Cisco Support Community

New Member

ACL issue on router

Hi,

I have a 2600 router in my branch. Today I configured an ACL on its internal interface so that users cannot access the internet. After configuring the ACL, users cannot get an IP address from DHCP, which is configured on the router. Below is my ACL.

Please tell me how I can configure the ACL correctly so the DHCP issue can be resolved.

ip access-list extended INSIDE-IN
 permit ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.50.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.90.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.101.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.3.0 0.0.0.255
 deny ip any any
!
int fa 0/1
 description inside interface
 ip access-group INSIDE-IN in
!


ACL issue on router

You need to allow DHCP requests in through the ACL. You could try something like "permit udp any eq bootpc any eq bootps" at the top of the ACL.

HTH,
John

*** Please rate all useful posts ***

New Member

ACL issue on router

Hi John.

Thanks for the help.

Can you please explain why this ACL is denying DHCP? And one other thing: I implemented an IP ACL; in such an ACL, all UDP, TCP and ICMP should be allowed?

ACL issue on router

A DHCP broadcast/request doesn't have an IP address yet, so the source address is 0.0.0.0 and, since it's a broadcast, a destination address of 255.255.255.255. So, the source of 0.0.0.0 doesn't match any of your permit statements until it receives an address in the range of IPs that you are permitting through your ACL.

HTH,
John

*** Please rate all useful posts ***

New Member

ACL issue on router

John,

Great, I got it.

Please, one last thing I want to ask you: as I said earlier, in an IP ACL all TCP, UDP and ICMP are allowed? Am I right or not?

ACL issue on router

Yes, once they get an address, they should be able to get everywhere with the "permit IP" statement.

HTH,
John

*** Please rate all useful posts ***
