Exam 300-410 topic 1 question 218 discussion

For first time DHCP client, the discover and request messages would all be from 0.0.0.0 to 255.255.255.255. So E is needed. https://wiki.wireshark.org/uploads/__moin_import__/attachments/DHCP/dhcp-ws.png For renewing with DHCP request, the source is the current assigned IP and the destination is server itself. So A is needed. Other packets like inform is from the assigned IP to the 255.255.255.255. The existing ACL entry allows for it already. I will go with AE.

A and E To get this question, you MUST be comfortable with the DHCP-DORA Exchange. Discover: Src: 0.0.0.0 Dest: 255.255.255.255 Offer: Src: <DHCP Server Address> Dest: <Relay Address> OR 255.255.255.255 Request: Src: 0.0.0.0 Dest: 255.255.255.255 Ack: Src: <DHCP Server Address> Dest: <Relay Address> OR 255.255.255.255 Given the Inbound ACL applied to the Client-Facing Interface, AT A MINIMUM, E is required. DHCP will also use Unicast for other operations and upkeep, so A is also important. https://community.cisco.com/t5/switching/concerning-acl-with-dhcp/td-p/1239487

AE sounds fair

choose 2 so DE client always 0.0.0.0 ->255.255.255.255 server sevrip -> broadcast

I think you have to choose two from the options, but was there originally one option? In any case, since “host 0.0.0.0” cannot be set, I think the correct answers are A and D.

C. This entry allows DHCP requests from any client (with an IP of 0.0.0.0 because clients don’t have an IP address before getting one from DHCP) using port 68 (bootpc) to the DHCP server at 192.168.255.3 using port 67 (bootps). D. This entry allows DHCP replies from the DHCP server (192.168.255.3) using port 67 (bootps) to the clients in the 192.168.30.0/24 subnet using port 68 (bootpc).

A & E are correct

all you actually need is permit udp any any eq bootps

A & E CORRECT

A and E correct https://networkengineering.stackexchange.com/questions/38044/dhcp-bootpc-acl

A and E are correct.

For me E + A. https://community.cisco.com/t5/switching/acl-not-working-as-intended/td-p/4168422 "permit udp host 0.0.0.0 eq boopc host 255.255.255.255 eq bootps. For the DHCP IP renewal, you can configure permit udp 10.20.20.0 0.0.0.255 eq bootpc host 128.1.99.1 eq bootps. Reason why the one you configured would not work for DHCP DORA is because when the client first time tries to get an IP, it sources with 0.0.0.0, and the DHCP request will be broadcasted to the IP 255.255.255.255. However, when the client tries to renew its IP address, it would source from its IP address which will be within the subnet 10.20.20.0/24, and will send the renewal request to the DHCP server IP as unicast." https://www.certforums.com/threads/acl-allow-access-to-dhcp-server.36762/

From Figure 7-2 (Pg 127 CCNA 200-301 Volume 2) DHCP Client PC-A --(From: 0.0.0.0 To: 255.255.255.255)--> Router ----------------------------------> DHCP Server 192.168.30.1 192.168.255.3 Option E will be correct. =================================================================== From Figure 7-3 (Pg 128 CCNA 200-301 Volume 2) PC-A <------------------------- Router <---(From 192.168.255.3 To:192.168.30.1)--- DHCP Server 192.168.30.1 192.168.255.3 Option D will be correct.

A E is correct. D is pointless because source IP address is DHCP server addres. This ACL is applied to LAN facing interface inbound so DHCP server as source here will have no matches :)

I labbed this and none of the combinations worked. B, C and D can't be added to the ACL as I get a message "% % Duplicate sequence number." A and E can be added to the ACL but the PC doesn't get an IP address and you get a syslog message ... list Gi3-in denied udp 192.168.30.2(67) -> 192.168.30.100(68), 2 packets If I removed the ACL the PC gets an IP address

D and E bootpc = udp/68 bootps = udp/67 Client-end port is 68; Server-end port is 67 (http://klamp.works/2016/04/29/dhcp.html) Therefore, correct answers are D and E: --> To server (port 67) E. 75 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps --> To client (port 68) D. 72 permit udp host 192.168.255.3 eq bootps 192.168.30.0 0.0.0.255 eq bootpc

LABED it. Correct are A and B. It should be FROM bootpc (client) TO bootps (server). Source is 0.0.0.0 to 255.255.255.255 when first get and IP Source is 192.168.30.X to 192.168.30.3 when renewing.