New Member

Client unable to obtain address due to ACL.

Hi all,

I use the subnet 10.9.16.0 /20 for the public wifi at our hospital. This is for Internet only; not any hospital inside networks. We use 172.16.0.0 /12 for our inside networks and of course the public wifi clients get an IP address via our inside DHCP server at 172.20.90.19.

How can I allow public wifi clients to obtain an IP address from the inside DHCP server, and in the meantime deny all other services to inside networks?

Below is my ACL, and my public wifi clients are unable to obtain any IP address. It seems the permit udp any any eq bootpc/bootps doesn't help.

Regards.

interface Vlan916
 ip address 10.9.16.1 255.255.240.0
 ip access-group V916in in
 ! relay client DHCP broadcasts to the inside DHCP server
 ip helper-address 172.20.90.19
!
ip access-list extended V916in
 ! "eq" after the destination matches the destination port only
 permit udp any any eq bootpc
 permit udp any any eq bootps
 ! traffic within the guest /20 itself
 permit ip any 10.9.16.0 0.0.15.255
 ! DNS to the inside server that also serves DHCP
 permit udp any host 172.20.90.19 eq domain
 permit tcp any host 172.20.90.19 eq domain
 permit tcp any host 172.20.90.3 eq www
 permit tcp any host 172.20.90.3 eq 443
 ! block everything else toward RFC 1918 space, then allow the Internet
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 deny   ip any 10.0.0.0 0.255.255.255
 permit ip any any
!

1 REPLY
Hall of Fame Super Silver

I believe that your problem is in failure to correctly distinguish the source and destination ports for bootpc/bootps. When the request from the client comes into the VLAN interface bootpc would be the source port and your access list is treating it as the destination port. I suggest that you change this

permit udp any any eq bootpc

into this

permit udp any eq bootpc any

Give it a try and let us know if it works better.

HTH

Rick
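As an added example (not code from the original post, the reply, or Cisco), the small Python evaluator below models IOS-style extended ACL matching: first match wins, implicit deny at the end, wildcard masks, the `any`/`host` shorthands, and `eq` applied to whichever side it follows. It runs a constructed DHCPDISCOVER (source 0.0.0.0 port 68, destination 255.255.255.255 port 67) against the original `permit udp any any eq bootpc` line and against the reply's `permit udp any eq bootpc any`, then walks the poster's full list with that change applied to show how the remaining guest traffic is sorted. Client addresses, ports and the Internet destination are made up for illustration.

```python
"""Toy evaluator for Cisco IOS-style extended ACLs (added example, not
from the original post). Models first-match-wins evaluation, the implicit
deny at the end of every ACL, wildcard masks, 'any'/'host' shorthands, and
'eq <port>' applied to the source or the destination side, which is the
distinction the reply is about. All packets below are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

# Subset of the well-known names IOS accepts in place of port numbers.
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}
ALL_ONES = 0xFFFFFFFF


def ip_to_int(addr: str) -> int:
    return int(IPv4Address(addr))


@dataclass
class AddrMatch:
    """One side of an ACE: network/wildcard plus an optional 'eq' port."""
    network: int
    wildcard: int          # IOS wildcard: 1 bits are "don't care"
    port: Optional[int]    # None means any port

    def hit(self, addr: str, port: int) -> bool:
        care = ~self.wildcard & ALL_ONES
        if (ip_to_int(addr) & care) != (self.network & care):
            return False
        return self.port is None or self.port == port


@dataclass
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "ip", "udp" or "tcp"
    src: AddrMatch
    dst: AddrMatch
    text: str


def _parse_side(tokens: List[str], i: int) -> Tuple[AddrMatch, int]:
    """Parse 'any' | 'host A' | 'A W' followed by an optional 'eq <port>'."""
    tok = tokens[i]
    if tok == "any":
        net, wc, i = 0, ALL_ONES, i + 1
    elif tok == "host":
        net, wc, i = ip_to_int(tokens[i + 1]), 0, i + 2
    else:
        net, wc, i = ip_to_int(tok), ip_to_int(tokens[i + 1]), i + 2
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        i += 2
    return AddrMatch(net, wc, port), i


def parse_ace(line: str) -> Ace:
    t = line.split()
    src, i = _parse_side(t, 2)
    dst, _ = _parse_side(t, i)
    return Ace(t[0], t[1], src, dst, " ".join(t))


def evaluate(acl: List[str], proto: str, src: str, sport: int,
             dst: str, dport: int) -> Tuple[str, str]:
    """First matching ACE decides; no match ends in the implicit deny."""
    for ace in (parse_ace(entry) for entry in acl):
        if ace.proto not in ("ip", proto):
            continue
        if ace.src.hit(src, sport) and ace.dst.hit(dst, dport):
            return ace.action, ace.text
    return "deny", "implicit deny"


# A DHCPDISCOVER as it enters the VLAN interface: the client has no address
# yet, so it comes from 0.0.0.0, UDP source port 68 (bootpc), to the
# broadcast address, UDP destination port 67 (bootps).
DHCP_DISCOVER = ("udp", "0.0.0.0", 68, "255.255.255.255", 67)

# The poster's ACL with the reply's change applied to the first line.
GUEST_ACL = [
    "permit udp any eq bootpc any",
    "permit udp any any eq bootps",
    "permit ip any 10.9.16.0 0.0.15.255",
    "permit udp any host 172.20.90.19 eq domain",
    "permit tcp any host 172.20.90.19 eq domain",
    "permit tcp any host 172.20.90.3 eq www",
    "permit tcp any host 172.20.90.3 eq 443",
    "deny ip any 172.16.0.0 0.15.255.255",
    "deny ip any 192.168.0.0 0.0.255.255",
    "deny ip any 10.0.0.0 0.255.255.255",
    "permit ip any any",
]

# Constructed guest-client packets (addresses chosen for illustration only).
PACKETS = {
    "dhcp_discover": DHCP_DISCOVER,
    "dns_to_inside_server": ("udp", "10.9.16.50", 53001, "172.20.90.19", 53),
    "web_to_other_inside_host": ("tcp", "10.9.16.50", 40000, "172.20.90.5", 80),
    "ssh_to_10_net_host": ("tcp", "10.9.16.50", 40001, "10.1.1.1", 22),
    "https_to_internet": ("tcp", "10.9.16.50", 40002, "93.184.216.34", 443),
}


def check_guest_acl() -> Dict[str, Tuple[str, str]]:
    return {name: evaluate(GUEST_ACL, *pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, line in (("original", "permit udp any any eq bootpc"),
                        ("corrected", "permit udp any eq bootpc any")):
        print(f"{label:9} -> {evaluate([line], *DHCP_DISCOVER)}")
    for name, result in check_guest_acl().items():
        print(f"{name:26} -> {result}")
```

The evaluator only models the inbound direction. The DHCPOFFER that the server returns via the helper address enters the router on another interface and leaves Vlan916 outbound, so an `in` access-group on Vlan916 never sees it; only the client's own requests have to get past V916in.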
