DHCP not passing through access-list

Unanswered Question

I have a LAN that just needs access to a proxy server for Internet access and a dhcp server to receive an ip address. Internet access is working fine, if I assign an IP manually. The dhcp is not passing through though. I have the following access list applied to the routing interface for that LAN:


access-list 112 permit tcp any host 10.10.1.5 eq 8080
access-list 112 permit tcp any host 10.10.1.10 eq 546
access-list 112 permit udp any host 10.10.1.10 eq 546
access-list 112 permit tcp any host 10.10.1.10 eq 547
access-list 112 permit udp any host 10.10.1.10 eq 547
access-list 112 deny ip any any
access-list 113 permit tcp host 10.10.1.5 eq 8080 any
access-list 113 permit tcp host 10.10.1.10 eq 546 any
access-list 113 permit udp host 10.10.1.10 eq 546 any
access-list 113 permit tcp host 10.10.1.10 eq 547 any
access-list 113 permit udp host 10.10.1.10 eq 547 any
access-list 113 deny ip any any


On interface:

ip access-group 112 in
ip access-group 113 out


If I remove "ip access-group 112 in" everything works fine. There is something additional that needs to be able to pass through on "inbound" for dhcp to work. Any ideas?


Bill

konigl Tue, 05/13/2003 - 13:02

BOOTP/DHCP server uses UDP port 67.

BOOTP/DHCP client uses UDP port 68.


Are you using "ip helper-address" on one or more of the interfaces? Or DHCP Relay agents on each IP subnet?


Basically, you will be permitting UDP traffic from the client subnet at port 68 to the server at port 67 in one access-list; and UDP traffic from the server back to the clients in the other. If the router with the access-lists is playing an active role in forwarding UDP broadcasts such as DHCP client address requests, and DHCP server address offers, you may have to take that into consideration as you put together the relevant access-list command lines.


Hope this helps.


konigl Wed, 05/14/2003 - 11:37

UDP 67 and 68 are all you need to open up for DHCP.


The following access-list commands applied to the client LAN interface should cover all your DHCP needs (112 inbound, and 113 outbound, per your previous posts):


access-list 112 permit udp any eq 68 any
access-list 113 permit udp any any eq 68


These two commands might seem overly permissive; but the only UDP traffic leaving your client LAN from port 68 or coming back into it at port 68 should be DHCP. This leaves you the flexibility to move your DHCP server around, or implement multiple DHCP servers for fault tolerance.


Hope this helps.
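Added example, not from either post: a small Python model of IOS numbered-ACL matching (first match wins, implicit deny at the end), run against the poster's ACLs and the DHCPv4 packets both replies describe (client port 68, server and relay port 67). The relay address 10.10.2.1, the client 10.10.2.50 and the packets are constructed for the example.

```python
"""Evaluate the thread's numbered ACLs against DHCPv4 packets (RFC 2131:
client port 68, server and relay port 67).  Added example; the ACL text is
the poster's, the packets and the LAN addresses are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def _endpoint(tok):
    """Consume 'any' | 'host A.B.C.D', then optional 'eq PORT'; None = wildcard."""
    addr = None if tok.pop(0) == "any" else tok.pop(0)
    port = None
    if tok and tok[0] == "eq":
        tok.pop(0)
        port = int(tok.pop(0))
    return addr, port

def parse_acl(text):
    """Map ACL number -> ordered list of (action, proto, (saddr, sport), (daddr, dport))."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"]:
            action, proto, rest = tok[2], tok[3], tok[4:]
            acls.setdefault(tok[1], []).append((action, proto, _endpoint(rest), _endpoint(rest)))
    return acls

def evaluate(entries, p):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, proto, (sa, sp), (da, dp) in entries:
        if proto in ("ip", p.proto) and sa in (None, p.src) and da in (None, p.dst) \
                and sp in (None, p.sport) and dp in (None, p.dport):
            return action
    return "deny"

# The poster's ACLs with the 546/547 lines omitted: those are DHCPv6 ports (RFC 3315)
# and never match DHCPv4.  The DHCP permits must sit BEFORE 'deny ip any any'; appending
# to a numbered ACL on IOS places new lines at the end, where they are never reached.
ORIGINAL = """access-list 112 permit tcp any host 10.10.1.5 eq 8080
access-list 112 deny ip any any
access-list 113 permit tcp host 10.10.1.5 eq 8080 any
access-list 113 deny ip any any"""
FIXED = ORIGINAL.replace("access-list 112 deny", "access-list 112 permit udp any eq 68 any\naccess-list 112 deny") \
                .replace("access-list 113 deny", "access-list 113 permit udp any any eq 68\naccess-list 113 deny")

DISCOVER = Pkt("udp", "0.0.0.0", 68, "255.255.255.255", 67)  # client broadcast, inbound on the LAN
OFFER = Pkt("udp", "10.10.2.1", 67, "255.255.255.255", 68)    # relay to client, checked against 113
PROXY = Pkt("tcp", "10.10.2.50", 51000, "10.10.1.5", 8080)    # proxy traffic that must keep working

def verdicts(acl_text):
    acls = parse_acl(acl_text)
    return (evaluate(acls["112"], DISCOVER), evaluate(acls["113"], OFFER), evaluate(acls["112"], PROXY))

if __name__ == "__main__":
    print("original:", verdicts(ORIGINAL))  # ('deny', 'deny', 'permit')
    print("fixed:   ", verdicts(FIXED))     # ('permit', 'permit', 'permit')
```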

