A simple query regarding access control lists and DHCP.
192.168.1.2 is the DHCP server.
Say I have a vlan 101 configured with the following:
ip access-group TEST_IN in
ip access-group TEST_OUT out
ip helper-address 192.168.1.2
Here are the ACLs themselves:
ip access-list extended TEST_IN
permit udp any host 192.168.1.2 eq bootps
ip access-list extended TEST_OUT
deny ip any any
In the above, would a client connected via the 101 vlan be able to get an IP address via DHCP? It could send the DHCP request, but would 'deny ip any any' block the return packets?
Or are the packets allowed because the router acts as a relay for the DHCP server (via ip helper-address) and the router itself allows the return packets regardless of the ACLs?
The ACL needs to allow the packets before the router can forward the DHCP request.
Note, though, that you have the direction on your ACL wrong, i.e. inbound is traffic from clients in vlan 101, so the source IP would never be the DHCP server.
I have just tested this in a lab and it did not block the IP address assignment.
The lab was using virtual routers but I suspect the same would be seen with real equipment.
Do you know this for a fact? My test has just shown otherwise, but it could be because I am not using real equipment.
Yes, sorry, I misread your ACL; it is correct as you say.
As for being blocked on the way back, it is a good question, because traffic generated by the router itself bypasses any ACLs, and the response is actually generated by the router after it has received a reply from the DHCP server.
To be honest, I don't know without testing.
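The packet-by-packet path the thread is reasoning about, as an added example that is not part of the original thread: a small Python model of the relayed DISCOVER/OFFER exchange evaluated against TEST_IN and TEST_OUT. The SVI address 192.168.101.1 and the source/destination of the relayed packets are assumptions (the thread gives only the server address). Whether the inbound ACL is applied to the client's broadcast as received (destination 255.255.255.255) or to the rewritten unicast to the helper address is platform-dependent, so it is exposed as a parameter rather than asserted; the outbound default follows the rule the last reply mentions, that IOS outbound ACLs do not filter packets the router generates itself.

```python
"""Model of a DHCP DISCOVER/OFFER exchange relayed by a Cisco-style SVI
(ip helper-address) and checked against the thread's TEST_IN/TEST_OUT ACLs.
Added example, not code from the original thread; all addresses other than
the DHCP server are assumed."""
from dataclasses import dataclass
from typing import List, Optional

BOOTPS, BOOTPC = 67, 68
DHCP_SERVER = "192.168.1.2"       # from the thread
SVI_IP = "192.168.101.1"          # assumed address of interface Vlan101 (giaddr)
BROADCAST, UNSPEC = "255.255.255.255", "0.0.0.0"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    router_originated: bool = False   # built by the router's own control plane


@dataclass(frozen=True)
class Ace:
    """One extended-ACL entry; None means 'any'."""
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches everything, else must equal packet proto
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src is not None and self.src != p.src:
            return False
        if self.dst is not None and self.dst != p.dst:
            return False
        return self.dport is None or self.dport == p.dport


def acl_permits(acl: List[Ace], p: Packet) -> bool:
    """First matching entry wins; an extended ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action == "permit"
    return False


# The thread's ACLs, transcribed.
TEST_IN = [Ace("permit", "udp", dst=DHCP_SERVER, dport=BOOTPS)]
TEST_OUT = [Ace("deny", "ip")]


def relay_exchange(acl_in, acl_out, *, acl_before_helper_rewrite=True,
                   out_acl_filters_router_traffic=False):
    """Walk the four packets of a relayed DISCOVER/OFFER and return
    (step, packet, verdict) tuples as seen from Vlan101.

    acl_before_helper_rewrite: evaluate the inbound ACL against the client's
      broadcast as received rather than against the unicast rewritten toward
      the helper address.  Platform-dependent assumption; verify in a lab.
    out_acl_filters_router_traffic: IOS documents that outbound ACLs do not
      filter router-generated packets, so the default is False; set True to
      see what would happen if the relayed OFFER were filtered.
    """
    trace = []

    # 1. Client DISCOVER arrives inbound on Vlan101 (0.0.0.0 -> 255.255.255.255).
    discover = Packet(UNSPEC, BROADCAST, "udp", BOOTPC, BOOTPS)
    relayed = Packet(SVI_IP, DHCP_SERVER, "udp", BOOTPS, BOOTPS, router_originated=True)
    checked = discover if acl_before_helper_rewrite else relayed
    in_ok = acl_permits(acl_in, checked)
    trace.append(("client DISCOVER in", discover, "permit" if in_ok else "deny"))
    if not in_ok:
        return trace

    # 2. Router relays a unicast to the helper address; it leaves via another
    #    interface, so Vlan101's ACLs never see it.
    trace.append(("relay to server", relayed, "n/a"))

    # 3. Server OFFER returns to the relay agent (giaddr), again not on Vlan101.
    offer_to_relay = Packet(DHCP_SERVER, SVI_IP, "udp", BOOTPS, BOOTPS)
    trace.append(("server OFFER to relay", offer_to_relay, "n/a"))

    # 4. Router rebuilds the OFFER and sends it out Vlan101 itself.
    offer = Packet(SVI_IP, BROADCAST, "udp", BOOTPS, BOOTPC, router_originated=True)
    if offer.router_originated and not out_acl_filters_router_traffic:
        verdict = "bypass"
    else:
        verdict = "permit" if acl_permits(acl_out, offer) else "deny"
    trace.append(("OFFER out to client", offer, verdict))
    return trace


def client_gets_lease(acl_in, acl_out, **opts) -> bool:
    """True when every step of the exchange is permitted, bypassed or not applicable."""
    trace = relay_exchange(acl_in, acl_out, **opts)
    return len(trace) == 4 and all(v in ("permit", "bypass", "n/a") for _, _, v in trace)


if __name__ == "__main__":
    for acl_first in (True, False):
        print(f"inbound ACL checked {'before' if acl_first else 'after'} helper rewrite:")
        for step, pkt, verdict in relay_exchange(TEST_IN, TEST_OUT,
                                                 acl_before_helper_rewrite=acl_first):
            print(f"  {step:24s} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {verdict}")
```

Running it shows that, with TEST_IN as written, the lease only succeeds when the inbound check is applied to the rewritten packet; an entry such as `permit udp any any eq bootps` matches both the raw broadcast and the rewritten unicast, so it is the safer way to write the inbound rule regardless of platform behaviour. The outbound `deny ip any any` only matters if the platform filters its own relayed OFFER, which is the point the thread leaves to lab testing.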