02-08-2018 11:49 PM - edited 03-08-2019 01:46 PM
Hi,
A simple query regarding Access Control Lists and DHCP.
192.168.1.2 is the DHCP server.
Say I have a vlan 101 configured with the following:
ip access-group TEST_IN in
ip access-group TEST_OUT out
ip helper-address 192.168.1.2
Here are the ACLs themselves:
ip access-list extended TEST_IN
permit udp any host 192.168.1.2 eq bootps
ip access-list extended TEST_OUT
deny ip any any
-------------------------------
In the above, would a client connected via VLAN 101 be able to get an IP address via DHCP? It could send the DHCP request, but would 'deny ip any any' block the return packets?
Or are the packets allowed because the router acts as a relay for the DHCP server (via ip helper-address) and the router itself allows the return packets regardless of the ACLs?
cheers
jcrow
02-09-2018 12:25 AM
Yes, it will block.
Regards,
Deepak Kumar
02-09-2018 12:14 AM
The ACL needs to allow the packets before the router can forward the DHCP request.
Note though that you have the direction on your ACL wrong, i.e. inbound is traffic from clients in VLAN 101, so the source IP would never be the DHCP server.
Jon
02-09-2018 02:13 AM
I have just tested this in a lab and it did not block the IP address assignment.
The lab was using virtual routers but I suspect the same would be seen with real equipment.
Jon
02-09-2018 02:14 AM
Deepak
Do you know this for a fact? My test has just shown otherwise, but it could be because I am not using real equipment.
Jon
02-09-2018 12:26 AM
Yes, sorry, I misread your ACL; it is correct as you say.
As for being blocked on the way back, it is a good question, because traffic generated by the router itself bypasses any ACLs, and the response is actually generated by the router after it has received a reply from the DHCP server.
To be honest, I don't know without testing.
Jon
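To make the matching concrete, here is an added example (not from this thread or from Cisco) that evaluates jcrow's two ACLs, as transcribed, against the packets of one DHCP exchange in a small Python model of first-match ACL evaluation. The client and SVI addresses are constructed, and treating the relayed offer as router-originated traffic that skips the outbound ACL follows Jon's remark above and is an assumption to confirm in the lab; the model also shows that the initial DHCPDISCOVER, which RFC 2131 sends to 255.255.255.255, does not hit the `host 192.168.1.2` permit entry at all.

```python
from dataclasses import dataclass
from typing import List, Optional
BOOTPS, BOOTPC = 67, 68  # UDP ports behind the IOS keywords bootps / bootpc

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    router_originated: bool = False  # set for replies the relay itself rebuilds

@dataclass
class Ace:
    action: str             # "permit" or "deny"
    proto: str              # "udp" or "ip" (ip matches every protocol)
    src: str                # "any" or a single host address
    dst: str
    dport: Optional[int] = None  # None means any destination port

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src != "any" and self.src != p.src:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        return self.dport is None or self.dport == p.dport

def evaluate(acl: List[Ace], p: Packet) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"

def outbound(acl: List[Ace], p: Packet) -> str:
    """Assumption from the thread: router-originated traffic is not checked."""
    return "bypass" if p.router_originated else evaluate(acl, p)

# The two ACLs from the question, transcribed entry by entry.
TEST_IN = [Ace("permit", "udp", "any", "192.168.1.2", BOOTPS)]
TEST_OUT = [Ace("deny", "ip", "any", "any")]

def dhcp_exchange() -> dict:
    """Constructed packets of one DHCP exchange on VLAN 101 (addresses invented)."""
    discover = Packet("udp", "0.0.0.0", "255.255.255.255", BOOTPS)        # RFC 2131 broadcast
    renew = Packet("udp", "192.168.101.10", "192.168.1.2", BOOTPS)          # unicast renewal
    offer = Packet("udp", "192.168.101.1", "255.255.255.255", BOOTPC, True) # relayed by SVI
    ping = Packet("icmp", "192.168.1.2", "192.168.101.10", 0)               # ordinary transit
    return {"discover_in": evaluate(TEST_IN, discover), "renew_in": evaluate(TEST_IN, renew),
            "offer_out": outbound(TEST_OUT, offer), "ping_out": outbound(TEST_OUT, ping)}
```

Running `dhcp_exchange()` shows the broadcast discover falling to the implicit deny inbound while a unicast renewal is permitted, and the outbound deny catching transit traffic but not the relayed offer under the stated assumption.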