lonebandit

join:2001-12-01
Oak Creek, WI
·AT&T U-Verse

[Config] access-list, dhcp

I am running a 2801 router and enabled the DHCP server for my LAN... it's working well... but I had a question...

I use an access-list on my fas0/0 (LAN side) and different access-lists on my fas0/1 (WAN side).

My current applied access-list on fas0/0:
interface FastEthernet0/0
 description INSIDE LAN
 ip access-group to-internet in

and the list looks like this:
ip access-list extended to-internet
 deny tcp any any range 135 139
 deny udp any any range 135 netbios-ss
 permit ip 192.168.1.0 0.0.0.255 any

...this configuration seems to BLOCK DHCP client requests into the interface.

So I changed this list as follows:
ip access-list extended to-internet
 deny tcp any any range 135 139
 deny udp any any range 135 netbios-ss
 permit ip any any

...this now permits the clients to obtain a DHCP address... but I was wondering if there could be a better way to do this....

Any comments WILL be appreciated.

-JD
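Why the first ACL drops DHCP, and what a tighter fix than "permit ip any any" looks like, as an added example (not configuration from the thread): a small Python model of IOS extended-ACL matching (first match wins, implicit deny at the end, wildcard masks, eq/range port operators) run over constructed packets. A client with no lease yet sends its DHCP DISCOVER/REQUEST from 0.0.0.0 to 255.255.255.255, which matches neither the 192.168.1.0/24 permit nor anything before the implicit deny. The "permit ip any any" workaround lets it through, but it also lets any source address out, which is the anti-spoofing property the original permit line gave you. The third ACL below is a hypothetical replacement, assumed here rather than taken from the thread: it permits only the bootpc-to-bootps broadcast and keeps the source-address check.

```python
"""Model of Cisco IOS extended ACL matching: first match wins, implicit
deny at the end.  Added example: the first two ACLs are from the thread,
the third ACL and all packets are constructed here."""
import ipaddress
from typing import NamedTuple

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80,
              "netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}


class Packet(NamedTuple):
    proto: str      # "tcp", "udp", "icmp", ...
    src: str
    sport: int
    dst: str
    dport: int


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _addr(tokens, i):
    """IOS address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard'. Returns ((net, wild), next_i)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wild), i + 2


def _ports(tokens, i):
    """Optional port operator 'eq P' or 'range A B'; None means any port."""
    if i < len(tokens) and tokens[i] == "eq":
        p = _port(tokens[i + 1])
        return (p, p), i + 2
    if i < len(tokens) and tokens[i] == "range":
        return (_port(tokens[i + 1]), _port(tokens[i + 2])), i + 3
    return None, i


def parse_acl(text: str) -> list:
    """Parse 'permit|deny proto src [ports] dst [ports] [log]' lines; header/other lines are ignored."""
    entries = []
    for raw in text.strip().splitlines():
        t = raw.split()
        if not t or t[0] not in ("permit", "deny"):
            continue
        src, i = _addr(t, 2)
        sports, i = _ports(t, i)
        dst, i = _addr(t, i)
        dports, i = _ports(t, i)
        entries.append({"action": t[0], "proto": t[1], "src": src, "sports": sports,
                        "dst": dst, "dports": dports, "log": i < len(t) and t[i] == "log",
                        "text": raw.strip()})
    return entries


def _addr_match(spec, ip: str) -> bool:
    net, wild = spec
    keep = ~wild & 0xFFFFFFFF              # wildcard bits set = "don't care"
    return int(ipaddress.IPv4Address(ip)) & keep == net & keep


def _port_match(spec, port: int) -> bool:
    return spec is None or spec[0] <= port <= spec[1]


def evaluate(entries, pkt: Packet):
    """Return (action, entry text) for the first matching entry, or the implicit deny."""
    for e in entries:
        if e["proto"] not in ("ip", pkt.proto):
            continue
        if (_addr_match(e["src"], pkt.src) and _port_match(e["sports"], pkt.sport)
                and _addr_match(e["dst"], pkt.dst) and _port_match(e["dports"], pkt.dport)):
            return e["action"], e["text"]
    return "deny", "(implicit deny at end of ACL)"


# The two ACLs from the thread, plus a hypothetical tighter replacement.
ORIGINAL = """
ip access-list extended to-internet
 deny tcp any any range 135 139
 deny udp any any range 135 netbios-ss
 permit ip 192.168.1.0 0.0.0.255 any
"""
LOOSENED = ORIGINAL.replace("permit ip 192.168.1.0 0.0.0.255 any", "permit ip any any")
TIGHTENED = """
ip access-list extended to-internet
 deny tcp any any range 135 139
 deny udp any any range 135 netbios-ss
 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
 permit ip 192.168.1.0 0.0.0.255 any
 deny ip any any log
"""

# Constructed packets arriving inbound on the LAN interface.
PACKETS = {
    "dhcp_discover": Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67),   # no lease yet
    "dhcp_renew":    Packet("udp", "192.168.1.10", 68, "192.168.1.1", 67),  # unicast renewal
    "web":           Packet("tcp", "192.168.1.10", 1025, "203.0.113.5", 80),
    "netbios_ss":    Packet("tcp", "192.168.1.10", 1026, "203.0.113.5", 139),
    "spoofed_src":   Packet("tcp", "10.9.9.9", 1027, "203.0.113.5", 80),    # not our LAN prefix
}


def verdicts(acl_text: str) -> dict:
    """Map each packet name to 'permit' or 'deny' under the given ACL."""
    entries = parse_acl(acl_text)
    return {name: evaluate(entries, pkt)[0] for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL), ("loosened", LOOSENED), ("tightened", TIGHTENED)):
        print(label, verdicts(acl))
```

Run it and the difference is visible in one line per ACL: the original denies dhcp_discover and spoofed_src, the loosened one permits both, and the tightened one permits dhcp_discover while still denying spoofed_src on the explicit logged deny. The unicast renewal already passed under the original ACL because it is sourced from the leased 192.168.1.x address, which is why a freshly booted client is the case that breaks.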

thebajaguy
Premium
join:2006-01-06
Oaklyn, NJ
I dug back into the discussions and saw a note about UDP port 67 being DHCP-related communications. I didn't confirm it with another source, so I'd suggest you check it out further.

lonebandit

join:2001-12-01
Oak Creek, WI
Yeah... I figured something like this would be needed... but wasn't sure.
So I am on the right track.

-JD

Phraxos
Premium
join:2004-06-12
UK
The way to fix these sorts of problems is to have a "deny ip any any log" at the end of the ACL. You trigger the problem behaviour, check the log (sh log) and you will see what is being blocked.

Usually you can nail it in two minutes.

BTW, it is good practice to have that line at the end of the ACLs anyway; then you can always have a quick look at the log to check for suspicious behaviour.

[Edit] I could just tell you what you need for DHCP but I'm a heartless bastard and this way you will learn so much more
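What the "deny ip any any log" approach actually gives you to read, as an added example that is not part of the post above: a small parser for the %SEC-6-IPACCESSLOGP (tcp/udp, with ports) and %SEC-6-IPACCESSLOGDP (icmp, with type/code) messages that the log keyword produces in "show logging", aggregating denied packets per flow so the culprit stands out. The log lines in the block are constructed to look like what the ACL in this thread would emit, not captured from a router; the ACL name and the service table are assumptions for the example.

```python
"""Summarise what an IOS ACL ending in 'deny ip any any log' is dropping,
from %SEC-6-IPACCESSLOGP / %SEC-6-IPACCESSLOGDP lines in 'show logging'.
Added example; SAMPLE_LOG is constructed, not captured."""
import re
from collections import Counter

# tcp/udp log entries carry ports; icmp entries carry (type/code) instead.
LOGP = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<verdict>permitted|denied) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?")
LOGDP = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) (?P<verdict>permitted|denied) (?P<proto>icmp) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+) \((?P<type>\d+)/(?P<code>\d+)\), (?P<count>\d+) packets?")

# Destination ports worth recognising on a LAN-side inbound ACL (assumed table).
SERVICE = {("udp", 67): "bootps (DHCP server)", ("udp", 68): "bootpc (DHCP client)",
           ("tcp", 139): "netbios-ssn", ("udp", 137): "netbios-ns",
           ("udp", 138): "netbios-dgm", ("tcp", 445): "microsoft-ds"}

# Constructed 'show logging' excerpt: a booting client retrying DHCP, one
# NetBIOS attempt, one ICMP echo from a non-LAN source, one unrelated line.
SAMPLE_LOG = """
Nov  8 16:55:01.201: %SEC-6-IPACCESSLOGP: list to-internet denied udp 0.0.0.0(68) -> 255.255.255.255(67), 1 packet
Nov  8 16:55:03.418: %SEC-6-IPACCESSLOGP: list to-internet denied udp 0.0.0.0(68) -> 255.255.255.255(67), 1 packet
Nov  8 16:56:11.002: %SEC-6-IPACCESSLOGP: list to-internet denied tcp 192.168.1.10(1025) -> 203.0.113.5(139), 1 packet
Nov  8 16:57:40.777: %SEC-6-IPACCESSLOGDP: list to-internet denied icmp 10.9.9.9 -> 203.0.113.5 (8/0), 1 packet
Nov  8 16:59:27.123: %SEC-6-IPACCESSLOGP: list to-internet denied udp 0.0.0.0(68) -> 255.255.255.255(67), 4 packets
Nov  8 16:59:30.000: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
"""


def parse_line(line: str):
    """Return a dict for an ACL log message, or None for unrelated syslog lines."""
    m = LOGP.search(line) or LOGDP.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["count"] = int(d["count"])
    d["sport"] = int(d["sport"]) if d.get("sport") else None
    d["dport"] = int(d["dport"]) if d.get("dport") else None
    return d


def summarize(lines, acl: str = "to-internet"):
    """Aggregate denied packets per (proto, dst port, src, dst) for one ACL, busiest first.

    IOS logs the first matching packet immediately and then periodic
    summary lines with a packet count, so the counts are summed here.
    """
    totals = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["acl"] == acl and rec["verdict"] == "denied":
            totals[(rec["proto"], rec["dport"], rec["src"], rec["dst"])] += rec["count"]
    return [(*key, n, SERVICE.get((key[0], key[1]), "?")) for key, n in totals.most_common()]


if __name__ == "__main__":
    for proto, dport, src, dst, n, svc in summarize(SAMPLE_LOG.strip().splitlines()):
        print(f"{n:4d}  {proto:4s} {src} -> {dst} port {dport}  {svc}")
```

The top row is the answer to the thread's question (udp from 0.0.0.0 to 255.255.255.255 port 67, i.e. bootps), and the remaining rows are the kind of thing the catch-all deny is worth keeping for. Two caveats when you leave "deny ip any any log" in place permanently: IOS rate-limits these messages (the first packet is logged, later ones are rolled into the periodic "N packets" summaries, which is why the counts are summed above), and packets that hit a log entry are handled by the CPU rather than the fast path, so a noisy deny line on a busy interface can cost you performance.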

lonebandit

join:2001-12-01
Oak Creek, WI
I probably know what I need to add there...one or both of these:

bootps 67/udp BOOTP/DHCP server
bootpc 68/udp BOOTP/DHCP client

I just wanted an opinion about this. And I guess I got it.

-JD
Sunday, 08-Nov 16:59:27 | © 1999-2009 dslreports.com