Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
23906
Views
20
Helpful
4
Replies

bootpc and bootps - ACL

dacruzer1
Level 1
Level 1

‎06-24-2020 01:47 PM

Hello Everyone,  

 

Hope everyone is staying safe and healthy.

 

I used to have this line configured on an extended ACL:

permit udp any any eq bootpc bootps

 

But then a few of my laptops started having issues and could not get an IP address.  So after many hours of troubleshooting, I split the above entry to:

permit udp any any eq bootpc

permit udp any any eq bootps

 

And... those laptops started working again!

 

So why would these two entries work and not the other one???

 

Any info would be greatly appreciated !

Alfred

2 people had this problem
Labels:
0 Helpful
4 Replies 4

Martin L
VIP
VIP

‎06-24-2020 02:30 PM


Yes, interesting question but I never seen single ACL line working for DHCP; it always has been 2 lines.

Richard Burts
Hall of Fame
Hall of Fame
In response to Martin L

‎06-26-2020 12:59 PM

As I understand it certain platforms (and certain versions of code) support specifying discontiguous port numbers in a named access list. There are things that we do not know about the environment of the original post and they might impact our answer. Was this extended access list a named list or a numbered list? Is it possible that it was implemented and working and then some change was made in the network (perhaps transition to a different platform or to a different version of code)?

 

I agree with @Martin L that my experience is frequently the ACL uses 2 lines, one for each protocol. But in truth you usually need only one and which one depends on whether your filter is applied inbound or outbound. You are usually looking at traffic from client to server or looking at traffic from server to client. It would be unusual for an access list to be evaluating both type of flows (and that is where you really need both lines). We frequently configure both and that is safe because no matter which way the acl gets applied it will work.

 

I wonder in the original post if perhaps the acl was working because the first port specified happened to match the type of traffic being used through that interface. And if perhaps in configuring a new interface the order of ports changed? Or perhaps the direction of the traffic changed?

HTH

Rick

d-hoyer
Level 1
Level 1

‎10-28-2022 01:40 PM

Perhaps this instead? 

permit udp any eq bootpc any eq bootps

 

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to d-hoyer

‎10-29-2022 11:45 AM

As I understand the logic of the original post it was an attempt to match EITHER bootpc or bootps. Your suggestion with match one but not match the other.

HTH

Rick
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card