[Config] access-list, dhcp in Cisco

[Config] access-list, dhcp in Cisco http://www.dslreports.com/forum/r15522112 en Thu, 26 Nov 2009 07:33:01 EDT Thu, 26 Nov 2009 07:33:01 EDT Re: [Config] access-list, dhcp http://www.dslreports.com/forum/remark,15525023 lonebandit : I probably know what I need to add there...one or both of these:

bootps 67/udp BOOTP/DHCP server
bootpc 68/udp BOOTP/DHCP client

I just wanted an opinion about this. And I guess I got it.

-JD]]> http://www.dslreports.com/forum/remark,15525023 Tue, 21 Feb 2006 06:22:41 EDT Re: [Config] access-list, dhcp http://www.dslreports.com/forum/remark,15524815 Phraxos : The way to fix these sorts of problems is to have a deny ip any any log at the end of the ACL. You trigure the problem behaviour and check the log sh log and you will see what is being blocked.

Usually you can nail it in two minutes. :D

BTW it is good practice to have that line anyway at the end of the ACLs then you can always have a quick look at the log to check for suspicious behaviour.

[Edit] I could just tell you what you need for DHCP but I'm a heartless bastard and this way you will learn so much more ;)]]> http://www.dslreports.com/forum/remark,15524815 Tue, 21 Feb 2006 03:31:33 EDT Re: [Config] access-list, dhcp http://www.dslreports.com/forum/remark,15522259 lonebandit : yea...I figured something like this should be needed....but wasnt sure.
So I am on the right track :)

-JD]]> http://www.dslreports.com/forum/remark,15522259 Mon, 20 Feb 2006 20:03:43 EDT Re: [Config] access-list, dhcp http://www.dslreports.com/forum/remark,15522229 thebajaguy : I dug back into the discussions and saw a note about UDP port 67 being DHCP related communications. I didn't confirm it with another source, so I'd suggest you check it out further.]]> http://www.dslreports.com/forum/remark,15522229 Mon, 20 Feb 2006 19:59:42 EDT [Config] access-list, dhcp http://www.dslreports.com/forum/remark,15522112 lonebandit : I am running a 2801 router and enabled the DHCP server for my LAN... it's working well...but I had a question...

I use an access-list on my fas0/0 (lan side) and different access-lists on my fas0/1 (wan side).

My current applied access list on fas0/0:
interface FastEthernet0/0
description INSIDE LAN
ip access-group to-internet in

and the list looks like this:
ip access-list extended to-internet
deny tcp any any range 135 139
deny udp any any range 135 netbios-ss
permit ip 192.168.1.0 0.0.0.255 any

...this configuration seems to BLOCK dhcp client requests into the interface.

So I changed this list as follows:
ip access-list extended to-internet
deny tcp any any range 135 139
deny udp any any range 135 netbios-ss
permit ip any

..this now permits the clients to obtain a DHCP address....but I was wondering if there could be a better way to do this....

Any comments WILL be appreciated.

-JD]]> http://www.dslreports.com/forum/remark,15522112 Mon, 20 Feb 2006 19:45:30 EDT