Access-list to allow DHCP address assignment

If you're using a Cisco router in a fairly basic setup, you'll most likely have an access-list controlling traffic inbound on your external interface, and probably another on each of your bridge-group virtual interfaces (BVIs) controlling access within the networks they serve.
Each of these networks needs a DHCP pool so that addresses can be handed out on demand. People often run into trouble leasing addresses as soon as a basic access-list is applied to the BVI. BVI10 on my network uses 10.0.0.0 255.255.255.0, so the natural first entry in the ACL for this interface might be as follows...

access-list x permit ip 10.0.0.0 0.0.0.255 any

...as you need every address on that network to be able to reach the interface at the very least; otherwise there's little point in them having a network connection at all! Remember that as soon as an access-list is applied, every packet it doesn't explicitly permit hits the implicit deny all at the end of the list. This causes problems because when a client first tries to reach the DHCP server it doesn't yet have an address: it sends from 0.0.0.0 to the broadcast address 255.255.255.255, so the first line of this access-list doesn't match and cannot permit it. You need to add a couple more lines permitting those broadcasts on the UDP ports DHCP uses (bootpc, port 68, on the client side and bootps, port 67, on the server side). In my example I need to add this...

access-list x permit udp host 0.0.0.0 eq bootpc host 10.0.0.1 eq bootps
access-list x permit udp 10.0.0.0 0.0.0.255 eq bootpc host 10.0.0.1 eq bootps
access-list x permit udp any eq bootpc host 255.255.255.255 eq bootps
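
To see why the first entry on its own is not enough, here is an added Python model (not part of the post) that parses the post's ACL lines and walks them top-down the way IOS does, ending in the implicit deny. The packets are constructed samples; a renewing client's unicast REQUEST is included to show which case actually needs the extra lines.

```python
from ipaddress import IPv4Address

PORTS = {"bootps": 67, "bootpc": 68}  # IOS port keywords used on the page

def _addr(tok, i):
    """Parse one IOS address spec at tok[i]: 'any', 'host A' or 'NET WILDCARD'."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(IPv4Address(tok[i + 1])), 0), i + 2
    return (int(IPv4Address(tok[i])), int(IPv4Address(tok[i + 1]))), i + 2

def _port(tok, i):
    """Parse an optional 'eq PORT' qualifier; None means any port."""
    if i < len(tok) and tok[i] == "eq":
        return PORTS.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return None, i

def parse_ace(line):
    """Parse 'access-list ID permit|deny PROTO SRC [eq P] DST [eq P]' into a dict."""
    tok = line.split()
    src, i = _addr(tok, 4)
    sport, i = _port(tok, i)
    dst, i = _addr(tok, i)
    dport, _ = _port(tok, i)
    return {"action": tok[2], "proto": tok[3], "src": src, "sport": sport, "dst": dst, "dport": dport}

def _matches(spec, addr):
    net, wild = spec  # Cisco wildcard mask: a 1 bit means "don't care"
    return (net & ~wild) == (int(IPv4Address(addr)) & ~wild)

def evaluate(acl, proto, sip, sport, dip, dport):
    """Walk the ACL top-down as IOS does: first match wins, implicit deny at the end."""
    for ace in map(parse_ace, acl):
        if (ace["proto"] in ("ip", proto) and _matches(ace["src"], sip)
                and _matches(ace["dst"], dip) and ace["sport"] in (None, sport)
                and ace["dport"] in (None, dport)):
            return ace["action"]
    return "deny"  # the implicit deny-all that ends every IOS ACL

# The post's ACL lines ('x' is its placeholder list number), then constructed
# sample packets as (proto, src ip, src port, dst ip, dst port).
BASIC_ACL = ["access-list x permit ip 10.0.0.0 0.0.0.255 any"]
DHCP_ACL = BASIC_ACL + [
    "access-list x permit udp host 0.0.0.0 eq bootpc host 10.0.0.1 eq bootps",
    "access-list x permit udp 10.0.0.0 0.0.0.255 eq bootpc host 10.0.0.1 eq bootps",
    "access-list x permit udp any eq bootpc host 255.255.255.255 eq bootps",
]
DISCOVER = ("udp", "0.0.0.0", 68, "255.255.255.255", 67)  # client with no address yet
RENEW = ("udp", "10.0.0.42", 68, "10.0.0.1", 67)          # client renewing an existing lease
```

`evaluate(BASIC_ACL, *DISCOVER)` returns `deny` while `evaluate(DHCP_ACL, *DISCOVER)` returns `permit`; the renewing client is permitted by the first line either way, because it already has a 10.0.0.x source address.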
Note: 10.0.0.1 is the address of my gateway. It's quite common to see 192.168 networks used. If your router/gateway was 192.168.0.1, the additional ACL lines might look like this...

access-list x permit udp host 0.0.0.0 eq bootpc host 192.168.0.1 eq bootps
access-list x permit udp 192.168.0.0 0.0.0.255 eq bootpc host 192.168.0.1 eq bootps
access-list x permit udp any eq bootpc host 255.255.255.255 eq bootps
With these lines in place, all clients should have no problem obtaining their addresses. You will obviously need to edit the addresses above to match your own internal networks and gateway. Hope this helps.