19034 Views, 20 Helpful, 16 Replies

Concerning ACL with DHCP.

thonghawkyen
Beginner

I have a router with 2 FE interfaces :

(1) interface FastEthernet0/0

=> ip address 137.55.70.1 255.255.255.0

=> duplex auto

=> speed auto

Note : On this interface/subnet I have a DHCP server connected as 137.55.70.2.

(2) interface FastEthernet0/1

=> ip address 137.55.71.1 255.255.255.0

=> ip helper-address 137.55.70.2

=> duplex auto

=> speed auto

Scenario (1) - OK

-------------------------

(1) I have defined ACLs as follows :

=> access-list 101 permit ip 137.55.71.0 0.0.0.255 host 137.55.70.2

=> access-list 104 permit udp 137.55.71.0 0.0.0.255 host 137.55.70.2 eq bootpc

=> access-list 104 permit udp 137.55.71.0 0.0.0.255 host 137.55.70.2 eq bootps

(2) Applied to F0/0 :

=> ip access-group 104 out

Result : Clients connected to F0/1 subnet get DHCP IP addresses.

Scenario (2) - Not OK

--------------------------------

(1) Use the same ACL applied to F0/1 :

=> ip access-group 104 in

(2) And added the following line in the global configuration mode :

=> ip forward-protocol udp

(3) Remove 104 and applied 101 to F0/1 :

=> ip access-group 101 in

Result : Clients connected to F0/1 subnet CANNOT get DHCP IP addresses.

P.S. : It is not as simple as I thought. I would appreciate it if anyone could help. Thank you very much.

2 Accepted Solutions

mlund
Rising star

Hi

You have to permit ip from host 0.0.0.0 to destination host 255.255.255.255, because the PC doesn't have any IP yet; that is why the source IP would be 0.0.0.0, and the DHCP is a broadcast, so a destination of host 255.255.255.255 will do.

access-list 104 permit ip host 0.0.0.0 host 255.255.255.255

or

access-list 104 permit udp host 0.0.0.0 host 255.255.255.255 eq bootpc

/Mikael


Leo

The answer is not really based on being as close as possible to the destination. To understand the reason, let's start by understanding what the messages are. The initial DHCP request (which would be filtered by the access list inbound on Fa0/1) is a broadcast from the PC with a source address of zeros. Since access list 104 was written to permit only traffic whose source address was 137.55.71.0, it denies the DHCP request. If the access list is outbound on Fa0/0, then the DHCP request gets to the router, and the router uses the helper address to forward the request to the DHCP server. The message to the DHCP server is a unicast message with the router interface as the source address. The source address still does not match the range specified in the access list, but one of the interesting things about access lists is that outbound access lists do not filter traffic that is generated by the router itself. The helper-address message is generated by the router, and so it does not get filtered by the access list. This is the reason that the access list outbound on Fa0/0 is not a problem but is a problem when inbound on Fa0/1.

HTH

Rick


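To make the two accepted answers concrete, here is an added example (not code from the thread or from Cisco IOS) that models how a numbered extended ACL evaluates a packet: first match wins, wildcard-mask bits set to 1 are "don't care", and an ACL with no matching entry denies. It parses the exact access-list lines from the question plus the permit ip entry from Mikael's answer, then runs the packets of a DHCP lease through them: the initial DISCOVER (source 0.0.0.0, destination 255.255.255.255, UDP 68 to 67 per RFC 2131), a renewal from a client that already holds an address, and the unicast the router builds when relaying, which Rick points out is router-originated and therefore not subject to an outbound ACL. The client addresses, the relayed packet's source address (taken here as the F0/1 address) and the bypass flag are assumptions of this example.

```python
"""Model of IOS extended-ACL matching applied to the DHCP exchange in this thread.
Added example, not part of the thread or of Cisco IOS."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"bootps": 67, "bootpc": 68}   # IOS keywords used in the question


@dataclass(frozen=True)
class Packet:
    proto: str                   # "udp", "tcp", "icmp", ...
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One access-list entry."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str
    src_wc: str                  # wildcard mask: 1 bits are "don't care"
    dst: str
    dst_wc: str
    sport: Optional[int] = None  # "eq <port>" after the source address
    dport: Optional[int] = None  # "eq <port>" after the destination address


def _parse_addr(tokens, i):
    """Consume one address spec (host A | any | A WILDCARD) at tokens[i]."""
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    return tokens[i], tokens[i + 1], i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq <port|name>' at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), i + 2
    return None, i


def parse_ace(line):
    """Parse 'access-list <n> permit|deny <proto> <src> [eq p] <dst> [eq p]'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = t[2], t[3]
    src, src_wc, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    dst, dst_wc, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return Ace(action, proto, src, src_wc, dst, dst_wc, sport, dport)


def wildcard_match(addr, base, wildcard):
    """True if addr equals base on every bit the wildcard mask marks as 0."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)


def ace_matches(ace, pkt):
    return (ace.proto in ("ip", pkt.proto)
            and wildcard_match(pkt.src, ace.src, ace.src_wc)
            and wildcard_match(pkt.dst, ace.dst, ace.dst_wc)
            and (ace.sport is None or ace.sport == pkt.sport)
            and (ace.dport is None or ace.dport == pkt.dport))


def evaluate(acl, pkt):
    """First matching entry decides; no match means the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


def filter_at_interface(acl, pkt, direction, locally_generated=False):
    """Decision an interface ACL makes. Outbound ACLs are not applied to packets
    the router itself originates, such as the unicast ip helper-address builds."""
    if direction == "out" and locally_generated:
        return "permit"
    return evaluate(acl, pkt)


# The ACLs from the question, verbatim, plus the permit ip entry from the answer.
ACL_101 = [parse_ace("access-list 101 permit ip 137.55.71.0 0.0.0.255 host 137.55.70.2")]
ACL_104 = [parse_ace(l) for l in (
    "access-list 104 permit udp 137.55.71.0 0.0.0.255 host 137.55.70.2 eq bootpc",
    "access-list 104 permit udp 137.55.71.0 0.0.0.255 host 137.55.70.2 eq bootps")]
ACL_104_FIXED = ACL_104 + [parse_ace("access-list 104 permit ip host 0.0.0.0 host 255.255.255.255")]

# Constructed packets (RFC 2131: client port 68 = bootpc, server port 67 = bootps).
DISCOVER = Packet("udp", "0.0.0.0", "255.255.255.255", sport=68, dport=67)  # no lease yet
RENEWAL = Packet("udp", "137.55.71.50", "137.55.70.2", sport=68, dport=67)    # assumed client address
RELAYED = Packet("udp", "137.55.71.1", "137.55.70.2", sport=67, dport=67)     # router-built; F0/1 address assumed


def scenario_results():
    """Decision for each packet at the point the question placed the ACL."""
    return {
        "101 in F0/1, DISCOVER": filter_at_interface(ACL_101, DISCOVER, "in"),
        "104 in F0/1, DISCOVER": filter_at_interface(ACL_104, DISCOVER, "in"),
        "104 in F0/1, RENEWAL": filter_at_interface(ACL_104, RENEWAL, "in"),
        "fixed 104 in F0/1, DISCOVER": filter_at_interface(ACL_104_FIXED, DISCOVER, "in"),
        "104 out F0/0, RELAYED": filter_at_interface(ACL_104, RELAYED, "out", locally_generated=True),
    }


if __name__ == "__main__":
    for case, decision in scenario_results().items():
        print(f"{case:30} -> {decision}")
```

Running it shows why the original ACL looked right but was not: a client that already has a 137.55.71.x lease can renew through 104 inbound on F0/1, while a client with no lease sends its DISCOVER from 0.0.0.0 and is dropped by both 101 and 104 until an entry for host 0.0.0.0 to host 255.255.255.255 is added. In IOS syntax, `eq` after the destination address qualifies the destination port, so if that entry is written with a port it should name bootps (67), the port a DISCOVER is sent to; the permit ip form avoids the question.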

16 Replies


Dear Mikael,

Sorry for the late reply. I am not sure why I had problems accessing the site with my password for the past week.

Thank you very much. Your suggestion works very well. We are now able to progress with other ACLs.

regards

thong

John Blakley
Advisor

I'm not sure if you have a typo, but F0/0 doesn't have a helper-address configured.

HTH,

John
