Cisco Support Community
New Member

DHCP Forwarding and Access Lists-Catalyst 3550

I am setting up some IP access lists on a 3550 to allow a range of IPs through and deny all other IP traffic. However, I can't seem to forward DHCP requests through to the ip helper-address.

Any suggestions?

6 REPLIES
New Member

Re: DHCP Forwarding and Access Lists-Catalyst 3550

config please?

New Member

Re: DHCP Forwarding and Access Lists-Catalyst 3550

Here's the config (sorry, first time poster)....

interface GigabitEthernet0/2
 description Freedom Quad-RESNet
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,248,1002-1005
 switchport mode trunk
 no ip address
!
interface Vlan248
 description VLAN248 for Freedom Dutch Subnets 248-252
 ip address 10.227.248.1 255.255.255.0 secondary
 ip address 10.226.248.1 255.255.254.0 secondary
 ip address 169.226.248.1 255.255.252.0
 ip access-group 107 in
 ip helper-address 169.226.44.30
!
access-list 107 permit ip 169.226.248.0 0.0.3.255 any
access-list 107 permit ip 10.226.248.0 0.0.1.255 any
access-list 107 permit ip 10.227.248.0 0.0.0.255 any
access-list 107 deny ip any any

New Member

Re: DHCP Forwarding and Access Lists-Catalyst 3550

Sysdrg,

I don't see anything wrong with the ACL. Were you able to ping to the DHCP server using static IP? Were you able to get DHCP without ACL? Is routing ok between VLANs?

New Member

Re: DHCP Forwarding and Access Lists-Catalyst 3550

Kevin,

Everything works except the DHCP relay. I can ping the DHCP server using a static IP. DHCP was working prior to the ACL going in and all routing looks good. I'm putting the ACL in to stop some SYN attacks and it worked except for the DHCP relay agent. I even tried allowing broadcast forwarding in the ACL to no avail.

Don

New Member

Re: DHCP Forwarding and Access Lists-Catalyst 3550

Here are the access-list lines we use:

permit udp any any eq bootpc
permit udp any any eq bootps

New Member

Re: DHCP Forwarding and Access Lists-Catalyst 3550

Don't forget that when your system boots up, it doesn't have an IP address. Therefore, when you restrict the incoming packets on the VLAN interface to the subnets behind it, the packets that don't have allowed IPs will be blocked before the helper relay function occurs. When the system boots and looks for a DHCP server, the packet's source IP address is 0.0.0.0 and the destination address is 255.255.255.255. That's why the two lines provided:

permit udp any any eq bootpc
permit udp any any eq bootps

should help.
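To make the last reply's point checkable, here is an added example (not code from the thread or from Cisco). It is a small Python model of Cisco extended-ACL matching, with first-match-wins semantics, an implicit deny at the end, and wildcard masks where a 1 bit means "don't care". It runs the thread's access-list 107, with and without the two bootpc/bootps lines, against a DHCP DISCOVER (source 0.0.0.0, destination 255.255.255.255, UDP 68 to 67), a renewal from an already-addressed client, and a SYN from outside the subnets. The client and attacker addresses and the narrower `host 0.0.0.0 host 255.255.255.255` variant are my assumptions, not something posted in the thread.

```python
"""Model Cisco extended-ACL matching for the DHCP relay problem.

Added example, not from the thread. Only the syntax forms used on the page
(plus 'host X') are parsed; 'eq' is taken as a destination-port match.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"bootps": 67, "bootpc": 68}


@dataclass
class Packet:
    proto: str                 # "udp", "tcp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Ace:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every IP protocol
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    dport: Optional[int] = None


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wild_match(addr: str, net: str, wild: str) -> bool:
    """Cisco wildcard mask: a 1 bit means that bit is not compared."""
    care = ~_ip(wild) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(net) & care)


def _addr_spec(tok: List[str], i: int) -> Tuple[str, str, int]:
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2        # network wildcard


def parse_ace(line: str) -> Ace:
    tok = line.split()
    if tok[0] == "access-list":             # drop the 'access-list 107' prefix
        tok = tok[2:]
    action, proto = tok[0], tok[1]
    src, src_wild, i = _addr_spec(tok, 2)
    dst, dst_wild, i = _addr_spec(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return Ace(action, proto, src, src_wild, dst, dst_wild, dport)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not wild_match(pkt.src, ace.src, ace.src_wild):
        return False
    if not wild_match(pkt.dst, ace.dst, ace.dst_wild):
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, str]:
    """First matching entry wins; anything left over hits the implicit deny."""
    for line in acl:
        if ace_matches(parse_ace(line), pkt):
            return parse_ace(line).action, line
    return "deny", "implicit deny"


# The ACL as posted in the thread.
ORIGINAL_ACL = [
    "access-list 107 permit ip 169.226.248.0 0.0.3.255 any",
    "access-list 107 permit ip 10.226.248.0 0.0.1.255 any",
    "access-list 107 permit ip 10.227.248.0 0.0.0.255 any",
    "access-list 107 deny ip any any",
]
# The thread's suggested fix: the two bootp lines ahead of the subnet rules.
FIXED_ACL = ["access-list 107 permit udp any any eq bootpc",
             "access-list 107 permit udp any any eq bootps"] + ORIGINAL_ACL
# Assumption (mine, not from the thread): only the unaddressed-client case
# needs opening; clients that already hold a lease are covered by the subnet permits.
TIGHT_ACL = ["access-list 107 permit udp host 0.0.0.0 host 255.255.255.255 eq bootps"] + ORIGINAL_ACL

# Constructed packets. 169.226.249.10 and 198.51.100.7 are assumed addresses.
DHCP_DISCOVER = Packet("udp", "0.0.0.0", "255.255.255.255", dport=67)
DHCP_RENEW = Packet("udp", "169.226.249.10", "169.226.44.30", dport=67)
SPOOFED_SYN = Packet("tcp", "198.51.100.7", "169.226.44.30", dport=80)

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL), ("tight", TIGHT_ACL)):
        for pname, pkt in (("discover", DHCP_DISCOVER), ("renew", DHCP_RENEW), ("syn", SPOOFED_SYN)):
            print(f"{name:8} {pname:8} -> {evaluate(acl, pkt)}")
```

Under the posted ACL the DISCOVER falls through all three subnet permits and hits `deny ip any any`, which is exactly the symptom in the thread; with either of the bootp permits in front it is accepted, while the out-of-subnet SYN is still dropped because `permit udp` entries never match TCP. Whether to use the thread's broad `permit udp any any eq bootps` or the narrower `host 0.0.0.0 host 255.255.255.255` form is a judgement call: the narrow form still lets renewals through because those are sourced from an address inside the subnet permits.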
