I have been unable to resolve an issue and I could really use some help if anyone has a minute. I have a Cisco 2951 router and I am trying to set it up to use DHCP, and for security purposes I need to use the "ip access-group in" command. DHCP will not work when I have this command on the interface that I need to run it through; DHCP works fine when I do not have the "ip access-group in" command in the configuration. When I check the log after the failed DHCP attempt it shows up as denied, as if it's being blocked. The IOS I have is c2951-UNIVERSALK9-m 15.0(1)M3, Conf Reg 0x2102. If anyone has any ideas on how to resolve this I would be most appreciative.
Your ACL is blocking the incoming DHCP requests. When a host boots up and sends a DHCP request, the source IP address will be 0.0.0.0 and the destination 255.255.255.255.
Whereas your router is configured so that all traffic destined to the router is dropped, apart from the three sources.
If you want to use DHCP, then UDP messages to the router from any source need to be permitted.
The link below describes how DHCP works.
Thanks for your reply. Could you possibly then type me out the exact command I would need using UDP?
For this you can use the commands below:
permit -------- (according to your requirement)
permit udp any any (for DHCP to work)
Please let me know if it works.
If what you want is to be as secure as possible, a permit udp any any will not do it for you.
Now let's say the ACL name is In_to_out and it is applied in the inbound direction on one of your LAN interfaces (FastEthernet 0/1) on that router.
So all you have to do is apply the following:
ip access-list extended In_to_out
 permit udp any host x.x.x.x eq 67
(In this case x.x.x.x would be the IP address of interface FastEthernet 0/1.)
This is if the ACL is applied like this:
interface FastEthernet 0/1
 ip access-group In_to_out in
Give it a try.
If this does not work, as Edison said, we must check the ACL and the access-group.
If we assume for the moment that your ACL is applied inbound on the interface you are trying to get an address on, your config would look something
ip address dhcp
In that case you need to allow UDP packets sourced from the DHCP server on the BOOTP server port (67), so the access list entry might be something
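As an added example that is not part of any reply in this thread, here is a complete IOS ACL covering both situations the replies describe: the router acting as the DHCP server for the LAN behind the interface (the second and third replies), and the interface itself configured with ip address dhcp (the last reply). It keeps the ACL name In_to_out and the FastEthernet 0/1 interface from the replies; x.x.x.x stands for that interface's own address, and the three 192.0.2.x hosts are placeholders for the three sources the original ACL already permits. On a 2951 substitute the real interface name (its onboard ports are GigabitEthernet). The detail worth noticing is that a client's initial DISCOVER and REQUEST are sent to 255.255.255.255, so a rule that only matches the interface's unicast address as destination never sees them; only renewals are unicast to the server.

```cisco
! Added example, not from the replies above. Assumes ACL name In_to_out applied
! inbound on FastEthernet 0/1, x.x.x.x = that interface's address, and three
! placeholder trusted hosts (192.0.2.10-12) standing in for the existing entries.
ip access-list extended In_to_out
 remark --- existing entries for the three trusted sources (placeholders) ---
 permit ip host 192.0.2.10 any
 permit ip host 192.0.2.11 any
 permit ip host 192.0.2.12 any
 remark --- Case A: this router is the DHCP server for the LAN on this port ---
 remark DISCOVER/REQUEST arrive from 0.0.0.0 to 255.255.255.255, UDP port 67
 permit udp any host 255.255.255.255 eq bootps
 remark renewals are unicast to the server (this interface's address)
 permit udp any host x.x.x.x eq bootps
 remark --- Case B: this interface itself uses "ip address dhcp" ---
 remark OFFER/ACK come from the server's port 67 to the client port 68
 permit udp any eq bootps any eq bootpc
 remark explicit final deny with logging so dropped traffic is visible
 deny ip any any log
!
interface FastEthernet 0/1
 ip access-group In_to_out in
```

bootps and bootpc are the IOS keywords for UDP ports 67 and 68. Keep only the case that applies (A or B) and delete the other block. To check that the right entries are doing the work, boot a client and look at show ip access-lists In_to_out: the match counters should increase on the bootps lines, and nothing DHCP-related should appear against the final deny in the log. If a DHCP relay sits between the clients and this router, the relayed requests are unicast from the relay's address on port 67 to x.x.x.x, which the second Case A line already covers.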