IP address DHCP with access list - 1605R

Unanswered Question
Sep 26th, 2003

My outside NAT interface e0 is configured to receive its address via DHCP from the outside network. How do I configure an access list to allow the address assignment to make it back to the router? As long as I don't assign an inbound access list, it is assigned an IP address.

Domwilko_2 Sun, 09/28/2003 - 05:28

If you are configuring an inbound access list, then you need to permit the DHCP ports. These ports are UDP 67 and UDP 68.

Hope this helps,

jdmcdonald Mon, 09/29/2003 - 12:55

Configuring the inbound list for UDP 67 and 68 works if the interface currently has an IP address; it does not work if the router is rebooted, or the interface commands 'shut', then 'no shut' are given, and it does not have a current IP address. Perhaps a particular protocol ID needs to be passed through the access list. Any other thoughts or ideas are appreciated.

scoclayton Tue, 09/30/2003 - 14:42

Those protocols and ports should be fine. However, you are probably going to need to open it up to 'any any' like this:

access-list 101 permit udp any any eq 67

access-list 101 permit udp any any eq 68

Is this what you had?


jdmcdonald Tue, 09/30/2003 - 15:20

I had the specific DHCP server address, as in the following. The segment is open to the internet, so I don't want anyone with a server handing me an address, only the trusted one.

access-list 101 permit udp host x.x.x.x any eq 67

access-list 101 permit udp host x.x.x.x any eq 68

The problem (I think) is the initial state of the port, with no IP address. With the access list removed from the interface, the port gets its DHCP'd address.
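The two access lists above make different security trade-offs: the 'any any' version lets any host on the segment hand the router an address, while the host-restricted version only admits replies whose IP source is the trusted server itself. One thing the restricted version cannot see is an OFFER or ACK that a DHCP relay agent forwards on the server's behalf, because a relay re-sends the reply from its own address (and from UDP port 67). Whether that is what happened on this 1605R is not established in the thread. The simulator below is an added example, not code posted by anyone in the thread; it approximates IOS numbered extended ACL semantics (first match wins, implicit deny at the end) and runs each ACL against constructed packets the router's DHCP client would receive while the interface has no address. The addresses 203.0.113.5 (trusted server), 203.0.113.1 (relay) and 203.0.113.77 (rogue server) are assumed for illustration.

```python
"""ACL simulator for the inbound half of a DHCP client exchange.

Added example, not part of the original thread. Addresses and packets are
constructed for illustration (203.0.113.0/24 is the documentation range).
Matching approximates Cisco IOS numbered extended ACLs: entries are tried in
order, the first match decides, and an unmatched packet hits the implicit deny.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

BOOTPS, BOOTPC = 67, 68  # UDP ports: DHCP server side / client side


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    note: str  # which step of the exchange this packet is


@dataclass(frozen=True)
class Ace:
    """One access-list line: <action> udp <src> [eq sport] <dst> [eq dport]."""
    action: str  # "permit" or "deny"
    src: str     # "any", "host a.b.c.d", or "a.b.c.d/len"
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

    @staticmethod
    def _addr_match(spec: str, addr: str) -> bool:
        if spec == "any":
            return True
        if spec.startswith("host "):
            return ip_address(addr) == ip_address(spec[5:])
        return ip_address(addr) in ip_network(spec, strict=False)

    def matches(self, p: Packet) -> bool:
        return (self._addr_match(self.src, p.src)
                and self._addr_match(self.dst, p.dst)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport))


def evaluate(acl: List[Ace], p: Packet) -> str:
    """Verdict for one inbound packet; unmatched packets are denied."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


def run(acl: List[Ace], packets: List[Packet]) -> Dict[str, str]:
    return {p.note: evaluate(acl, p) for p in packets}


TRUSTED_SERVER = "203.0.113.5"  # assumed: the only server the poster trusts
RELAY_AGENT = "203.0.113.1"     # assumed: upstream router relaying DHCP
ROGUE_SERVER = "203.0.113.77"   # assumed: untrusted host answering DISCOVERs

# Constructed inbound packets seen while the interface has no address. The
# client's own DISCOVER/REQUEST (0.0.0.0:68 -> 255.255.255.255:67) is outbound
# and never meets an inbound ACL, so only the replies are modelled. A relay
# agent forwards the server's reply from its own address and from port 67.
INBOUND = [
    Packet(TRUSTED_SERVER, BOOTPS, "255.255.255.255", BOOTPC, "offer direct from trusted server"),
    Packet(RELAY_AGENT, BOOTPS, "255.255.255.255", BOOTPC, "offer forwarded by relay agent"),
    Packet(ROGUE_SERVER, BOOTPS, "255.255.255.255", BOOTPC, "offer from rogue server"),
]

# access-list 101 permit udp any any eq 67 / eq 68  (the 'any any' suggestion)
ACL_OPEN = [Ace("permit", "any", "any", dport=BOOTPS),
            Ace("permit", "any", "any", dport=BOOTPC)]

# access-list 101 permit udp host x.x.x.x any eq 67 / eq 68  (trusted server only)
ACL_TRUSTED = [Ace("permit", f"host {TRUSTED_SERVER}", "any", dport=BOOTPS),
               Ace("permit", f"host {TRUSTED_SERVER}", "any", dport=BOOTPC)]

# Tightened: replies only to the client port, only from port 67, and also from
# the relay agent if one sits between the segment and the trusted server.
ACL_TIGHT = [Ace("permit", f"host {TRUSTED_SERVER}", "any", sport=BOOTPS, dport=BOOTPC),
             Ace("permit", f"host {RELAY_AGENT}", "any", sport=BOOTPS, dport=BOOTPC)]

if __name__ == "__main__":
    for name, acl in (("open", ACL_OPEN), ("trusted", ACL_TRUSTED), ("tight", ACL_TIGHT)):
        print(name, run(acl, INBOUND))
```

Running it shows the open ACL permitting all three offers (including the rogue one), the trusted-server ACL permitting only the direct reply and dropping a relayed one, and the tightened ACL permitting the direct and relayed replies while still dropping the rogue server. Note that the router as a DHCP client only ever receives packets to port 68, so the 'eq 67' lines in both original lists never match inbound client traffic.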

jdmcdonald Mon, 10/06/2003 - 21:21

Does anyone else have any thoughts? I haven't tried this yet, but I'm wondering if perhaps adding the IP Helper-address with the IP of the trusted server will do anything.

Hi -

IP Helper address

> ip helper-address

> no ip helper-address

The above configures an IP address to which certain broadcast UDP packets are forwarded; by default it is disabled on the router.

The ip helper-address command sets the helper address to address. The helper address should be the address of a host that can answer UDP requests from other hosts. The router sees these requests broadcast on a LAN interface and forwards them to the helper address (generally a unicast address) if one is defined. A helper is particularly useful for DHCP requests; without some kind of forwarding, DHCP requires you to have a separate server on every subnet. By itself, this command forwards packets for the BOOTP (DHCP), DNS, TFTP, TACACS, TIME and also NetBIOS name and datagram services. The ip forward-protocol command can be used to forward additional UDP services.

Example of configuration on interface Ethernet0 to have a helper address:

> interface ethernet0

> ip address

> ip helper-address

I hope this helps out on your issue; let me know how you get on.

Thanks - Jay.

jdmcdonald Sun, 10/26/2003 - 20:52

Unfortunately this didn't help. We have decided to use a static address. I'll visit this one again, and hopefully figure it out. Thanks for all your suggestions.
