Question related to Access-lists

Unanswered Question
Jul 22nd, 2007

Hi All,

I've got this problem.

First let me post my acc-list.

access-list 101 remark ====== OUTSIDE INTERFACE ACL =====

access-list 101 deny ip any log

access-list 101 deny ip any log

access-list 101 deny ip any log

access-list 101 deny ip 127.x.x.0 any log

access-list 101 deny ip any log

access-list 101 deny ip 224.x.x.0 any log

access-list 101 deny ip host any log

access-list 101 deny ip 169.x.x.0 any log

access-list 101 deny ip any log

access-list 101 deny ip any log

access-list 101 permit ip any any log

access-list 102 remark ====== ONLY SOURCE TO INTERNET ACL =====

access-list 102 permit ip any log

access-list 102 deny ip any any log

My problem is that when my DHCP lease time is over, the acc-list stops it from getting the renewal. The reason I discovered this was that when I removed the ip access-group from the FA interfaces I directly get my address back.

Any help would be appreciated.


bye flash

deepinder Sun, 07/22/2007 - 06:00

Hi Flash,

All DHCP packets travel as UDP datagrams; all client-sent packets have source port 68 and destination port 67; all server-sent packets have source port 67 and destination port 68. For example, a server-side acl should allow the following types of packets:

Incoming packets from or dhcp-pool to dhcp-ip

Incoming packets from any address to

Outgoing packets from dhcp-ip to dhcp-pool or

where dhcp-ip represents any address configured on a DHCP server host and dhcp-pool stands for the pool from which a DHCP server assigns addresses to clients.


access-list 111 permit udp host eq bootpc host eq bootps

access-list 111 permit udp eq bootpc host eq bootps

Access-list 111 permit udp any eq bootpc host eq bootps

If this info was of help to you, please rate it.


Deepinder Singh Babbar

Manoj Wadhwa Sun, 07/22/2007 - 07:30

Hi flash,

Actually you do not need to take help of an ACL for your DHCP requests. You can instead configure "ip helper-address x.x.x.x" on your LAN interface, where x.x.x.x is the IP of your DHCP server. So, if your client sends a broadcast for an IP from DHCP, the router will convert the broadcast and send a unicast request to that particular DHCP IP if "ip helper-address" is configured. Thanks!



royalblues Sun, 07/22/2007 - 11:08

I agree with deepinder that you would need to permit UDP ports 67 & 68 for DHCP to work when you have access-lists placed on the VLAN.

A helper address won't help, as the source of the DHCP broadcast carries an IP which will be blocked by the access-list.

Just add the following to the beginning of your access-list:

access-list 101 permit udp any any eq 67

access-list 101 permit udp any any eq 68

HTH, rate if it does


flashsplash Mon, 07/23/2007 - 08:02

*deepinder* thanks for your advice. I must say that I don't fully understand the command you have given [this doesn't mean I don't appreciate your advice]. I will have a look at what that command exactly stands for.

*royalblues* my thanks also go out to you. Your advice is something I understand.

I just have 1 question.

Regarding the advice you have given me: shouldn't the command

acc-list 101 permit ip any any

take care of letting the UDP packets go through?

I'm using Fa0/0 for my WAN and it's getting its IP address from DHCP, and one line in the acc-list is blocking the DHCP lease renewal when the time has expired. Do I need to remove a line from acc-list 101, or will adding

access-list 101 permit udp any any eq 67

access-list 101 permit udp any any eq 68

on top of the acc-list resolve this issue? I'm not only looking for the solution but also for what I have done wrong.

PS: acc-list 101 is configured inbound on int fa0/0


bye flash...

royalblues Mon, 07/23/2007 - 08:42

When you add the access-list as inbound, the DHCP request goes but the response gets denied.

I asked you to add the above access-list as we do not know the source of the DHCP packet. It could be from a DHCP server directly or through a DHCP relay agent.

Just give it a try and see if it works.

You can then run a debug, allow the particular source of the DHCP response and fine-tune your access-list.



please rate all posts
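To make the first-match point concrete (why "permit ip any any" at the bottom does not rescue the renewal, and why the UDP 67/68 lines must go on top), here is an added simulation that is not from any poster in the thread. It models IOS extended-ACL matching (top to bottom, first match wins, implicit deny at the end); the masked deny entries of ACL 101 are replaced by the well-known loopback, multicast and link-local ranges plus one hypothetical deny for 10.0.0.0/8, and the server and client addresses are constructed.

```python
import ipaddress

# Constructed, simplified model of Cisco IOS extended ACL matching:
# entries are checked top to bottom, the first match decides, and an
# unmatched packet hits the implicit "deny any" at the end of the list.
# One entry: (action, protocol, source network, destination network, dest port or None)

def ace(action, proto, src, dst, dport=None):
    return (action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), dport)

def evaluate(acl, proto, src_ip, dst_ip, dport):
    """Return 'permit' or 'deny' for one packet, first-match style."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, snet, dnet, port in acl:
        if p != "ip" and p != proto:      # "ip" entries match every protocol
            continue
        if s not in snet or d not in dnet:
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"  # implicit deny at the end of every IOS ACL

# Stand-in for the thread's inbound ACL 101 on fa0/0. The original deny lines
# had their source ranges stripped, so the entry for 10.0.0.0/8 is hypothetical.
ACL_101_ORIGINAL = [
    ace("deny", "ip", "127.0.0.0/8", "0.0.0.0/0"),     # loopback (assumed range)
    ace("deny", "ip", "224.0.0.0/4", "0.0.0.0/0"),     # multicast (assumed range)
    ace("deny", "ip", "169.254.0.0/16", "0.0.0.0/0"),  # link-local (assumed range)
    ace("deny", "ip", "10.0.0.0/8", "0.0.0.0/0"),      # hypothetical private-range deny
    ace("permit", "ip", "0.0.0.0/0", "0.0.0.0/0"),     # the trailing "permit ip any any"
]

# The two lines royalblues suggested adding at the beginning of ACL 101.
DHCP_FIX = [
    ace("permit", "udp", "0.0.0.0/0", "0.0.0.0/0", 67),
    ace("permit", "udp", "0.0.0.0/0", "0.0.0.0/0", 68),
]

def dhcp_ack_verdict(acl, server_ip="10.0.0.1", client_ip="10.0.0.50"):
    """Verdict for the server's DHCPACK (UDP 67 -> 68) arriving inbound on fa0/0.
    The addresses are constructed; an ISP DHCP server in 10/8 is only an assumption."""
    return evaluate(acl, "udp", server_ip, client_ip, 68)
```

Prepending DHCP_FIX permits the renewal, while appending the same two lines after "permit ip any any" changes nothing, because the hypothetical deny still matches first; as royalblues notes, a debug then lets you narrow "any" to the real server source.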

flashsplash Mon, 07/23/2007 - 09:26

OK, I will add them and monitor it, as my DHCP lease is being refreshed every 1.5 days...

I'll keep in touch.

bye flash...

flashsplash Wed, 07/25/2007 - 06:27

Royalblues, it seems that my problem is resolved... thanks

bye flash

PS: I was looking for the rate option to rate your post, Royal, but I'm missing this option. Any suggestions?

