06-28-2005 05:46 AM - edited 03-02-2019 11:13 PM
Hi Friends
I am facing a problem in one of my VLANs, VLAN 70. PCs in that VLAN are not able to get an IP from the DHCP server. I have applied an access-list on that VLAN. After removing the access-list from that VLAN, PCs in that same VLAN are able to get an IP from DHCP. I think there is a problem in the access-list. Config is attached. Please suggest.
Thanks & Regards
Tarun G
06-28-2005 07:05 AM
Hi Tarun,
Can you also allow port 67 and port 68 for TCP? I see you have allowed them for UDP.
HTH
Ankur
06-28-2005 07:25 AM
Hi Ankur,
When I try to configure TCP it does not show port 67 and 68 as valid options for TCP. We have configured 546,547 for the same.
Thanks
Tarun G
06-28-2005 09:44 AM
I have looked at your config and I believe that I see the problem. It is indeed a problem with the access lists. Essentially the access lists are reversed. Access list 150 is applied as an inbound access list. But in access list 150 all the source addresses are 172.16.7.0. But for inbound on VLAN 70 172.16.7.0 would be the destination not the source. Similarly access list 151 has reversed the source and destination addresses. If you apply 150 outbound and 151 inbound it has a much greater chance of working as you wish.
HTH
Rick
06-29-2005 09:33 AM
Hi Rick,
We have tried that out but it is not working.
Thanks
Tarun G
06-29-2005 10:27 AM
Tarun
If you have made changes and it still does not work then I would ask that you post the new config (or send directly to me if you prefer). Given what is in the original config I believe that 150 out and 151 in should allow DHCP to work.
The config that you posted the first time had entries in access list 150 that would permit IP packets from source addresses in 172.17.7.0 to destination addresses in 172.16.1.0. If this access list were applied as outbound (instead of inbound as you had it) then it would allow the DHCP request to be sent. Access list 151 has statements that would permit IP packets with a source address of 172.16.1.0 to destination 172.16.7.0 which would allow the DHCP responses. If this access list were applied as inbound (instead of outbound as you had it) it would allow DHCP responses. If 150 is applied as outbound and 151 is applied as inbound then DHCP should work.
I did notice in the config that you posted that interface VLAN 10 where the 172.16.1.0 subnet is located is shutdown. Is there an alternate path that allows DHCP to work?
So please show the updated config and confirm that if DHCP does not work with the access lists that it does work without the access lists.
HTH
Rick
06-29-2005 10:31 AM
Do please keep in mind that every time you make those changes in the ACL, you may need to apply the VLAN filter list to the VLAN again. So, after the change, remove the VACL and apply it back to that VLAN.
06-29-2005 08:27 AM
We just recently ran across the same issue. Just add this to your ACL and it will allow DHCP to come across. Since DHCP requires the ability to do a UDP broadcast just allowing access to the DHCP server IP subnet isn't enough. Since IP helper will catch the broadcast and pass it to the appropriate server it's a safe allow statement to add to any ACL that needs it.
permit udp any any range bootps bootpc
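As an added illustration of the last point (this is example code, not part of the thread and not the poster's attached config): a small Python model of how an IOS-style extended ACL evaluates the two halves of a DHCP exchange. The ACL lines, addresses and packets are constructed for the example; relay-agent rewriting of addresses is deliberately simplified to the "server subnet to client subnet" view used in the thread. It shows that an entry scoped to the client and server subnets never matches the client's initial DHCPDISCOVER, which is sent from 0.0.0.0 to 255.255.255.255, whereas "permit udp any any range bootps bootpc" does.

```python
"""Added example (not from the thread or its attached config): a model of how a
Cisco-style extended ACL evaluates DHCP traffic. All ACL lines, addresses and
packets below are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional, Tuple
import ipaddress

PORT_NAMES = {"bootps": 67, "bootpc": 68}  # the IOS keywords used in the thread


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Ace:
    """One access-control entry; only destination-port operators are modelled."""
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: Optional[Tuple[int, int]]  # inclusive (low, high), or None for any port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.IPv4Address(pkt.src) not in self.src:
            return False
        if ipaddress.IPv4Address(pkt.dst) not in self.dst:
            return False
        if self.dports and not (self.dports[0] <= pkt.dport <= self.dports[1]):
            return False
        return True


def _parse_addr(tokens, i):
    """Parse 'any', 'host A', or 'A WILDCARD' (contiguous wildcard masks only)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    if (wildcard + 1) & wildcard:
        raise ValueError("non-contiguous wildcard not supported: " + tokens[i + 1])
    prefixlen = 32 - wildcard.bit_length()
    return ipaddress.IPv4Network((tokens[i], prefixlen), strict=False), i + 2


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_ace(line: str) -> Ace:
    """Parse 'permit|deny PROTO SRC DST [eq P | range LO HI]'."""
    t = line.split()
    action, proto = t[0], t[1]
    src, i = _parse_addr(t, 2)
    dst, i = _parse_addr(t, i)
    dports = None
    if i < len(t) and t[i] == "eq":
        dports = (_port(t[i + 1]), _port(t[i + 1]))
    elif i < len(t) and t[i] == "range":
        dports = (_port(t[i + 1]), _port(t[i + 2]))
    return Ace(action, proto, src, dst, dports)


def evaluate(acl_lines, pkt: Packet) -> str:
    """First matching entry wins; an ACL ends with an implicit deny, as in IOS."""
    for ace in map(parse_ace, acl_lines):
        if ace.matches(pkt):
            return ace.action
    return "deny"


# Constructed traffic. A client without a lease sends DHCPDISCOVER from 0.0.0.0
# to the limited broadcast address; the reply is modelled simply as server
# subnet -> client subnet (relay-agent address rewriting is not modelled).
DISCOVER = Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67)
OFFER = Packet("udp", "172.16.1.10", "172.16.7.25", 67, 68)

# Constructed ACLs standing in for the thread's attached config.
SUBNET_ONLY = [
    "permit udp 172.16.7.0 0.0.0.255 172.16.1.0 0.0.0.255 eq bootps",
    "permit udp 172.16.1.0 0.0.0.255 172.16.7.0 0.0.0.255 eq bootpc",
]
WITH_BROADCAST = ["permit udp any any range bootps bootpc"] + SUBNET_ONLY


def dhcp_verdicts(acl_lines) -> dict:
    """Verdict for each half of the exchange under the given ACL."""
    return {"discover": evaluate(acl_lines, DISCOVER),
            "offer": evaluate(acl_lines, OFFER)}


if __name__ == "__main__":
    for name, acl in (("subnet-only", SUBNET_ONLY), ("with bootps/bootpc", WITH_BROADCAST)):
        print(name, dhcp_verdicts(acl))
```

Run as a script it prints the verdicts for both ACLs: under the subnet-only ACL the DISCOVER hits the implicit deny even though the server subnet is permitted, which is the failure mode described above; adding the bootps/bootpc line permits it. The same evaluator also shows that a TCP entry on those ports never matches, since DHCP is carried over UDP.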