Vlan access map and DHCP

elovelace256 (Level 1)

I am setting up a VLAN access map, but I cannot get DHCP to work: a host cannot pick up an IP address. Here is the config.

interface Vlan200
 description Infx
 ip address 10.79.200.1 255.255.255.0
 ip helper-address 10.79.1.90
 arp timeout 1
!
vlan access-map vm200 10
 match ip address vac200
 action forward
!
vlan filter vm200 vlan-list 200
!
ip access-list extended vac200
 permit ip 10.79.200.0 0.0.0.255 10.79.5.144 0.0.0.15
 permit ip 10.79.5.144 0.0.0.15 10.79.200.0 0.0.0.255
 permit udp host 10.79.1.90 eq bootps 10.79.200.0 0.0.0.255 eq bootpc

As you can see, my DHCP server is 10.79.1.90. If I use ip any any in the access list it works, but I would like to lock it down.

Ideas? Thanks


3 Replies

elovelace256 (Level 1)

*Bump

michael.leblanc (Level 4) - Accepted Solution

The second ACE mirrors the first ACE to facilitate bi-directional traffic. This would imply that you need to mirror the third ACE in order to permit the DHCP clients to reach the DHCP server.

ip access-list extended vac200
 permit ip 10.79.200.0 0.0.0.255 10.79.5.144 0.0.0.15
 permit ip 10.79.5.144 0.0.0.15 10.79.200.0 0.0.0.255
 permit udp host 10.79.1.90 eq bootps 10.79.200.0 0.0.0.255 eq bootpc
 permit udp 10.79.200.0 0.0.0.255 eq bootpc host 10.79.1.90 eq bootps

An additional thought:

The two ACEs don't address the full scope of the issue, as some of the DHCP packets are sent with a source IP address of 0.0.0.0, and a destination IP address of 255.255.255.255 (broadcast address).

You might be better off with:

 permit udp any eq bootps any eq bootpc
 permit udp any eq bootpc any eq bootps

... and use DHCP Snooping for security.
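To see the effect of each ACL variant above, here is an added Python model of first-match ACL evaluation (example code, not from the thread or from Cisco). It applies the poster's vac200, the version with the mirrored fourth ACE, and the any/any replacement to two constructed packets: a fresh client's DHCPDISCOVER (source 0.0.0.0, destination 255.255.255.255) and a unicast renew from a client that already holds a lease (the client address 10.79.200.50 is an assumption).

```python
# Added example (not from the thread): Cisco-style extended ACL matching. Wildcard bit 1 = "don't care".
import ipaddress

PORTS = {"bootps": 67, "bootpc": 68}  # well-known DHCP server/client ports

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _parse_addr(tokens):
    """Consume one address spec ('any', 'host A', or 'A W'); return (base, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(tok), _ip(tokens.pop(0))

def _parse_port(tokens):
    """Consume an optional 'eq <port>' qualifier; None means any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return PORTS[name] if name in PORTS else int(name)
    return None

def parse_ace(line):
    t = line.split()
    action, proto, rest = t[0], t[1], t[2:]
    src, sport = _parse_addr(rest), _parse_port(rest)
    dst, dport = _parse_addr(rest), _parse_port(rest)
    return action, proto, src, sport, dst, dport

def acl_decision(acl_lines, pkt):
    """First-match evaluation of pkt (src, dst, proto, sport, dport); no match = IOS implicit deny."""
    for action, proto, (sb, sw), sport, (db, dw), dport in map(parse_ace, acl_lines):
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if (_ip(pkt["src"]) | sw) != (sb | sw) or (_ip(pkt["dst"]) | dw) != (db | dw):
            continue
        if (sport is not None and sport != pkt["sport"]) or (dport is not None and dport != pkt["dport"]):
            continue
        return action
    return "deny"

ORIGINAL_ACL = [  # the poster's vac200
    "permit ip 10.79.200.0 0.0.0.255 10.79.5.144 0.0.0.15",
    "permit ip 10.79.5.144 0.0.0.15 10.79.200.0 0.0.0.255",
    "permit udp host 10.79.1.90 eq bootps 10.79.200.0 0.0.0.255 eq bootpc",
]
MIRRORED_ACL = ORIGINAL_ACL + ["permit udp 10.79.200.0 0.0.0.255 eq bootpc host 10.79.1.90 eq bootps"]
SUGGESTED_ACL = ORIGINAL_ACL[:2] + ["permit udp any eq bootps any eq bootpc",
                                    "permit udp any eq bootpc any eq bootps"]
# Constructed packets: a fresh client's DISCOVER (no IP yet) and a unicast RENEW from a leased client.
DISCOVER = dict(src="0.0.0.0", dst="255.255.255.255", proto="udp", sport=68, dport=67)
RENEW = dict(src="10.79.200.50", dst="10.79.1.90", proto="udp", sport=68, dport=67)
```

The mirrored ACE admits the unicast renew but still drops the DISCOVER, because 0.0.0.0 is outside 10.79.200.0/24; only the any/any pair passes both, which is why the accepted answer pairs it with DHCP snooping rather than tightening the VACL further.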
