DHCP forwarding behind access list on a Cisco Catalyst
Posted by Ásgeir Bjarnason on Server Fault
Published on 2012-10-15T10:18:40Z, indexed on 2012/10/19 5:06 UTC
I'm having some trouble with forwarding DHCP from a subnet behind an access list on a Cisco Catalyst 4500 switch. I'm hoping somebody can see the mistake I'm making.
The subnet is defined like this (first three octets of the IP addresses and the VRF name are anonymized):
interface Vlan40
 ip vrf forwarding vrf_name
 ip address 10.10.10.126 255.255.255.0 secondary
 ip address 10.10.10.254 255.255.255.0
 ip access-group 100 out
 ip helper-address 10.10.20.36
 no ip redirects
I tried turning on a VMware machine on this subnet that was configured to use DHCP, but I never got a DHCP response and the DHCP server didn't receive a request. I tried putting the following in the access list:
access-list 100 permit udp host 10.10.10.254 host 10.10.20.36 eq bootps
access-list 100 permit udp host 10.10.10.254 host 10.10.20.36 eq bootpc
access-list 100 permit udp host 10.10.20.36 host 10.10.10.254 eq bootps
access-list 100 permit udp host 10.10.20.36 host 10.10.10.254 eq bootpc
That didn't help. Can anybody see what the problem is?
- I know that the DHCP server works; our whole network is running off of this DHCP server
- I also know that the subnet works because we have active servers running on the network
- The DHCP scope is already defined on the DHCP server
- The subnet is correctly defined on the VMware server (there are already servers running on the subnet on VMware)
Edit 2012-10-19: This is solved! The subnet had formerly been defined as a /25 network, but was then expanded into a /24 network. When the DHCP scope was altered after this change it was done incorrectly: the gateway was moved to .254 and the leasable IP range was in the lower half of the /24 subnet, but we forgot to change the CIDR prefix from /25 to /24. This happened some 2 years ago, and we didn't need to use DHCP on this server network again until this week.
Thank you MDMarra and Jason Seemann for looking at the question and trying to troubleshoot.
Now I'm wondering if I should mark Jason's answer as the accepted answer (I am new to the Stack Exchange network, so I don't know the etiquette of what to do if I misstated the question like in this case).
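The failure described in the edit, as an added example that is not part of the original post: a relay-aware DHCP server chooses the scope whose subnet contains the request's giaddr (the relay interface's primary address, 10.10.10.254 here), so a scope still defined as /25 with its gateway at .254 can never match and the DISCOVER is dropped. The scope values below are constructed from the anonymized addresses in the question, and the helper names are hypothetical.

```python
# Added example: models the DHCP server's giaddr-based scope selection and
# a sanity check that catches the /25-vs-/24 mismatch from the question.
# Scope values are constructed from the post's anonymized addresses.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Scope:
    network: ipaddress.IPv4Network     # scope subnet, e.g. 10.10.10.0/24
    gateway: ipaddress.IPv4Address     # router option handed to clients
    pool_first: ipaddress.IPv4Address  # first leasable address
    pool_last: ipaddress.IPv4Address   # last leasable address


def make_scope(net, gw, first, last):
    return Scope(ipaddress.IPv4Network(net), ipaddress.IPv4Address(gw),
                 ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))


def scope_problems(scope):
    """Return reasons the scope is inconsistent with its own prefix."""
    problems = []
    checks = (("gateway", scope.gateway), ("pool start", scope.pool_first),
              ("pool end", scope.pool_last))
    for label, addr in checks:
        if addr not in scope.network:
            problems.append(f"{label} {addr} lies outside {scope.network}")
    return problems


def select_scope(giaddr, scopes):
    """Pick the scope whose subnet contains the relay address (giaddr).
    No match means the relayed DISCOVER gets no OFFER, the symptom seen."""
    giaddr = ipaddress.IPv4Address(giaddr)
    return next((s for s in scopes if giaddr in s.network), None)


# Scope as left after the /25 -> /24 expansion: gateway moved to .254 and
# pool in the lower half, but the prefix was never widened.
BROKEN = make_scope("10.10.10.0/25", "10.10.10.254", "10.10.10.10", "10.10.10.100")
# Corrected scope with the prefix changed to /24.
FIXED = make_scope("10.10.10.0/24", "10.10.10.254", "10.10.10.10", "10.10.10.100")
RELAY_GIADDR = "10.10.10.254"  # primary address of interface Vlan40

if __name__ == "__main__":
    for name, scope in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, select_scope(RELAY_GIADDR, [scope]), scope_problems(scope))
```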