Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2102
Views
0
Helpful
1
Replies

DHCP Port Open

Joe Lee
Level 1
Level 1

‎03-31-2015 07:15 PM - edited ‎03-05-2019 01:08 AM

Hello,

 

We configured two subnets on the switch, one is for employee, one is for student. We don't want the student student access to the employee subnet. The DHCP server is setup at employee subnet - 192.168.100.2.  We are not able to pull the IP address from the DHCP server at the VLAN20, but when we remove the "ip access-group 100 in" at VLAN 20, and it works fine. What ports should we open at the access list 100. Please advise.

 

Thanks,

Joe

 

Int vlan 2

ip address 192.168.100.1 255.255.255.0

!

int vlan 20

ip address 192.168.200.1 255.255.255.0

ip access-group 100 in

ip helper-address 192.168.100.2

!

access-list 100 permit udp 192.168.0.0 0.0.255.255 host 192.168.100.2 67

access-list 100 permit udp 192.168.0.0 0.0.255.255 host 192.168.100.2 68

access-list 100 deny any any

Labels:
0 Helpful
1 Reply 1

Charles Hill
VIP Alumni
VIP Alumni

‎03-31-2015 08:05 PM

Hello Joe Lee,

Try adding the line below to your acl.

 

access-list 100 permit udp any eq bootpc and eq bootps

 

 

UDP port 67 is for the dhcp server

UDP port 68 is for the dhcp client

 

The link below gives more detail concerning allowing dhcp traffic via a acl.

https://supportforums.cisco.com/discussion/11442541/acl-allow-only-dhcp-server

 

Hope this helps.,

if so, please rate.

0 Helpful
Customers Also Viewed These Support Documents