP/ ip helper address not working with ACL

randyclark
Level 1

For some reason the following ACL will not pass DHCP using ip helper-address when applied to the VLAN. The VLAN is 172.20.148.0/23. The DHCP server is on the 10.10.1.0/24 network. All works fine with no ACL. The ACL works except for allowing DHCP.

Any ideas what I'm doing wrong?

config t
ip access-list extended net149C
 permit tcp any eq telnet any established
 permit tcp any eq 22 any established
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit tcp any host 10.10.1.10 eq 80
 permit ip any host 10.10.1.58
 permit ip any host 10.10.1.105
 permit ip any host 10.10.1.79
 permit ip any host 10.10.1.90
 permit ip any host 10.10.1.13
 permit ip any host 10.10.1.18
 permit ip any host 10.10.1.62
 deny ip any 10.10.1.0 0.0.0.255
 deny ip any 198.146.193.0 0.0.0.255
 deny ip any 192.168.5.0 0.0.0.255
 deny ip any 192.168.6.0 0.0.0.255
 deny ip any 192.168.7.0 0.0.0.255
 deny ip any 192.168.21.0 0.0.0.255
 deny ip any 192.168.70.0 0.0.0.255
 deny ip any 192.168.4.0 0.0.0.255
 deny ip any 192.168.20.0 0.0.0.255
 deny ip any 192.168.40.0 0.0.0.255
 deny ip any 172.20.0.0 0.0.255.255
 permit ip any any
 exit
interface vlan149
 ip access-group net149C in
 exit
end

7 Replies

Jon Marshall
Hall of Fame

Hi Randy

Try changing

permit udp any any eq bootpc

to

permit udp any eq bootpc any

HTH

Jon

It works for me. Thank you very much.

gwong
Level 1

Try this

access-list permit udp host x.x.x.x eq bootps any eq bootpc

None of the suggestions have worked. I'm stumped.

You would need to debug the access-list:

1) Disable fast switching on the interfaces involved. You only see the first packet if fast switching is not disabled.

config interface

no ip route-cache

2) Use the "terminal monitor" command in enable mode in order to display "debug" command output and system error messages for the current terminal and session.

3) Use the "debug ip packet net149C detail" command in order to begin the debug process.

4) After your captures are done, execute the no debug all command in enable mode and the interface configuration command in order to stop the debug process.

Restart caching.

config interface

ip route-cache

Reference:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#ts

bob.bartlett
Level 1

Try changing yours to this

permit udp any eq bootps any eq bootpc

jerrytozhang
Level 1

Hi, randyclark:

Try my access-list; it works well with my 1721/1751/1841 routers in my 200+ branches worldwide.

access-list 126 permit udp any host 255.255.255.255 eq bootps

access-list 126 permit udp any host 255.255.255.255 eq bootpc

Thanks.
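As an added example that is not part of the thread, the Python below models Cisco extended-ACL first-match semantics (wildcard masks, host/any, optional eq port) and runs the question's original DHCP entry plus the two suggested replacements against two constructed client packets: the broadcast DHCPDISCOVER (0.0.0.0:68 to 255.255.255.255:67) that ip helper-address relays, and a unicast lease renewal to an assumed DHCP server 10.10.1.5 (an address not given in the thread). It shows that `permit udp any any eq bootps` and `permit udp any eq bootpc any` match both packets, while `permit udp any host 255.255.255.255 eq bootps` matches only the broadcast, so the unicast renewal falls through to `deny ip any 10.10.1.0 0.0.0.255`.

```python
# Added example (not from the thread): a minimal model of Cisco extended-ACL
# first-match semantics, to see which entry a DHCP client packet hits.
import ipaddress

PORTS = {"bootps": 67, "bootpc": 68, "telnet": 23, "www": 80}

def addr_match(addr, spec):
    """spec is 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (Cisco wildcard mask)."""
    if spec == "any" or spec.startswith("host "):
        return spec == "any" or addr == spec.split()[1]
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in [addr, *spec.split()])
    return (a | w) == (b | w)  # a set wildcard bit means "don't care"

def parse_ace(line):
    """Split e.g. 'permit udp any eq bootpc any' into (action, proto, src, sport, dst, dport)."""
    toks = line.split()
    action, proto, toks = toks[0], toks[1], toks[2:]
    fields = []
    for _ in range(2):  # source spec, then destination spec
        t = toks.pop(0)
        fields.append(t if t == "any" else f"{t} {toks.pop(0)}")  # 'host X' or 'X wild'
        eq = toks[:2] if toks[:1] == ["eq"] else []  # optional 'eq <port>' qualifier
        del toks[:len(eq)]
        fields.append((PORTS.get(eq[1]) or int(eq[1])) if eq else None)  # None = any port
    return (action, proto, *fields)

def evaluate(acl, pkt):
    """Return (action, entry) for the first matching entry, else the implicit deny."""
    for line in acl:
        action, proto, src, sport, dst, dport = parse_ace(line)
        if (proto in ("ip", pkt["proto"]) and addr_match(pkt["src"], src)
                and addr_match(pkt["dst"], dst) and sport in (None, pkt["sport"])
                and dport in (None, pkt["dport"])):
            return action, line
    return "deny", "implicit deny ip any any"

# Constructed packets: a broadcast DISCOVER and a unicast renewal to an assumed server 10.10.1.5.
DISCOVER = dict(proto="udp", src="0.0.0.0", sport=68, dst="255.255.255.255", dport=67)
RENEWAL = dict(proto="udp", src="172.20.148.50", sport=68, dst="10.10.1.5", dport=67)
CANDIDATES = ["permit udp any any eq bootps",                  # original post
              "permit udp any eq bootpc any",                   # Jon Marshall
              "permit udp any host 255.255.255.255 eq bootps"]  # jerrytozhang

def dhcp_acl(dhcp_entry):
    """The question's ACL reduced to one DHCP entry, its subnet deny and the final permit."""
    return [dhcp_entry, "deny ip any 10.10.1.0 0.0.0.255", "permit ip any any"]

if __name__ == "__main__":
    for entry in CANDIDATES:
        for name, pkt in (("DISCOVER", DISCOVER), ("RENEWAL", RENEWAL)):
            print(f"{entry:48} {name:8} -> {evaluate(dhcp_acl(entry), pkt)}")
```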
