Solved

cisco acl to block dhcp server to hand out ip address to another network

Posted on 2014-11-05
7
252 Views
Last Modified: 2014-11-06
i have two networks connected through a routerA. The dhcp server is located in the 10.100.1.0/24 network. I don't want the dhcp server (10.100.1.2)  to provide addresses to the 192.168.0.0/24 network.

i create an extended access-list in routerA:

ip access-list extended DenyDhcpOut
  deny udp 192.168.0.0 0.0.0.255 10.100.1.0 0.0.0.255 eq bootps
  deny udp 192.168.0.0 0.0.0.255 10.100.1.0 0.0.0.255 eq bootpc
  permit ip any any

on the interface:

int fa0/0/0
ip addRESS 192.168.0.0 255.255.255.0
ip access-group DenyDhcpOut in

However, this is not doing anything. DHCP continues to hand out ip addresses to the 192.168.0.0/24 network.  Please help. I tried different combinations but none work.
0
Comment
Question by:Shen
  • 4
  • 3
7 Comments
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40424913
Minor related point:  If you don't define a scope on your DHCP server for the 192.168.0.0/24 network, it won't hand out addresses.

As for your ACL, you need to make a slight change.

1) DHCP requests don't have a source address (that's why you're using DHCP) ;-)

So you can change it to:
  deny udp any 10.100.1.2 0.0.0.0 eq bootps
  deny udp any 10.100.1.2 0.0.0.0 eq bootpc

or
  deny udp 0.0.0.0 0.0.0.0 10.100.1.0 0.0.0.255 eq bootps
  deny udp 0.0.0.0 0.0.0.0 10.100.1.0 0.0.0.255 eq bootpc
0
 

Author Comment

by:Shen
ID: 40424963
so this will deny dhcp for the 192.168.0.0 network but still permit dhcp address to the 10.100.1.0 network?
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40424998
Sorry... Don't understand the question.

The first ACL that I posted will deny DHCP requests from the 192.168.0.0/24 network to the 10.100.1.2 server.

The second ACL will denty DHCP requests from the 192.168.0.0/24 network if the device doesn't have an IP address and it's going to the 10.100.1.0/24 network.
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 

Author Comment

by:Shen
ID: 40426298
This is really strange, i put your statements and still the dhcp server on 10.100.1.2 hand out the ip address. I then put only 1 rule in the access-list extended DenyDhcpOut to troubleshoot:  deny ip any any  and still I  get an ip address. I also put the ip access-group extended DenyDhcpOut in the "in" and "out" directions of the interface fa0/0/0, but still hands out address.  

I wonder, if dhcp also does this at layer 2 whcih doesn ot make sense to me.
0
 
LVL 50

Accepted Solution

by:
Don Johnston earned 500 total points
ID: 40426520
Please post the config of the router.
0
 

Author Comment

by:Shen
ID: 40426639
I found the problem. It was a physical layer 1 issue.  The connection from the switch in the 192.168.0.0 network was going to another switch in the 10.100.1.0 network.  From this switch then we  connect to the router.  I connected the first switch directly to the router interface fa0/0/0 and your ACLs worked.

I really thank you very much for your help.  Specially the explanation of the client not having an ip initially. Which is obvius but did not occur to me.

Thank you again
0
 

Author Closing Comment

by:Shen
ID: 40426643
Excellent help.  

Thank you again
0

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
Using in-flight Wi-Fi when you travel? Business travelers beware! In-flight Wi-Fi networks could rip the door right off your digital privacy portal. That’s no joke either, as it might also provide a convenient entrance for bad threat actors.
With the power of JIRA, there's an unlimited number of ways you can customize it, use it and benefit from it. With that in mind, there's bound to be things that I wasn't able to cover in this course. With this summary we'll look at some places to go…
Hi friends,  in this video  I'll show you how new windows 10 user can learn the using of windows 10. Thank you.

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now