access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 255.0.0.0 0.255.255.255 any log
access-list 101 deny ip 224.x.x.0 18.104.22.168 any log
access-list 101 deny ip host 0.0.0.0 any log
access-list 101 deny ip 169.x.x.0 0.0.255.255 any log
access-list 101 deny ip any 0.0.0.0 255.255.255.0 log
access-list 101 deny ip any 0.0.0.255 255.255.255.0 log
access-list 101 permit ip any any log
access-list 102 remark ====== ONLY SOURCE TO INTERNET ACL =====
access-list 102 permit ip 192.168.2.0 0.0.0.255 any log
access-list 102 deny ip any any log
My problem is that when my DHCP lease time is over, the access-list stops it from getting the renewal. The reason I discovered this was because when I removed the ip access-group from the FA interfaces I directly get my address back.
All DHCP packets travel as UDP datagrams; all client-sent packets have source port 68 and destination port 67; all server-sent packets have source port 67 and destination port 68. For example, a server-side ACL should allow the following types of packets:
Incoming packets from 0.0.0.0 or dhcp-pool to dhcp-ip
Incoming packets from any address to 255.255.255.255
Outgoing packets from dhcp-ip to dhcp-pool or 255.255.255.255
where dhcp-ip represents any address configured on a DHCP server host and dhcp-pool stands for the pool from which a DHCP server assigns addresses to clients.
Actually you do not need to take help of ACL for your DHCP requests. You can instead configure "ip helper-address x.x.x.x" on your LAN interface where x.x.x.x is the IP of your DHCP server. So, if your client sends a broadcast for an IP from DHCP, the router will convert the broadcast and send a unicast request to that particular DHCP IP if "ip helper-address" is configured. Thanks!
*deepinder* thanks for your advice. I must say that I don't fully understand the command you have given [this doesn't mean I don't appreciate your advice]. I will give it a look to see what that command exactly stands for.
*royalblues* my thanks also goes out to you. Your advice is something I understand.
I just have 1 question.
Regarding the advice you have given me: doesn't the command
access-list 101 permit ip any any take care of letting the UDP packets go through?
I'm using Fa0/0 for my WAN and it's getting its IP address from DHCP, and one line in the access-list is blocking the DHCP lease renewal when the time has expired. Do I need to remove a line from access-list 101, or will adding
access-list 101 permit udp any any eq 67
access-list 101 permit udp any any eq 68
on top of the access-list resolve this issue? I'm not only looking for the solution but also for what I have done wrong.
PS: access-list 101 is configured inbound on int fa0/0
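To see how the port rules from the earlier reply interact with the posted access-list, here is an added example (not code from the thread or from Cisco) that evaluates Cisco-style extended ACL entries against a few constructed DHCP packets. It parses a subset of the access-list 101 entries quoted above (only the ones that are well-formed as posted), walks them top-down the way IOS does, and reports which entry matches. The server address 203.0.113.1 and client address 203.0.113.57 are made-up documentation addresses, and the packets are constructed for the demonstration. It shows that "permit ip any any" does cover UDP, but only if the packet survives the deny entries above it: a server reply broadcast to 255.255.255.255 is caught first by "deny ip any 0.0.0.255 255.255.255.0" (any destination whose last octet is 255), while a unicast DHCPACK to the renewing client reaches the permit. Putting the proposed "permit udp any any eq 67/68" entries on top lets the broadcast reply through.

```python
# Minimal evaluator for Cisco-style extended access-list entries.
# Added example, not from the original thread: it replays constructed DHCP
# packets against a subset of the access-list 101 entries quoted in the post.
import ipaddress

# Subset of access-list 101 as posted (the entries that parse cleanly), in order.
ACL_101 = [
    "access-list 101 deny ip 192.168.0.0 0.0.255.255 any log",
    "access-list 101 deny ip 172.16.0.0 0.15.255.255 any log",
    "access-list 101 deny ip 10.0.0.0 0.255.255.255 any log",
    "access-list 101 deny ip host 0.0.0.0 any log",
    "access-list 101 deny ip any 0.0.0.0 255.255.255.0 log",
    "access-list 101 deny ip any 0.0.0.255 255.255.255.0 log",
    "access-list 101 permit ip any any log",
]

# The two entries the poster proposes to add on top of the list.
ACL_101_WITH_DHCP = [
    "access-list 101 permit udp any any eq 67",
    "access-list 101 permit udp any any eq 68",
] + ACL_101

# Constructed packets as seen inbound on Fa0/0 (ISP DHCP server -> router).
# 203.0.113.0/24 is a documentation range; the addresses are assumptions.
BROADCAST_OFFER = {"proto": "udp", "src": "203.0.113.1", "sport": 67,
                   "dst": "255.255.255.255", "dport": 68}
UNICAST_ACK = {"proto": "udp", "src": "203.0.113.1", "sport": 67,
               "dst": "203.0.113.57", "dport": 68}
PRIVATE_SERVER_OFFER = {"proto": "udp", "src": "10.1.1.1", "sport": 67,
                        "dst": "255.255.255.255", "dport": 68}


def parse_addr(tokens, i):
    """Parse 'any', 'host A' or 'A WILDCARD' at tokens[i].
    Returns ((address_int, compare_mask_int), next_index)."""
    if tokens[i] == "any":
        return (0, 0), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    # A Cisco wildcard bit set to 1 means "don't care"; invert it to get
    # the bits that must match.
    return (addr, ~wildcard & 0xFFFFFFFF), i + 2


def parse_ace(line):
    """Parse 'access-list N {permit|deny} PROTO SRC [eq P] DST [eq P] [log]'.
    Remark lines return None."""
    t = line.split()
    if t[2] == "remark":
        return None
    ace = {"action": t[2], "proto": t[3], "sport": None, "dport": None}
    i = 4
    ace["src"], i = parse_addr(t, i)
    if i < len(t) and t[i] == "eq":
        ace["sport"] = int(t[i + 1])
        i += 2
    ace["dst"], i = parse_addr(t, i)
    if i < len(t) and t[i] == "eq":
        ace["dport"] = int(t[i + 1])
        i += 2
    return ace


def addr_matches(spec, ip):
    addr, mask = spec
    return (int(ipaddress.IPv4Address(ip)) & mask) == (addr & mask)


def ace_matches(ace, pkt):
    # 'ip' matches every protocol; tcp/udp entries match only their own.
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not addr_matches(ace["src"], pkt["src"]):
        return False
    if not addr_matches(ace["dst"], pkt["dst"]):
        return False
    if ace["sport"] is not None and ace["sport"] != pkt.get("sport"):
        return False
    if ace["dport"] is not None and ace["dport"] != pkt.get("dport"):
        return False
    return True


def evaluate(acl_lines, pkt):
    """First-match evaluation, as IOS does it; implicit deny when nothing matches."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace is not None and ace_matches(ace, pkt):
            return ace["action"], line
    return "deny", "implicit deny"


if __name__ == "__main__":
    for name, pkt in [("broadcast OFFER", BROADCAST_OFFER),
                      ("unicast ACK", UNICAST_ACK),
                      ("OFFER from private-addressed server", PRIVATE_SERVER_OFFER)]:
        print(f"{name:40s} posted ACL: {evaluate(ACL_101, pkt)}")
        print(f"{name:40s} with UDP permits on top: {evaluate(ACL_101_WITH_DHCP, pkt)}")
```

The third packet is a caveat worth checking on a real link: if the ISP's DHCP server answers from a private address (10.0.0.0/8 here), the anti-spoofing deny entries at the top of the list drop its reply regardless of the broadcast issue, so the UDP permits have to sit above those entries as well, which is exactly the placement the poster proposes.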