DHCP Port Open

Joe Lee · ‎03-31-2015

Hello,

We configured two subnets on the switch, one is for employee, one is for student. We don't want the student student access to the employee subnet. The DHCP server is setup at employee subnet - 192.168.100.2. We are not able to pull the IP address from the DHCP server at the VLAN20, but when we remove the "ip access-group 100 in" at VLAN 20, and it works fine. What ports should we open at the access list 100. Please advise.

Thanks,

Joe

Int vlan 2

ip address 192.168.100.1 255.255.255.0

!

int vlan 20

ip address 192.168.200.1 255.255.255.0

ip access-group 100 in

ip helper-address 192.168.100.2

!

access-list 100 permit udp 192.168.0.0 0.0.255.255 host 192.168.100.2 67

access-list 100 permit udp 192.168.0.0 0.0.255.255 host 192.168.100.2 68

access-list 100 deny any any

Charles Hill · ‎03-31-2015

Hello Joe Lee,

Try adding the line below to your acl.

access-list 100 permit udp any eq bootpc and eq bootps

UDP port 67 is for the dhcp server

UDP port 68 is for the dhcp client

The link below gives more detail concerning allowing dhcp traffic via a acl.

https://supportforums.cisco.com/discussion/11442541/acl-allow-only-dhcp-server

Hope this helps.,

if so, please rate.

DHCP Port Open

Port-Security - Configuração Básica

ISE 3.3 P5 - Open Caveats (versão Português)

Port 1080 open

ISE 3.3 P5 - Open Caveats

Fail-open & Fail-close explanation