I'm having a problem creating an ACL to allow DHCP.
I want to secure a VLAN running across our Cisco wireless network infrastructure to limit access as much as I can.
Restricting access to limited ip addresses and ports is straightforward, but I can't seem to get the ACL correct to allow clients to obtain ip addresses via DHCP.
I seem to remember that the ACL for DHCP was a little odd - this is what I currently have:
permit udp any host 172.16.30.4 log
permit tcp any host 172.16.30.4 log
permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.4 eq domain established log
permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.27 eq 8080 log
permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.82 eq 443 log
deny ip any any (28 matches)
172.16.30.4 is the DHCP server, and I would like to limit this to only the ports required for DHCP, but I haven't specified whilst debugging this problem - my initial config was for ports 67 and 68.
I'm seeing traffic being logged against the deny ip any any, so I know the client is trying to send to the correct network etc.
The IP helper address is configured on the interface and is 172.16.30.4.
Can someone let me know what I'm missing?