

Vlan access map and DHCP

I am setting up a VLAN access map, but I cannot get DHCP to work: a host cannot pick up an IP address. Here is the config.

interface Vlan200
 description Infx
 ip address 10.79.200.1 255.255.255.0
 ip helper-address 10.79.1.90
 arp timeout 1
!
vlan access-map vm200 10
 match ip address vac200
 action forward
!
vlan filter vm200 vlan-list 200
!
ip access-list extended vac200
 permit ip 10.79.200.0 0.0.0.255 10.79.5.144 0.0.0.15
 permit ip 10.79.5.144 0.0.0.15 10.79.200.0 0.0.0.255
 permit udp host 10.79.1.90 eq bootps 10.79.200.0 0.0.0.255 eq bootpc

As you can see, my DHCP server is 10.79.1.90. If I do an ip any any in the access list it works, but I would like to lock it down.

Ideas? Thanks

Accepted Solution

Re: Vlan access map and DHCP

An additional thought:

The two ACEs don't address the full scope of the issue, as some of the DHCP packets are sent with a source IP address of 0.0.0.0, and a destination IP address of 255.255.255.255 (broadcast address).

You might be better off with:

permit udp any eq bootps any eq bootpc
permit udp any eq bootpc any eq bootps

... and use DHCP Snooping for security.
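To see why the client side of the exchange never matches the question's ACL, here is a small evaluator for IOS extended-ACL entries (an added example, not code from this thread or from Cisco). It assumes the simplified "permit|deny PROTO SRC [eq PORT] DST [eq PORT]" ACE grammar used on this page and a five-tuple packet model, and it runs the DHCPDISCOVER described in the accepted answer (0.0.0.0:bootpc to 255.255.255.255:bootps) through the original vac200 entries and through the two broad ACEs.

```python
import ipaddress
NAMED_PORTS = {"bootps": 67, "bootpc": 68}
def _ip(s):
    return int(ipaddress.IPv4Address(s))
def _parse_addr(tok, i):
    # 'any' | 'host A' | 'A WILDCARD' at tok[i] -> (base, wildcard, next index)
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    return _ip(tok[i]), _ip(tok[i + 1]), i + 2
def _parse_port(tok, i):
    # optional 'eq PORT' at tok[i] -> (port or None, next index)
    if i < len(tok) and tok[i] == "eq":
        return NAMED_PORTS.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return None, i
def parse_ace(line):
    # "permit|deny PROTO SRC [eq PORT] DST [eq PORT]" in IOS extended-ACL syntax
    tok = line.split()
    src, swc, i = _parse_addr(tok, 2)
    sport, i = _parse_port(tok, i)
    dst, dwc, i = _parse_addr(tok, i)
    dport, _ = _parse_port(tok, i)
    return tok[0], tok[1], (src, swc, sport), (dst, dwc, dport)

def _side_matches(addr, port, spec):
    base, wildcard, want_port = spec
    # IOS wildcard: a 1 bit means "don't care", so only the 0 bits are compared
    addr_ok = (((addr ^ base) & ~wildcard) & 0xFFFFFFFF) == 0
    return addr_ok and (want_port is None or want_port == port)

def acl_verdict(acl_lines, pkt):
    # pkt = (proto, src, sport, dst, dport); first match wins, no match is the implicit deny
    proto, src, sport, dst, dport = pkt
    for line in acl_lines:
        action, ace_proto, s_spec, d_spec = parse_ace(line)
        if (ace_proto in ("ip", proto) and _side_matches(_ip(src), sport, s_spec)
                and _side_matches(_ip(dst), dport, d_spec)):
            return action
    return "deny"

# ACL from the question, and the two broad ACEs from the accepted answer.
ORIGINAL_VAC200 = [
    "permit ip 10.79.200.0 0.0.0.255 10.79.5.144 0.0.0.15",
    "permit ip 10.79.5.144 0.0.0.15 10.79.200.0 0.0.0.255",
    "permit udp host 10.79.1.90 eq bootps 10.79.200.0 0.0.0.255 eq bootpc"]
BROAD_DHCP_ACES = ["permit udp any eq bootps any eq bootpc",
                   "permit udp any eq bootpc any eq bootps"]
# Constructed sample packet: a client with no lease yet broadcasts DHCPDISCOVER.
DISCOVER = ("udp", "0.0.0.0", 68, "255.255.255.255", 67)
```

Because the client has no address yet, a mirrored ACE scoped to 10.79.200.0/24 also misses the DISCOVER; only the source-agnostic bootpc-to-bootps entry permits it, which is why the answer pairs it with DHCP Snooping rather than tightening the VACL further.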

3 REPLIES

Re: Vlan access map and DHCP

*Bump

Re: Vlan access map and DHCP

The second ACE mirrors the first ACE to facilitate bi-directional traffic. This would imply that you need to mirror the third ACE in order to permit the DHCP clients to reach the DHCP server.

ip access-list extended vac200
 permit ip 10.79.200.0 0.0.0.255 10.79.5.144 0.0.0.15
 permit ip 10.79.5.144 0.0.0.15 10.79.200.0 0.0.0.255
 permit udp host 10.79.1.90 eq bootps 10.79.200.0 0.0.0.255 eq bootpc
 permit udp 10.79.200.0 0.0.0.255 eq bootpc host 10.79.1.90 eq bootps

