DHCP not passing through access-list

bevans
Level 1

I have a LAN that just needs access to a proxy server for Internet access and a dhcp server to receive an ip address. Internet access is working fine, if I assign an IP manually. The dhcp is not passing through though. I have the following access list applied to the routing interface for that LAN:

access-list 112 permit tcp any host 10.10.1.5 eq 8080
access-list 112 permit tcp any host 10.10.1.10 eq 546
access-list 112 permit udp any host 10.10.1.10 eq 546
access-list 112 permit tcp any host 10.10.1.10 eq 547
access-list 112 permit udp any host 10.10.1.10 eq 547
access-list 112 deny ip any any

access-list 113 permit tcp host 10.10.1.5 eq 8080 any
access-list 113 permit tcp host 10.10.1.10 eq 546 any
access-list 113 permit udp host 10.10.1.10 eq 546 any
access-list 113 permit tcp host 10.10.1.10 eq 547 any
access-list 113 permit udp host 10.10.1.10 eq 547 any
access-list 113 deny ip any any

On interface:

ip access-group 112 in
ip access-group 113 out

If I remove "ip access-group 112 in" everything works fine. There is something additional that needs to be able to pass through on "inbound" for DHCP to work. Any ideas?

Bill

4 Replies

konigl
Level 7

BOOTP/DHCP server uses UDP port 67.

BOOTP/DHCP client uses UDP port 68.

Are you using "ip helper-address" on one or more of the interfaces? Or DHCP Relay agents on each IP subnet?

Basically, you will be permitting UDP traffic from the client subnet at port 68 to the server at port 67 in one access-list; and UDP traffic from the server back to the clients in the other. If the router with the access-lists is playing an active role in forwarding UDP broadcasts such as DHCP client address requests, and DHCP server address offers, you may have to take that into consideration as you put together the relevant access-list command lines.

Hope this helps.

Thank you for your informative post. We are using "ip helper-address" to allow the DHCP broadcasts across the LANs. Do I need to open up more than ports 67 and 68?

Bill

UDP 67 and 68 is all you need to open up for DHCP.

The following access-list commands applied to the client LAN interface should cover all your DHCP needs (112 inbound, and 113 outbound, per your previous posts):

access-list 112 permit udp any eq 68 any

access-list 113 permit udp any any eq 68

These two commands might seem overly permissive; but the only UDP traffic leaving your client LAN from port 68 or coming back into it at port 68 should be DHCP. This leaves you the flexibility to move your DHCP server around, or implement multiple DHCP servers for fault tolerance.

Hope this helps.

Thank you again for your post. However, it doesn't seem to be working. The outbound access list 113 works fine. When I apply the inbound access list 112 the machines do not receive an IP from DHCP. What can I try next?

Bill
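The following is an added worked example, not code from the thread or from either poster. It models how a Cisco IOS numbered extended ACL is evaluated (first matching entry wins, implicit deny at the end) and feeds it the DHCPv4 packets the inbound ACL on the client LAN interface actually sees, which are two facts worth checking against the lists above: a client's DHCPDISCOVER arrives as UDP from 0.0.0.0 port 68 to 255.255.255.255 port 67 (before ip helper-address relays it), and UDP 546/547 are the DHCPv6 ports, so the original list 112 never matches DHCPv4 at all. It also models the IOS rule that each new `access-list 112 ...` line is appended to the end of list 112, so a permit typed after an existing `deny ip any any` is never reached. The ACL text, the client address 10.10.1.50 and the packets are constructed for the example; the parser supports only the `any`/`host`/`eq` forms used in the thread.

```python
"""Simulate first-match evaluation of IOS numbered extended ACLs against DHCPv4 traffic (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str          # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Ace:
    action: str         # "permit" or "deny"
    proto: str          # "ip", "udp" or "tcp"
    src: str            # "any" or a host address
    src_port: Optional[int]
    dst: str
    dst_port: Optional[int]


def _parse_endpoint(tokens: List[str], i: int) -> Tuple[str, Optional[int], int]:
    """Parse 'any' or 'host A.B.C.D', followed by an optional 'eq PORT'."""
    if tokens[i] == "any":
        addr, i = "any", i + 1
    elif tokens[i] == "host":
        addr, i = tokens[i + 1], i + 2
    else:
        raise ValueError(f"unsupported address form: {tokens[i]}")
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port, i = int(tokens[i + 1]), i + 2
    return addr, port, i


def parse_acl(config: str, number: int) -> List[Ace]:
    """Collect the entries of one numbered ACL in the order IOS stores them:
    every 'access-list N ...' line is appended to the end of list N."""
    aces: List[Ace] = []
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or int(tokens[1]) != number:
            continue
        action, proto = tokens[2], tokens[3]
        src, sport, i = _parse_endpoint(tokens, 4)
        dst, dport, _ = _parse_endpoint(tokens, i)
        aces.append(Ace(action, proto, src, sport, dst, dport))
    return aces


def evaluate(aces: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching entry); no match means the implicit deny (index None)."""
    for idx, a in enumerate(aces):
        if a.proto not in ("ip", pkt.proto):
            continue
        if ((a.src == "any" or a.src == pkt.src_ip) and (a.src_port in (None, pkt.src_port))
                and (a.dst == "any" or a.dst == pkt.dst_ip) and (a.dst_port in (None, pkt.dst_port))):
            return a.action, idx
    return "deny", None


# Constructed ACL text: the original inbound list 112 from the question (546/547 are DHCPv6 ports).
ORIGINAL_112 = """\
access-list 112 permit tcp any host 10.10.1.5 eq 8080
access-list 112 permit tcp any host 10.10.1.10 eq 546
access-list 112 permit udp any host 10.10.1.10 eq 546
access-list 112 permit tcp any host 10.10.1.10 eq 547
access-list 112 permit udp any host 10.10.1.10 eq 547
access-list 112 deny ip any any
"""
# The suggested permit typed afterwards lands below the deny, where it is unreachable.
APPENDED_112 = ORIGINAL_112 + "access-list 112 permit udp any eq 68 any\n"
# Re-entered list (in IOS: 'no access-list 112', then retype in this order) with the DHCP permit
# ahead of the deny; 'any eq 67' covers the broadcast DISCOVER and a unicast renew to the server.
REORDERED_112 = """\
access-list 112 permit tcp any host 10.10.1.5 eq 8080
access-list 112 permit udp any eq 68 any eq 67
access-list 112 deny ip any any
"""

# Constructed packets as seen inbound on the client LAN interface.
DISCOVER = Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67)   # client has no address yet
RENEW = Packet("udp", "10.10.1.50", 68, "10.10.1.10", 67)        # unicast renewal to the server
PROXY = Packet("tcp", "10.10.1.50", 40000, "10.10.1.5", 8080)    # ordinary proxy request


def demo() -> Dict[str, Tuple[str, Optional[int]]]:
    """Evaluate the three list variants against the sample packets."""
    original, appended, reordered = (parse_acl(c, 112) for c in (ORIGINAL_112, APPENDED_112, REORDERED_112))
    return {
        "original_discover": evaluate(original, DISCOVER),    # ("deny", 5)
        "appended_discover": evaluate(appended, DISCOVER),    # ("deny", 5): entry 6 never reached
        "reordered_discover": evaluate(reordered, DISCOVER),  # ("permit", 1)
        "reordered_renew": evaluate(reordered, RENEW),        # ("permit", 1)
        "reordered_proxy": evaluate(reordered, PROXY),        # ("permit", 0)
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} -> {result}")
```

The simulator deliberately keeps the DHCP permit narrower than `permit udp any eq 68 any`: restricting the destination to port 67 still admits both the broadcast DISCOVER/REQUEST and a unicast renewal, while leaving no room for arbitrary UDP from source port 68 into other services. On a real router, `show access-lists 112` shows the entry order and per-entry hit counters, which is the quickest way to confirm whether the DHCP permit sits above or below the `deny ip any any` and whether it is ever matched.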