Vlan access map and DHCP

Answered Question
May 16th, 2008

I am setting up a VLAN access map but I cannot get DHCP to work: a host cannot pick up an IP address. Here is the config.

interface Vlan200
 description Infx
 ip address 10.79.200.1 255.255.255.0
 ip helper-address 10.79.1.90
 arp timeout 1
!
vlan access-map vm200 10
 match ip address vac200
 action forward
!
vlan filter vm200 vlan-list 200
!
ip access-list extended vac200
 permit ip 10.79.200.0 0.0.0.255 10.79.5.144 0.0.0.15
 permit ip 10.79.5.144 0.0.0.15 10.79.200.0 0.0.0.255
 permit udp host 10.79.1.90 eq bootps 10.79.200.0 0.0.0.255 eq bootpc

As you can see, my DHCP server is 10.79.1.90. If I do an ip any any in the access list it works, but I would like to lock it down.

Ideas? Thanks

michael.leblanc Mon, 05/19/2008 - 15:35

The second ACE mirrors the first ACE to facilitate bi-directional traffic. This would imply that you need to mirror the third ACE in order to permit the DHCP clients to reach the DHCP server.

ip access-list extended vac200
 permit ip 10.79.200.0 0.0.0.255 10.79.5.144 0.0.0.15
 permit ip 10.79.5.144 0.0.0.15 10.79.200.0 0.0.0.255
 permit udp host 10.79.1.90 eq bootps 10.79.200.0 0.0.0.255 eq bootpc
 permit udp 10.79.200.0 0.0.0.255 eq bootpc host 10.79.1.90 eq bootps

Correct Answer
michael.leblanc Mon, 05/19/2008 - 15:51

An additional thought:

The two ACEs don't address the full scope of the issue, as some of the DHCP packets are sent with a source IP address of 0.0.0.0, and a destination IP address of 255.255.255.255 (broadcast address).

You might be better off with:

permit udp any eq bootps any eq bootpc

permit udp any eq bootpc any eq bootps

... and use DHCP Snooping for security.
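To make the point of both replies concrete (the mirrored ACE fixes unicast client-to-server traffic, but the initial DISCOVER/REQUEST still comes from 0.0.0.0 to 255.255.255.255 and matches nothing), here is an added example that is not part of the thread and not Cisco code. It models IOS wildcard-mask matching for a small subset of extended-ACE syntax and runs the narrow ACL (the original three ACEs plus the mirrored fourth) and the wide `any`/`any` ACL against constructed DHCP packets. The client, relay and packet set are constructed and simplified: only packets seen on VLAN 200 itself are modelled, and the relay agent's unicast hop to the server is left out.

```python
"""Model how an IOS extended ACL used in a VLAN access map matches DHCP traffic.

Added example for this thread (not the poster's or Cisco's code). In a VACL a
'permit' in the matched ACL triggers the access-map action (here 'forward');
a packet that matches no ACE is dropped, which is the implicit deny that stops
the DHCP broadcasts under the narrow ACL.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address

PORT_NAMES = {"bootps": 67, "bootpc": 68}


@dataclass(frozen=True)
class Packet:
    proto: str          # "udp", "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)


def parse_ace(text: str) -> dict:
    """Parse 'permit|deny <proto> <src> [eq <port>] <dst> [eq <port>]'.
    <src>/<dst> may be 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    toks = text.split()
    pos = 2

    def take_addr():
        nonlocal pos
        if toks[pos] == "any":
            pos += 1
            return "0.0.0.0", "255.255.255.255"
        if toks[pos] == "host":
            pos += 2
            return toks[pos - 1], "0.0.0.0"
        pos += 2
        return toks[pos - 2], toks[pos - 1]

    def take_port():
        nonlocal pos
        if pos < len(toks) and toks[pos] == "eq":
            name = toks[pos + 1]
            pos += 2
            return PORT_NAMES.get(name) or int(name)
        return None

    src, sport = take_addr(), take_port()
    dst, dport = take_addr(), take_port()
    return {"action": toks[0], "proto": toks[1], "src": src, "sport": sport,
            "dst": dst, "dport": dport}


def ace_matches(ace: dict, pkt: Packet) -> bool:
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if not wildcard_match(pkt.src, *ace["src"]):
        return False
    if not wildcard_match(pkt.dst, *ace["dst"]):
        return False
    if ace["sport"] is not None and ace["sport"] != pkt.sport:
        return False
    return ace["dport"] is None or ace["dport"] == pkt.dport


def evaluate(acl_lines, pkt: Packet) -> str:
    """First-match evaluation with the implicit deny at the end."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"


# Constructed, simplified DHCP exchange on VLAN 200: client 10.79.200.50,
# relay/SVI 10.79.200.1, server 10.79.1.90 (addresses from the thread; the
# client address and the relayed-broadcast OFFER are assumptions).
DHCP_FLOWS = {
    "discover (client, no lease yet)": Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67),
    "offer (relayed, broadcast)":      Packet("udp", "10.79.200.1", "255.255.255.255", 67, 68),
    "renew (unicast to server)":       Packet("udp", "10.79.200.50", "10.79.1.90", 68, 67),
    "ack (unicast from server)":       Packet("udp", "10.79.1.90", "10.79.200.50", 67, 68),
}

NARROW_ACL = [
    "permit ip 10.79.200.0 0.0.0.255 10.79.5.144 0.0.0.15",
    "permit ip 10.79.5.144 0.0.0.15 10.79.200.0 0.0.0.255",
    "permit udp host 10.79.1.90 eq bootps 10.79.200.0 0.0.0.255 eq bootpc",
    "permit udp 10.79.200.0 0.0.0.255 eq bootpc host 10.79.1.90 eq bootps",
]
WIDE_ACL = [
    "permit udp any eq bootps any eq bootpc",
    "permit udp any eq bootpc any eq bootps",
]


def evaluate_flows(acl_lines, flows=DHCP_FLOWS) -> dict:
    return {name: evaluate(acl_lines, pkt) for name, pkt in flows.items()}


if __name__ == "__main__":
    for label, acl in (("narrow ACL", NARROW_ACL), ("wide ACL", WIDE_ACL)):
        print(label)
        for name, verdict in evaluate_flows(acl).items():
            print(f"  {verdict:6} {name}")
```

Under the narrow ACL the unicast renew and ack are permitted, but the initial discover and the relayed broadcast offer fall through to the implicit deny, so a host with no lease never gets one. The wide ACL permits all four; because it no longer pins the server address, the per-port protection that was lost is what DHCP snooping (which validates server replies per port) is meant to put back.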
