First, enable the multi-VLAN knob. Then create an interface VLAN 20 on the MSFC and assign the IP address 10.1.20.1/24 to it. You can also create an interface VLAN 30 and assign 10.1.30.254/24 to it. By doing this, you have actually connected the inside subnet directly to the MSFC, which means that your two hosts can bypass the firewall. To prevent this, apply an inbound access-list to interface VLAN 30 that allows only DHCP requests. Here is a quick background on how the DHCP protocol operates:
- Clients broadcast a DHCPDISCOVER.
- Servers unicast a DHCPOFFER back.
- Clients broadcast a DHCPREQUEST.
- Servers unicast a DHCPACK back.
DHCP messages from a client to a server are sent to UDP port 67, and DHCP messages from a server to a client are sent to UDP port 68. Therefore, in this scenario, a simple inbound access-list needs to be applied to VLAN 30 on the MSFC to allow only UDP broadcasts with source port 68 and destination port 67. This allows client-sourced messages to reach the DHCP server while blocking everything else the inside hosts send toward the MSFC. You then add an IP helper-address statement that points to the DHCP server, as shown in Example 4-27.
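One way to write that access-list and helper-address in IOS syntax, as an added illustration rather than the book's own Example 4-27; the ACL name DHCP-ONLY and the DHCP server address placeholder are assumptions:

```cisco
! Added example, not the book's Example 4-27. Assumptions: ACL name DHCP-ONLY,
! DHCP server reachable from the MSFC at <DHCP-SERVER-IP> (placeholder).
ip access-list extended DHCP-ONLY
 remark Only client-sourced DHCP: UDP src 68 (bootpc) to dst 67 (bootps) sent to the limited broadcast
 remark A client with no lease yet sources from 0.0.0.0, so the source must stay "any"
 permit udp any eq bootpc host 255.255.255.255 eq bootps
 remark Everything else from the inside hosts is dropped; log hits so bypass attempts are visible
 deny ip any any log
!
interface Vlan30
 ip address 10.1.30.254 255.255.255.0
 ip access-group DHCP-ONLY in
 ip helper-address <DHCP-SERVER-IP>
!
! The relayed request leaves VLAN 30 toward the server with giaddr 10.1.30.254; the server's
! reply comes back to that address and the relay delivers it to the client on VLAN 30, so the
! inbound ACL never has to permit server-to-client (port 68) traffic.
! Because only broadcasts are permitted, a client's unicast renewal at T1 is denied; it then
! falls back to a broadcast DHCPREQUEST at T2, which the permit line matches.
! Verify with: show ip access-lists DHCP-ONLY   (hit counters on the permit and deny lines)
```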