07-20-2007 09:04 AM
For some reason the following ACL will not pass DHCP using ip helper address when applied to the vlan. The vlan is 172.20.148.0/23. The DHCP is on the 10.10.1.0/24 network. All works fine with no ACL. ACL works except for allowing DHCP.
Any ideas what I'm doing wrong?
config t
ip access-list extended net149C
permit tcp any eq telnet any established
permit tcp any eq 22 any established
permit udp any any eq bootps
permit udp any any eq bootpc
permit tcp any host 10.10.1.10 eq 80
permit ip any host 10.10.1.58
permit ip any host 10.10.1.105
permit ip any host 10.10.1.79
permit ip any host 10.10.1.90
permit ip any host 10.10.1.13
permit ip any host 10.10.1.18
permit ip any host 10.10.1.62
deny ip any 10.10.1.0 0.0.0.255
deny ip any 198.146.193.0 0.0.0.255
deny ip any 192.168.5.0 0.0.0.255
deny ip any 192.168.6.0 0.0.0.255
deny ip any 192.168.7.0 0.0.0.255
deny ip any 192.168.21.0 0.0.0.255
deny ip any 192.168.70.0 0.0.0.255
deny ip any 192.168.4.0 0.0.0.255
deny ip any 192.168.20.0 0.0.0.255
deny ip any 192.168.40.0 0.0.0.255
deny ip any 172.20.0.0 0.0.255.255
permit ip any any
exit
interface vlan149
ip access-group net149C in
exit
end
07-20-2007 09:11 AM
Hi Randy
Try changing
permit udp any any eq bootpc
to
permit udp any eq bootpc any
HTH
Jon
12-10-2015 08:15 AM
It works for me. Thank you very much.
07-20-2007 11:30 AM
Try this
access-list
07-23-2007 08:13 AM
None of the suggestions have worked. I'm stumped.
07-23-2007 08:51 AM
You would need to debug the access-list:
1) Disable fast switching on the interfaces involved. You only see the first packet if fast switching is not disabled.
config interface
no ip route-cache
2) Use the "terminal monitor" command in enable mode in order to display "debug" command output and system error messages for the current terminal and session.
3) Use the "debug ip packet net149C detail" command in order to begin the debug process.
4) After your captures are done, execute the no debug all command in enable mode and the interface configuration command in order to stop the debug process.
Restart caching.
config interface
ip route-cache
Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#ts
07-23-2007 08:24 AM
Try changing yours to this
permit udp any eq bootps any eq bootpc
08-03-2007 05:43 AM
Hi, randyclark:
Try my access-list, it works well with my 1721/1751/1841 routers in my 200+ branches worldwide.
access-list 126 permit udp any host 255.255.255.255 eq bootps
access-list 126 permit udp any host 255.255.255.255 eq bootpc
Thanks.
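Added example, not from this thread or from Cisco: a small Python first-match evaluator for the IOS extended-ACL syntax used above, to check which entry a client's DHCP DISCOVER (src 0.0.0.0 udp 68 to 255.255.255.255 udp 67) hits in net149C and in the two suggested rewrites. The sample packets and the abbreviated copy of the OP's ACL are constructed for the example; only contiguous wildcard masks are handled, which covers every entry in the thread.

```python
import ipaddress

PORTS = {"bootps": 67, "bootpc": 68, "telnet": 23}  # IOS service keywords used in the thread

def _addr(toks, i):
    """Consume one address spec (any | host A | A WILDCARD) starting at toks[i]."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    # Wildcard bits set to 1 are ignored: invert to a netmask (assumes a contiguous wildcard).
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(toks[i + 1])))
    return ipaddress.ip_network((toks[i], str(netmask)), strict=False), i + 2

def parse_ace(line):
    """Parse 'permit udp any eq bootpc any [established]' into a match dict."""
    toks = line.split()
    ace, i = {"action": toks[0], "proto": toks[1]}, 2
    for side in ("src", "dst"):
        net, i = _addr(toks, i)
        port = None
        if i < len(toks) and toks[i] == "eq":  # 'eq' binds to the side just parsed
            port, i = PORTS.get(toks[i + 1]) or int(toks[i + 1]), i + 2
        ace[side] = (net, port)
    ace["established"] = "established" in toks[i:]
    return ace

def matches(ace, pkt):
    """True if pkt (proto, addresses, ports, optional TCP 'established' flag) hits ace."""
    if ace["proto"] not in ("ip", pkt["proto"]):
        return False
    for side in ("src", "dst"):
        net, port = ace[side]
        if ipaddress.ip_address(pkt[side]) not in net or port not in (None, pkt[side + "_port"]):
            return False
    return not ace["established"] or pkt.get("established", False)

def evaluate(acl, pkt):
    for n, line in enumerate(acl, 1):  # first match wins, as in IOS
        if matches(parse_ace(line), pkt):
            return n, line
    return None, "deny ip any any (implicit)"

# Constructed sample data: the OP's ACL (abbreviated) and two packets arriving from the VLAN.
NET149C = ["permit tcp any eq telnet any established", "permit udp any any eq bootps",
           "permit udp any any eq bootpc", "deny ip any 10.10.1.0 0.0.0.255",
           "deny ip any 172.20.0.0 0.0.255.255", "permit ip any any"]
DISCOVER = {"proto": "udp", "src": "0.0.0.0", "src_port": 68, "dst": "255.255.255.255", "dst_port": 67}
TELNET_SYN = {"proto": "tcp", "src": "172.20.148.20", "src_port": 40000,
              "dst": "10.10.1.20", "dst_port": 23}  # new session, so not 'established'
```

Under these match semantics the original entry, Jon's swapped entry and the host 255.255.255.255 form all permit the DISCOVER, so entry order alone does not explain the symptom and the debug procedure above is the way to see what the interface actually receives.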