Solved

cisco acl to block dhcp server to hand out ip address to another network

Posted on 2014-11-05
7
316 Views
Last Modified: 2014-11-06
i have two networks connected through a routerA. The dhcp server is located in the 10.100.1.0/24 network. I don't want the dhcp server (10.100.1.2)  to provide addresses to the 192.168.0.0/24 network.

i create an extended access-list in routerA:

ip access-list extended DenyDhcpOut
  deny udp 192.168.0.0 0.0.0.255 10.100.1.0 0.0.0.255 eq bootps
  deny udp 192.168.0.0 0.0.0.255 10.100.1.0 0.0.0.255 eq bootpc
  permit ip any any

on the interface:

int fa0/0/0
ip addRESS 192.168.0.0 255.255.255.0
ip access-group DenyDhcpOut in

However, this is not doing anything. DHCP continues to hand out ip addresses to the 192.168.0.0/24 network.  Please help. I tried different combinations but none work.
0
Comment
Question by:Shen
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40424913
Minor related point:  If you don't define a scope on your DHCP server for the 192.168.0.0/24 network, it won't hand out addresses.

As for your ACL, you need to make a slight change.

1) DHCP requests don't have a source address (that's why you're using DHCP) ;-)

So you can change it to:
  deny udp any 10.100.1.2 0.0.0.0 eq bootps
  deny udp any 10.100.1.2 0.0.0.0 eq bootpc

or
  deny udp 0.0.0.0 0.0.0.0 10.100.1.0 0.0.0.255 eq bootps
  deny udp 0.0.0.0 0.0.0.0 10.100.1.0 0.0.0.255 eq bootpc
0
 

Author Comment

by:Shen
ID: 40424963
so this will deny dhcp for the 192.168.0.0 network but still permit dhcp address to the 10.100.1.0 network?
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40424998
Sorry... Don't understand the question.

The first ACL that I posted will deny DHCP requests from the 192.168.0.0/24 network to the 10.100.1.2 server.

The second ACL will denty DHCP requests from the 192.168.0.0/24 network if the device doesn't have an IP address and it's going to the 10.100.1.0/24 network.
0
Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

 

Author Comment

by:Shen
ID: 40426298
This is really strange, i put your statements and still the dhcp server on 10.100.1.2 hand out the ip address. I then put only 1 rule in the access-list extended DenyDhcpOut to troubleshoot:  deny ip any any  and still I  get an ip address. I also put the ip access-group extended DenyDhcpOut in the "in" and "out" directions of the interface fa0/0/0, but still hands out address.  

I wonder, if dhcp also does this at layer 2 whcih doesn ot make sense to me.
0
 
LVL 50

Accepted Solution

by:
Don Johnston earned 500 total points
ID: 40426520
Please post the config of the router.
0
 

Author Comment

by:Shen
ID: 40426639
I found the problem. It was a physical layer 1 issue.  The connection from the switch in the 192.168.0.0 network was going to another switch in the 10.100.1.0 network.  From this switch then we  connect to the router.  I connected the first switch directly to the router interface fa0/0/0 and your ACLs worked.

I really thank you very much for your help.  Specially the explanation of the client not having an ip initially. Which is obvius but did not occur to me.

Thank you again
0
 

Author Closing Comment

by:Shen
ID: 40426643
Excellent help.  

Thank you again
0

Featured Post

Simple, centralized multimedia control

Watch and learn to see how ATEN provided an easy and effective way for three jointly-owned pubs to control the 60 televisions located across their three venues utilizing the ATEN Control System, Modular Matrix Switch and HDBaseT extenders.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Keystroke loggers have been around for a very long time. While the threat is old, some of the remedies are new!
In this blog we highlight approaches to managed security as a service.  We also look into ConnectWise’s value in aiding MSPs’ security management and indicate why critical alerting is a necessary integration.
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question