Shen
cisco acl to block dhcp server to hand out ip address to another network
I have two networks connected through a routerA. The DHCP server is located in the 10.100.1.0/24 network. I don't want the DHCP server (10.100.1.2) to provide addresses to the 192.168.0.0/24 network.
I create an extended access-list in routerA:
ip access-list extended DenyDhcpOut
deny udp 192.168.0.0 0.0.0.255 10.100.1.0 0.0.0.255 eq bootps
deny udp 192.168.0.0 0.0.0.255 10.100.1.0 0.0.0.255 eq bootpc
permit ip any any
on the interface:
int fa0/0/0
ip address 192.168.0.0 255.255.255.0
ip access-group DenyDhcpOut in
However, this is not doing anything. DHCP continues to hand out IP addresses to the 192.168.0.0/24 network. Please help. I tried different combinations but none work.
ASKER
so this will deny dhcp for the 192.168.0.0 network but still permit dhcp address to the 10.100.1.0 network?
Sorry... Don't understand the question.
The first ACL that I posted will deny DHCP requests from the 192.168.0.0/24 network to the 10.100.1.2 server.
The second ACL will deny DHCP requests from the 192.168.0.0/24 network if the device doesn't have an IP address and it's going to the 10.100.1.0/24 network.
ASKER
This is really strange, I put your statements in and still the DHCP server on 10.100.1.2 hands out the IP address. I then put only 1 rule in the access-list extended DenyDhcpOut to troubleshoot: deny ip any any, and still I get an IP address. I also put the ip access-group extended DenyDhcpOut in the "in" and "out" directions of the interface fa0/0/0, but it still hands out addresses.
I wonder if DHCP also does this at layer 2, which does not make sense to me.
ASKER CERTIFIED SOLUTION
ASKER
I found the problem. It was a physical layer 1 issue. The connection from the switch in the 192.168.0.0 network was going to another switch in the 10.100.1.0 network. From this switch then we connect to the router. I connected the first switch directly to the router interface fa0/0/0 and your ACLs worked.
I really thank you very much for your help. Especially the explanation of the client not having an IP initially, which is obvious but did not occur to me.
Thank you again
ASKER
Excellent help.
Thank you again
As for your ACL, you need to make a slight change.
1) DHCP requests don't have a source address (that's why you're using DHCP) ;-)
So you can change it to:
deny udp any 10.100.1.2 0.0.0.0 eq bootps
deny udp any 10.100.1.2 0.0.0.0 eq bootpc
or
deny udp 0.0.0.0 0.0.0.0 10.100.1.0 0.0.0.255 eq bootps
deny udp 0.0.0.0 0.0.0.0 10.100.1.0 0.0.0.255 eq bootpc
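The following is an added simulation, not code from the thread, that models how a Cisco extended ACL evaluates packets and runs the asker's original entries and the expert's rewrite against constructed DHCP packets. It shows why the original ACL never matches a DHCP DISCOVER (the client sources it from 0.0.0.0, not from 192.168.0.0/24), that the rewrite does catch unicast client-to-server DHCP traffic, and, as a check a practitioner would want, that a broadcast DISCOVER (destination 255.255.255.255) is only matched by an entry with destination `any`, which matters when the router relays it with ip helper-address. The packet values, the ACL parser, and the `parse_acl`/`evaluate` names are this example's own assumptions; the parser supports only the `deny|permit proto src dst [eq port]` subset used on this page.

```python
"""Simulate Cisco extended-ACL matching for DHCP packets (added example)."""
import ipaddress
from typing import List, NamedTuple, Optional

# Well-known port names as Cisco IOS accepts them in the "eq" clause.
PORT_NAMES = {"bootps": 67, "bootpc": 68}


class Packet(NamedTuple):
    proto: str   # "udp" / "tcp"
    src: str     # source IPv4 address
    dst: str     # destination IPv4 address
    dport: int   # destination port


class Ace(NamedTuple):
    action: str          # "permit" or "deny"
    proto: str           # "ip", "udp", "tcp"
    src: str             # "any", "host A.B.C.D", or "A.B.C.D WILDCARD"
    dst: str
    dport: Optional[int]  # None when no "eq" clause was given


def _take_addr(tokens: List[str]):
    """Consume one address spec from the token list; return (spec, remaining)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"host {tokens[1]}", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]  # address + wildcard mask


def parse_ace(line: str) -> Ace:
    """Parse one entry such as 'deny udp any host 10.100.1.2 eq bootps'."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, rest = _take_addr(tokens[2:])
    dst, rest = _take_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return Ace(action, proto, src, dst, dport)


def parse_acl(text: str) -> List[Ace]:
    """Parse a block of ACL entries; the 'ip access-list extended NAME' header is skipped."""
    return [parse_ace(l) for l in text.strip().splitlines()
            if l.strip() and not l.strip().startswith("ip access-list")]


def match_addr(spec: str, addr: str) -> bool:
    """Cisco wildcard-mask semantics: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    if spec.startswith("host "):
        return a == int(ipaddress.IPv4Address(spec[5:]))
    base, wild = spec.split()
    b, w = int(ipaddress.IPv4Address(base)), int(ipaddress.IPv4Address(wild))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Return the action of the first matching entry; unmatched packets hit the implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (match_addr(ace.src, pkt.src) and match_addr(ace.dst, pkt.dst)):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"


# The asker's original ACL, as posted in the question.
ASKER_ACL = parse_acl("""
ip access-list extended DenyDhcpOut
deny udp 192.168.0.0 0.0.0.255 10.100.1.0 0.0.0.255 eq bootps
deny udp 192.168.0.0 0.0.0.255 10.100.1.0 0.0.0.255 eq bootpc
permit ip any any
""")

# The expert's first rewrite (source "any", server host 10.100.1.2).
EXPERT_ACL = parse_acl("""
deny udp any 10.100.1.2 0.0.0.0 eq bootps
deny udp any 10.100.1.2 0.0.0.0 eq bootpc
permit ip any any
""")

# Constructed sample packets (assumed values, not captures from the thread).
DISCOVER = Packet("udp", "0.0.0.0", "255.255.255.255", 67)  # client has no address yet
RENEW = Packet("udp", "192.168.0.50", "10.100.1.2", 67)     # unicast renewal to a known server
WEB = Packet("tcp", "192.168.0.50", "10.100.1.2", 80)       # unrelated traffic must stay permitted


def decisions(acl: List[Ace]) -> dict:
    """Evaluate the three sample packets against an ACL; used by the demo and the checks."""
    return {"discover": evaluate(acl, DISCOVER),
            "renew": evaluate(acl, RENEW),
            "web": evaluate(acl, WEB)}


if __name__ == "__main__":
    for name, acl in (("asker", ASKER_ACL), ("expert", EXPERT_ACL)):
        print(name, decisions(acl))
```

Running the script shows the asker's ACL permitting the DISCOVER (source 0.0.0.0 is outside 192.168.0.0/24) while denying only the unicast renewal; the expert's version denies the renewal as well but still permits the broadcast DISCOVER, because its destination is 255.255.255.255 rather than the server address. An inbound ACL on the client-facing interface sees that broadcast before any ip helper-address relay rewrites it, so an entry such as `deny udp any any eq bootps` is what catches it at the router; in the asker's case the real fix was that the two switches had been bridged into one broadcast domain, so the router never saw the DHCP exchange at all.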