Access list to allow DHCP to different subnet

Alex Zmaczynski
Level 1

Hi:

The scenario:

DHCP server at 10.0.0.13 on vlan 10

Clients on vlan 5 must use that DHCP server to get addresses in the 172.16.0.0/21 range.

I've configured an ip helper-address on the SVI of vlan 5 to allow the forwarding of DHCP requests. That works fine, and clients can obtain addresses.

However, I'd like to prohibit ALL other traffic to any 10.0.0.0 address from vlan 5.

Would the following work?

ip access-list extended dhcppermit
  permit udp any eq bootpc any eq bootps
  deny ip any 10.0.0.0 0.0.0.255
  permit ip any any

int vlan 5
  ip address 172.16.0.1 255.255.248.0
  ip helper-address 10.0.0.13
  ip access-group dhcppermit in

And if so, is there a way to lock this down, even more?

Thanks,

Tony

3 Replies

Jon Marshall
Hall of Fame

Tony

That should do the trick. As long as there are no other services needed on the 10.0.0.x network, and I only say this as the DHCP server is often on the same subnet as AD etc. if using Microsoft.

Jon

Thanks, Jon.

I was able to try this out, and was able to get an IP address with that config.

Two more questions:

Do you know if DHCP ever uses TCP? I thought I read somewhere that a DHCP renew uses TCP unicast to the DHCP server's address, but I can't seem to find that reference now.

I set up Wireshark on the client and noticed a few pings coming back from the DHCP server, checking if the address was in use, before it handed it out. So it would appear that I need to allow ICMP replies back to the server, or that function will never spot duplicate addresses.

Thoughts?

Thanks,

Tony

Hi,

I've never heard that DHCP uses TCP, but DNS can on some occasions.

Normally clients should do a gratuitous ARP request before accepting the IP, and if it is already on another device it will send a DHCP decline to the server. I also think that some servers also use ARP for duplicate address detection (at least Cisco routers do), so it may be working without letting the ICMP replies back. If the server doesn't get the reply it will suppose it can offer the IP, but I don't know if it keeps it up in its table when it receives a decline.

I'll do some searching and let you know.

Regards.

Alain

Don't forget to rate helpful posts.
