Beginner

IP Access-group in command not allowing DHCP

Hello,

I have been unable to resolve an issue and I could really use some help if anyone has a minute. I have a Cisco 2951 router and I am trying to set it up to use DHCP, and for security purposes I need to use the "ip access-group in" command. DHCP will not work when I have this command on the interface that I need to run it through; DHCP works fine when I do not have the "ip access-group in" command in the configuration. When I check the log after the failed DHCP attempt, it shows up as denied, as if it's being blocked. The IOS I have is c2951-UNIVERSALK9-m 15.0 (1) M3, config register 0x2102. If anyone has any ideas on how to resolve this I would be most appreciative.

Greg               

6 REPLIES
Hall of Fame Mentor

IP Access-group in command not allowing DHCP

Please post the access-list being used by the access-group.

Explorer

IP Access-group in command not allowing DHCP

Hi ,

Your ACL is blocking the incoming DHCP requests. When a host boots up and sends a DHCP request, the source IP address will be 0.0.0.0 and the destination 255.255.255.255.

Whereas your router is configured so that all traffic destined to the router is dropped apart from the three sources.

If you want to use DHCP, then UDP messages to the router from any source need to be permitted.

The link below describes how DHCP works.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a00800f0804.shtml

Regards,

TS.

Beginner

IP Access-group in command not allowing DHCP

Vijay,

Thanks for your reply. Could you possibly then type me out the exact command I would need using UDP?

Thanks, Greg

Explorer

IP Access-group in command not allowing DHCP

Hi,

For this you can use the commands below:

permit ... (according to your requirement)

permit udp any any (for DHCP to work)

Please let me know if it works.

Regards,

TS.


IP Access-group in command not allowing DHCP

Hello,

If what you want is to be as secure as possible, a permit udp any any will not do it for you.

Now let's say the ACL name is In_to_out and it is applied in the inbound direction on one of your LAN interfaces (FastEthernet 0/1) on that router.

So all you have to do is apply the following:

ip access-list extended In_to_out
 permit udp any host x.x.x.x eq 67

(In this case x.x.x.x would be the IP address of interface FastEthernet 0/1.)

This is if the ACL is applied like this:

interface FastEthernet 0/1
 ip access-group In_to_out in

Give it a try.

If this does not work, as Edison said, we must check the ACL and the access-group.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

IP Access-group in command not allowing DHCP

If we assume for the moment that your ACL is applied inbound on the interface you are trying to get an address on, your config would look something like this:

!
interface (fast)ethernet
 ip address dhcp
 ip access-group in
!

In that case you need to allow UDP packets sourced from the DHCP server on the BOOTP server port (67), so the access list entry might be something like:

!
....
access-list permit udp host x.x.x.x eq bootps any eq bootpc
access-list deny ip any any
!
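As an added example that is not part of any post in this thread, the following Python models IOS first-match extended-ACL evaluation for the entries proposed above and runs it against three constructed DHCP packets, so a reader can check which messages each entry admits on an inbound LAN interface. The interface address 192.0.2.254 (the x.x.x.x of the posts), the DHCP server 192.0.2.1 and the renewing client 192.0.2.10 are assumed placeholders.

```python
# Added example, not from any post in the thread: evaluates the IOS extended-ACL
# lines suggested above against constructed DHCP packets (placeholder addresses).
from collections import namedtuple

PORT_NAMES = {"bootps": 67, "bootpc": 68}   # IOS keywords used in the last post
Packet = namedtuple("Packet", "src dst sport dport")   # all DHCP traffic is UDP

def parse_entry(line):
    """'permit|deny PROTO SRC [eq PORT] DST [eq PORT]'; SRC/DST are 'any' or 'host X'."""
    t, i = line.split(), 2
    def addr():
        nonlocal i
        i += 1 if t[i] == "any" else 2          # 'any' is one token, 'host X' two
        return "any" if t[i - 1] == "any" else t[i - 1]
    def port():
        nonlocal i
        if i < len(t) and t[i] == "eq":
            i += 2
            return PORT_NAMES.get(t[i - 1]) or int(t[i - 1])
        return None                              # no 'eq' means any port
    src, sport, dst, dport = addr(), port(), addr(), port()
    return (t[0], t[1], src, sport, dst, dport)

def evaluate(acl, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, proto, src, sport, dst, dport in map(parse_entry, acl):
        if (proto in ("ip", "udp") and src in ("any", pkt.src) and dst in ("any", pkt.dst)
                and sport in (None, pkt.sport) and dport in (None, pkt.dport)):
            return action
    return "deny"

# Constructed packets as the router's LAN interface would receive them.
# Assumed: 192.0.2.254 = the interface (x.x.x.x in the posts), 192.0.2.1 = DHCP
# server, 192.0.2.10 = a client renewing an existing lease.
DISCOVER = Packet("0.0.0.0", "255.255.255.255", 68, 67)   # new client, broadcast
RENEW = Packet("192.0.2.10", "192.0.2.254", 68, 67)       # renewal, unicast to server
OFFER = Packet("192.0.2.1", "255.255.255.255", 67, 68)    # server reply, broadcast

def check_thread_acls():
    """Verdicts as (DISCOVER, RENEW, OFFER) for the entries proposed in the thread."""
    acls = {
        "udp any any": ["permit udp any any"],
        "host if-ip eq 67": ["permit udp any host 192.0.2.254 eq 67"],
        "server bootps": ["permit udp host 192.0.2.1 eq bootps any eq bootpc",
                          "deny ip any any"],
    }
    return {n: tuple(evaluate(a, p) for p in (DISCOVER, RENEW, OFFER))
            for n, a in acls.items()}
```

Note that the `host x.x.x.x eq 67` entry admits unicast renewals but not the broadcast DISCOVER of a client that has no lease yet, while the `bootps`/`bootpc` pair admits only the server's replies, which is the router-as-client case.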
