Go CCIE Go!! - A Cisco Certified Internetwork Expert

if you wanted to be as specific as possible, you can use this ACL statement:
*permit udp host 0.0.0.0 host 255.255.255.255 eq 67*
just apply it inward toward your dhcp server and of course you’d have to read your requirements and see if this is a feasible solution, but it is one that works.
hope that helps, Jason
On Sat, Jul 12, 2008 at 12:07 PM, Jason Madsen wrote:
> as Marvin mentioned, when your DHCP client initially does it’s discover and > request it will send to 0.0.0.0 255.255.255.255. the rest of the > communication should be between src and dest IP. with all communication, to > include the initial discover and request etc., the client will src from UDP > port 68 with a dst UDP port of 67 for the DHCP server. > > so maybe try adding permit host 0.0.0.0 host 255.255.255.255 to the first > line in your ACL??? it looks as though the rest of your ACL will permit the > rest of the DHCP negotiation. > > Jason > > > On Sat, Jul 12, 2008 at 11:06 AM, omar parihuana > wrote: > >> Hi Group, >> >> I’ve configured a Switch 3560G with 3 SVIs in order to VLAN Routing: >> >> ! >> interface Vlan10 >> description VLAN 10 >> ip address 10.53.0.253 255.255.255.0 >> ! >> interface Vlan20 >> description VLAN 20 >> ip address 10.53.5.1 255.255.255.0 >> ! >> interface Vlan30 >> description VLAN 30 >> ip address 10.53.8.1 255.255.255.0 >> ! >> ip route 0.0.0.0 0.0.0.0 10.53.0.1 >> ! >> >> After I’ve configured a DHCP Pool in order to assign IP address only to >> VLAN >> 30, the conf is: >> >> ! >> ! >> ip dhcp excluded-address 10.53.8.1 10.53.8.199 >> ip dhcp pool DCHP >> network 10.53.8.0 255.255.255.0 >> default-router 10.53.8.1 >> dns-server 200.41.96.24 200.41.96.26 >> ! >> >> After that host in vlan 30 are assigned an IP Address correctly and the >> intervlan routing working fine, but as I need that VLAN 30 only reach to >> external networks (Internet) and not to other networks (VLAN 10 and >> VLAN20) >> I’ve created an Access-list >> ! >> ip access-list extended BLOCKING-VLAN >> permit ip 10.53.8.0 0.0.0.255 host 10.53.0.1 >> deny ip 10.53.8.0 0.0.0.255 10.53.0.0 0.0.0.255 log >> deny ip 10.53.8.0 0.0.0.255 10.53.5.0 0.0.0.255 log >> permit ip 10.53.8.0 0.0.0.255 any >> ! >> >> ! >> interface Vlan30 >> description VLAN 30 >> ip address 10.53.8.1 255.255.255.0 >> ip access-group BLOCKING-VLAN in >> ! >> >> The first sentence in ACL is necessary to reach the default gateway in >> VLAN10 (see default route above). Apparently all is working well the host >> in >> VLAN 30 don’t reach to Servers in VLAN 10 and VLAN20, but DHCP IS NOT >> WORKING! no assign IP address to hosts. After of check the debugs, I >> noticed >> that when the access-list is applied to Int VLAN30 the Switch is not aware >> about DHCP request. DHCPD: DHCPDISCOVER is never received by Switch. But >> when I removed the access-list then DHCP working well, then how should I >> configure the access-list in order to allow DHCP in VLAN30 and the hosts >> in >> VLAN30 don’t communicate the others VLANs? or maybe change the DHCP >> Configuration but how? >> >> Rgds. >> >> — >> Omar E.P.T >> —————– >> Certified Networking Professionals make better Connections! >> >> >> _______________________________________________________________________ >> Subscription information may be found at: >> http://www.groupstudy.com/list/CCIELab.html