New Member

DHCP/ ip helper address not working with ACL

For some reason the following ACL will not pass DHCP using ip helper address when applied to the vlan. The vlan is 172.20.148.0/23. The DHCP is on the 10.10.1.0/24 network. All works fine with no ACL. ACL works except for allowing DHCP.

Any ideas what I'm doing wrong?

config t
ip access-list extended net149C
 permit tcp any eq telnet any established
 permit tcp any eq 22 any established
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit tcp any host 10.10.1.10 eq 80
 permit ip any host 10.10.1.58
 permit ip any host 10.10.1.105
 permit ip any host 10.10.1.79
 permit ip any host 10.10.1.90
 permit ip any host 10.10.1.13
 permit ip any host 10.10.1.18
 permit ip any host 10.10.1.62
 deny ip any 10.10.1.0 0.0.0.255
 deny ip any 198.146.193.0 0.0.0.255
 deny ip any 192.168.5.0 0.0.0.255
 deny ip any 192.168.6.0 0.0.0.255
 deny ip any 192.168.7.0 0.0.0.255
 deny ip any 192.168.21.0 0.0.0.255
 deny ip any 192.168.70.0 0.0.0.255
 deny ip any 192.168.4.0 0.0.0.255
 deny ip any 192.168.20.0 0.0.0.255
 deny ip any 192.168.40.0 0.0.0.255
 deny ip any 172.20.0.0 0.0.255.255
 permit ip any any
 exit
interface vlan149
 ip access-group net149C in
 exit
end

7 REPLIES
Hall of Fame Super Blue

Re: DHCP/ ip helper address not working with ACL

Hi Randy

Try changing

permit udp any any eq bootpc

to

permit udp any eq bootpc any

HTH

Jon

New Member

It works for me. Thank you very much.

New Member

Re: DHCP/ ip helper address not working with ACL

Try this

access-list permit udp host x.x.x.x eq bootps any eq bootpc

New Member

Re: DHCP/ ip helper address not working with ACL

None of the suggestions have worked. I'm stumped.

New Member

Re: DHCP/ ip helper address not working with ACL

You would need to debug the access-list:

1) Disable fast switching on the interfaces involved. You only see the first packet if fast switching is not disabled.

config interface

no ip route-cache

2) Use the "terminal monitor" command in enable mode in order to display "debug" command output and system error messages for the current terminal and session.

3) Use the "debug ip packet net149C detail" command in order to begin the debug process.

4) After your captures are done, execute the "no debug all" command in enable mode and the interface configuration command in order to stop the debug process.

Restart caching.

config interface

ip route-cache

Reference:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#ts

New Member

Re: DHCP/ ip helper address not working with ACL

Try changing yours to this

permit udp any eq bootps any eq bootpc

New Member

Re: DHCP/ ip helper address not working with ACL

Hi, randyclark:

Try my access-list, it works well with my 1721/1751/1841 routers in my 200+ branches worldwide.

access-list 126 permit udp any host 255.255.255.255 eq bootps

access-list 126 permit udp any host 255.255.255.255 eq bootpc

Thanks.
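
An added example, not part of any post in this thread: a small first-match evaluator for the ACL syntax used above, run over constructed DHCP packets to show which traffic direction each entry suggested in the replies matches. The server address 10.10.1.5, client address 172.20.149.20 and relay address 172.20.148.1 are hypothetical, and only a DHCP-relevant subset of net149C is modelled.

```python
import ipaddress

PORTS = {"bootps": 67, "bootpc": 68}  # DHCP server and client UDP ports

def _ip(a):
    return int(ipaddress.ip_address(a))

def _addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD'; return ((base, wildcard), rest)."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (_ip(tok[1]), 0), tok[2:]
    return (_ip(tok[0]), _ip(tok[1])), tok[2:]

def _port(tok):
    """Consume an optional 'eq PORT'; return (port or None, rest)."""
    if tok[:1] == ["eq"]:
        return PORTS.get(tok[1]) or int(tok[1]), tok[2:]
    return None, tok

def ace_matches(ace, pkt):
    """True if one udp/ip ACE matches a UDP packet (src, sport, dst, dport)."""
    tok = ace.split()
    proto, tok = tok[1], tok[2:]
    (sbase, swild), tok = _addr(tok)
    sport, tok = _port(tok)
    (dbase, dwild), tok = _addr(tok)
    dport, tok = _port(tok)
    src, psport, dst, pdport = pkt
    return (proto in ("udp", "ip")
            and _ip(src) | swild == sbase | swild   # wildcard bits are "don't care"
            and _ip(dst) | dwild == dbase | dwild
            and sport in (None, psport) and dport in (None, pdport))

def first_match(acl, pkt):
    """First matching ACE wins; IOS appends an implicit deny."""
    return next((a for a in acl if ace_matches(a, pkt)), "implicit deny")

# Constructed packets; the server, client and relay addresses are hypothetical.
DISCOVER = ("0.0.0.0", 68, "255.255.255.255", 67)      # client broadcast, inbound on the SVI
RENEW = ("172.20.149.20", 68, "10.10.1.5", 67)         # unicast renewal, inbound on the SVI
RELAYED = ("172.20.148.1", 67, "255.255.255.255", 68)  # relay to client, outbound from the SVI

# DHCP-relevant subset of net149C from the question, in order.
NET149C = ["permit udp any any eq bootps", "permit udp any any eq bootpc",
           "deny ip any 10.10.1.0 0.0.0.255", "permit ip any any"]

if __name__ == "__main__":
    for name, pkt in [("DISCOVER", DISCOVER), ("RENEW", RENEW), ("RELAYED", RELAYED)]:
        print(f"{name:9} net149C -> {first_match(NET149C, pkt)}")
```

Entries that test `eq bootpc` as the destination port only match server-to-client replies, while an entry limited to `host 255.255.255.255` matches the broadcast DISCOVER but not a unicast renewal, which then falls through to the `deny ip any 10.10.1.0 0.0.0.255` line.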
