IP address DHCP with access list - 1605R

jdmcdonald · ‎09-26-2003

my outside nat interface e0 is configured to receive its address via dhcp, from the outside network. How do I configure an access list to allow the address assignment to make it back to the router? As long as I don't assign an inbound access list it is assigned and IP address.

Domwilko_2 · ‎09-28-2003

If you are configuring an inbound access list, then you need to permit the DHCP ports. These ports are UDP 67 and UDP 68.

Hope this helps,

jdmcdonald · ‎09-29-2003

Configuring the inbound list for UDP 67 and 68 works if the interface currently has an IP address, it does not work if the router is rebooted, or the interface command 'shut', then, 'no shut' is given, and it does not have a current IP address. perhaps a particular protocol id needs to be passed through the access list. Any other thoughts or ideas are appreciated.

scoclayton · ‎09-30-2003

Those protocols and ports should be fine. However, you are probably going to need to open it up to 'any any' like this:

access-list 101 permit udp any any eq 67

access-list 101 permit udp any any eq 68

Is this what you had?

Scott

jdmcdonald · ‎09-30-2003

I had specific DHCP server addresse as in. The segment is open to the internet so I don't want anyone with a server handing me an address, only the trusted one.

access-list 101 permit udp host x.x.x.x any eq 67

access-list 101 permit udp host x.x.x.x any eq 68

The problem, (I think), is the initial state of the port, with no IP address. With the access list removed from the interface the port gets it's DHCP'd address.

jdmcdonald · ‎10-06-2003

Does anyone else have any thoughts? I haven't tried this yet, but I'm wondering if perhaps adding the IP Helper-address with the IP of the trusted server will do anything.

jmia · ‎10-07-2003

Hi -

You are on the right track, use IP helper address with the trusted IP address of your DHCP server.

Thanks -

jmia · ‎10-07-2003

Hi -

IP Helper address

> ip helper-address

> no ip helper-address

The above configures IP address to which certain broadcast UDP packets are forwarded, by default it is disabled on the router.

The ip helper-address command sets the helper address to address,. The helper address should be the address of a host that can answer UDP requests from other hosts. The router sees these requests broadcast on a LAN interface and forwards them to the helper address (generally a unicast address) if one is defined. A helper is particularly useful for DHCP requests; without some kind of forwarding, DHCP requires you to have a seperate server on every subnet. By itself, this command forwards packets for the BOOTP (DHCP), DNS, TFTP, TACACS, TIME and also NetBIOS name and datagram services. The ip forward-protocol command can be used to forward additional UDP services.

Example of configuration on interface Ethernet0 to have a helper address:

> interface ethernet0

> ip address 10.10.1.2 255.255.255.0

> ip helper address 10.10.2.5

I hope this helps out on you issue, let me know how you get on.

Thanks - Jay.

jdmcdonald · ‎10-26-2003

Unfortunately this didn't help. We have decided to use a static address. I'll visit this one again, and hopefully figure it out. Thanks for all your suggestions.