Cisco DHCP: what is wrong in my conf?

Hello, I have always used Cisco's DHCP inside the routers without trouble.

Now I am in this particular situation:

Cisco 837 IOS 12.4(25c)

Eth0: Office LAN 192.168.0.0/24
eth2: WISP Lan 172.16.0.1/23 (255.255.254.0)

These are the relevant lines of the config:

no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.0 192.168.1.10
ip dhcp excluded-address 192.168.1.20 192.168.1.254
ip dhcp excluded-address 172.16.0.0 172.16.0.254
ip dhcp excluded-address 172.16.1.1 172.16.1.99
!
ip dhcp pool Mezzogori
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   netbios-node-type h-node
   domain-name mezzogorimario.local
   dns-server 192.168.1.1
!
ip dhcp pool WISP-TEST
   network 172.16.0.0 255.255.254.0
   default-router 172.16.0.1
   netbios-node-type h-node
   domain-name wisp-test.local
   dns-server 172.16.0.1
!
!
ip cef

interface Ethernet0
 description Rete 192.168.1.0/24 Office
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 hold-queue 100 out
!
interface Ethernet2
 description Rete 172.16.0.0/23 WISP TEST
 ip address 172.16.0.1 255.255.254.0
 ip access-group 110 in
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 hold-queue 100 out

The access list 110 is the following:

access-list 110 deny ip 172.16.0.0 0.0.1.255 192.168.1.0 0.0.0.255
access-list 110 deny udp 172.16.0.0 0.0.1.255 any eq tftp
access-list 110 deny tcp 172.16.0.0 0.0.1.255 any eq 135
access-list 110 deny udp 172.16.0.0 0.0.1.255 any eq 135
access-list 110 deny tcp 172.16.0.0 0.0.1.255 any range 137 139
access-list 110 deny udp 172.16.0.0 0.0.1.255 any range netbios-ns netbios-ss
access-list 110 deny tcp 172.16.0.0 0.0.1.255 any eq 445
access-list 110 deny udp 172.16.0.0 0.0.1.255 any eq 445
access-list 110 deny tcp 172.16.0.0 0.0.1.255 any eq 593
access-list 110 deny udp 172.16.0.0 0.0.1.255 any eq 593
access-list 110 deny tcp 172.16.0.0 0.0.1.255 any eq 4444
access-list 110 deny udp 172.16.0.0 0.0.1.255 any eq 4444
access-list 110 permit ip 172.16.0.0 0.0.1.255 any

It is there to keep the WISP network from entering the eth0 network, and to block some outgoing worms.

I think that I am blocking DHCP requests...

Can someone help me?

Elia S.

You need to permit:

permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps

Rob

Hello, thank you Rob. Just now I added:

access-list 110 deny ip 172.16.0.0 0.0.1.255 192.168.1.0 0.0.0.255
access-list 110 permit udp any any eq bootpc
access-list 110 permit udp any any eq bootps
access-list 110 deny udp 172.16.0.0 0.0.1.255 any eq 69
access-list 110 deny tcp 172.16.0.0 0.0.1.255 any eq 135
access-list 110 deny udp 172.16.0.0 0.0.1.255 any eq 135
access-list 110 deny tcp 172.16.0.0 0.0.1.255 any range 137 139
access-list 110 deny udp 172.16.0.0 0.0.1.255 any range 137 139
access-list 110 deny tcp 172.16.0.0 0.0.1.255 any eq 445
access-list 110 deny udp 172.16.0.0 0.0.1.255 any eq 445
access-list 110 deny tcp 172.16.0.0 0.0.1.255 any eq 593
access-list 110 deny udp 172.16.0.0 0.0.1.255 any eq 593
access-list 110 deny tcp 172.16.0.0 0.0.1.255 any eq 4444
access-list 110 deny udp 172.16.0.0 0.0.1.255 any eq 4444
access-list 110 permit ip 172.16.0.0 0.0.1.255 any

And now it works flawlessly :)

Thank you

"Rob" wrote in message news: snipped-for-privacy@xs8.xsall.nl...

Elia S. wrote:

You need to permit: permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps

Elia S.

You need to allow bootpc and bootps in your access list.

Thanks, Joe


ccie reports
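
The thread's diagnosis, replayed as an added example that is not part of any post: a first-match evaluator for the subset of extended-ACL syntax used above, run against a DHCP DISCOVER (0.0.0.0:68 to 255.255.255.255:67) and a unicast renewal. Assumptions: the ACL is abbreviated to four of the thread's entries, Rob's entry is placed where Elia put his permits, and all function and variable names are hypothetical.

```python
import ipaddress

PORTS = {"bootps": 67, "bootpc": 68, "tftp": 69, "netbios-ns": 137, "netbios-ss": 139}

def _ip(a):
    return int(ipaddress.IPv4Address(a))

def _port(p):
    return PORTS.get(p) or int(p)

def _addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD' -> (base, wildcard) as ints."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    return (_ip(tok.pop(0)), 0) if first == "host" else (_ip(first), _ip(tok.pop(0)))

def _ports(tok):
    """Consume optional 'eq P' | 'range P Q' -> inclusive (lo, hi)."""
    if tok and tok[0] in ("eq", "range"):
        kind = tok.pop(0)
        lo = _port(tok.pop(0))
        return lo, (_port(tok.pop(0)) if kind == "range" else lo)
    return 0, 65535

def parse(line):
    tok = line.split()[2:]                      # drop "access-list 110"
    action, proto = tok.pop(0), tok.pop(0)
    return action, proto, _addr(tok), _ports(tok), _addr(tok), _ports(tok)

def evaluate(acl, proto, src, sport, dst, dport):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    s, d = _ip(src), _ip(dst)
    for line in acl:
        action, p, (sb, sw), (slo, shi), (db, dw), (dlo, dhi) = parse(line)
        addr_ok = not ((s ^ sb) & ~sw or (d ^ db) & ~dw)   # wildcard bits are "don't care"
        port_ok = p == "ip" or (slo <= sport <= shi and dlo <= dport <= dhi)
        if p in ("ip", proto) and addr_ok and port_ok:
            return action
    return "deny (implicit)"

# Constructed input: ACL 110 from the thread, abbreviated to four entries.
PRE, SRC = "access-list 110 ", "172.16.0.0 0.0.1.255"
ORIGINAL = [PRE + f"deny ip {SRC} 192.168.1.0 0.0.0.255", PRE + f"deny udp {SRC} any eq tftp",
            PRE + f"deny tcp {SRC} any range 137 139", PRE + f"permit ip {SRC} any"]
AS_POSTED = ORIGINAL[:1] + [PRE + "permit udp any any eq bootpc",
                            PRE + "permit udp any any eq bootps"] + ORIGINAL[1:]
NARROW = ORIGINAL[:1] + [PRE + "permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps"] + ORIGINAL[1:]
DISCOVER = ("udp", "0.0.0.0", 68, "255.255.255.255", 67)   # client has no address yet
RENEW = ("udp", "172.16.1.150", 68, "172.16.0.1", 67)      # constructed lease renewal
```

Only the broadcast from 0.0.0.0 fell through to the implicit deny in the original list; `evaluate(AS_POSTED, "udp", "198.51.100.7", 4000, "192.0.2.1", 67)` also shows that the `any any` entries pass UDP/67 from sources outside 172.16.0.0/23, which the host-to-broadcast form does not.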
