Access-list with DHCP

nma_xdcinema · ‎05-30-2012

Hello Cisco support community,

I have a question regarding ACL with DHCP:

I have cisco 881 routers:

- VLAN 1 (FastEthernet 0, 1, 2 and 3): IP address 172.20.0.1/16

- FastEthernet 4 (connected to another network): IP address receivede from a DHCP server.

These router will be installed on different sites where I don't have access to the DHCP server: I don't know the IP address that FA4 will receive.

I want to make an inbound ACL to allow access to 1 host in the FA4 network to a specific port.

interface fa 4
ip access-group  FILTER in

ip access-list FILTER
permit tcp host [host IP] [IP FA4] eq [port]

How can I do that kind of ACL if I don't know the IP address of FA4 in advance ?

Thank you !

Nicolas

johnlloyd_13 · ‎06-03-2012

hi nicolas,

if FE4 is receving dynamic IP from DHCP, you could put your ACL under VLAN 1 SVI instead.

Jeff Van Houten · ‎06-03-2012

Why not just put the acl on the server itself? Windows and Linux both have port filters you could activate and allow only the traffic you specify inbound.

Sent from Cisco Technical Support iPad App

Tagir Temirgaliyev · ‎06-03-2012

Hi

you will need to enable DHCP to get address

ip access-list FILTER

permit udp any any eq 67

permit udp any any eq 68

permit tcp host [host IP] 172.20.0.0 0.0.255.255 eq [port]

this will enable to get dhcp address

and comunication from [host IP] to your network 172.20.0.0 0.0.255.255

dont forget to rate post if it helps