Re: VACL not permitting helper-address (DHCP)

arififtikhar · ‎09-17-2007

Hi,

I configured the ACL to restrict communication of one VLAN over 3560 used as VTP server. Following are the config excerpt;

interface Vlan Process

description Process VLAN

ip address x.x.84.254 255.255.255.0

ip access-group Process_in in

ip access-group Process_out out

ip helper-address x.x.82.26

Each ACLs contain "permit" entry for x.x.82.26 (DHCP Server) in both ways (I put both ways when it was not working either way).

Machines connecting to this VLAN unable to obtain lease (IP address). All other vlans are OK.

Can anyone please guide about it?

Thanks,

Daniel Foerst · ‎09-23-2007

Can you post the Process_in and Process_out ACLs please?

arififtikhar · ‎09-23-2007

Thanks for response.

I put DHCP permit both ways in both ACLs when it was not working one way.

Extended IP access list AFS_Process_in

permit ip any host X.X.82.10

permit ip host X.X.82.10 any

permit ip any host X.X.82.21

permit ip any host X.X.82.26 >>>[DHCP]

permit ip host X.X.82.26 any >>>[DHCP]

permit ip any host X.X.82.27

permit ip any host X.X.24.66

permit ip X.X.84.192 0.0.0.31 any

deny ip any any log

Extended IP access list AFS_Process_out

permit ip host X.X.82.10 any

permit ip any host X.X.82.10

permit ip host X.X.82.21 any

permit ip host X.X.82.26 any >>>[DHCP]

permit ip any host X.X.82.26 >>>[DHCP]

permit ip host X.X.82.27 any

permit ip host X.X.24.66 any

permit ip any X.X.84.192 0.0.0.31

deny ip any any log

Regards,

Arif

amdil · ‎09-24-2007

You should do the following:

no ip access-list extended AFS_Process_out

IP access-list extended AFS_Process_out

permit ip any host X.X.82.10

permit ip any host X.X.82.26

permit ip host X.X.24.66 any

interface Vlan Process

no ip access-group Process_in in

no ip access-group Process_out out

ip access-group AFS_Process_out out

BR. Amdil