catalyst 2950, access list, dhcp

Hello!

I need to set ip access-group on a 2950 interface, so the workstation will have access only to some addresses. It works, but the workstation can't get an IP address from the DHCP server. Could you tell me what I have to allow in such a list to make DHCP work?

access-list 101 permit ip any host 192.168.21.220
access-list 101 permit ip any host 192.168.22.254
access-list 101 permit ip any host 192.168.22.91
access-list 101 permit ip any host 192.168.22.92
access-list 101 deny ip any any

interface FastEthernet0/16
 description GUEST
 switchport access vlan 300
 ip access-group 101 in

Reply to
Dmitry Melekhov

Make sure that the IP address of the DHCP server is one of the permitted addresses in the ACL. If not, add an additional ACE (Access Control Entry) to support the DHCP Server's IP address.

Make sure that you have defined a DHCP scope (pool of addresses available for assignment) from the subnet being used for vlan 300 (i.e.: each vlan is on a different subnet and therefore would require a distinct scope).

Best regards, News Reader

Reply to
News Reader

Yes, it is in the list. Really, I don't know how DHCP works: do its packets contain the sender's IP address?

dhcp works without access groups...

Reply to
Dmitry Melekhov

What is the IP of your workstation and DHCP server? Do you have ip-helpers configured on the workstation vlan? Is F0/16 the interface that connects to your workstation?

Technically, dhcp works by the workstation broadcasting for an IP address, which the router in your vlan needs to forward to the dhcp server via an ip-helper statement. Therefore, the packet does not have a destination of the dhcp server because the workstation does not have an IP itself, and has no idea what the address of the dhcp server is. You need to add a statement that allows this udp/bootpc traffic.

Check this out:

formatting link

Reply to
Trendkill

formatting link
I experienced a bit of tunnel vision when I reviewed the ACL, and forgot to think about the workings of DHCP. Sorry!

Although the DHCP Discover and Request packets sent by the host are "broadcasts", the host does send "unicast" packets to the server when releasing, renewing, and rebinding.

Best regards, News Reader

Reply to
News Reader

Does a 2950 really support IP access-lists on its L2 ports?

I would perhaps expect it to support them on the management VLAN interface but not on the L2 ports.

No reason of course that it could not be implemented but not at all what I would expect.

Suppose I'd better look it up.

Oh well wrong again -

formatting link
This command is available on physical interfaces only if your switch is running the enhanced software image (EI).

Examples: This example shows how to configure an extended IP ACL that allows only TCP traffic to the destination IP address 128.88.1.2 with a TCP port number of 25 and how to apply it to an interface:

Switch(config)# access-list 102 permit tcp any host 128.88.1.2 eq 25
Switch(config)# interface fastethernet0/8
Switch(config-if)# ip access-group 102 in

This is an example of an extended ACL that allows TCP traffic only from two specified networks. The wildcard bits apply to the host portions of the network addresses. Any host with a source address that does not match the ACL statements is denied.

access-list 104 permit tcp 192.5.0.0 0.0.255.255 any
access-list 104 permit tcp 128.88.0.0 0.0.255.255 any

Reply to
Bod43

Try...

permit udp host 0.0.0.0 any eq bootps

...before your default deny rule. (bootps is equivalent to the decimal value 67.)

Regards, Mike

--
Michael T. Davis (Mike), Systems Specialist: CBE, MSE
Departmental Networking/Computing
The Ohio State University, 197 Watts, (614) 292-6928

Reply to
Michael T. Davis

I guess that request doesn't pass in my rules with the server address :-) But if these packets are broadcast, which destination IP do they have?

Reply to
Dmitry Melekhov

try

access-list 101 permit ip any host 192.168.21.220
access-list 101 permit ip any host 192.168.22.254
access-list 101 permit ip any host 192.168.22.91
access-list 101 permit ip any host 192.168.22.92

access-list 101 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps

access-list 101 deny ip any any

Reply to
Merv

DHCP uses a combination of broadcast and unicast for various operations.

Acquiring an IP address via DHCP requires at minimum, a four packet exchange between the host and the server. The host is responsible for two of the four packets. These packets are broadcast to 255.255.255.255 to facilitate a response(s) from potentially more than one DHCP server, and because the host doesn't know the IP address of any of the DHCP servers.

In the process of accepting a lease on an IP address, the host becomes aware of the IP address of the offering DHCP server. Now that the server's IP address is known, the host will use "unicast" to communicate with the server when releasing, renewing, and rebinding.

You have previously confirmed that your existing ACL includes the following entry:

access-list 101 permit ip any host

This would address your DHCP "unicast" requirements, and any other IP communications with that server (presumably required).

Merv's suggestion of:

access-list 101 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps

... only addresses the "broadcast" requirements of DHCP. Which is fine as long as you retain the earlier "IP" ACE in your ACL.

It may be preferable to use a single ACE:

access-list 101 permit udp any eq bootpc any eq bootps

... which addresses both "broadcast" and "unicast" requirements for DHCP communication with the server. This may reduce the possibility of an error being introduced later due to changes in the ACL.

Furthermore, if you did not have any IP communication requirements with the DHCP server other than DHCP, you could then eliminate the earlier ACE that matches on "IP".

Best regards, News Reader

Reply to
News Reader

You will need to permit DHCP (carried in bootp packets) in both directions:

access-list 101 permit udp any eq bootpc any eq bootps
access-list 101 permit udp any eq bootps any eq bootpc

or could simplify to:

access-list 101 permit udp any any eq bootps
access-list 101 permit udp any any eq bootpc

Reply to
Merv

No, that's not true.

The ACL is on the host port, and determines what traffic is allowed to "enter" the port (i.e. from host, to server).

The only DHCP traffic "entering" the host port is bootpc --> bootps.

If he had an ACL on the port connected to the server, he would need to accommodate the return traffic (bootps --> bootpc) in that ACL.

Best regards, News Reader


Reply to
News Reader
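The DHCP exchange and the inbound-ACL direction point made in the replies above, as an added example that is not part of the original thread. It parses the ACL lines posted here (the subset of IOS extended ACL syntax they use), runs each variant over a constructed lease exchange at Fa0/16, and reports which packets an ACL applied "in" on that port ever evaluates. The workstation address 192.168.30.10 and the choice of 192.168.22.254 as the DHCP server are assumptions, and the packets are constructed rather than captured. It also goes one step beyond the thread by including the rebinding case from RFC 2131, where the client broadcasts from its own address instead of 0.0.0.0, which a "host 0.0.0.0" entry does not cover.

```python
"""IOS-style extended ACL applied 'in' on a host port, run over a DHCP lease.
Added example, not code from the thread; handles only the syntax used above
(permit/deny; ip/udp/tcp; any | host X | addr wildcard; optional 'eq <port>').
Workstation and server addresses are assumptions, not values from the thread."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"bootps": 67, "bootpc": 68}


@dataclass(frozen=True)
class Packet:
    proto: str  # "udp" or "tcp"
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches any IP protocol
    src: tuple            # (address, wildcard) as ints; wildcard 1-bits are "don't care"
    sport: Optional[int]  # None = any port
    dst: tuple
    dport: Optional[int]
    text: str


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _parse_addr(t, i):
    """Consume 'any' | 'host X' | 'addr wildcard' at t[i]; return (spec, next index)."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2


def _parse_port(t, i):
    """Consume an optional 'eq <name|number>'; return (port or None, next index)."""
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_acl(lines):
    """Parse 'access-list <n> <action> <proto> <src> [eq p] <dst> [eq p]' lines."""
    aces = []
    for line in lines:
        t = line.split()
        src, i = _parse_addr(t, 4)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, _ = _parse_port(t, i)
        aces.append(Ace(t[2], t[3], src, sport, dst, dport, line.strip()))
    return aces


def _match(spec, ip):
    addr, wild = spec
    return (_ip(ip) | wild) == (addr | wild)


def evaluate(aces, pkt):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for a in aces:
        if (a.proto in ("ip", pkt.proto) and _match(a.src, pkt.src)
                and _match(a.dst, pkt.dst) and a.sport in (None, pkt.sport)
                and a.dport in (None, pkt.dport)):
            return a.action, a.text
    return "deny", "implicit deny"


CLIENT = "192.168.30.10"   # assumption: address the workstation leases on VLAN 300
SERVER = "192.168.22.254"  # assumption: which permitted host is the DHCP server

# Constructed lease exchange at Fa0/16; True = enters the port from the workstation.
# RFC 2131: the client sources 0.0.0.0 until it holds an address, renews by
# unicast to the server, and rebinds by broadcast from its own address.
TRAFFIC = {
    "discover": (Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67), True),
    "offer":    (Packet("udp", SERVER, "255.255.255.255", 67, 68), False),
    "request":  (Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67), True),
    "ack":      (Packet("udp", SERVER, "255.255.255.255", 67, 68), False),
    "renew":    (Packet("udp", CLIENT, SERVER, 68, 67), True),
    "rebind":   (Packet("udp", CLIENT, "255.255.255.255", 68, 67), True),
    "web":      (Packet("tcp", CLIENT, "203.0.113.5", 51000, 443), True),
}

PERMIT_HOSTS = ["access-list 101 permit ip any host %s" % h for h in
                ("192.168.21.220", "192.168.22.254", "192.168.22.91", "192.168.22.92")]
DENY_ALL = ["access-list 101 deny ip any any"]
ORIGINAL_ACL = PERMIT_HOSTS + DENY_ALL
BROADCAST_ONLY_ACL = PERMIT_HOSTS + [
    "access-list 101 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps"] + DENY_ALL
SINGLE_ACE_ACL = PERMIT_HOSTS + ["access-list 101 permit udp any eq bootpc any eq bootps"] + DENY_ALL


def packets_seen_by(direction):
    """Names of the constructed packets an ACL applied 'in' or 'out' on Fa0/16 evaluates."""
    return [n for n, (_, entering) in TRAFFIC.items() if entering == (direction == "in")]


def inbound_verdicts(acl_lines):
    """Action the inbound ACL takes on each packet entering the host port."""
    aces = parse_acl(acl_lines)
    return {n: evaluate(aces, TRAFFIC[n][0])[0] for n in packets_seen_by("in")}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("broadcast-only ACE", BROADCAST_ONLY_ACL),
                       ("single ACE", SINGLE_ACE_ACL)):
        print(label, inbound_verdicts(acl))
    print("never evaluated by the 'in' ACL:", packets_seen_by("out"))
```

Running it prints the verdicts for the three ACL variants discussed in the thread: the original list drops the Discover and Request (they are addressed to 255.255.255.255, not to a permitted host), the "host 0.0.0.0" entry admits them but still drops a rebind, and the single "udp any eq bootpc any eq bootps" entry admits every client-sourced DHCP packet while the trailing deny keeps dropping everything else. The Offer and Ack travel toward the workstation and are never matched by an inbound list on this port, which is why no bootps-to-bootpc entry is needed there.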

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.