05-13-2003 12:33 PM - edited 03-02-2019 07:19 AM
I have a LAN that just needs access to a proxy server for Internet access and a dhcp server to receive an ip address. Internet access is working fine, if I assign an IP manually. The dhcp is not passing through though. I have the following access list applied to the routing interface for that LAN:
access-list 112 permit tcp any host 10.10.1.5 eq 8080
access-list 112 permit tcp any host 10.10.1.10 eq 546
access-list 112 permit udp any host 10.10.1.10 eq 546
access-list 112 permit tcp any host 10.10.1.10 eq 547
access-list 112 permit udp any host 10.10.1.10 eq 547
access-list 112 deny ip any any
access-list 113 permit tcp host 10.10.1.5 eq 8080 any
access-list 113 permit tcp host 10.10.1.10 eq 546 any
access-list 113 permit udp host 10.10.1.10 eq 546 any
access-list 113 permit tcp host 10.10.1.10 eq 547 any
access-list 113 permit udp host 10.10.1.10 eq 547 any
access-list 113 deny ip any any
On interface:
ip access-group 112 in
ip access-group 113 out
If I remove "ip access-group 112 in" everything works fine. There is something additional that needs to be able to pass through on "inbound" for dhcp to work. Any ideas?
Bill
05-13-2003 01:02 PM
BOOTP/DHCP server uses UDP port 67.
BOOTP/DHCP client uses UDP port 68.
Are you using "ip helper-address" on one or more of the interfaces? Or DHCP Relay agents on each IP subnet?
Basically, you will be permitting UDP traffic from the client subnet at port 68 to the server at port 67 in one access-list; and UDP traffic from the server back to the clients in the other. If the router with the access-lists is playing an active role in forwarding UDP broadcasts such as DHCP client address requests, and DHCP server address offers, you may have to take that into consideration as you put together the relevant access-list command lines.
Hope this helps.
05-14-2003 04:16 AM
Thank you for your informative post. We are using "ip helper-address" to allow the DHCP broadcasts across the LANs. Do I need to open up more than ports 67 and 68?
Bill
05-14-2003 11:37 AM
UDP 67 and 68 is all you need to open up for DHCP.
The following access-list commands applied to the client LAN interface should cover all your DHCP needs (112 inbound, and 113 outbound, per your previous posts):
access-list 112 permit udp any eq 68 any
access-list 113 permit udp any any eq 68
These two commands might seem overly permissive; but the only UDP traffic leaving your client LAN from port 68 or coming back into it at port 68 should be DHCP. This leaves you the flexibility to move your DHCP server around, or implement multiple DHCP servers for fault tolerance.
Hope this helps.
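As an added example (not from the thread or from Cisco), a small Python evaluator for the extended-ACL lines quoted above: it parses the subset of syntax these posts use and shows the posted access-list 112 dropping a DHCP DISCOVER at the implicit deny, while the suggested `permit udp any eq 68 any` line admits it. The DISCOVER packet and the trimmed copy of the ACL are constructed here; the UDP 67/68 port numbers are the ones given in the reply above.

```python
def _addr(tok, i):
    # 'any' matches every address; 'host A.B.C.D' matches that one address
    if tok[i] == "any":
        return None, i + 1
    assert tok[i] == "host", "unsupported address form"
    return tok[i + 1], i + 2

def _port(tok, i):
    # optional 'eq N' qualifier after an address
    if i < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), i + 2
    return None, i

def parse_acl(lines):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' lines."""
    rules = []
    for line in lines:
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        src, i = _addr(tok, 4)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        rules.append((tok[2] == "permit", tok[3], src, sport, dst, dport))
    return rules

def evaluate(rules, proto, src, sport, dst, dport):
    """First match wins; no match hits the implicit deny at the end.
    Returns (permitted, index of the matching rule or None)."""
    for n, (permit, p, s, sp, d, dp) in enumerate(rules):
        if p != "ip" and p != proto:
            continue
        if all(want is None or want == got for want, got in
               ((s, src), (sp, sport), (d, dst), (dp, dport))):
            return permit, n
    return False, None

# Inbound list as posted (trimmed). 546/547 are DHCPv6 ports; IPv4 DHCP uses
# UDP 67 (server) and 68 (client), so nothing here matches it before the deny.
ACL_112_ORIGINAL = [
    "access-list 112 permit tcp any host 10.10.1.5 eq 8080",
    "access-list 112 permit udp any host 10.10.1.10 eq 547",
    "access-list 112 deny ip any any",
]
# Same list with the line suggested in the reply placed before the deny.
ACL_112_FIXED = ACL_112_ORIGINAL[:2] + \
    ["access-list 112 permit udp any eq 68 any"] + ACL_112_ORIGINAL[2:]
# Constructed DHCP DISCOVER entering the client LAN: the client has no
# address yet, so it sends from 0.0.0.0:68 to broadcast 255.255.255.255:67.
DISCOVER = ("udp", "0.0.0.0", 68, "255.255.255.255", 67)
```

Running `evaluate(parse_acl(ACL_112_ORIGINAL), *DISCOVER)` returns `(False, 2)` and the fixed list returns `(True, 2)`; the proxy traffic to 10.10.1.5:8080 still matches the first line in both.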
05-15-2003 12:20 PM
Thank you again for your post. However, it doesn't seem to be working. The outbound access list for 113 works fine. When I apply the inbound access list 112 the machines do not receive an IP from DHCP. What can I try next?
Bill