Question related to Access-lists

flashsplash

Hi All,

I've got this problem.

First let me post my acc-list.

access-list 101 remark ====== OUTSIDE INTERFACE ACL =====

access-list 101 deny ip 192.168.0.0 0.0.255.255 any log

access-list 101 deny ip 172.16.0.0 0.15.255.255 any log

access-list 101 deny ip 10.0.0.0 0.255.255.255 any log

access-list 101 deny ip 127.x.x.0 0.255.255.255 any log

access-list 101 deny ip 255.0.0.0 0.255.255.255 any log

access-list 101 deny ip 224.x.x.0 31.255.255.255 any log

access-list 101 deny ip host 0.0.0.0 any log

access-list 101 deny ip 169.x.x.0 0.0.255.255 any log

access-list 101 deny ip any 0.0.0.0 255.255.255.0 log

access-list 101 deny ip any 0.0.0.255 255.255.255.0 log

access-list 101 permit ip any any log

access-list 102 remark ====== ONLY SOURCE TO INTERNET ACL =====

access-list 102 permit ip 192.168.2.0 0.0.0.255 any log

access-list 102 deny ip any any log

My problem is that when my DHCP lease time is over, the access-list stops it from getting the renewal. The reason I discovered this was that when I removed the ip access-group from the FA interfaces I directly got my address back.

Any help would be appreciated.

TIA

bye flash

8 Replies

deepinder

Hi Flash,

All DHCP packets travel as UDP datagrams; all client-sent packets have source port 68 and destination port 67; all server-sent packets have source port 67 and destination port 68. For example, a server-side acl should allow the following types of packets:

Incoming packets from 0.0.0.0 or dhcp-pool to dhcp-ip

Incoming packets from any address to 255.255.255.255

Outgoing packets from dhcp-ip to dhcp-pool or 255.255.255.255

where dhcp-ip represents any address configured on a DHCP server host and dhcp-pool stands for the pool from which a DHCP server assigns addresses to clients.

e.g.

access-list 111 permit udp host 0.0.0.0 eq bootpc host 10.32.73.129 eq bootps

access-list 111 permit udp 10.32.73.128 0.0.0.63 eq bootpc host 10.32.73.129 eq bootps

access-list 111 permit udp any eq bootpc host 255.255.255.255 eq bootps

If this info was of help to you please rate it.

Thanks

Deepinder Singh Babbar

Hi flash,

Actually you do not need the help of an ACL for your DHCP requests. You can instead configure "ip helper-address x.x.x.x" on your LAN interface, where x.x.x.x is the IP of your DHCP server. So, if your client sends a broadcast for an IP from DHCP, the router will convert the broadcast and send a unicast request to that particular DHCP IP if "ip helper-address" is configured. Thanks!

Regards,

Manoj

I agree with deepinder that you would need to permit UDP ports 67 & 68 for DHCP to work when you have access-lists placed on the VLAN.

A helper address won't help, as the source of the DHCP broadcast carries the IP 0.0.0.0, which will be blocked by the access-list.

Just add the following to the beginning of your access-list:

access-list 101 permit udp any any eq 67

access-list 101 permit udp any any eq 68

HTH, rate if it does

Narayan

*deepinder* thanks for your advice. I must say that I don't fully understand the command you have given [this doesn't mean I don't appreciate your advice]. I will have a look at what that command exactly stands for.

*royalblues* my thanks also go out to you. Your advice is something I understand.

I just have 1 question.

With the advice you have given me, doesn't the command:

access-list 101 permit ip any any

have to take care of letting the UDP packets go through?

I'm using Fa0/0 for my WAN and it's getting its IP address from DHCP, and 1 line in the access-list is blocking the DHCP lease renewal when the time has expired. Do I need to remove a line from access-list 101, or will adding

access-list 101 permit udp any any eq 67

access-list 101 permit udp any any eq 68

on top of the access-list resolve this issue? I'm not only looking for the solution but also for what I have done wrong.

ps: access-list 101 is configured for inbound on int fa0/0

tia

bye flash...

When you add the access-list as inbound, the DHCP request goes out but the response gets denied.

I asked you to add the above access-list as we do not know the source of the DHCP packet. It could be from a DHCP server directly or through a DHCP relay agent.

Just give it a try and see if it works.

You can then run a debug, allow the particular source of the DHCP response and fine-tune your access-list.

HTH

Narayan

please rate all posts
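To see why an inbound ACL 101 can deny the DHCP server's reply before the final "permit ip any any" is ever reached (the question flash raised above, and the behaviour Narayan describes), here is an added Python simulation of Cisco first-match ACL evaluation with wildcard masks. It is not code from the thread; it models only the ACL 101 lines that are unambiguous in the original post, and the three sample packets and the server addresses 10.1.1.1 / 203.0.113.1 are constructed.

```python
import ipaddress

def ip2int(a):
    return int(ipaddress.IPv4Address(a))

def wc_match(addr, base, wildcard):
    # Cisco wildcard mask: a 0 bit must match the base, a 1 bit is don't-care
    w = ip2int(wildcard)
    return (ip2int(addr) & ~w & 0xFFFFFFFF) == (ip2int(base) & ~w & 0xFFFFFFFF)

def ace(action, proto, src, src_wc, dst, dst_wc, dport=None):
    return dict(action=action, proto=proto, src=src, src_wc=src_wc,
                dst=dst, dst_wc=dst_wc, dport=dport)

ANY = ("0.0.0.0", "255.255.255.255")

# Subset of the poster's ACL 101 (constructed from the thread, 127/224/169 lines omitted)
ACL_101 = [
    ace("deny", "ip", "192.168.0.0", "0.0.255.255", *ANY),
    ace("deny", "ip", "172.16.0.0", "0.15.255.255", *ANY),
    ace("deny", "ip", "10.0.0.0", "0.255.255.255", *ANY),
    ace("deny", "ip", "0.0.0.0", "0.0.0.0", *ANY),           # host 0.0.0.0
    ace("deny", "ip", *ANY, "0.0.0.0", "255.255.255.0"),     # any destination ending in .0
    ace("deny", "ip", *ANY, "0.0.0.255", "255.255.255.0"),   # any destination ending in .255
    ace("permit", "ip", *ANY, *ANY),
]

# Narayan's two lines placed at the top of the same ACL
DHCP_FIRST = [ace("permit", "udp", *ANY, *ANY, 67),
              ace("permit", "udp", *ANY, *ANY, 68)] + ACL_101

def evaluate(acl, pkt):
    """First match wins; returns (action, 1-based ACE index), or ('deny', None) for the implicit deny."""
    for i, e in enumerate(acl, 1):
        if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
            continue
        if e["dport"] is not None and e["dport"] != pkt["dport"]:
            continue
        if wc_match(pkt["src"], e["src"], e["src_wc"]) and wc_match(pkt["dst"], e["dst"], e["dst_wc"]):
            return e["action"], i
    return "deny", None

def dhcp_reply(src, dst):
    # Server-sent DHCP: UDP, source port 67, destination port 68
    return dict(proto="udp", src=src, dst=dst, sport=67, dport=68)

# Constructed server replies as they arrive inbound on the WAN interface
OFFER_FROM_PRIVATE = dhcp_reply("10.1.1.1", "255.255.255.255")   # server/relay on a private address
ACK_BROADCAST = dhcp_reply("203.0.113.1", "255.255.255.255")     # broadcast ACK (client has no address yet)
ACK_UNICAST = dhcp_reply("203.0.113.1", "203.0.113.50")          # unicast ACK during a normal renew

if __name__ == "__main__":
    for name, p in [("offer", OFFER_FROM_PRIVATE), ("ack-bcast", ACK_BROADCAST), ("ack-ucast", ACK_UNICAST)]:
        print(name, "ACL_101:", evaluate(ACL_101, p), "DHCP_FIRST:", evaluate(DHCP_FIRST, p))
```

Only the unicast ACK reaches the final permit; the broadcast replies are caught by the anti-spoofing denies above it, which is why the permits for ports 67/68 have to come first.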

Ok, I will add them and monitor it, as my DHCP lease is being refreshed every 1.5 days...

I'll keep in touch.

bye flash...

Royalblues, it seems that my problem is resolved...thanks

bye flash

ps: I was looking for the rate option to rate your post, Royal, but I'm missing this option. Any suggestions?
