cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Community Helping Community

19624
Views
7
Helpful
3
Replies
Highlighted

Access list to allow DHCP to different subnet

Hi:

The scenario:

DHCP server at 10.0.0.13 on vlan 10

Clients on vlan 5 must use that DHCP server to get addresses in the 172.16.0.0/21 range.

I've configured an ip helper-address on the SVI of vlan 5 to allow the forwarding of DHCP requests. That works fine, and clients can obtain addresses.

However, I'd like to prohibit ALL other traffic to any 10.0.0.0 address from vlan 5.

would the following work?

ip access-list extended dhcppermit

  permit udp any eq bootpc any eq bootps

  deny ip any 10.0.0.0 0.0.0.255

  permit ip any any

int vlan 5

  ip address 172.16.0.1 255.255.248.0

  ip helper-address 10.0.0.13

  ip access-group dhcppermit in

And if so, is there a way to lock this down, even more?

Thanks,

Tony

Everyone's tags (6)
3 REPLIES 3
Hall of Fame Guru

Access list to allow DHCP to different subnet

Tony

That should do the trick. As long as there are no other services needed on the 10.0.0.x network and i only say this as the DHCP server is often on the same subnet as AD etc. if using microsoft.

Jon

Access list to allow DHCP to different subnet

Thanks, Jon.

I was able to try this out, and was able to get an IP address with that config.

Two more questions:

Do you know if DHCP ever use TCP? I thought I read somewhere that a dhcp renew uses TCP unicast to the DHCP server's address, but I can't seem to find that reference now.

I setup Wireshark on the client and noticed a few pings coming back from the DHCP server, checking if the address was in use, before it handed it out. So it would appear that I need to allow icmp replies back to the server, or that function will never spot duplicate addresses.

Thoughts?

Thanks,

Tony

Advisor

Access list to allow DHCP to different subnet

Hi,

I've never heard DHCP uses TCP, but DNS can in some occasions.

Norwally clients should do a Gratuitous arp request before accepting the IP and if it is already on another device it will send a DHCP decline to the server. I also think that some servers also use ARP for duplicate address detection( at least Cisco routers do) so it may be working without  letting the ICMP replies back. if the server doesn't get the reply it will suppose it can offer the IP but I don't know if it keeps it up in its table when he receives a decline.

I'll do some searching and let you know.

Regards.

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.
CreatePlease to create content
Content for Community-Ad