
DHCP and IP Access Lists

cpals

I have two sites where I set up layer 3 connectivity between the two and want to keep the traffic completely isolated. Each side has its own VLAN with an access-list applied to it so only the two subnets can talk to each other. On one side I have a DHCP server that needs to give out addresses to both locations, but it's not working. I've set up the ip helper-address, but it doesn't seem to like it. From my research I think it has something to do with it blocking the broadcast, but I'm not sure.

I'm relatively new to ACLs and am not sure what to change while keeping all the traffic isolated. My configs are below.

Also, IP connectivity has been verified and both sides can see each other fine.

Site 1
---------
Code:
interface Vlan3
 ip address 192.168.201.1 255.255.255.0
 ip access-group 105 in
 ip access-group 105 out

#sh ip access-lists 105
Extended IP access list 105
    10 permit ip 192.168.200.0 0.0.0.255 192.168.201.0 0.0.0.255
    20 permit ip 192.168.200.0 0.0.0.255 192.168.200.0 0.0.0.255
    30 permit ip 192.168.201.0 0.0.0.255 192.168.200.0 0.0.0.255
    40 permit ip 192.168.201.0 0.0.0.255 192.168.201.0 0.0.0.255 (65429 matches)
    50 deny ip any any (22996 matches)

Site 2
----------
Code:
interface Vlan3
 ip address 192.168.200.1 255.255.255.0
 ip access-group 105 in
 ip access-group 105 out
 ip helper-address 192.168.201.9

#sh ip access-lists 105
Extended IP access list 105
    10 permit ip 192.168.200.0 0.0.0.255 192.168.201.0 0.0.0.255
    20 permit ip 192.168.200.0 0.0.0.255 192.168.200.0 0.0.0.255 (3445 matches)
    30 permit ip 192.168.201.0 0.0.0.255 192.168.200.0 0.0.0.255 (1 match)
    40 permit ip 192.168.201.0 0.0.0.255 192.168.201.0 0.0.0.255
    50 deny ip any any (5913 matches)
Thanks!
 
It should work. The helper-address will turn the layer 2 broadcast into a directed datagram to 201.9.

It also may not like the source IP address of 0.0.0.0 in the initial DHCP request. I forget where helper addresses go in the order of processing, whether they are handled before or after checking an ACL.
 
I think you're correct. Because it's not coming from a valid address, it's being blocked?

From other websites, some people are using this:
Code:
access-list 105 permit udp any host 192.168.201.9 eq bootps
access-list 105 permit udp any host 192.168.201.9 eq bootpc
Would this provide the functionality while keeping it secure?
 
Or you could do this to log the traffic and see what's going on.

Code:
Extended IP access list 105
    10 permit ip 192.168.200.0 0.0.0.255 192.168.201.0 0.0.0.255
    20 permit ip 192.168.200.0 0.0.0.255 192.168.200.0 0.0.0.255 (3445 matches)
    30 permit ip 192.168.201.0 0.0.0.255 192.168.200.0 0.0.0.255 (1 match)
    40 permit ip 192.168.201.0 0.0.0.255 192.168.201.0 0.0.0.255
    41 permit udp any any eq bootps
    42 permit udp any any eq bootpc
    50 deny ip any any (5913 matches)
 
I think you're correct. Because it's not coming from a valid address, it's being blocked?

From other websites, some people are using this:
Code:
access-list 105 permit udp any host 192.168.201.9 eq bootps
access-list 105 permit udp any host 192.168.201.9 eq bootpc
Would this provide the functionality while keeping it secure?

That ACL should work and it does exactly what you want it to do. Don't forget the return packets.
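The replies above disagree on whether the relayed request is "a valid address" and on whether the thread's proposed permit lines are enough. The following is an added example, not part of the original thread and not IOS code: a small first-match evaluator for the extended ACL 105 shown above, run over a constructed four-packet DISCOVER/OFFER exchange between a Site 2 client, the Site 2 switch relaying via ip helper-address 192.168.201.9, and the Site 1 server. It assumes the usual relay addressing (the relayed request is sourced from the relaying interface, 192.168.200.1, to the helper address on UDP 67; the server answers the relay on UDP 67; the relay then sends the OFFER back out Vlan3 to the client on UDP 68), assumes every packet is checked by the ACL on the interface and direction labelled in `where` (including the outbound direction, which on IOS may not filter router-originated traffic, so treat that hop as the conservative case), and treats the IOS wildcard 0.0.0.255 as a /24. The two extra entries in `ACL_105_HARDENED` (sequence numbers 41 and 42 are a naming choice borrowed from the reply above) are narrower than `permit udp any any`: they pin the only two DHCP flows the subnet-to-subnet rules cannot express to the exact addresses and ports DHCP uses, so a host on any other subnet still hits the deny. It also shows that the `permit udp any host 192.168.201.9 eq bootps` line suggested earlier does not match the client's original broadcast, because that packet is addressed to 255.255.255.255, not to the server.

```python
"""Model of how extended ACL 105 from the thread treats a relayed DHCP exchange.
Simplified first-match evaluator written for this example; not IOS code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

BOOTPS, BOOTPC = 67, 68  # DHCP server / client UDP ports

@dataclass(frozen=True)
class Packet:
    where: str                 # constructed label: interface and direction the ACL is consulted on
    src: str
    dst: str
    proto: str = "ip"
    dport: Optional[int] = None

@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches any protocol; "udp" matches only UDP
    src: str                   # CIDR; IOS wildcard 0.0.0.255 == /24, "host" == /32, "any" == /0
    dst: str
    dport: Optional[int] = None  # "eq <port>" on the destination, or None for no port test

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport

def evaluate(acl, pkt):
    """First matching entry wins; an ACL with no match ends in the implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action, ace.seq
    return "deny", None

SITE1 = "192.168.201.0/24"   # Vlan3 at Site 1, where the DHCP server 192.168.201.9 lives
SITE2 = "192.168.200.0/24"   # Vlan3 at Site 2, where the client is
ANY = "0.0.0.0/0"

ACL_105_ORIGINAL = [
    Ace(10, "permit", "ip", SITE2, SITE1),
    Ace(20, "permit", "ip", SITE2, SITE2),
    Ace(30, "permit", "ip", SITE1, SITE2),
    Ace(40, "permit", "ip", SITE1, SITE1),
    Ace(50, "deny", "ip", ANY, ANY),
]

# The line the thread quotes from other sites: permits traffic *to* the server only.
THREAD_SUGGESTION = Ace(41, "permit", "udp", ANY, "192.168.201.9/32", BOOTPS)
ACL_105_THREAD = ACL_105_ORIGINAL[:4] + [THREAD_SUGGESTION] + ACL_105_ORIGINAL[4:]

# Hardened: same subnet rules, plus the two DHCP flows they cannot express,
# pinned to the exact addresses and ports DHCP uses (sequence numbers are assumed).
ACL_105_HARDENED = ACL_105_ORIGINAL[:4] + [
    Ace(41, "permit", "udp", "0.0.0.0/32", "255.255.255.255/32", BOOTPS),        # client DISCOVER/REQUEST
    Ace(42, "permit", "udp", "192.168.200.1/32", "255.255.255.255/32", BOOTPC),  # relay -> client OFFER/ACK
] + ACL_105_ORIGINAL[4:]

def dhcp_relay_exchange():
    """Constructed DISCOVER/OFFER exchange as seen at each ACL checkpoint, in order."""
    return [
        Packet("site2 Vlan3 in", "0.0.0.0", "255.255.255.255", "udp", BOOTPS),      # client broadcast, before relay
        Packet("site1 Vlan3 out", "192.168.200.1", "192.168.201.9", "udp", BOOTPS), # relayed unicast to server
        Packet("site1 Vlan3 in", "192.168.201.9", "192.168.200.1", "udp", BOOTPS),  # server OFFER back to relay
        Packet("site2 Vlan3 out", "192.168.200.1", "255.255.255.255", "udp", BOOTPC),  # relay OFFER to client
    ]

def trace(acl):
    """(checkpoint, action, matching seq) for every packet of the exchange."""
    return [(p.where, *evaluate(acl, p)) for p in dhcp_relay_exchange()]

def blocked(acl):
    """Checkpoints at which the exchange is denied; empty means DHCP works end to end."""
    return [p.where for p in dhcp_relay_exchange() if evaluate(acl, p)[0] == "deny"]

if __name__ == "__main__":
    for name, acl in (("original", ACL_105_ORIGINAL), ("thread", ACL_105_THREAD), ("hardened", ACL_105_HARDENED)):
        print(name, trace(acl), "blocked at:", blocked(acl))
```

Running it shows the original ACL denying the very first packet at sequence 50, which is why the inbound counter on Site 2 climbs while the helper never gets a chance to relay; the thread's `host 192.168.201.9` line leaves that packet denied for the same reason; and the hardened list passes all four hops while a DHCP request from an address outside the two subnets still lands on the deny.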
 