Access-list and dhcp requests

Dec 11th, 2006

I have an access-list I apply inbound on a LAN interface, ethernet0. Its purpose is to only allow hosts on that LAN to access specific destination addresses. The access-list is of the form


access-list 100 permit ip any host 10.1.1.1


then under ethernet0 I put


ip access-group 100 in


The idea being to permit hosts on ethernet0 accessing only 10.1.1.1


Ethernet0 also has


ip helper-address 10.1.1.1


To forward dhcp requests to that host.


With the access-group command applied DHCP requests are blocked but with it off they are passed. I assume permit IP allows all TCP and UDP packets so the UDP DHCP request should pass. Is it being blocked because the source address will be 0.0.0.0? If I manually put an IP address on a client on ethernet0, i.e. no DHCP, all other traffic passes fine. I also tried adding access-list 100 permit udp any host 10.1.1.1 eq bootpc but no change. I know I'm missing something stupid here. Does ip any not match traffic from 0.0.0.0?


Richard Burts Mon, 12/11/2006 - 09:44

stephen


If I have understood your explanation correctly then either your access list syntax is backward or your access-group assignment is backward. According to your explanation 10.1.1.1 is on a remote subnet. Your access list is set to permit any source to destination 10.1.1.1. But if the access-group is in then 10.1.1.1 should be the source. Or if you want to keep 10.1.1.1 as the destination then your ip access-group should specify out instead of in.


HTH


Rick

StevieOliver_2 Mon, 12/11/2006 - 12:45

My access list should be permitting IP from any source to 10.1.1.1


The access-group is applied in on the ethernet0 interface because this is where the packet from any source is entering.


dhcp host--->e0 Router e1--->dhcp server 10.1.1.1


Surely if the access group were to be applied out this would be on e1.


Stevie.

Richard Burts Mon, 12/11/2006 - 13:05

Stevie


You say that: "My access list should be permitting IP from any source to 10.1.1.1"

and that clearly is true inbound on interface ethernet1 not on ethernet0.


Your access list is specified as:

access-list 100 permit ip any host 10.1.1.1

this says that any host is the source and 10.1.1.1 is the destination. That description fits ethernet1 according to your diagram but does not fit ethernet0.


If you configure an access list inbound on ethernet0 then 10.1.1.1 must be the source not the destination.


As I said before you can fix your problem by keeping the same access list and applying it to the other interface or you can fix your problem by keeping the access list inbound on ethernet0 and reversing the source and destination addresses in the access list.


As you point out when you apply it as described the network is broken because nothing matches the combination of source and destination that you have specified.


HTH


Rick

tdrais Mon, 12/11/2006 - 13:15

I think part of your issue is that the DHCPREQUEST from the PC is sent to 255.255.255.255. The router will convert this because of the helper and send the traffic to 10.1.1.1. Although I have not found it I suspect the router will process the access list before it does the helper function. This means the packet will be dropped. You will either need to apply this access list outbound as Rick suggests or allow the router to receive the broadcast DHCPREQUEST.

StevieOliver_2 Mon, 12/11/2006 - 13:34

Just managed to replicate this and that is indeed the problem. 10.1.1.1 is not the destination until the helper-address is processed. This is AFTER the access list is processed, and the destination at that stage is 255.255.255.255.


I applied access-list 100 permit udp any host 255.255.255.255 then applied it inbound on ethernet0 as before.


The access-list would need to be applied outbound on e1 if I kept the destination as 10.1.1.1, but this affects other traffic leaving that interface so I prefer the inbound e0 and broadcast destination address.


Thanks for all replies.


Stevie.
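To make the order the thread settles on concrete (inbound ACL evaluated on the packet as received, helper-address rewrite only afterwards), here is a small Python model written for this page; it is not the poster's configuration or IOS code, and the client address 192.168.1.10 plus the NetBIOS and HTTPS sample packets are constructed for contrast. It also goes one step beyond the thread by showing a broadcast entry restricted to UDP port 67 (bootps) beside the unrestricted one.

```python
from collections import namedtuple

# proto is "udp"/"tcp"/...; dport is the destination port, None if not applicable.
Packet = namedtuple("Packet", "proto src dst dport")
# One ACL entry: permit/deny <proto> <src> <dst> [eq <dport>]; "ip" matches every protocol.
Ace = namedtuple("Ace", "action proto src dst dport", defaults=(None,))

def _addr_match(spec, addr):
    if spec == "any":
        return True
    kind, value = spec.split()          # only "host A.B.C.D" is modelled here
    return kind == "host" and value == addr

def ace_matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return _addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)

def evaluate_acl(acl, pkt):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"

def inbound_path(acl, pkt, helper):
    """The inbound ACL sees the packet as received on the interface; only a permitted
    DHCP broadcast (UDP/67) reaches ip helper-address, which rewrites it to the server."""
    if evaluate_acl(acl, pkt) == "deny":
        return "dropped by ACL"
    if pkt.proto == "udp" and pkt.dst == "255.255.255.255" and pkt.dport == 67:
        return f"forwarded to helper {helper}"
    return f"routed to {pkt.dst}"

# Constructed sample traffic (not captured from the poster's network).
DISCOVER = Packet("udp", "0.0.0.0", "255.255.255.255", 67)        # DHCP DISCOVER
NETBIOS = Packet("udp", "192.168.1.10", "255.255.255.255", 137)   # some other broadcast
TO_SERVER = Packet("tcp", "192.168.1.10", "10.1.1.1", 443)        # ordinary allowed traffic

# The poster's original list, the fix from the thread, and a port-restricted variant.
ORIGINAL = [Ace("permit", "ip", "any", "host 10.1.1.1")]
BROADCAST = ORIGINAL + [Ace("permit", "udp", "any", "host 255.255.255.255")]
NARROWED = ORIGINAL + [Ace("permit", "udp", "any", "host 255.255.255.255", 67)]

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("broadcast", BROADCAST), ("narrowed", NARROWED)):
        print(name, [inbound_path(acl, p, "10.1.1.1") for p in (DISCOVER, NETBIOS, TO_SERVER)])
```

The narrowed list still forwards the DISCOVER while the NetBIOS broadcast stays denied, which is the smaller opening a reviewer would normally ask for. A DHCP client sends to server port 67 (bootps), so an entry matching bootpc (port 68) as the destination port does not match the request.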
