ACL Blocking DHCP Discovery Broadcasts
Presenting Symptom
Clients on VLAN 10 cannot obtain an IP address via DHCP; DHCP discovery packets are not reaching the DHCP server.
Network Context
A small branch office with a single router (Cisco IOS XE 17.x) and one switch. The router acts as the default gateway and DHCP server for VLAN 10 (192.168.10.0/24). An extended ACL is applied inbound on the router's interface facing the switch to filter traffic. The switch is configured with VLAN 10 and trunking to the router.
Diagnostic Steps
Check if DHCP server is reachable from the router
ping 192.168.10.1
!!!!!
If ping fails, the issue is not ACL-related. If successful, the server is reachable, indicating the problem is likely ACL blocking broadcast traffic.
Verify ACL configuration on the router interface
show access-lists
Extended IP access list BLOCK_TRAFFIC
    10 deny udp any any eq bootps
    20 permit ip any any
Look for a deny statement that matches UDP port 67 (bootps). A DHCP discovery is a broadcast sent to UDP port 67, so a deny entry matching that port, placed before any permit, blocks DHCP.
Check ACL application on the interface
show running-config interface GigabitEthernet0/0/0
interface GigabitEthernet0/0/0
 ip access-group BLOCK_TRAFFIC in
Confirm the ACL is applied inbound. If applied outbound, it would not affect incoming DHCP broadcasts from clients.
Capture DHCP traffic to confirm blocking
debug ip packet detail access-list 100
IP: s=0.0.0.0 (GigabitEthernet0/0/0), d=255.255.255.255, len 576, access denied
The debug shows packets from source 0.0.0.0 (client) to destination 255.255.255.255 (broadcast) being denied. This confirms the ACL is blocking DHCP discovery.
Root Cause
An extended ACL named BLOCK_TRAFFIC is applied inbound on the router's interface facing the switch. The ACL contains a deny statement for UDP port 67 (bootps), which blocks DHCP discovery broadcasts from clients. The ACL was intended to block other traffic but inadvertently blocks DHCP.
Resolution
Verification
1. Verify the ACL now permits DHCP:
show access-lists
Expected:
Extended IP access list BLOCK_TRAFFIC
    5 permit udp any any eq bootps
    10 permit udp any any eq bootpc
    20 permit ip any any
2. Test DHCP from a client: the client should obtain an IP address.
3. Optionally, clear debug and run:
debug ip packet detail access-list 100
to see permitted DHCP packets.
Prevention
1. Use named ACLs with explicit permit statements for required services like DHCP before any deny statements.
2. Apply ACLs outbound on the server-facing interface instead of inbound on the client-facing interface to control traffic leaving the server.
3. Test ACL changes in a lab or during maintenance windows to avoid disrupting critical services.
CCNA Exam Relevance
On the CCNA 200-301 exam, this scenario tests understanding of ACL processing order and the impact on DHCP. Expect multiple-choice questions asking which ACL entry blocks DHCP or how to fix a DHCP issue caused by ACLs. Key fact: DHCP uses UDP ports 67 (server) and 68 (client); broadcasts are sent to 255.255.255.255.
Exam Tips
Remember that DHCP discovery is a broadcast using UDP port 67; an ACL denying UDP port 67 will block it.
ACLs are processed top-down; the first match applies. Ensure permit entries for DHCP are placed before any deny all.
Use 'show access-lists' to see the sequence numbers and match count; a match count on a deny entry indicates blocked traffic.
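The following is an added example, not part of the original scenario page: a small Python evaluator that parses the two ACL listings shown above (the BLOCK_TRAFFIC ACL found during troubleshooting and the expected ACL from the Verification section) and walks them top-down the way IOS does, returning the action and the sequence number of the first matching entry. It is meant to illustrate the top-down, first-match rule and the implicit deny at the end of every IOS ACL; the parser is a simplification that only understands the entry forms that appear on this page (any, host, address plus wildcard, and eq port), and the DHCPDISCOVER packet is constructed from the values in the debug output (0.0.0.0 to 255.255.255.255, UDP 68 to 67).

```python
"""Toy first-match evaluator for Cisco-style extended ACL entries.

Added example for the ACL/DHCP scenario; not the router's own logic.
Assumptions: only 'any', 'host A', 'A WILDCARD' address forms and
'eq <port>' port matches are supported, which covers the page's ACLs.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, List

# IOS port keywords used on the page (assumption: only these are needed).
PORT_NAMES = {"bootps": 67, "bootpc": 68}


@dataclass(frozen=True)
class Packet:
    proto: str                # "udp", "tcp", "icmp", ...
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str               # "permit" or "deny"
    proto: str                # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[int]      # from 'eq' after the source, if present
    dport: Optional[int]      # from 'eq' after the destination, if present


def _parse_addr(tokens: List[str], i: int):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts a hostmask (wildcard) in place of a prefix length
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def _parse_port(tokens: List[str], i: int):
    """Consume an optional 'eq <port>'; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return PORT_NAMES.get(name, None) if name in PORT_NAMES else int(name), i + 2
    return None, i


def parse_entry(line: str) -> Entry:
    """Parse one line such as '10 deny udp any any eq bootps'."""
    t = line.split()
    seq, action, proto = int(t[0]), t[1], t[2]
    src, i = _parse_addr(t, 3)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return Entry(seq, action, proto, src, dst, sport, dport)


def parse_acl(text: str) -> List[Entry]:
    """Parse 'show access-lists' output, skipping the header line."""
    entries = []
    for line in text.strip().splitlines():
        line = line.strip()
        if line and not line.startswith("Extended"):
            entries.append(parse_entry(line))
    return entries


def matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if ipaddress.ip_address(p.src) not in e.src or ipaddress.ip_address(p.dst) not in e.dst:
        return False
    if e.sport is not None and e.sport != p.sport:
        return False
    return e.dport is None or e.dport == p.dport


def evaluate(entries: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins; no match hits the implicit deny (seq None)."""
    for e in sorted(entries, key=lambda x: x.seq):
        if matches(e, p):
            return e.action, e.seq
    return "deny", None


# ACL as found during troubleshooting (from the 'show access-lists' output above)
BROKEN_ACL = """
Extended IP access list BLOCK_TRAFFIC
    10 deny udp any any eq bootps
    20 permit ip any any
"""
# ACL expected after the fix (from the Verification section)
FIXED_ACL = """
Extended IP access list BLOCK_TRAFFIC
    5 permit udp any any eq bootps
    10 permit udp any any eq bootpc
    20 permit ip any any
"""
# Constructed DHCPDISCOVER: 0.0.0.0 -> 255.255.255.255, UDP 68 -> 67
DISCOVER = Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67)


def check(acl_text: str, pkt: Packet = DISCOVER) -> Tuple[str, Optional[int]]:
    return evaluate(parse_acl(acl_text), pkt)


if __name__ == "__main__":
    print("broken ACL:", check(BROKEN_ACL))   # ('deny', 10)
    print("fixed ACL: ", check(FIXED_ACL))    # ('permit', 5)
```

Running it shows the discovery hitting sequence 10 of the original ACL and sequence 5 of the corrected one, which is exactly what the match counters in show access-lists would reveal on the router. Feeding it a packet that matches no entry returns the implicit deny, a reminder that an ACL with only deny lines blocks everything.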
Commands Used in This Scenario