02-17-2009 09:38 PM - edited 03-06-2019 04:05 AM
I have a router with 2 FE interfaces :
(1) interface FastEthernet0/0
=> ip address 137.55.70.1 255.255.255.0
=> duplex auto
=> speed auto
Note : On this interface/subnet I have a DHCP server connected as 137.55.70.2.
(2) interface FastEthernet0/1
=> ip address 137.55.71.1 255.255.255.0
=> ip helper-address 137.55.70.2
=> duplex auto
=> speed auto
Scenario (1) - OK
-------------------------
(1) I have defined ACLs as follows :
=>access-list 101 permit ip 137.55.71.0 0.0.0.255 host 137.55.70.2
=>access-list 104 permit udp 137.55.71.0 0.0.0.255 host 137.55.70.2 eq bootpc
=>access-list 104 permit udp 137.55.71.0 0.0.0.255 host 137.55.70.2 eq bootps
(2) Applied to F0/0 :
=>ip access-group 104 out
Result : Clients connected to F0/1 subnet get DHCP IP addresses.
Scenario (2) - Not OK
--------------------------------
(1) Use the same ACL applied to F0/1 :
=> ip access-group 104 in
(2) And added the following line in the global configuration mode :
=>ip forward-protocol udp
(3) Removed 104 and applied 101 to F0/1 :
=> ip access-group 101 in
Result : Clients connected to F0/1 subnet CANNOT get DHCP IP addresses.
P/S : It is not as simple as I thought. I would appreciate it if anyone can help. Thank you very much.
02-18-2009 06:22 AM
Hi
You have to permit ip from host 0.0.0.0 to destination host 255.255.255.255, because the PC doesn't have any IP yet; that is why the source IP would be 0.0.0.0, and DHCP is a broadcast, so a destination of host 255.255.255.255 will do.
access-list 104 permit ip host 0.0.0.0 host 255.255.255.255
or
access-list 104 permit udp host 0.0.0.0 host 255.255.255.255 eq bootps
/Mikael
03-02-2009 06:36 AM
Dear Mikael,
Sorry for the late reply. I am not sure why I had problems accessing with my password for the past week.
Thank you very much. Your suggestion works very well. We are now able to progress with the other ACLs.
regards
thong

02-18-2009 06:56 AM
I'm not sure if you have a typo, but F0/0 doesn't have a helper-address configured.
HTH,
John
02-18-2009 12:08 PM
John
It is not a typo. In the original post it says: "This interface/subnet i hv a DHCP server connected as 137.55.70.2." So there is a DHCP server directly connected in the subnet and no need for a helper address.
HTH
Rick

02-18-2009 12:15 PM
Yep, didn't see that.
02-18-2009 12:29 PM
John
Yes, if you missed the directly connected DHCP server then it was a good catch of an inconsistency between the interfaces.
HTH
Rick
03-02-2009 07:04 AM
Hi Rick,
Thank you for your clarification. My understanding is same as yours.
regards
thong
02-18-2009 01:51 PM
Forgive my ignorance here but I thought you can only apply one access list (104), per direction (out) to one interface (Fa0/0) at any time.
So you can't apply 104 to both Fa0/0 and Fa0/1.
Am I wrong here?
02-18-2009 02:06 PM
Leo
Unfortunately your understanding is not correct. The restriction is one access list per direction per interface. (Per interface is quite different from to one interface.)
It is quite valid to apply the same access list to more than one interface. What is not valid is to try to have two access lists on the same interface in the same direction.
HTH
Rick
02-18-2009 02:13 PM
I am curious how many people are wondering why access list 104 applied outbound on Fa0/0 allows traffic to flow just fine but the same access list 104 applied inbound on Fa0/1 creates a problem.
I had to think for a bit before the answer came to me. Would anyone like to contribute their understanding of this?
HTH
Rick
02-18-2009 02:45 PM
Let me take a guess: Apply the access list as close-as-possible to the destination (Fa 0/0).
:)
02-19-2009 09:01 AM
Leo
The answer is not really based on being as close as possible to the destination. To understand the reason, let's start by understanding what the messages are. The initial DHCP request (which would be filtered by the access list inbound on Fa0/1) is a broadcast from the PC with a source address of zeros. Since access list 104 was written to permit only traffic whose source address was 137.55.71.0, it denies the DHCP request. If the access list is outbound on Fa0/0, then the DHCP request gets to the router, and the router uses the helper address to forward the request to the DHCP server. The message to the DHCP server is a unicast message with the router interface as the source address. The source address still does not match the range specified in the access list, but one of the interesting things about access lists is that outbound access lists do not filter traffic that is generated by the router itself. The helper-address message is generated by the router, and so it does not get filtered by the access list. This is the reason that the access list outbound on Fa0/0 is not a problem but is a problem when inbound on Fa0/1.
HTH
Rick
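As an added illustration of Mikael's fix and Rick's explanation above (constructed example code, not from anyone in this thread): a small Python model of Cisco extended-ACL matching with wildcard masks and the implicit deny, evaluated against a constructed client DHCPDISCOVER (0.0.0.0:68 to 255.255.255.255:67) and the relayed unicast the router builds from the helper address. The outbound exemption for router-originated traffic is modelled as a flag; packet fields and port numbers are assumptions based on the thread's addressing.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

@dataclass
class ACE:
    """One access-list entry: action proto src src_wild dst dst_wild [eq dst_port]."""
    action: str
    proto: str
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    dst_port: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if not wildcard_match(pkt["src"], self.src, self.src_wild):
            return False
        if not wildcard_match(pkt["dst"], self.dst, self.dst_wild):
            return False
        return self.dst_port is None or pkt.get("dport") == self.dst_port

def acl_permits(acl: list, pkt: dict, direction: str, router_generated: bool = False) -> bool:
    """First-match evaluation with the implicit deny; outbound ACLs skip router-originated packets."""
    if direction == "out" and router_generated:
        return True
    for ace in acl:
        if ace.matches(pkt):
            return ace.action == "permit"
    return False  # implicit 'deny any' at the end of every Cisco ACL

# access-list 104 exactly as in the original post (bootpc = 68, bootps = 67)
ACL_104_ORIG = [
    ACE("permit", "udp", "137.55.71.0", "0.0.0.255", "137.55.70.2", "0.0.0.0", 68),
    ACE("permit", "udp", "137.55.71.0", "0.0.0.255", "137.55.70.2", "0.0.0.0", 67),
]
# the same list with Mikael's line for the not-yet-addressed client broadcast
ACL_104_FIXED = [ACE("permit", "ip", "0.0.0.0", "0.0.0.0", "255.255.255.255", "0.0.0.0")] + ACL_104_ORIG

# constructed packets: the client's DHCPDISCOVER and the unicast the router relays via ip helper-address
DISCOVER = {"proto": "udp", "src": "0.0.0.0", "dst": "255.255.255.255", "sport": 68, "dport": 67}
RELAYED = {"proto": "udp", "src": "137.55.71.1", "dst": "137.55.70.2", "sport": 67, "dport": 67}

def scenario_results() -> dict:
    return {
        "104 out on Fa0/0, relayed unicast": acl_permits(ACL_104_ORIG, RELAYED, "out", router_generated=True),
        "104 in on Fa0/1, client broadcast": acl_permits(ACL_104_ORIG, DISCOVER, "in"),
        "fixed 104 in on Fa0/1, client broadcast": acl_permits(ACL_104_FIXED, DISCOVER, "in"),
    }
```

Note that the relayed unicast 137.55.71.1 to 137.55.70.2 port 67 would also match the second line of the original list 104 on its own; the router-generated exemption is what makes the outbound placement safe in general, regardless of what the list permits.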
02-19-2009 01:36 PM
Thanks Rick. Appreciate the explanation. :)
03-03-2009 02:08 AM
Hi Rick,
Besides making it work, now I have a better understanding. I have no further questions.
Thank you very much.
regards
thong
