DHCP Forwarding and Access Lists-Catalyst 3550

sysdrg
Level 1

I am setting up some IP access lists on a 3550 to allow a range of IPs through and deny all other IP traffic. However, I can't seem to forward DHCP requests through to the ip helper-address.

Any suggestions?

6 Replies

kevin.hu
Level 3

config please?

Here's the config (sorry, first-time poster):

interface GigabitEthernet0/2
 description Freedom Quad-RESNet
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,248,1002-1005
 switchport mode trunk
 no ip address
!
interface Vlan248
 description VLAN248 for Freedom Dutch Subnets 248-252
 ip address 10.227.248.1 255.255.255.0 secondary
 ip address 10.226.248.1 255.255.254.0 secondary
 ip address 169.226.248.1 255.255.252.0
 ip access-group 107 in
 ip helper-address 169.226.44.30
!
access-list 107 permit ip 169.226.248.0 0.0.3.255 any
access-list 107 permit ip 10.226.248.0 0.0.1.255 any
access-list 107 permit ip 10.227.248.0 0.0.0.255 any
access-list 107 deny ip any any

Sysdrg,

I don't see anything wrong with the ACL. Were you able to ping to the DHCP server using static IP? Were you able to get DHCP without ACL? Is routing ok between VLANs?

Kevin,

Everything works except the DHCP relay. I can ping the DHCP server using a static IP. DHCP was working prior to the ACL going in, and all routing looks good. I'm putting the ACL in to stop some SYN attacks, and it worked except for the DHCP relay agent. I even tried allowing broadcast forwarding in the ACL, to no avail.

Don

kwerry
Level 1

Here are the access-list lines we use:

permit udp any any eq bootpc
permit udp any any eq bootps

Don't forget that when your system boots up, it doesn't have an IP address. Therefore, when you restrict the incoming packets on the VLAN interface to the subnets behind it, the packets that don't have allowed IPs will be blocked before the helper relay function occurs. When the system boots and looks for a DHCP server, the packet source IP address is 0.0.0.0 and the destination packet is 255.255.255.255. That's why the two lines provided:

permit udp any any eq bootpc

permit udp any any eq bootps

should help.
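To make the reasoning in the replies above concrete, here is a small Python model of how an inbound IOS extended ACL is evaluated against a few constructed packets. It is an added example, not code from the original thread or from Cisco: the ACL parser and matcher are a simplification that handles only what access-list 107 and the two suggested lines use (protocol keyword, wildcard masks, `any`, `host`, and `eq <port>` on the destination), and the packets are constructed sample values. It shows that the original ACL 107 drops the client's initial DHCP DISCOVER (source 0.0.0.0, destination 255.255.255.255, UDP 68 to 67) before the helper address can relay it, that adding the bootpc/bootps lines lets it through, and that those two lines do not permit other traffic from addresses outside the permitted subnets.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port keywords IOS accepts in an extended ACL that this example understands.
PORT_NAMES = {"bootps": 67, "bootpc": 68}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "ip", "udp", "tcp", "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class AclEntry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src_net: str                # "any" or "address wildcard"
    dst_net: str
    dport: Optional[int] = None # "eq <port>" on the destination port


def wildcard_match(net: str, addr: str) -> bool:
    """IOS wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    if net == "any":
        return True
    base, wildcard = net.split()
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    a = int(ipaddress.IPv4Address(addr))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def _take_addr(tokens: List[str]) -> Tuple[str, List[str]]:
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"{tokens[1]} 0.0.0.0", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_ace(line: str) -> AclEntry:
    """Parse 'access-list N permit ...' or a bare 'permit ...' line."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, rest = _take_addr(rest)
    dst, rest = _take_addr(rest)
    dport = None
    if rest and rest[0] == "eq":
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return AclEntry(action, proto, src, dst, dport)


def parse_acl(text: str) -> List[AclEntry]:
    return [parse_ace(l) for l in text.splitlines() if l.strip()]


def evaluate(acl: List[AclEntry], pkt: Packet) -> str:
    """First matching entry wins; every IOS ACL ends in an implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not wildcard_match(ace.src_net, pkt.src):
            continue
        if not wildcard_match(ace.dst_net, pkt.dst):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"


# The ACL exactly as posted in the thread.
ORIGINAL_ACL_107 = parse_acl("""
access-list 107 permit ip 169.226.248.0 0.0.3.255 any
access-list 107 permit ip 10.226.248.0 0.0.1.255 any
access-list 107 permit ip 10.227.248.0 0.0.0.255 any
access-list 107 deny ip any any
""")

# The same ACL with the two lines suggested in the replies placed first.
FIXED_ACL_107 = parse_acl("""
access-list 107 permit udp any any eq bootpc
access-list 107 permit udp any any eq bootps
access-list 107 permit ip 169.226.248.0 0.0.3.255 any
access-list 107 permit ip 10.226.248.0 0.0.1.255 any
access-list 107 permit ip 10.227.248.0 0.0.0.255 any
access-list 107 deny ip any any
""")

# Constructed sample packets (not captures from the poster's network).
DHCP_DISCOVER = Packet("0.0.0.0", "255.255.255.255", "udp", 68, 67)      # client with no lease yet
DHCP_RENEW = Packet("169.226.248.10", "169.226.44.30", "udp", 68, 67)   # unicast renewal from a leased host
HOST_PING = Packet("169.226.248.10", "169.226.44.30", "icmp")           # ordinary traffic from the subnet
OUTSIDE_DNS = Packet("192.0.2.7", "169.226.44.30", "udp", 40000, 53)    # source outside the permitted subnets


def decisions(acl: List[AclEntry]) -> dict:
    """Map each sample packet name to the ACL's permit/deny decision."""
    samples = {"discover": DHCP_DISCOVER, "renew": DHCP_RENEW,
               "ping": HOST_PING, "outside_dns": OUTSIDE_DNS}
    return {name: evaluate(acl, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    print("original:", decisions(ORIGINAL_ACL_107))
    print("fixed:   ", decisions(FIXED_ACL_107))
```

Running it shows the DISCOVER denied under the original ACL and permitted under the fixed one, while the renewal and ordinary host traffic pass in both cases and the packet from an outside source is still denied, because the added lines match only UDP to ports 67 and 68. On the real switch the inbound ACL on the SVI is applied before the relay agent sees the broadcast, which is exactly why the broadcast-forwarding attempt mentioned earlier did not help.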
