This post is 3 years old, but I'm tossing this up for future reference
To permit | deny just DHCPv4 traffic...
- Create an extended ACL with 2 lines.
- Use the following parameters to create each statement:
► UDP port 67 (That's a DHCP server)
► UDP port 68 (That's a DHCP client)
BillTheCat(config)# access-list 173 permit udp 30.30.30.0 0.0.0.255 any eq 67
BillTheCat(config)# access-list 173 permit udp any 30.30.30.0 0.0.0.255 eq 68
BillTheCat(config)# end
(Yes, I know there are 9,003 ways to make this ACL better, but I'll leave that to you...☺)
► You have the implicit deny at the end, which will block anything that has not been explicitly permitted.
► However, I like to add an explicit deny at the end, so that I can see the stats for it.
(John Blakley also had this in his answer, so hat tip to John)
BillTheCat(config)# access-list 173 permit udp 30.30.30.0 0.0.0.255 any eq 67
BillTheCat(config)# access-list 173 permit udp any 30.30.30.0 0.0.0.255 eq 68
BillTheCat(config)# access-list 173 deny ip any any
BillTheCat(config)# end
(Yes, I know there are 9,002 ways to make this ACL better, but I'll leave that to you...☺)
► You can use it to debug:
BillTheCat# debug ip packet 173
IP packet debugging is on for access list 173
*IP: s=0.0.0.0 (GigabitEthernet0/1), d=255.255.255.255, len 333, rcvd 2
*IP: s=0.0.0.0 (GigabitEthernet0/1), d=255.255.255.255, len 333, stop process pak for forus packet
*IP: s=30.30.30.1 (local), d=255.255.255.255
(GigabitEthernet0/1), len 328, sending broad/multicast
► And if you want to see the DHCP activity from 30.30.30.0/24 LAN, you can use:
debug ip dhcp server events
BillTheCat# debug ip dhcp server events
DHCPD: returned 30.30.30.26 to address pool LAN-POO-30
DHCPD: assigned IP address 30.30.30.71 to client
0100.0103.85e9
DHCPD: checking for expired leases.
DHCPD: the lease for address 30.30.30.16 has expired.
DHCPD: returned 30.30.30.16 to address pool LAN-POO-30
Well, hope that helps someone in their quest to sort out DHCP traffic...
Cheers!
▬ spammy
