Concerning ACL with DHCP.

Answered Question
Feb 17th, 2009

I have a router with 2 FE interfaces :


(1) interface FastEthernet0/0

=> ip address 137.55.70.1 255.255.255.0

=> duplex auto

=> speed auto

Note: On this interface/subnet I have a DHCP server connected as 137.55.70.2.



(2) interface FastEthernet0/1

=> ip address 137.55.71.1 255.255.255.0

=> ip helper-address 137.55.70.2

=> duplex auto

=> speed auto


Scenario (1) - OK

-------------------------

(1) I have defined ACLs as follows:

=>access-list 101 permit ip 137.55.71.0 0.0.0.255 host 137.55.70.2

=>access-list 104 permit udp 137.55.71.0 0.0.0.255 host 137.55.70.2 eq bootpc

=>access-list 104 permit udp 137.55.71.0 0.0.0.255 host 137.55.70.2 eq bootps



(2) Applied to F0/0 :

=>ip access-group 104 out


Result : Clients connected to F0/1 subnet get DHCP IP addresses.



Scenario (2) - Not OK

--------------------------------

(1) Use the same ACL applied to F0/1 :

=> ip access-group 104 in


(2) And added the following line in the global configuration mode :

=>ip forward-protocol udp


(3) Removed 104 and applied 101 to F0/1:

=> ip access-group 101 in


Result : Clients connected to F0/1 subnet CANNOT get DHCP IP addresses.


P.S.: It is not as simple as I thought. I would appreciate it if anyone can help. Thank you very much.




Correct Answer
mlund Wed, 02/18/2009 - 06:22

Hi


You have to permit ip from host 0.0.0.0 to destination host 255.255.255.255, because the PC doesn't have any IP yet; that is why the source IP would be 0.0.0.0, and DHCP is a broadcast, so destination host 255.255.255.255 will do.


access-list 104 permit ip host 0.0.0.0 host 255.255.255.255

or

access-list 104 permit udp host 0.0.0.0 host 255.255.255.255 eq bootpc


/Mikael

thonghawkyen Mon, 03/02/2009 - 06:36

Dear Mikael,


Sorry for the late reply. I am not sure why I had problems accessing with my password for the past week.


Thank you very much. Your suggestion works very well. We are now able to progress with other ACLs.


regards

thong

John Blakley Wed, 02/18/2009 - 06:56

I'm not sure if you have a typo, but F0/0 doesn't have a helper-address configured.


HTH,


John

Richard Burts Wed, 02/18/2009 - 12:08

John


It is not a typo. In the original post it says: "This interface/subnet i hv a DHCP server connected as 137.55.70.2." So there is a DHCP server directly connected in the subnet and no need for a helper address.


HTH


Rick



Richard Burts Wed, 02/18/2009 - 12:29

John


Yes, if you missed the directly connected DHCP server then it was a good catch of an inconsistency between the interfaces.


HTH


Rick

thonghawkyen Mon, 03/02/2009 - 07:04

Hi Rick,


Thank you for your clarification. My understanding is same as yours.


regards

thong

Leo Laohoo Wed, 02/18/2009 - 13:51

Forgive my ignorance here but I thought you can only apply one access list (104), per direction (out) to one interface (Fa0/0) at any time.


So you can't apply 104 to both Fa0/0 and Fa0/1.


Am I wrong here?

Richard Burts Wed, 02/18/2009 - 14:06

Leo


Unfortunately your understanding is not correct. The restriction is one access list per direction per interface. (per interface is quite different than to one interface)


It is quite valid to apply the same access list to more than one interface. What is not valid is to try to have two access lists on the same interface in the same direction.


HTH


Rick

Richard Burts Wed, 02/18/2009 - 14:13

I am curious how many people are wondering why access list 104 applied outbound on Fa0/0 allows traffic to flow just fine but the same access list 104 applied inbound on Fa0/1 creates a problem.


I had to think for a bit before the answer came to me. Would anyone like to contribute their understanding of this?


HTH


Rick

Leo Laohoo Wed, 02/18/2009 - 14:45

Let me take a guess: Apply the access list as close-as-possible to the destination (Fa 0/0).


:)

Correct Answer
Richard Burts Thu, 02/19/2009 - 09:01

Leo


The answer is not really based on being as close as possible to the destination. To understand the reason, let's start by understanding what the messages are. The initial DHCP request (which would be filtered by the access list inbound on Fa0/1) is a broadcast from the PC with a source address of zeros. Since access list 104 was written to permit only traffic whose source address was 137.55.71.0, it denies the DHCP request. If the access list is outbound on Fa0/0, then the DHCP request gets to the router, and the router uses the helper address to forward the request to the DHCP server. And the message to the DHCP server is a unicast message with the router interface as the source address. The source address still does not match the range specified in the access list, but one of the interesting things about access lists is that outbound access lists do not filter traffic that is generated by the router itself. And the helper address message is generated by the router, so it does not get filtered by the access list. This is the reason that the access list outbound on Fa0/0 is not a problem but is a problem when inbound on Fa0/1.


HTH


Rick
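To make the two points in this thread concrete (Rick's explanation above of why access list 104 behaves differently inbound on Fa0/1 and outbound on Fa0/0, and Mikael's fix of permitting host 0.0.0.0 to host 255.255.255.255), here is a small Python model of extended-ACL evaluation. It is an added example, not code from the thread or from Cisco: the addresses, ACL number and entries are taken from the posts, the DHCP packets are constructed, and the rule that an outbound ACL is not applied to packets the router itself originates is modelled as Rick describes it. The relayed request is given the Fa0/1 address 137.55.71.1 as its source, which is an assumption about the relay. Port keywords follow IOS semantics, where `eq` after the destination address tests the destination port; a DISCOVER is sent to bootps (67), so the model also shows that the `eq bootpc` variant of the fix does not match it, while the `permit ip` variant does.

```python
"""Toy model of Cisco IOS extended ACL evaluation for the DHCP relay case.

Added example, not Cisco code. Addresses and ACL 104 come from the thread;
the packets and the relay source address are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

BOOTPS = 67  # IOS keyword "bootps" (DHCP server port)
BOOTPC = 68  # IOS keyword "bootpc" (DHCP client port)


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wild_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(addr) & care) == (ip_int(base) & care)


@dataclass(frozen=True)
class Ace:
    """One access-list entry; dport models 'eq <port>' after the destination."""
    proto: str                  # "ip" matches any protocol, else e.g. "udp"
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    router_generated: bool = False  # originated by the router (e.g. relayed DHCP)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not wild_match(pkt.src, ace.src, ace.src_wild):
        return False
    if not wild_match(pkt.dst, ace.dst, ace.dst_wild):
        return False
    return ace.dport is None or ace.dport == pkt.dport


def acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    return any(ace_matches(ace, pkt) for ace in acl)


def interface_filter(acl: List[Ace], direction: str, pkt: Packet) -> bool:
    """Apply an ACL in/out on an interface. Outbound ACLs are not applied to
    traffic the router itself generates (the behaviour Rick describes)."""
    if direction == "out" and pkt.router_generated:
        return True
    return acl_permits(acl, pkt)


HOST = "0.0.0.0"  # wildcard for the 'host' keyword

# access-list 104 exactly as posted in the question
ACL_104 = [
    Ace("udp", "137.55.71.0", "0.0.0.255", "137.55.70.2", HOST, BOOTPC),
    Ace("udp", "137.55.71.0", "0.0.0.255", "137.55.70.2", HOST, BOOTPS),
]
# Mikael's two suggested additions, each appended to the original list
ACL_104_FIX_IP = ACL_104 + [Ace("ip", "0.0.0.0", HOST, "255.255.255.255", HOST)]
ACL_104_FIX_UDP_BOOTPC = ACL_104 + [
    Ace("udp", "0.0.0.0", HOST, "255.255.255.255", HOST, BOOTPC)]

# Constructed packets: the client's broadcast DISCOVER entering Fa0/1, and the
# unicast copy the router relays out of Fa0/0 after applying the helper address.
DISCOVER = Packet("0.0.0.0", "255.255.255.255", "udp", BOOTPS)
RELAYED = Packet("137.55.71.1", "137.55.70.2", "udp", BOOTPS, router_generated=True)


def scenario_1_acl_out_fa00() -> bool:
    """ACL 104 outbound on Fa0/0: the relayed request is router-generated and
    exempt (with this ACL it would also match the bootps entry anyway)."""
    return interface_filter(ACL_104, "out", RELAYED)


def scenario_2_acl_in_fa01(acl: List[Ace] = ACL_104) -> bool:
    """ACL inbound on Fa0/1: the raw DISCOVER (source 0.0.0.0) is evaluated."""
    return interface_filter(acl, "in", DISCOVER)


if __name__ == "__main__":
    print("scenario 1, 104 out Fa0/0:", scenario_1_acl_out_fa00())
    print("scenario 2, 104 in Fa0/1:", scenario_2_acl_in_fa01())
    print("scenario 2 with 'permit ip host 0.0.0.0 host 255.255.255.255':",
          scenario_2_acl_in_fa01(ACL_104_FIX_IP))
    print("scenario 2 with '... eq bootpc' variant:",
          scenario_2_acl_in_fa01(ACL_104_FIX_UDP_BOOTPC))
```

Running it reproduces the thread: the outbound placement passes, the inbound placement drops the DISCOVER, and only the `permit ip` form of the fix lets the zero-source broadcast through, because the `eq bootpc` form tests destination port 68 while the DISCOVER is addressed to port 67.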

Leo Laohoo Thu, 02/19/2009 - 13:36

Thanks Rick. Appreciate the explanation. :)

thonghawkyen Tue, 03/03/2009 - 02:08

Hi Rick,


Besides making it work, I now have a better understanding. I have no further questions.

Thank you very much.


regards

thong

Richard Burts Tue, 03/03/2009 - 12:43

Thong


I am glad that it is working and that our explanations have helped you to understand it better. Thank you for using the rating system to indicate that your question was resolved (and thanks for the rating). It makes the forum more useful when people can read a question and know that the responses did resolve it.


HTH


Rick

Leo Laohoo Wed, 02/18/2009 - 14:42

Thanks Rick.
