07-22-2007 05:14 AM - edited 03-03-2019 05:58 PM
Hi All,
I've got this problem.
First let me post my acc-list.
access-list 101 remark ====== OUTSIDE INTERFACE ACL =====
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 127.x.x.0 0.255.255.255 any log
access-list 101 deny ip 255.0.0.0 0.255.255.255 any log
access-list 101 deny ip 224.x.x.0 31.255.255.255 any log
access-list 101 deny ip host 0.0.0.0 any log
access-list 101 deny ip 169.x.x.0 0.0.255.255 any log
access-list 101 deny ip any 0.0.0.0 255.255.255.0 log
access-list 101 deny ip any 0.0.0.255 255.255.255.0 log
access-list 101 permit ip any any log
access-list 102 remark ====== ONLY SOURCE TO INTERNET ACL =====
access-list 102 permit ip 192.168.2.0 0.0.0.255 any log
access-list 102 deny ip any any log
My problem is that when my DHCP lease time is over, the acc-list stops it from getting the renewal. The reason I discovered this was because when I removed the ip access-group from the FA interfaces I directly get my address back.
Any help would be appreciated.
TIA
bye flash
07-22-2007 06:00 AM
Hi Flash,
All DHCP packets travel as UDP datagrams; all client-sent packets have source port 68 and destination port 67; all server-sent packets have source port 67 and destination port 68. For example, a server-side acl should allow the following types of packets:
Incoming packets from 0.0.0.0 or dhcp-pool to dhcp-ip
Incoming packets from any address to 255.255.255.255
Outgoing packets from dhcp-ip to dhcp-pool or 255.255.255.255
where dhcp-ip represents any address configured on a DHCP server host and dhcp-pool stands for the pool from which a DHCP server assigns addresses to clients.
e.g.
access-list 111 permit udp host 0.0.0.0 eq bootpc host 10.32.73.129 eq bootps
access-list 111 permit udp 10.32.73.128 0.0.0.63 eq bootpc host 10.32.73.129 eq bootps
access-list 111 permit udp any eq bootpc host 255.255.255.255 eq bootps
If this info was of help to u please rate it.
Thanks
Deepinder Singh Babbar
07-22-2007 07:30 AM
Hi flash,
Actually you do not need to take help of ACL for your DHCP requests. You can instead configure "ip helper-address x.x.x.x" on your LAN interface where x.x.x.x is the IP of your DHCP server. So, if your client sends a broadcast for an IP from DHCP, the router will convert the broadcast and send a unicast request to that particular DHCP IP if "ip helper-address" is configured. Thanks!
Regards,
Manoj
07-22-2007 11:08 AM
I agree with Deepinder that you would need to permit UDP ports 67 & 68 for DHCP to work when you have access-lists placed on the VLAN.
A helper address won't help as the source of the DHCP broadcast carries an IP of 0.0.0.0, which will be blocked by the access-list.
just add the following to the beginning of your access-list
access-list 101 permit udp any any eq 67
access-list 101 permit udp any any eq 68
HTH, rate if it does
Narayan
07-23-2007 08:02 AM
*deepinder* thx for your advice. I must say that I don't fully understand the command you have given [this doesn't mean I don't appreciate your advice]. I will give it a look to see what that command exactly stands for.
*royalblues* also my thx goes out to you. Your advice is s'thing I understand.
I just have 1 question.
With the advice you have given me, doesn't the command:
acc-list 101 permit ip any any
take care of letting the UDP packets go through?
I'm using Fa0/0 for my WAN and it's getting its IP address from DHCP, and 1 line in the acc-list is blocking the DHCP lease renewal when the time is expired. Do I need to remove a line from acc-list 101, or will adding the
access-list 101 permit udp any any eq 67
access-list 101 permit udp any any eq 68
on top of the acc-list resolve this issue? I'm not only looking for the solution but also what I have done wrong.
ps: acc-list 101 is configured for inbound on int fa0/0
tia
bye flash...
07-23-2007 08:42 AM
When you add the access-list as inbound, the DHCP request goes but the response gets denied.
I asked you to add the above access-list as we do not know the source of the DHCP packet. It could be from a DHCP server directly or through a DHCP relay agent.
Just give it a try and see if it works.
You can then run a debug, allow the particular source of the DHCP response and fine tune your access-list.
HTH
Narayan
please rate all posts
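To see why the inbound ACL lets the request out but drops the reply, here is an added example (not from the thread or from Cisco) that models IOS wildcard-mask matching and first-match evaluation over the ACL lines quoted above. It assumes a constructed ISP DHCP server address 203.0.113.1 and a leased client address 203.0.113.57; the three lines the forum shows with `x.x` placeholders are left out.

```python
import ipaddress


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


def parse_ace(line):
    """Parse the ACE subset used in the thread: action proto src dst [eq port] [log]."""
    t = line.split()
    action, proto, i = t[2], t[3], 4

    def addr(i):  # returns (base, wildcard, next index)
        if t[i] == "any":
            return "0.0.0.0", "255.255.255.255", i + 1
        if t[i] == "host":
            return t[i + 1], "0.0.0.0", i + 2
        return t[i], t[i + 1], i + 2

    src, src_wc, i = addr(i)
    dst, dst_wc, i = addr(i)
    port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return action, proto, src, src_wc, dst, dst_wc, port


def evaluate(acl, proto, src, dst, dport):
    """First matching line wins; implicit deny if nothing matches."""
    for line in acl:
        if line.split()[2] == "remark":
            continue
        action, p, s, swc, d, dwc, port = parse_ace(line)
        if p not in ("ip", proto):
            continue
        if not (wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc)):
            continue
        if port is not None and port != dport:
            continue
        return action, line
    return "deny", None


# ACL 101 from the thread (parseable lines only), in the order shown.
ACL_101 = [
    "access-list 101 deny ip 192.168.0.0 0.0.255.255 any log",
    "access-list 101 deny ip 172.16.0.0 0.15.255.255 any log",
    "access-list 101 deny ip 10.0.0.0 0.255.255.255 any log",
    "access-list 101 deny ip host 0.0.0.0 any log",
    "access-list 101 deny ip any 0.0.0.0 255.255.255.0 log",
    "access-list 101 deny ip any 0.0.0.255 255.255.255.0 log",
    "access-list 101 permit ip any any log",
]
# The two lines Narayan suggested, placed at the top as he advised.
DHCP_FIX = ["access-list 101 permit udp any any eq 67",
            "access-list 101 permit udp any any eq 68"]

if __name__ == "__main__":
    # Constructed DHCPOFFER: server 203.0.113.1 -> broadcast, UDP 67 -> 68.
    print(evaluate(ACL_101, "udp", "203.0.113.1", "255.255.255.255", 68))
    print(evaluate(DHCP_FIX + ACL_101, "udp", "203.0.113.1", "255.255.255.255", 68))
```

The broadcast reply is caught by `deny ip any 0.0.0.255 255.255.255.0` (wildcard 255.255.255.0 leaves only the last octet significant, and 255.255.255.255 ends in .255) before `permit ip any any` is reached, while a unicast reply to 203.0.113.57 reaches the permit; prepending the two UDP permits lets both through.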
07-23-2007 09:26 AM
Ok? I will add them and monitor it, as my DHCP lease is being refreshed every 1.5 days...
i'll keep in touch
bye flash...
07-25-2007 06:22 AM
Royalblues it seems that my problem is resolved...thx
bye flash
07-25-2007 06:27 AM
ps: was looking for the rate option to rate ur post Royal but i'm missing this option. Any suggestions?