New Member

DHCP only access-list

We are trying to set up an access list to allow only DHCP and proxy (for Internet) access. The proxy access works fine, but the DHCP is giving me some trouble. We assign DHCP to multiple LANs using ip helper. I am using the following...

As inbound access list:

access-list 112 permit tcp any host 10.10.1.5 eq 8080

access-list 112 permit udp any host 10.10.1.10 eq bootps

access-list 112 permit udp any host 10.10.1.10 eq bootpc

access-list 112 deny ip any any

And as the outbound access list:

access-list 113 permit tcp host 10.10.1.5 eq 8080 any

access-list 113 permit udp host 10.10.1.10 eq bootps any

access-list 113 permit udp host 10.10.1.10 eq bootpc any

access-list 113 deny ip any any

If I assign just the outbound access list everything works fine. As soon as I apply the inbound list dhcp does not work. I have tried debugging the access list and found no errors listed. If I apply the following line to my inbound list it seems to be ok, however it seems this entry somewhat defeats my security purposes:

access-list 112 permit ip host 0.0.0.0 any

Any ideas??? Thanks in advance!

1 REPLY
Bronze

Re: DHCP only access-list

The DHCP request is broadcast, not unicast. You want the inbound access list to read:

access-list 112 permit tcp any host 10.10.1.5 eq 8080

access-list 112 permit udp any host 255.255.255.255 eq bootps

access-list 112 permit udp any host 255.255.255.255 eq bootpc

access-list 112 deny ip any any

I am assuming that the interface you are putting these ACLs on is the interface with the clients. If so, you can eliminate line 3 above.

HTH.

Mark
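To make the point of the reply concrete, here is an added example (not from the thread or from Cisco) that models the first-match semantics of the inbound list and runs the originally posted and the corrected list 112 against two constructed DHCP packets: the initial broadcast DISCOVER and a later unicast lease renewal. It also evaluates a third list that keeps both the broadcast and the unicast server entry, assuming the clients sit on a different subnet than the server (as the use of ip helper implies), so renewals also pass the router inbound. The client address 10.10.20.33 and the packets are constructed; the server and proxy addresses are the thread's.

```python
# Added example, not from the forum thread: a first-match evaluator for the
# extended ACLs above, run against constructed DHCP packets. Server 10.10.1.10
# and proxy 10.10.1.5 are from the thread; the client 10.10.20.33 is constructed.
BOOTPS, BOOTPC, PROXY = 67, 68, 8080
ANY = None  # wildcard for protocol, address or port ('any' / 'ip')

def ace(action, proto, src, sport, dst, dport):
    """One access-control entry; None in a field means 'any'."""
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport}

def matches(entry, pkt):
    return all(entry[k] is None or entry[k] == pkt[k]
               for k in ("proto", "src", "sport", "dst", "dport"))

def evaluate(acl, pkt):
    """Cisco first-match semantics with the implicit deny at the end."""
    for entry in acl:
        if matches(entry, pkt):
            return entry["action"]
    return "deny"

PROXY_ACE = ace("permit", "tcp", ANY, ANY, "10.10.1.5", PROXY)
DENY_ALL = ace("deny", ANY, ANY, ANY, ANY, ANY)  # deny ip any any

# Inbound list 112 as first posted: DHCP allowed only as unicast to the server.
ORIGINAL_112 = [PROXY_ACE,
                ace("permit", "udp", ANY, ANY, "10.10.1.10", BOOTPS),
                ace("permit", "udp", ANY, ANY, "10.10.1.10", BOOTPC),
                DENY_ALL]
# Inbound list 112 as corrected in the reply: the DHCP request is a broadcast.
REPLY_112 = [PROXY_ACE,
             ace("permit", "udp", ANY, ANY, "255.255.255.255", BOOTPS),
             DENY_ALL]
# Both entries together: broadcast DISCOVER/REQUEST plus unicast lease renewals.
COMBINED_112 = REPLY_112[:2] + [
    ace("permit", "udp", ANY, ANY, "10.10.1.10", BOOTPS), DENY_ALL]

# Constructed packets as the client-facing interface sees them inbound.
DISCOVER = {"proto": "udp", "src": "0.0.0.0", "sport": BOOTPC,
            "dst": "255.255.255.255", "dport": BOOTPS}
RENEW = {"proto": "udp", "src": "10.10.20.33", "sport": BOOTPC,
         "dst": "10.10.1.10", "dport": BOOTPS}  # unicast renewal to the server

def check(acl):
    """Verdict for each sample packet under the given list."""
    return {name: evaluate(acl, pkt) for name, pkt in
            (("discover", DISCOVER), ("renew", RENEW))}
```

Running check() on each list shows the original drops the broadcast DISCOVER (which is why clients never get a lease with list 112 applied), the reply's list passes it but would drop a unicast renewal to 10.10.1.10, and the combined list passes both while still denying everything else.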
