05-16-2008 07:06 AM - edited 03-05-2019 11:02 PM
I am setting up a VLAN access map, but I cannot get DHCP to work: a host cannot pick up an IP address. Here is the config.
interface Vlan200
description Infx
ip address 10.79.200.1 255.255.255.0
ip helper-address 10.79.1.90
arp timeout 1
!
vlan access-map vm200 10
match ip address vac200
action forward
!
vlan filter vm200 vlan-list 200
!
!
ip access-list extended vac200
permit ip 10.79.200.0 0.0.0.255 10.79.5.144 0.0.0.15
permit ip 10.79.5.144 0.0.0.15 10.79.200.0 0.0.0.255
permit udp host 10.79.1.90 eq bootps 10.79.200.0 0.0.0.255 eq bootpc
As you can see, my DHCP server is 10.79.1.90. If I use ip any any in the access list it works, but I would like to lock it down.
Ideas? Thanks
05-16-2008 11:27 AM
*Bump
05-19-2008 03:35 PM
The second ACE mirrors the first ACE to facilitate bi-directional traffic. This would imply that you need to mirror the third ACE in order to permit the DHCP clients to reach the DHCP server.
ip access-list extended vac200
permit ip 10.79.200.0 0.0.0.255 10.79.5.144 0.0.0.15
permit ip 10.79.5.144 0.0.0.15 10.79.200.0 0.0.0.255
permit udp host 10.79.1.90 eq bootps 10.79.200.0 0.0.0.255 eq bootpc
permit udp 10.79.200.0 0.0.0.255 eq bootpc host 10.79.1.90 eq bootps
05-19-2008 03:51 PM
An additional thought:
The two ACEs don't address the full scope of the issue, as some of the DHCP packets are sent with a source IP address of 0.0.0.0, and a destination IP address of 255.255.255.255 (broadcast address).
You might be better off with:
permit udp any eq bootps any eq bootpc
permit udp any eq bootpc any eq bootps
... and use DHCP Snooping for security.
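As an added illustration of the point above (this is not code from the thread or from Cisco), the Python below models first-match extended-ACL evaluation with the implicit deny at the end, and runs three constructed DHCP packets through the poster's original ACL, the ACL with the mirrored fourth ACE, and the any-to-any bootps/bootpc version. The client address 10.79.200.50, the sample packets, and the simplified matcher (which models only ACE matching, not where in the switch the VACL is applied or the ip helper-address relay path) are assumptions made for the demonstration.

```python
import ipaddress

# Port names as IOS spells them in an extended ACL; anything else is a literal number.
PORT_NAMES = {"bootps": 67, "bootpc": 68}


def _addr_spec(tokens, i):
    """Consume one IOS address spec at tokens[i]: 'any', 'host A', or 'A WILDCARD'.
    Returns ((address, wildcard), index of the next token)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2


def _port_spec(tokens, i):
    """Consume an optional 'eq <port>'; returns (port or None, index of the next token)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_ace(line):
    """Parse 'permit|deny <proto> <src> [eq p] <dst> [eq p]' (the subset used in this thread)."""
    t = line.split()
    src, i = _addr_spec(t, 2)
    sport, i = _port_spec(t, i)
    dst, i = _addr_spec(t, i)
    dport, i = _port_spec(t, i)
    return {"action": t[0], "proto": t[1], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "text": line}


def _wildcard_match(ip, spec):
    """IOS wildcard semantics: a 1 bit in the wildcard mask means 'don't care'."""
    addr, wildcard = spec
    return ((int(ipaddress.IPv4Address(ip)) ^ addr) & ~wildcard & 0xFFFFFFFF) == 0


def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not (_wildcard_match(pkt["src"], ace["src"]) and _wildcard_match(pkt["dst"], ace["dst"])):
        return False
    if ace["sport"] is not None and ace["sport"] != pkt["sport"]:
        return False
    return ace["dport"] is None or ace["dport"] == pkt["dport"]


def evaluate(acl_lines, pkt):
    """First matching ACE wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    for ace in map(parse_ace, acl_lines):
        if ace_matches(ace, pkt):
            return ace["action"], ace["text"]
    return "deny", "implicit deny"


# Constructed sample packets (not captured from the poster's network). The client
# address 10.79.200.50 is an assumption; the server 10.79.1.90 is from the post.
# DISCOVER is the initial client broadcast (0.0.0.0 -> 255.255.255.255);
# RENEW is the unicast DHCPREQUEST a client sends straight to its server later.
DHCP_PACKETS = {
    "DISCOVER": dict(proto="udp", src="0.0.0.0", sport=68, dst="255.255.255.255", dport=67),
    "OFFER": dict(proto="udp", src="10.79.1.90", sport=67, dst="10.79.200.50", dport=68),
    "RENEW": dict(proto="udp", src="10.79.200.50", sport=68, dst="10.79.1.90", dport=67),
}

ORIGINAL = [
    "permit ip 10.79.200.0 0.0.0.255 10.79.5.144 0.0.0.15",
    "permit ip 10.79.5.144 0.0.0.15 10.79.200.0 0.0.0.255",
    "permit udp host 10.79.1.90 eq bootps 10.79.200.0 0.0.0.255 eq bootpc",
]
MIRRORED = ORIGINAL + ["permit udp 10.79.200.0 0.0.0.255 eq bootpc host 10.79.1.90 eq bootps"]
BROAD = ORIGINAL[:2] + [
    "permit udp any eq bootps any eq bootpc",
    "permit udp any eq bootpc any eq bootps",
]


def verdicts(acl_lines):
    """Map each sample packet name to 'permit' or 'deny' under the given ACL."""
    return {name: evaluate(acl_lines, pkt)[0] for name, pkt in DHCP_PACKETS.items()}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL), ("mirrored", MIRRORED), ("bootps/bootpc any", BROAD)):
        print(label)
        for name, pkt in DHCP_PACKETS.items():
            action, why = evaluate(acl, pkt)
            print(f"  {name:<9} {pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']}"
                  f"  {action:<6} by {why}")
```

The run shows the failure mode from the thread directly: the original and mirrored ACLs both send the client's DISCOVER (source 0.0.0.0, destination 255.255.255.255) to the implicit deny, because no ACE's source or destination covers those addresses; only the any-to-any bootps/bootpc pair passes it. The mirrored fourth ACE does fix the unicast renewal to the server, which the original ACL also dropped.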