ACL允许DHCP

真是晕啊,昨天晚上加班搞到十一点,图书馆说要让一部份机器只能上内网,不能上外网,我原来以为是很SIMPLY的事情,没想到,搞到后来,ACL是有用的,但是DHCP却不能获得IP地址,没了IP地址怎么用ACL啊,呵呵,想想以前我做实验的时候好像行的吗?呵呵,忽然想起来了,我以前做的实验都是在已经DHCP获得地址的情况下运用ACL的,所以正常的说,

access-list 102 permit tcp any 192.0.0.0 0.255.255.255
access-list 102 permit udp any 192.0.0.0 0.255.255.255
access-list 102 permit tcp any 172.0.0.0 0.255.255.255
access-list 102 permit udp any 172.0.0.0 0.255.255.255
access-list 102 permit igmp any any
access-list 102 permit icmp any any
access-list 102 deny ip any any

最后一句access-list 102 deny ip any any

把DHCP给做掉了,当时一想到这个问题,也晕了,DHCP到底用的是什么,我以前在TCP/IP三卷中是看到过,但现在给记了,真是晕啊,后来找到了下面的标准模块,呵呵,看到REMARK的DHCP,呵呵,就把上面的DHCP给改了

access-list 102 permit tcp any 192.0.0.0 0.255.255.255
access-list 102 permit udp any 192.0.0.0 0.255.255.255
access-list 102 permit tcp any 172.0.0.0 0.255.255.255
access-list 102 permit udp any 172.0.0.0 0.255.255.255
access-list 102 permit udp any any range 67 69
access-list 102 permit tcp any any range 67 69
access-list 102 permit igmp any any
access-list 102 permit icmp any any
access-list 102 deny ip any any
一切运行正常后,才敢回家,呵呵,

上面的事情给我一个教训:做事情不能想当然,要仔细