DHCP only access-list

bevans
Level 1

We are trying to set up an access list to allow only DHCP and proxy (for Internet) access. The proxy access works fine, but the DHCP is giving me some trouble. We assign DHCP to multiple LANs using ip helper. I am using the following:

As inbound access list:

access-list 112 permit tcp any host 10.10.1.5 eq 8080

access-list 112 permit udp any host 10.10.1.10 eq bootps

access-list 112 permit udp any host 10.10.1.10 eq bootpc

access-list 112 deny ip any any

And as the outbound access list:

access-list 113 permit tcp host 10.10.1.5 eq 8080 any

access-list 113 permit udp host 10.10.1.10 eq bootps any

access-list 113 permit udp host 10.10.1.10 eq bootpc any

access-list 113 deny ip any any

If I assign just the outbound access list, everything works fine. As soon as I apply the inbound list, DHCP does not work. I have tried debugging the access list and found no errors listed. If I add the following line to my inbound list it seems to be OK; however, this entry seems to somewhat defeat my security purposes:

access-list 112 permit ip host 0.0.0.0 any

Any ideas? Thanks in advance!


mark-obrien
Level 4

The DHCP request is broadcast, not unicast. You want the inbound access list to read:

access-list 112 permit tcp any host 10.10.1.5 eq 8080

access-list 112 permit udp any host 255.255.255.255 eq bootps

access-list 112 permit udp any host 255.255.255.255 eq bootpc

access-list 112 deny ip any any

I am assuming that the interface you are putting these ACLs on is the interface with the clients. If so, you can eliminate line 3 above.

HTH.

Mark
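To make the broadcast point concrete, here is a small first-match evaluator for IOS-style numbered extended ACLs, added as an example; it is not code from the thread or from Cisco. It parses entries in the form used above (with the final deny written out as `deny ip any any`, the form IOS requires, and rejecting the protocol-less `deny any any`), applies the implicit deny at the end of the list, and runs three constructed packets through the inbound lists: the client's initial DHCPDISCOVER (UDP 0.0.0.0:68 to 255.255.255.255:67), a unicast DHCPREQUEST that a client in the RENEWING state sends straight to the server, and a connection to the proxy. The server and proxy addresses come from the thread; the client address 10.10.5.20, the renewal case, the `COMBINED_112` list and the wildcard-mask support are assumptions added for illustration. The list as originally posted denies the DISCOVER, the broadcast-only list denies the unicast renewal, and a list carrying both entries permits all three.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOS port keywords used in the thread's entries.
PORT_NAMES = {"bootps": 67, "bootpc": 68}


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str      # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    text: str

    def matches(self, pkt: Packet) -> bool:
        return (
            (self.proto == "ip" or self.proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in self.src
            and ipaddress.ip_address(pkt.dst) in self.dst
            and (self.sport is None or self.sport == pkt.sport)
            and (self.dport is None or self.dport == pkt.dport)
        )


def _addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2
    # Address plus wildcard mask (assumed extension); ipaddress accepts a contiguous hostmask.
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def _port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional 'eq PORT' (keyword or number); return (port or None, next index)."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N {permit|deny} PROTO SRC [eq P] DST [eq P]'."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {line!r}")
    if t[3] not in ("ip", "tcp", "udp"):
        # 'deny any any' with no protocol keyword is not valid extended-ACL syntax.
        raise ValueError(f"missing protocol keyword: {line!r}")
    src, i = _addr(t, 4)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    return Ace(t[2], t[3], src, sport, dst, dport, line)


def is_valid_ace(line: str) -> bool:
    try:
        parse_ace(line)
        return True
    except (ValueError, IndexError):
        return False


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, str]:
    """First match wins; an unmatched packet hits the implicit deny at the end of the list."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action, ace.text
    return "deny", "implicit deny ip any any"


def build(*lines: str) -> List[Ace]:
    return [parse_ace(l) for l in lines]


# Inbound list 112 as posted (deny written in full) and the broadcast form from the reply.
ORIGINAL_112 = build(
    "access-list 112 permit tcp any host 10.10.1.5 eq 8080",
    "access-list 112 permit udp any host 10.10.1.10 eq bootps",
    "access-list 112 permit udp any host 10.10.1.10 eq bootpc",
    "access-list 112 deny ip any any",
)
BROADCAST_112 = build(
    "access-list 112 permit tcp any host 10.10.1.5 eq 8080",
    "access-list 112 permit udp any host 255.255.255.255 eq bootps",
    "access-list 112 deny ip any any",
)
# Assumed combination: broadcast entry for DISCOVER/initial REQUEST, unicast entry for renewals.
COMBINED_112 = build(
    "access-list 112 permit tcp any host 10.10.1.5 eq 8080",
    "access-list 112 permit udp any host 255.255.255.255 eq bootps",
    "access-list 112 permit udp any host 10.10.1.10 eq bootps",
    "access-list 112 deny ip any any",
)

# Constructed packets, inbound on the client-facing interface (10.10.5.20 is an assumed client).
DISCOVER = Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67)  # DHCPDISCOVER, no address yet
RENEW = Packet("udp", "10.10.5.20", 68, "10.10.1.10", 67)       # DHCPREQUEST unicast while RENEWING
PROXY = Packet("tcp", "10.10.5.20", 40000, "10.10.1.5", 8080)   # client to the web proxy

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_112), ("broadcast", BROADCAST_112), ("combined", COMBINED_112)):
        for pkt in (DISCOVER, RENEW, PROXY):
            action, hit = evaluate(acl, pkt)
            print(f"{name:9} {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}: {action} ({hit})")
```

The evaluator only models address, protocol and port matching, which is all the thread's entries use; it says nothing about the relayed replies in the outbound direction, which the router itself originates after `ip helper-address` rewrites the packet.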
