11-30-2017 03:25 PM - edited 03-08-2019 12:57 PM
Trying to configure an ACL for one of our FEXes. More specifically, I want to create an ACL that allows the only VLAN on the FEX to reach our two DHCP servers.
Nexus 5k
system image file is: bootflash:///n6000-uk9.7.3.2.N1.1.bin
The below config does not work. I have a Windows laptop that sends out requests and never obtains an IP from the DHCP server.
Int Config:
!Command: show running-config interface Vlan101
interface Vlan101
  description
  no shutdown
  ip access-group VLAN101 in
  ip access-group VL101 out
  ip flow monitor standard_v9netflow input sampler flowsampler
  no ip redirects
  ip address 10.17.0.130/25
  no ipv6 redirects
  ip router ospf
  hsrp version 2
  hsrp 101
    preempt
    priority 120
    timers 1 4
    ip 10.17.0.129
  ip dhcp relay address 10.4.117.10
  ip dhcp relay address 10.4.227.10

ACL Config:
ip access-list VLAN101
  1 permit udp 10.17.0.128/25 eq bootpc 10.4.117.10/32 eq bootps
  2 permit udp 10.17.0.128/25 eq bootpc 10.4.227.10/32 eq bootps
  3 permit udp 10.17.0.128/25 eq bootpc 255.255.255.255/32 eq bootps
  4 permit udp any eq bootpc any
  5 deny any any
ip access-list VL101
  2 permit udp 10.4.117.10/32 eq bootps 10.17.0.128/25 eq bootpc
  3 permit udp 10.4.217.10/32 eq bootps 10.17.0.128/25 eq bootpc
  4 permit udp 255.255.255.255/32 eq bootps 10.17.0.128/25 eq bootpc
  5 permit udp 255.255.255.255/32 eq bootps 0.0.0.0/32 eq bootpc
I left the top three lines in VLAN101 the same when I attempted to troubleshoot. The only changes I've made were to the 4th line. I've tried the following:
permit udp any eq bootpc any eq bootps
permit udp 0.0.0.0/32 eq bootpc 255.255.255.255/32 eq bootps
permit udp host 0.0.0.0 host 255.255.255.255 eq bootpc (this is automatically changed to 0.0.0.0/32 eq bootpc 255.255.255.255/32)
I also removed lines 1-3 in VLAN101 and tried all the variants I listed, and still nothing. I have not adjusted anything in VL101.
Removing the ACLs VLAN101 and VL101 from the VLAN interface makes DHCP work.
I appreciate any advice or suggestions.
11-30-2017 04:20 PM
Can you try this way?
1 permit udp 10.17.0.128/25 10.4.117.10/32 eq 67
2 permit udp 10.17.0.128/25 10.4.117.10/32 eq 68
What I am suggesting differently, besides using the port number instead of the protocol name, is to not put the protocol on both the origin and the destination, but only on the destination.
Hope it helps.
-If I helped you somehow, please, rate it as useful.-
12-01-2017 06:44 AM
Hello @Flavio Miranda, and thank you for your suggestion. This worked! Removing the source protocol and leaving only the destination protocol worked. Again, thanks for the help.
For ACL IN
2 permit udp 10.17.0.128/25 10.4.117.10/32 eq bootps
3 permit udp 10.17.0.128/25 10.4.217.10/32 eq bootps
4 permit udp 10.17.0.128/25 255.255.255.255/32 eq bootps
5 permit udp any any eq bootps
ACL OUT
2 permit udp 10.4.117.10/32 10.17.0.128/25 eq bootpc
3 permit udp 10.4.217.10/32 10.17.0.128/25 eq bootpc
4 permit udp 255.255.255.255/32 10.17.0.128/25 eq bootpc
5 permit udp any any eq bootpc
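The following is an added example, not part of the thread and not NX-OS code: a small Python model of first-match IPv4 ACL evaluation, loaded with the original inbound ACL VLAN101 and the "ACL IN" from the accepted solution, copied as posted (including the 10.4.217.10 server address in the ACLs, which differs from the 10.4.227.10 relay address in the interface config). It does not reproduce whatever made the original ACL fail on the Nexus, since the thread does not say why; it shows what each ACL permits on paper. Three things a practitioner should notice: a DHCP DISCOVER is sourced from 0.0.0.0, so it never matches the lines scoped to 10.17.0.128/25 and relies entirely on the catch-all line; line 5 of the working ACL (permit udp any any eq bootps) covers everything lines 2-4 permit, so the per-server entries no longer restrict anything; and the only difference between the two ACLs for DHCP traffic is the source-port qualifier. The flows are constructed for the example, and a client sending from a source port other than 68 is included only to show that difference.

```python
"""Paper model of first-match IPv4 ACL evaluation for DHCP flows (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BOOTPS, BOOTPC = 67, 68  # UDP ports: bootps = DHCP server, bootpc = DHCP client


def _as_net(prefix: str) -> ipaddress.IPv4Network:
    """'any' is shorthand for 0.0.0.0/0; host entries arrive as x.x.x.x/32."""
    return ipaddress.ip_network("0.0.0.0/0" if prefix == "any" else prefix, strict=False)


@dataclass(frozen=True)
class Ace:
    """One 'ip access-list' entry: permit|deny udp SRC [eq SP] DST [eq DP]."""
    seq: int
    action: str
    src: str
    dst: str
    src_port: Optional[int] = None   # None: no port qualifier on that side
    dst_port: Optional[int] = None

    def matches(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bool:
        return (ipaddress.ip_address(src_ip) in _as_net(self.src)
                and ipaddress.ip_address(dst_ip) in _as_net(self.dst)
                and self.src_port in (None, src_port)
                and self.dst_port in (None, dst_port))


def evaluate(acl: List[Ace], src_ip: str, src_port: int,
             dst_ip: str, dst_port: int) -> Tuple[str, Optional[int]]:
    """First matching entry wins; running off the end is the implicit deny (seq None)."""
    for ace in acl:
        if ace.matches(src_ip, src_port, dst_ip, dst_port):
            return ace.action, ace.seq
    return "deny", None


def covers(broad: Ace, narrow: Ace) -> bool:
    """True when every packet matching `narrow` also matches `broad`."""
    return (_as_net(narrow.src).subnet_of(_as_net(broad.src))
            and _as_net(narrow.dst).subnet_of(_as_net(broad.dst))
            and broad.src_port in (None, narrow.src_port)
            and broad.dst_port in (None, narrow.dst_port))


def redundant_permits(acl: List[Ace]) -> List[int]:
    """Sequence numbers of permits fully covered by a later permit (with no deny in
    between), i.e. entries whose removal would not change what the ACL permits."""
    redundant = []
    for i, ace in enumerate(acl):
        if ace.action != "permit":
            continue
        for later in acl[i + 1:]:
            if later.action == "deny":
                break  # an intervening deny could catch some of these packets first
            if covers(later, ace):
                redundant.append(ace.seq)
                break
    return redundant


# Original inbound ACL VLAN101 from the question (source and destination ports).
ORIGINAL_IN = [
    Ace(1, "permit", "10.17.0.128/25", "10.4.117.10/32", BOOTPC, BOOTPS),
    Ace(2, "permit", "10.17.0.128/25", "10.4.227.10/32", BOOTPC, BOOTPS),
    Ace(3, "permit", "10.17.0.128/25", "255.255.255.255/32", BOOTPC, BOOTPS),
    Ace(4, "permit", "any", "any", BOOTPC, None),
    Ace(5, "deny", "any", "any"),
]

# "ACL IN" from the accepted solution (destination port only, implicit deny at end).
WORKING_IN = [
    Ace(2, "permit", "10.17.0.128/25", "10.4.117.10/32", None, BOOTPS),
    Ace(3, "permit", "10.17.0.128/25", "10.4.217.10/32", None, BOOTPS),
    Ace(4, "permit", "10.17.0.128/25", "255.255.255.255/32", None, BOOTPS),
    Ace(5, "permit", "any", "any", None, BOOTPS),
]

# Constructed flows as seen inbound on the SVI: (src_ip, src_port, dst_ip, dst_port).
FLOWS: Dict[str, Tuple[str, int, str, int]] = {
    "discover":     ("0.0.0.0", BOOTPC, "255.255.255.255", BOOTPS),  # client has no IP yet
    "renew":        ("10.17.0.140", BOOTPC, "10.4.117.10", BOOTPS),  # unicast to server
    "odd_src_port": ("10.17.0.140", 40000, "10.4.117.10", BOOTPS),   # hypothetical non-68 src
    "dns":          ("10.17.0.140", 51000, "10.4.117.10", 53),       # non-DHCP, must be denied
}


if __name__ == "__main__":
    for name, acl in (("original VLAN101 in", ORIGINAL_IN), ("working ACL IN", WORKING_IN)):
        print(f"{name}: redundant permits {redundant_permits(acl)}")
        for flow, pkt in FLOWS.items():
            print(f"  {flow:13s} {pkt[0]}:{pkt[1]} -> {pkt[2]}:{pkt[3]}  {evaluate(acl, *pkt)}")
```

Running it shows the DISCOVER permitted by line 4 of the original ACL and by line 5 of the working one, the odd-source-port flow denied only by the original, DNS denied by both, and lines 1-3 of the original and lines 2-4 of the working ACL reported as redundant. If the intent really is to limit DHCP to the two relay targets, the catch-all line is what gives it away.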