I have a LAN that just needs access to a proxy server for Internet access and a dhcp server to receive an ip address. Internet access is working fine, if I assign an IP manually. The dhcp is not passing through though. I have the following access list applied to the routing interface for that LAN:
access-list 112 permit tcp any host 10.10.1.5 eq 8080
access-list 112 permit tcp any host 10.10.1.10 eq 546
access-list 112 permit udp any host 10.10.1.10 eq 546
access-list 112 permit tcp any host 10.10.1.10 eq 547
access-list 112 permit udp any host 10.10.1.10 eq 547
access-list 112 deny ip any any
access-list 113 permit tcp host 10.10.1.5 eq 8080 any
access-list 113 permit tcp host 10.10.1.10 eq 546 any
access-list 113 permit udp host 10.10.1.10 eq 546 any
access-list 113 permit tcp host 10.10.1.10 eq 547 any
access-list 113 permit udp host 10.10.1.10 eq 547 any
access-list 113 deny ip any any
ip access-group 112 in
ip access-group 113 out
If I remove "ip access-group 112 in" everything works fine. There is something additional that needs to be able to pass through on "inbound" for dhcp to work. Any ideas?
Are you using "ip helper-address" on one or more of the interfaces? Or DHCP Relay agents on each IP subnet?
Basically, you will be permitting UDP traffic from the client subnet at port 68 to the server at port 67 in one access-list; and UDP traffic from the server back to the clients in the other. If the router with the access-lists is playing an active role in forwarding UDP broadcasts such as DHCP client address requests, and DHCP server address offers, you may have to take that into consideration as you put together the relevant access-list command lines.
UDP 67 and 68 is all you need to open up for DHCP.
The following access-list commands applied to the client LAN interface should cover all your DHCP needs (112 inbound, and 113 outbound, per your previous posts):
access-list 112 permit udp any eq 68 any
access-list 113 permit udp any any eq 68
These two commands might seem overly permissive; but the only UDP traffic leaving your client LAN from port 68 or coming back into it at port 68 should be DHCP. This leaves you the flexibility to move your DHCP server around, or implement multiple DHCP servers for fault tolerance.
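To make the port and ordering points above concrete, here is an added example (my own code, not anything posted in this thread and not a Cisco tool) that models first-match evaluation of IOS-style numbered extended ACLs and runs the posted lists against constructed packets: a DHCP Discover (which an unconfigured client sends from 0.0.0.0 port 68 to 255.255.255.255 port 67), a DHCP Offer back to port 68, and a proxy request to 10.10.1.5:8080. The client address 192.0.2.77 and the packet details are constructed for illustration; the parser only understands the "any" and "host" address forms used in the thread. It also shows one thing worth checking on the router: a classic numbered ACL appends a newly typed entry at the end, so the "permit udp any eq 68 any" line only helps if it sits before the "deny ip any any" line.

```python
"""Evaluate IOS-style numbered extended ACLs against sample DHCP and proxy packets."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


def _parse_endpoint(tokens, i):
    """Parse 'any' or 'host A.B.C.D', then an optional 'eq PORT'.

    Returns (network, port_or_None, index_of_next_token). Only the address
    forms used in this thread are supported (no wildcard masks).
    """
    if tokens[i] == "any":
        net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    elif tokens[i] == "host":
        net, i = ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    else:
        raise ValueError(f"unsupported address form: {tokens[i]}")
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port, i = int(tokens[i + 1]), i + 2
    return net, port, i


def parse_acl(lines):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' lines, keeping order."""
    entries = []
    for line in lines:
        tokens = line.split()
        action, proto = tokens[2], tokens[3]
        src, sport, i = _parse_endpoint(tokens, 4)
        dst, dport, _ = _parse_endpoint(tokens, i)
        entries.append((action, proto, src, sport, dst, dport))
    return entries


def evaluate(acl, pkt):
    """First matching entry wins, as on IOS; no match means the implicit deny."""
    for action, proto, src, sport, dst, dport in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in src or ipaddress.ip_address(pkt.dst) not in dst:
            continue
        if sport is not None and sport != pkt.sport:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"


# ACL 112 exactly as posted (inbound on the client LAN interface)
ACL_112_AS_POSTED = [
    "access-list 112 permit tcp any host 10.10.1.5 eq 8080",
    "access-list 112 permit tcp any host 10.10.1.10 eq 546",
    "access-list 112 permit udp any host 10.10.1.10 eq 546",
    "access-list 112 permit tcp any host 10.10.1.10 eq 547",
    "access-list 112 permit udp any host 10.10.1.10 eq 547",
    "access-list 112 deny ip any any",
]
DHCP_IN_LINE = "access-list 112 permit udp any eq 68 any"
# Suggested DHCP line placed before the explicit deny
ACL_112_FIXED = ACL_112_AS_POSTED[:-1] + [DHCP_IN_LINE, ACL_112_AS_POSTED[-1]]
# Same line typed after the deny, which is where a numbered ACL appends it
ACL_112_APPENDED = ACL_112_AS_POSTED + [DHCP_IN_LINE]
# ACL 113 (outbound) with the suggested DHCP line
ACL_113_FIXED = [
    "access-list 113 permit tcp host 10.10.1.5 eq 8080 any",
    "access-list 113 permit udp any any eq 68",
    "access-list 113 deny ip any any",
]

# Constructed sample packets (addresses and ports chosen for illustration)
DHCP_DISCOVER = Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67)     # client -> any server
DHCP_OFFER = Packet("udp", "10.10.1.10", 67, "255.255.255.255", 68)     # server -> client
PROXY_REQUEST = Packet("tcp", "192.0.2.77", 51234, "10.10.1.5", 8080)   # client -> proxy


def run_checks():
    """Return the verdict each ACL gives for each sample packet."""
    return {
        "discover_vs_posted_112": evaluate(parse_acl(ACL_112_AS_POSTED), DHCP_DISCOVER),
        "discover_vs_fixed_112": evaluate(parse_acl(ACL_112_FIXED), DHCP_DISCOVER),
        "discover_vs_appended_112": evaluate(parse_acl(ACL_112_APPENDED), DHCP_DISCOVER),
        "offer_vs_fixed_113": evaluate(parse_acl(ACL_113_FIXED), DHCP_OFFER),
        "proxy_vs_posted_112": evaluate(parse_acl(ACL_112_AS_POSTED), PROXY_REQUEST),
    }


if __name__ == "__main__":
    for name, verdict in run_checks().items():
        print(f"{name}: {verdict}")
```

Running it prints one verdict per case: the posted list 112 denies the Discover while still permitting the proxy traffic, the list with the port-68 entry ahead of the deny permits it, and the list with the same entry appended after the deny still denies it. The thing to compare against on the real router is the entry order that "show access-lists" reports.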
Thank you again for your post. However, it doesn't seem to be working. The outbound access list for 113 works fine. When I apply the inbound access list 112 the machines do not receive an IP from DHCP. What can I try next?