02-28-2013 08:16 AM - edited 03-07-2019 11:59 AM
Hello,
I have been unable to resolve an issue and I could really use some help if anyone has a minute. I have a Cisco 2951 router and I am trying to set it up to use DHCP, and for security purposes I need to use the "ip access-group in" command. DHCP will not work when I have this command on the interface that I need to run it through; DHCP works fine when I do not have the "ip access-group in" command in the configuration. When I check the log after the failed DHCP attempt it shows up as denied, as if it's being blocked. The IOS I have is c2951-UNIVERSALK9-m 15.0(1)M3, config register 0x2102. If anyone has any ideas on how to resolve this I would be most appreciative.
Greg
02-28-2013 08:20 AM
Please post the access-list being used by the access-group.
02-28-2013 09:17 AM
Hi ,
Your ACL is blocking the incoming DHCP requests. When a host boots up and sends a DHCP request, the source IP address will be 0.0.0.0 and the destination 255.255.255.255.
Whereas your router is configured so that all traffic destined to the router is dropped apart from the three sources.
If you want to use DHCP, then UDP messages to the router from any source need to be permitted.
The link below describes how DHCP works..
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a00800f0804.shtml
Regards,
TS.
02-28-2013 09:49 AM
Vijay,
Thanks for your reply. Could you possibly then type me out the exact command I would need using UDP?
Thanks, Greg
02-28-2013 07:51 PM
Hi,
For this you can use the commands below:
permit ... (according to your requirement)
permit udp any any (for DHCP to work)
Please let me know if it works.
Regards,
TS.
02-28-2013 07:58 PM
Hello,
If what you want is to be as secure as possible, a permit udp any any will not do it for you.
Now, let's say the ACL name is In_to_out and it is applied in the inbound direction of one of your LAN interfaces (FastEthernet 0/1) on that router.
So all you have to do is apply the following:
ip access-list extended In_to_out
permit udp any host x.x.x.x eq 67 (in this case x.x.x.x would be the IP address of the interface FastEthernet 0/1)
This assumes the ACL is applied like this:
interface fast 0/1
ip access-group In_to_out in
Give it a try.
If this does not work, as Edison said, we must check the ACL and the access-group.
Regards
02-28-2013 08:14 PM
If we assume for the moment that your ACL is applied inbound on the interface you are trying to get an address on, your config would look something like this:
!
interface (fast)ethernet
ip address dhcp
ip access-group
!
In that case you need to allow UDP packets sourced from the DHCP server on the BOOTP server port (67), so the access list entry might be something like:
!
....
access-list
access-list
!
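As an added example (not posted by anyone in this thread), here is what the ACL discussed above looks like when it is written around how DHCP actually travels: first the over-broad form suggested earlier, then a version restricted to the DHCP exchange. It assumes the router is the DHCP server on FastEthernet0/1 with address 192.0.2.1 (a placeholder standing in for the x.x.x.x above), keeps the ACL name In_to_out from the earlier reply, and includes the server-to-client entry the last post describes for the case where the router is itself a DHCP client on that interface. The detail that matters, from the DHCP description earlier in the thread, is that a booting client sends from 0.0.0.0 port 68 to 255.255.255.255 port 67, so an entry whose destination is the interface address matches the later unicast renewals but not the initial broadcast DISCOVER, and the broadcast entry is the one the router needs in order to hand out the first lease.

```cisco
! Over-broad form: admits every UDP packet addressed to or through the router,
! far more than DHCP needs.
ip access-list extended In_to_out
 permit udp any any
!
! Restricted form. "no ip access-list" removes the list first so the new
! lines replace the old ones instead of being appended to them.
no ip access-list extended In_to_out
ip access-list extended In_to_out
 remark Booting clients have no address yet: src 0.0.0.0/68 -> dst 255.255.255.255/67
 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
 remark Renewals from clients that already hold a lease are unicast to the server
 permit udp any eq bootpc host 192.0.2.1 eq bootps
 remark Rebind after a failed renewal is broadcast again, from the client's current address
 permit udp any eq bootpc host 255.255.255.255 eq bootps
 remark Only needed if this router is itself a DHCP client on this interface (last post):
 remark replies from the server come from port 67 to port 68, unicast or broadcast
 permit udp any eq bootps any eq bootpc
 remark ... the existing permit lines for your three allowed sources go here ...
 deny ip any any log
!
interface FastEthernet0/1
 ip address 192.0.2.1 255.255.255.0
 ip access-group In_to_out in
!
```

To check which entry a client is hitting, clear and then watch the per-entry match counters with show ip access-lists In_to_out while a client boots; the DISCOVER should increment the 0.0.0.0 line, and a client with a lease renewing should increment the 192.0.2.1 line. If your final deny carries the log keyword, as in the example, that is what produces the "denied" log entries described in the original post whenever none of the permit lines matches.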